| From | Sent On | Attachments |
|---|---|---|
| Emmanuel Dreyfus | Jul 23, 2007 6:50 am | |
| Quanah Gibson-Mount | Jul 23, 2007 11:01 am | |
| Emmanuel Dreyfus | Jul 23, 2007 1:09 pm | |
| Quanah Gibson-Mount | Jul 23, 2007 1:18 pm | |
| Russ Allbery | Jul 23, 2007 4:35 pm | |
| Christopher Cowart | Jul 23, 2007 7:40 pm | |
| Howard Chu | Jul 23, 2007 9:58 pm | |
| Emmanuel Dreyfus | Jul 24, 2007 1:02 am | |
| Howard Chu | Jul 24, 2007 1:54 am | |
| Emmanuel Dreyfus | Jul 24, 2007 12:18 pm | |
| Quanah Gibson-Mount | Jul 25, 2007 8:52 am | |
| Emmanuel Dreyfus | Jul 25, 2007 9:06 am | |
| Quanah Gibson-Mount | Jul 25, 2007 9:47 am | |
| Michael Ströder | Jul 25, 2007 9:53 am | |
| Emmanuel Dreyfus | Jul 25, 2007 10:36 am | |
| Quanah Gibson-Mount | Jul 25, 2007 10:46 am | |
| Howard Chu | Jul 25, 2007 2:31 pm | |
| Michael Ströder | Jul 25, 2007 2:38 pm | |
| Howard Chu | Jul 25, 2007 2:44 pm | |
| Russ Allbery | Jul 25, 2007 2:45 pm | |
| Norman Gaywood | Jul 25, 2007 3:04 pm | |
| Emmanuel Dreyfus | Jul 25, 2007 8:30 pm | |
| Emmanuel Dreyfus | Jul 25, 2007 8:31 pm | |
| Howard Chu | Jul 25, 2007 11:17 pm | |
| Ralf Haferkamp | Jul 26, 2007 1:27 am | |
| Emmanuel Dreyfus | Jul 26, 2007 4:04 am | |
| Emmanuel Dreyfus | Jul 26, 2007 4:04 am | |
| Donn Cave | Jul 26, 2007 9:38 am | |
| Ralf Haferkamp | Jul 26, 2007 11:46 am | |
| Howard Chu | Jul 27, 2007 2:13 am | |
| Subject: | Re: failover config: servers with same DNS address and TLS, subjectAltName extension | |
|---|---|---|
| From: | Christopher Cowart (ccow...@rescomp.berkeley.edu) | |
| Date: | Jul 23, 2007 7:40:22 pm | |
| List: | org.openldap.openldap-software | |
On Mon, Jul 23, 2007 at 01:51:19PM +0000, Emmanuel Dreyfus wrote:
> In order to have this working, we need x509 certificates that have the subjectAltName extension. This is not an OpenLDAP-specific problem, but the information about how to do it seems difficult to find, hence, here is the result of my experiments.
>
> 1) Creating a CSR
>
> On the LDAP servers, we need to set up OpenSSL for generating the certificate request (CSR). We need this in the [ req ] section of /etc/openssl/openssl.cnf:
>
>     req_extensions = v3_req
>
> Then, we need a [ v3_req ] section:
>
>     [ v3_req ]
>     basicConstraints = CA:FALSE
>     subjectAltName = "DNS:ldap.example.net, DNS:srv1.example.net"

I actually found that I could use the following:

    [ dev_ldap ]
    subjectAltName=DNS:ldap.example.com
    basicConstraints=CA:FALSE

I then used 'srv1.example.net' as the CN for the certificate. The OpenSSL libraries were quite happy with this; I can refer to the host as ldap.example.com or srv1.example.com and certificate verification will succeed.

Then, to sign, I use:

    openssl ca -extensions dev_ldap -in srv1.csr \
      -out srv1.crt

This allowed me to use the 'dev_ldap' extension set only for my development config while issuing all other certificates fell back to the 'v3_req' default configuration. It also seems cleaner to me to only specify the actual alternate name in the AltName field.

> It seems the subjectAltName has to be set in the config file. I found no way to have it prompted by the openssl command.

This was my experience too.

--
Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley
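The setup discussed in this thread, as an added example that is not code from either poster: a constructed openssl.cnf whose [ req ] section points at a [ v3_req ] section carrying the subjectAltName, a CSR generated from it, and a certificate issued by a throwaway test CA. It signs with `openssl x509 -req -extfile ... -extensions v3_req` rather than `openssl ca` (an assumption made to avoid setting up a CA directory), and it goes one step beyond the thread by checking that `openssl verify -verify_hostname` accepts both SAN names and rejects a name that is not in the certificate. All host names, file names and the CA are constructed; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: SAN from the config file, CSR, throwaway CA, hostname checks.
# Assumes openssl on PATH; every name and file below is constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"
# [ req ] points at [ v3_req ], which carries the SAN (as in the thread);
# [ v3_ca ] exists only so the throwaway CA is a valid CA certificate.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = srv1.example.net
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:ldap.example.net, DNS:srv1.example.net
[ v3_ca ]
basicConstraints     = CA:TRUE
subjectKeyIdentifier = hash
EOF
# Server key + CSR (SAN comes from req_extensions), throwaway CA, then a cert
# signed with the v3_req extension set copied from the config file.
make_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -keyout "$WORK/srv1.key" -out "$WORK/srv1.csr" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=Test CA" \
    -days 1 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/srv1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$CNF" -extensions v3_req \
    -out "$WORK/srv1.crt" 2>/dev/null
}
# The subjectAltName line from -text output, for the CSR and for the issued cert.
extract_san() { grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'; }
san_of_csr()  { openssl req  -in "$WORK/srv1.csr" -noout -text | extract_san; }
san_of_cert() { openssl x509 -in "$WORK/srv1.crt" -noout -text | extract_san; }
# Returns 0 only if the cert chains to the CA and the hostname matches a SAN entry.
verify_name() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/srv1.crt" >/dev/null 2>&1
}
make_cert
echo "CSR SAN: $(san_of_csr)"; echo "Cert SAN: $(san_of_cert)"
for h in ldap.example.net srv1.example.net other.example.net; do
  if verify_name "$h"; then echo "$h: ok"; else echo "$h: rejected"; fi
done
```

Because the SAN is present, OpenSSL matches the hostname against the SAN entries and not the CN, so a name that appears only in the CN would be rejected.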