Subject: [SOLVED] Re: multiple servers in DNS and TLS
From: Emmanuel Dreyfus (ma@netbsd.org)
Date: Jul 17, 2007 2:49:59 pm
List: org.openldap.openldap-software

Quanah Gibson-Mount <qua@zimbra.com> wrote:

> > Is there some kind of trick to get this done properly?
>
> Use a cert with a correct subjectAltName, or a wildcard cert.

For future reference:

Assuming we have in the DNS the following RR:

foo     IN A 192.0.2.11
bar     IN A 192.0.2.12
ldap  1 IN A 192.0.2.11
ldap  1 IN A 192.0.2.12

Create certificate for foo:

subjectAltName=DNS:ldap.example.net,DNS:foo.example.net
CN=ldap.example.net

Create certificate for bar:

subjectAltName=DNS:ldap.example.net,DNS:bar.example.net
CN=ldap.example.net

On foo and bar, for generating the CSR, I needed that in /etc/openssl/openssl.cnf, in order to have openssl asking for subjectAltName:

[ req ]
(...)
distinguished_name = req_distinguished_name
(...)
[ req_distinguished_name ]
(...)
subjectAltName = Alternative Subject Name
subjectAltName_default = DNS:fqdn

On the CA, for signing the certificate, I needed that in /etc/openssl/openssl.cnf :

[ ca ]
default_ca = CA_default

[ CA_default ]
(...)
policy = policy_match

[ policy_match ]
(...)
subjectAltName = optional

Then, I have been able to use URI ldaps://ldap.example.net:636 in ldap.conf.
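The check below is an added example, not code from the thread: it models the zone and the two certificates described above as constructed data and verifies that each server's certificate would pass hostname verification for both the round-robin name (ldap.example.net) and the host's own name, using the usual TLS matching rules (case-insensitive, SAN before CN, wildcard only as the whole leftmost label). The ZONE and CERTS structures are assumptions built from the message, not parsed from real DNS or certificate files.

```python
"""Check that each LDAP server's certificate covers every DNS name a
client might use to reach it: the round-robin service name plus the
host's own name.  Matching follows the usual TLS hostname rules
(case-insensitive, wildcard only as the whole leftmost label, SAN takes
precedence over CN).  Constructed sample data mirrors the thread."""

# Constructed zone data: round-robin service name -> hosts behind it.
ZONE = {
    "ldap.example.net": ["foo.example.net", "bar.example.net"],
}

# Constructed certificates (subjectAltName DNS entries and CN) as issued
# on the two servers in the thread.
CERTS = {
    "foo.example.net": {"san": ["ldap.example.net", "foo.example.net"],
                        "cn": "ldap.example.net"},
    "bar.example.net": {"san": ["ldap.example.net", "bar.example.net"],
                        "cn": "ldap.example.net"},
}

def name_matches(pattern, hostname):
    """True if a certificate name (possibly '*.example.net') matches hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # A wildcard is honoured only as the entire leftmost label and only
    # matches a single label: '*.example.net' covers 'foo.example.net'
    # but not 'example.net' or 'a.b.example.net'.
    if plabels[0] != "*" or len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]

def cert_covers(cert, hostname):
    """Use SAN DNS names; fall back to CN only when the cert has none."""
    names = cert["san"] if cert["san"] else [cert["cn"]]
    return any(name_matches(n, hostname) for n in names)

def uncovered_names(zone=ZONE, certs=CERTS):
    """Return (host, name) pairs where a server's certificate would fail
    hostname verification for a client that reached it via `name`."""
    problems = []
    for service, hosts in zone.items():
        for host in hosts:
            for name in (service, host):
                if not cert_covers(certs[host], name):
                    problems.append((host, name))
    return problems
```

An empty result from uncovered_names() means the setup in the message is consistent; a certificate that lists only the host's own name in its SAN shows up as failing for ldap.example.net, since the CN is ignored once any SAN DNS entry is present.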