Subject: Re: [SOLVED] Re: multiple servers in DNS and TLS
From: Howard Chu (hy@symas.com)
Date: Jul 18, 2007 3:00:29 am
List: org.openldap.openldap-software

Dieter Kluenter wrote:

ma@netbsd.org (Emmanuel Dreyfus) writes:

Quanah Gibson-Mount <qua@zimbra.com> wrote:

Is there some kind of trick to get this done properly?

Use a cert with a correct subjectAltName, or a wildcard cert.

For future reference:

Assuming we have in the DNS the following RR:

    foo     IN A 192.0.2.11
    bar     IN A 192.0.2.12
    ldap 1  IN A 192.0.2.11
    ldap 1  IN A 192.0.2.12

Create certificate for foo:

    subjectAltName=DNS:ldap.example.net,DNS:foo.example.net
    CN=ldap.example.net

Create certificate for bar:

    subjectAltName=DNS:ldap.example.net,DNS:bar.example.net
    CN=ldap.example.net

I know that the subjectAltName type DNS is recommended, but RFC 4513 refers to type dNSName. Is there any reason that OpenLDAP requires type DNS?

They are one and the same. "DNS" is just the way that it is specified in the OpenSSL tools.
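As an added illustration (not code from this thread or from OpenLDAP), the RFC 4513 server-identity check that Howard's answer refers to, run against the two certificates Emmanuel describes plus the wildcard alternative Quanah mentions. The certificate dicts are constructed here in the shape Python's ssl.SSLSocket.getpeercert() returns; no real certificates are parsed.

```python
"""Hostname verification against subjectAltName dNSName entries (RFC 4513 3.1.3).

Added example, not part of the OpenLDAP thread.  Models what an LDAP client
does after the TLS handshake: compare the hostname it connected to against the
server certificate's dNSName SANs, falling back to the CN only when the
certificate carries no dNSName at all.
"""

# Constructed to mirror the thread: each server cert carries the shared
# service name (ldap.example.net) plus its own host name in subjectAltName.
CERT_FOO = {
    "subject": ((("commonName", "ldap.example.net"),),),
    "subjectAltName": (("DNS", "ldap.example.net"), ("DNS", "foo.example.net")),
}
CERT_BAR = {
    "subject": ((("commonName", "ldap.example.net"),),),
    "subjectAltName": (("DNS", "ldap.example.net"), ("DNS", "bar.example.net")),
}
# The wildcard alternative: one cert covering every host under example.net.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"),),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one dNSName entry with the hostname the client connected to.

    Case-insensitive.  A '*' is accepted only as the entire left-most label and
    matches exactly one label, so '*.example.net' covers foo.example.net but
    not example.net or a.b.example.net.  A wildcard directly under a TLD
    (e.g. '*.net') is rejected as a defensive extra.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """RFC 4513 rule: use dNSName SANs when present; otherwise fall back to CN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return any(dns_name_matches(san, hostname) for san in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(cn, hostname) for cn in cns)
```

Note that once a dNSName SAN is present the CN is ignored entirely, which is why each per-server certificate above must list both the shared service name and its own host name.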