30 messages in org.openldap.openldap-software: Re: failover config: servers with sam...

| From | Sent On | Attachments |
|---|---|---|
| Emmanuel Dreyfus | Jul 23, 2007 6:50 am | |
| Quanah Gibson-Mount | Jul 23, 2007 11:01 am | |
| Emmanuel Dreyfus | Jul 23, 2007 1:09 pm | |
| Quanah Gibson-Mount | Jul 23, 2007 1:18 pm | |
| Russ Allbery | Jul 23, 2007 4:35 pm | |
| Christopher Cowart | Jul 23, 2007 7:40 pm | |
| Howard Chu | Jul 23, 2007 9:58 pm | |
| Emmanuel Dreyfus | Jul 24, 2007 1:02 am | |
| Howard Chu | Jul 24, 2007 1:54 am | |
| Emmanuel Dreyfus | Jul 24, 2007 12:18 pm | |
| Quanah Gibson-Mount | Jul 25, 2007 8:52 am | |
| Emmanuel Dreyfus | Jul 25, 2007 9:06 am | |
| Quanah Gibson-Mount | Jul 25, 2007 9:47 am | |
| Michael Ströder | Jul 25, 2007 9:53 am | |
| Emmanuel Dreyfus | Jul 25, 2007 10:36 am | |
| Quanah Gibson-Mount | Jul 25, 2007 10:46 am | |
| Howard Chu | Jul 25, 2007 2:31 pm | |
| Michael Ströder | Jul 25, 2007 2:38 pm | |
| Howard Chu | Jul 25, 2007 2:44 pm | |
| Russ Allbery | Jul 25, 2007 2:45 pm | |
| Norman Gaywood | Jul 25, 2007 3:04 pm | |
| Emmanuel Dreyfus | Jul 25, 2007 8:30 pm | |
| Emmanuel Dreyfus | Jul 25, 2007 8:31 pm | |
| Howard Chu | Jul 25, 2007 11:17 pm | |
| Ralf Haferkamp | Jul 26, 2007 1:27 am | |
| Emmanuel Dreyfus | Jul 26, 2007 4:04 am | |
| Emmanuel Dreyfus | Jul 26, 2007 4:04 am | |
| Donn Cave | Jul 26, 2007 9:38 am | |
| Ralf Haferkamp | Jul 26, 2007 11:46 am | |
| Howard Chu | Jul 27, 2007 2:13 am | |

| Subject: | Re: failover config: servers with same DNS address and TLS, subjectAltName extension |
|---|---|
| From: | Emmanuel Dreyfus (ma...@netbsd.org) |
| Date: | Jul 24, 2007 12:18:01 pm |
| List: | org.openldap.openldap-software |
Howard Chu <hy...@symas.com> wrote:

> When you run OpenLDAP's configure script you will see:
>
>     checking OpenSSL library version (CRL checking capability)... no
>
> indicating that your OpenSSL library doesn't support it. Otherwise I suppose you would see it in your OpenSSL release notes/docs.

Yes, I discovered HAVE_OPENSSL_CRL. The problem is that this test validates at mine, despite the OpenSSL version (0.9.7d):

    configure:19757: checking OpenSSL library version (CRL checking capability)
    configure:19791: result: yes

And then if I use TLS_CRLCHECK, the LDAP operation will fail:

    ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I hope you'll agree with me that this is *very* misleading if CRL checks are not supposed to work with 0.9.7d.

> You posted your email as if it was a general solution for anybody trying to solve the aliased server name problem for TLS certificates.

Quoting myself: "here is the result of my experiments"

I wouldn't call that a claim of being an authoritative guide. I posted it there with the hope it could be useful to others looking for the piece of information I missed. It was not perfect, but that's not a problem, since you and others kindly pointed out the errors. If you don't discourage me too much, I may even post an update with your comments included.

> This part of your config is not part of that general solution, it is specific to your deployment. In particular, the sasl-secprops setting is a global option and affects all connections, whether they use TLS or not. As such, you are allowing users to use login/plain over cleartext connections as well as TLS connections. You might have taken precautions against this in the other parts of your slapd.conf (using the security directive)

Yes, I have this. Is it fine?

    security simple_bind=128

> but you didn't indicate those precautions anywhere in what you posted. So you will mislead anyone following your advice into leaving their servers quite vulnerable.

I hope people do some testing before rolling a copy/pasted configuration in production...

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@netbsd.org
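For readers following the sasl-secprops point Howard raises above, here is an added slapd.conf fragment that is not from this thread or from the OpenLDAP project. It shows the global sasl-secprops setting paired with the security directive so that neither a simple bind nor a SASL PLAIN/LOGIN bind is accepted until TLS has given the connection a security strength factor (SSF) of 128. The certificate paths are placeholders; the directive names and factor values are those documented in slapd.conf(5).

```conf
# Added example, not from the thread. Certificate paths are placeholders.

# TLS material: without this, STARTTLS/ldaps cannot raise the SSF at all.
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/server.pem
TLSCertificateKeyFile  /etc/openldap/certs/server.key

# Global SASL policy, applied to every connection whether it uses TLS or not.
# minssf=128 requires a combined (transport + mechanism) SSF of 128, so
# PLAIN and LOGIN, which add no protection of their own, are only usable
# after TLS has supplied that strength. noanonymous rejects ANONYMOUS.
sasl-secprops  noanonymous,minssf=128

# Weak setting being replaced (shown for contrast, do not use):
#   sasl-secprops  none
# With "none" and no security directive, PLAIN/LOGIN and simple binds are
# accepted over cleartext ldap:// connections.

# Strength requirements enforced by slapd itself:
#   simple_bind=128  refuse simple binds (password in the clear) below SSF 128
#   update_ssf=128   refuse write operations below SSF 128
# Add ssf=128 as well to refuse every other operation over an unprotected
# session.
security  simple_bind=128 update_ssf=128
```

The check to run before publishing such a config: a simple bind over plain ldap:// without STARTTLS (for example ldapwhoami -x with no -ZZ) is refused by slapd with "Confidentiality required" (LDAP result code 13) before the password is evaluated, while the same bind with -ZZ succeeds. If the cleartext bind succeeds, the security directive is missing or is set on a different database than the one being bound to.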