atom feed30 messages in org.openldap.openldap-softwareRe: failover config: servers with sam...
FromSent OnAttachments
Emmanuel DreyfusJul 23, 2007 6:51 am 
Quanah Gibson-MountJul 23, 2007 11:01 am 
Emmanuel DreyfusJul 23, 2007 1:09 pm 
Quanah Gibson-MountJul 23, 2007 1:18 pm 
Russ AllberyJul 23, 2007 4:35 pm 
Christopher CowartJul 23, 2007 7:40 pm 
Howard ChuJul 23, 2007 9:58 pm 
Emmanuel DreyfusJul 24, 2007 1:02 am 
Howard ChuJul 24, 2007 1:54 am 
Emmanuel DreyfusJul 24, 2007 12:18 pm 
Quanah Gibson-MountJul 25, 2007 8:53 am 
Emmanuel DreyfusJul 25, 2007 9:07 am 
Quanah Gibson-MountJul 25, 2007 9:48 am 
Michael StröderJul 25, 2007 9:53 am 
Emmanuel DreyfusJul 25, 2007 10:36 am 
Quanah Gibson-MountJul 25, 2007 10:47 am 
Howard ChuJul 25, 2007 2:31 pm 
Michael StröderJul 25, 2007 2:39 pm 
Howard ChuJul 25, 2007 2:45 pm 
Russ AllberyJul 25, 2007 2:46 pm 
Norman GaywoodJul 25, 2007 3:04 pm 
Emmanuel DreyfusJul 25, 2007 8:31 pm 
Emmanuel DreyfusJul 25, 2007 8:31 pm 
Howard ChuJul 25, 2007 11:18 pm 
Ralf HaferkampJul 26, 2007 1:28 am 
Emmanuel DreyfusJul 26, 2007 4:04 am 
Emmanuel DreyfusJul 26, 2007 4:04 am 
Donn CaveJul 26, 2007 9:39 am 
Ralf HaferkampJul 26, 2007 11:47 am 
Howard ChuJul 27, 2007 2:14 am 
Subject:Re: failover config: servers with same DNS address and TLS, subjectAltName extension
From:Christopher Cowart (ccow@rescomp.berkeley.edu)
Date:Jul 23, 2007 7:40:45 pm
List:org.openldap.openldap-software

On Mon, Jul 23, 2007 at 01:51:19PM +0000, Emmanuel Dreyfus wrote:

In order to have this working, we need x509 certificate that have the subjectAltName extension. This is not an OpenLDAP-specific problem, but the information about how to do it seems difficult to find, hence, here is the result of my experiments.

1) Creating a CSR On the LDAP servers, we need to setup OpenSSL for generating the certificate request (CSR). We need this in the [ req ] section of /etc/openssl/openssl.cnf: req_extensions = v3_req

The, we need a [ v3_req ] section: [ v3_req ] basicConstraints = CA:FALSE subjectAltName = "DNS:ldap.example.net, DNS:srv1.example.net"

I actually found that I could use the following: [ dev_ldap ] subjectAltName=DNS:ldap.example.com basicConstraints=CA:FALSE

I then used 'srv1.example.net' as the CN for the certificate. The OpenSSL libraries were quite happy with this; I can refer to the host as ldap.example.com or srv1.example.com and certificate verification will succeed.

Then, to sign, I use `openssl ca -extensions dev_ldap -in srv1.csr \ -out srv1.crt'.

This allowed me to use the 'dev_ldap' extension set only for my development config while issuing all other certificates fell back to the 'v3_req' default configuration. It also seems cleaner to me to only specify the actual alternate name in the AltName field.

It seems the subjectAltName has to be set in the config file. I found no way to have it prompted by the openssl command.

This was my experience too.