RE: Q: OpenLDAP In A 'Heartbeat' Cluster
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo Fredriksson
> Quoting "Howard Chu" <hyc@highlandsun.com>:
>
> > In OpenSSL I use these lines in my openssl.cnf file:
> > ###
> > DNSNAME = $ENV::DNSNAME
> > IPADDR = $ENV::IPADDR
> > ###
> >
> > In the [ usr_cert ] section
> > ###
> > subjectAltName=DNS:$DNSNAME,IP:$IPADDR
> > ###
>
> Which is which here? Ie, is any of these 'registered
> names'... Hm, fuzzy.
> Example:
>
> DNSNAME1 = $ENV::CERT_NAME1
> DNSNAME2 = $ENV::CERT_NAME2
> IPADDR1 = $ENV::CERT_IP1
> IPADDR2 = $ENV::CERT_IP2
> [...]
> subjectAltName=DNS:DNSNAME1,IP:$IPADDR1
> subjectAltName=DNS:DNSNAME2,IP:$IPADDR1
>
> Is this what you mean?
Pretty much. But as with every other openssl.cnf directive, you can only
specify subjectAltName once. If you want multiple values, put them all in a
single comma-separated list, or use a new config file section:
subjectAltName=@alt_section
[alt_section]
DNS.1=$DNSNAME1
DNS.2=$DNSNAME2
...
All of this is explained in the OpenSSL documentation, go read it. This
discussion should stop here, this list is not for teaching you how to use
OpenSSL.
>
> > You must set the DNSNAME and IPADDR environment variables
> before running the
> > CA app to generate/sign the cert. If you need to specify
> additional names,
> > use separate environment variables for each.
>
> In my example, I'd set variables 'CERT_NAME[12]' and
> 'CERT_IP[12]'... ?
In your example:
> ----- s n i p -----
> ldap1 IN A 192.168.1.4
> ldap2 IN A 192.168.1.5
> ldap3 IN A 192.168.1.6
> ; Round-robin
> ldap IN A 192.168.1.4
> IN A 192.168.1.5
> IN A 192.168.1.6
> ----- s n i p -----
I would ignore the IP addresses since you are obviously working with DNS;
working with IP addresses in certificate names is (in my opinion) a hack
reserved for when hostnames are unavailable.
I would use DNSNAME=$ENV::DNSNAME in the top section of openssl.cnf, setenv
DNSNAME ldap.domain.ltd, and then create three certificates whose DNs are
cn=ldap1.domain.ltd,<suffix>
cn=ldap2.domain.ltd,<suffix>
cn=ldap3.domain.ltd,<suffix>
and distribute the 3 certs to their corresponding servers. Notice the policy
that I have chosen - the certDN always carries the canonical FQDN of the
server. The subjectAltName carries the round-robin alias. This way I only
have to set one environment variable, once, before generating a set of
certificates.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
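A complete worked example of the policy described in the reply above (the certificate DN carries the server's canonical FQDN, the subjectAltName carries the round-robin alias, and the alias is taken from one environment variable via `$ENV::DNSNAME` and an `@alt_section`). This is an added example, not code from the thread or from the OpenLDAP or OpenSSL projects. Its assumptions: the `[ req ]`-based config layout and self-signed certificates via `openssl req -x509` (a stand-in for the CA-signing step the thread refers to), a temporary working directory, and the helper names `write_cnf`, `make_certs`, `subject_cn`, `san_of` and `cert_has_dns`.

```shell
#!/bin/sh
# Added example (not from the thread): CN = canonical FQDN of each server,
# subjectAltName = the round-robin alias read from the DNSNAME environment variable.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf. The top (default) section imports DNSNAME from the
# environment, and [alt_section] refers to it as $DNSNAME. Self-signing with
# "req -x509" is an assumption of this example; with a CA you would put
# subjectAltName in the CA's [ usr_cert ] section instead.
write_cnf() {
cat > "$WORK/openssl.cnf" <<'EOF'
DNSNAME = $ENV::DNSNAME

[ req ]
distinguished_name = req_dn
x509_extensions    = usr_cert
prompt             = no

[ req_dn ]
# Overridden by -subj on the command line; req still requires this section.
CN = placeholder

[ usr_cert ]
subjectAltName = @alt_section

[ alt_section ]
DNS.1 = $DNSNAME
EOF
}

# One alias, set once, for the whole batch of certificates.
DNSNAME=ldap.domain.ltd
export DNSNAME

# Generate one self-signed certificate per server; the CN is that server's own FQDN.
make_certs() {
  for host in ldap1.domain.ltd ldap2.domain.ltd ldap3.domain.ltd; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -config "$WORK/openssl.cnf" -subj "/CN=$host" \
      -keyout "$WORK/$host.key" -out "$WORK/$host.crt" 2>/dev/null
  done
}

# Print the CN of the certificate at $1 (handles both "CN = x" and "/CN=x" output styles).
subject_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Print the subjectAltName entries of the certificate at $1, one per line.
san_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' | tr ',' '\n'
}

# Succeed if the certificate at $1 lists $2 as a DNS subjectAltName.
cert_has_dns() {
  san_of "$1" | grep -qx "DNS:$2"
}

write_cnf
make_certs
for host in ldap1.domain.ltd ldap2.domain.ltd ldap3.domain.ltd; do
  echo "$host: CN=$(subject_cn "$WORK/$host.crt") SAN=$(san_of "$WORK/$host.crt" | tr '\n' ' ')"
done
```

Each of the three certificates ends up with a distinct CN (`ldap1.domain.ltd`, `ldap2.domain.ltd`, `ldap3.domain.ltd`) and the same `DNS:ldap.domain.ltd` subjectAltName, so a client that connects to the round-robin name validates whichever server answers. One caveat when applying this policy today: current TLS clients match the host name against subjectAltName and ignore the CN, so if clients also connect to the individual names (`ldap1.domain.ltd` and so on), those names need their own `DNS.2` entry in the alt section as well.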