
Re: Require use of SSL..



> > And speaking of SSL, I have another issue I'd like to discuss. Okay,
> > when I generate a cert I specify the hostname. This locks the SSL cert to that
> > hostname. For the LDAP service I am using RRDNS. So I have servers like
> > dir1, dir2, dir3, but the service is connected to as dir. So this means
> > when I create the cert I need to create it as "dir" and use that cert for
> > dir1, dir2, dir3.
> >
> > When specifying a replica host I need to specify the real hostname
> > (e.g., dir2). I can't specify dir since this will result in a RRDNS hit which
> > could definitely lead to replication failing. (For one thing, you can't
> > replicate to yourself.)
> >
> > Is there a solution?
>
> Yes, 'subjectAltName' in openssl.cnf

I wonder though if I even need to worry. The only time I have this issue is
when I define the host in the replica stanza. I generated all of the certs
using ldap.domain. In the replica stanza I have to put the real hostname
since ldap.domain is RRDNS for two servers (the master and slave). So I put
host=ldap-slave.domain. Does slurpd try to verify that the cert matches the
hostname? Will TLS for slurpd work anyway if it doesn't?
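The subjectAltName approach from the quoted reply, worked through as an added example (it is not part of this thread and not anyone's posted script): one openssl.cnf whose [alt_names] section lists the round-robin service name and every real host behind it, so a single certificate is valid whether a client connects to the RRDNS name or a replica is addressed by its real hostname. The domain example.com, the host names and the file paths are assumptions chosen for illustration; the cert is self-signed here, where in practice it would be signed by the site CA.

```shell
#!/bin/sh
# Added example, not from the thread. Generates one server certificate whose
# subjectAltName covers the RRDNS service name plus each real host behind it.
# Names below are assumed for illustration only.

SERVICE_NAME="dir.example.com"                                    # round-robin name clients use
REAL_HOSTS="dir1.example.com dir2.example.com dir3.example.com"   # real replica hostnames

# Write an openssl.cnf with every name in an [alt_names] section.
write_san_config() {
    out="$1"
    {
        echo "[req]"
        echo "distinguished_name = dn"
        echo "x509_extensions = v3_req"
        echo "prompt = no"
        echo "[dn]"
        echo "CN = $SERVICE_NAME"
        echo "[v3_req]"
        echo "subjectAltName = @alt_names"
        echo "[alt_names]"
        i=1
        for name in $SERVICE_NAME $REAL_HOSTS; do
            echo "DNS.$i = $name"
            i=$((i + 1))
        done
    } > "$out"
}

# Generate a key and a self-signed certificate from that config into "$1".
generate_cert() {
    dir="$1"
    write_san_config "$dir/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ldap.key" -out "$dir/ldap.crt" \
        -config "$dir/openssl.cnf" >/dev/null 2>&1
}

# Return 0 if the certificate's SAN extension carries the given DNS name.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Usage: sh san_cert.sh /path/to/output-dir
if [ -n "$1" ]; then
    generate_cert "$1" && openssl x509 -in "$1/ldap.crt" -noout -text | grep DNS:
fi
```

The same ldap.key/ldap.crt pair is then installed on dir1, dir2 and dir3; a peer that verifies the certificate against whichever name it connected to (dir or dirN) finds that name in the SAN list.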