[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP and SSL

To: Openldap list <openldap-software@OpenLDAP.org>
Subject: Re: LDAP and SSL
From: Tony Earnshaw <tonye@billy.demon.nl>
Date: Tue, 30 Nov 2004 20:35:50 +0100
In-reply-to: <91f88ee204113008267b58d0d5@mail.gmail.com>
Organization: Billy
References: <91f88ee204112810284d745e7f@mail.gmail.com> <Pine.OSX.4.58.0411282026360.387@spud.local> <91f88ee2041128183058dc0ae6@mail.gmail.com> <20041129152907.GA25263@mtholyoke.edu> <20041129185429.GD25565@mtholyoke.edu> <91f88ee20411291117141ece3b@mail.gmail.com> <91f88ee20411291128211545e@mail.gmail.com> <1101811667.30561.34.camel@localhost> <91f88ee2041130055298cc51d@mail.gmail.com> <1101825984.874.19.camel@localhost> <91f88ee204113008267b58d0d5@mail.gmail.com>

tir, 30.11.2004 kl. 17.26 skrev Chasecreek Systemhouse:

[...]

> > Looks better:) You're doing the wrong test though, so you don't get to
> > see the errnos. I don't believe for one minute that
> > debian.insecurity.org's IP no. as resolved by gethostbyname() is
> > 192.168.2.2 - I think it's 68.214.83.106:
> 
> So, even if I'm NOT doing internal tests over the public Internet
> (everything so far has been private IPs) I *still* have to put the
> public IP in this section:
> 
> subjectAltName=IP:192.168.2.2,DNS:debian.insecurity.org,DNS:*.insecurity.org,DNS:localhost.localdomain
> 
> Is that because the server can be "seen" over the public Internet?

Rethink. Internal domains (192.168.0.0/16) have nothing to do with
Internet domains. Either redesign your DNS so that you use split DNS
(e.g. internal domain maps 192.168.2.2/32 to debian.internal or some
such internal domain and use that in your cert for you host), or adjust
/etc/hosts on each and every machine to reflect the same. If, when doing
'hostname -f' it gives "debian.insecurity.org", that is plain wrong,
since it's on an RFC 1918 network. Rename it to debian.internal or
whatever.

I made a bad mistake in my last posting, wrote that gethostbyname uses
nss. It doesn't of course, it uses the resolv libraries.

--Tonni

-- 
Nothing sucksseeds like a pigeon without a beak ...

mail: tonye@billy.demon.nl
http://www.billy.demon.nl
 
They love us, don't they, They feed us, won't they ...

Follow-Ups:
- Re: LDAP and SSL
  - From: Chasecreek Systemhouse <chasecreek.systemhouse@gmail.com>

References:
- LDAP and SSL
  - From: Chasecreek Systemhouse <chasecreek.systemhouse@gmail.com>
- Re: LDAP and SSL
  - From: Steve Revilak <srevilak@speakeasy.net>
- Re: LDAP and SSL
  - From: Chasecreek Systemhouse <chasecreek.systemhouse@gmail.com>
- Re: LDAP and SSL
  - From: Ron Peterson <rpeterso@mtholyoke.edu>
- Re: LDAP and SSL
  - From: Ron Peterson <rpeterso@mtholyoke.edu>
- Re: LDAP and SSL
  - From: Chasecreek Systemhouse <chasecreek.systemhouse@gmail.com>
- Re: LDAP and SSL
  - From: Chasecreek Systemhouse <chasecreek.systemhouse@gmail.com>
- Re: LDAP and SSL
  - From: Tony Earnshaw <tonye@billy.demon.nl>
- Re: LDAP and SSL
  - From: Chasecreek Systemhouse <chasecreek.systemhouse@gmail.com>
- Re: LDAP and SSL
  - From: Tony Earnshaw <tonye@billy.demon.nl>
- Re: LDAP and SSL
  - From: Chasecreek Systemhouse <chasecreek.systemhouse@gmail.com>

Prev by Date: Re: group ACL Problems, disallow deletion of an object
Next by Date: Re: group ACL Problems, disallow deletion of an object
Index(es):
- Chronological
- Thread