[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap tls using ip addresses

To: Yao Mingxi <yaomingxi@gmail.com>
Subject: Re: openldap tls using ip addresses
From: Philip Guenther <guenther+ldapsoft@sendmail.com>
Date: Sat, 5 Jul 2008 22:50:56 -0600
Cc: openldap-software@openldap.org
In-reply-to: <faddf4de0807020526o66dfa34bxf443fe916db710be@mail.gmail.com>
References: <faddf4de0807020526o66dfa34bxf443fe916db710be@mail.gmail.com>
User-agent: Alpine 1.10 (BSO 962 2008-03-14)

On Wed, 2 Jul 2008, Yao Mingxi wrote:
> I am trying to set up tls for ldap connection using self signed 
> certificates and I realized that I must use the host name of the 
> openldap server as the uri for tls to work. Is there a way to use ip 
> addresses as uri and utilizing tls? And is there a way for multiple 
> replicated openldap server to accept a single tls certificate?

This really isn't an LDAP question but rather a general TLS or PKI (public 
key infrastructure) question.  The one bit specific to OpenLDAP is the 
question of what X509 cert extensions it supports in this area.  The 
answer for that is that it supports the dNSName and iPAddress types for 
subjectAltName extension values.  The latter can be used for both IPv4 and 
IPv6 addresses (if compiled to support IPv6 at all).

so, if you want to use IP addresses in URIs with TLS, you should create 
your certs with values of the iPAddress type in the subjectAltName 
extension.

How to do _that_ depends completely on your PKI/CA software and has 
nothing to do with LDAP itself.  You should check the docs for your PKI/CA 
software and/or consult the mailing lists for it if you need assistance in 
creating such certs

Philip Guenther

References:
- openldap tls using ip addresses
  - From: "Yao Mingxi" <yaomingxi@gmail.com>

Prev by Date: Re: slapd and multi core cpu's
Next by Date: incompatible access control between versions
Index(es):
- Chronological
- Thread