
Re: (ITS#6554) OpenLDAP + TLS multiple server certificates

stepan.kipel@ab-group.biz wrote:
> Full_Name: Stepan Kipel
> Version: 2.4.19
> OS: Red Hat Enterprise Linux AS release 4
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> In our network there are 2 servers running slapd, one is syncrepl-provider and
> other is consumer. Both have identical IP address for LDAP requests and
> configured in manner that when one goes down, second takes over (configured
> externally, by routing). Also, TLS is configured and works transparently for
> client machines (DNS resolves their "common" IP), but it's hard to use their
> Domain Name for TLS syncrepl - DNS resolves IP, that is up on local machine. We
> decided to put up other interface on syncrepl-provider for replication purposes,
> mapped another Domain Name on this interface and appended CA, server and private
> server certs created for this Domain Names to files included by
> TLSCACertificateFile, TLSCertificateFile and TLSCertificateKey in slapd.conf
> file, respectively. We've tried to execute ldapsearch with two different
> ldap.conf configs - for first and second domain name of the server, one works
> and another - not. Error looks like "TLS: hostname (first_srv_name) does not
> match common name in certificate (second_srv_name)."
> The question is - can slapd server use more than 2 server certificates or we
> should use another technology (tunneling, etc...) for encrypted syncrepl?

A server cert file and key file may only contain one item; that's a constraint 
from the underlying TLS library. You should not have needed to create a new CA 
for this situation. You should look at using a single server cert with a 
subjectAltName matching the alternate interface name.

The ITS is for bug reports, not for getting help on using the software. This 
ITS will be closed. Use the -software mailing list.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
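
Added example, not part of the original message or of OpenLDAP: one way to issue the single server certificate suggested in the reply, with a subjectAltName covering both the shared service name and the replication interface name, and to check which hostnames it is valid for. The hostnames, file names and throwaway CA are constructed placeholders; in practice the site's existing CA signs the request.

```shell
#!/bin/sh
# Hostnames and file names below are constructed placeholders.
SERVICE_NAME="ldap.example.com"        # name clients resolve (shared IP)
REPL_NAME="ldap-repl.example.com"      # name on the replication interface

# make_san_cert DIR: create a throwaway CA plus one server key/cert in DIR.
make_san_cert() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Throwaway CA standing in for the site's existing CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Extension section applied when the CA signs the request.
    cat > "$dir/san.cnf" <<EOF
[san_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVICE_NAME, DNS:$REPL_NAME
EOF
    # One key and one request; the CN alone would cover only one name.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$SERVICE_NAME" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -extensions san_ext \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# cert_matches CERT NAME: succeed only if CERT is valid for hostname NAME.
cert_matches() {
    openssl x509 -in "$1" -checkhost "$2" | grep -q 'does match'
}
```

The resulting `server.crt` and `server.key` are the single pair that `TLSCertificateFile` and `TLSCertificateKeyFile` point at; running `cert_matches` against each name a client or syncrepl consumer will use shows a hostname mismatch before deployment.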