[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: multiple server certificates

Howard Chu writes:
>Hallvard B Furuseth wrote:
>> Would it be hard to make different listener addresses present
>> different server certificates, signed by different CA certificates?
> Not that hard. The worst part would be defining the new config syntax
> for it and adding the appropriate config actions.

Maybe something like:

dn: cn={n}override,cn=config
olcOverrideBy: <"*" or socket-related <who> fields from olcAccess>
<same attributes as in cn=config entry>

slapd would search each override for the first which matches the
connection.  Attributes not found there would be taken from the
cn=config entry.  The attributes would need to accept some value
which means "don't use the cn=config default for this attribute".

Over time it could be generalized to cover other config parameters like
limits, and maybe other <by> clauses too.

I don't understand the tls-config code itself though.  It configures
a fake LDAP*, slap_tls_ld, so I presume the TLS config isn't global.
That's good news - except I don't see where the slap_tls_ld settings
are applied to a connection.