
Re: multiple server certificates



Howard Chu writes:
>Hallvard B Furuseth wrote:
>> Would it be hard to make different listener addresses present
>> different server certificates, signed by different CA certificates?
>
> Not that hard. The worst part would be defining the new config syntax
> for it and adding the appropriate config actions.

Maybe something like:

dn: cn={n}override,cn=config
olcOverrideBy: <"*" or socket-related <who> fields from olcAccess>
<same attributes as in cn=config entry>

slapd would search each override for the first which matches the
connection.  Attributes not found there would be taken from the
cn=config entry.  The attributes would need to accept some value
which means "don't use the cn=config default for this attribute".

Over time it could be generalized to cover other config parameters like
limits, and maybe other <by> clauses too.

I don't understand the tls-config code itself though.  It configures
a fake LDAP*, slap_tls_ld, so I presume the TLS config isn't global.
That's good news - except I don't see where the slap_tls_ld settings
are applied to a connection.

-- 
Hallvard
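The resolution rule sketched in the message (search the cn={n}override entries in order, first match wins, attributes missing from the chosen entry come from cn=config, and a dedicated value means "do not use the cn=config default") can be worked through on constructed data. The block below is an added illustration of that proposed semantics in Python; it is not OpenLDAP code and the syntax never shipped in this form. The attribute name olcOverrideBy, the sentinel value, the file paths and the addresses are all assumptions; the `<who>` clause forms it understands (`*`, `sockname.ip=`, `peername.ip=` with a `%` netmask, `sockurl.regex=`) are borrowed from the socket-related fields of olcAccess.

```python
"""Illustration (not OpenLDAP code) of the override-resolution rule proposed
for per-connection TLS settings: cn={n}override entries are searched in order,
the first whose olcOverrideBy clause matches the connection wins, attributes
it does not carry fall back to cn=config, and a sentinel value means "do not
apply the cn=config default for this attribute".

Assumptions: the attribute name olcOverrideBy, the sentinel UNSET, and every
path and address below are constructed for this example."""

import ipaddress
import re
from dataclasses import dataclass, field

UNSET = "__unset__"   # assumed sentinel: "don't use the cn=config value here"


@dataclass
class Connection:
    sockname_ip: str   # local listener address the client connected to
    peername_ip: str   # client address
    sockurl: str       # listener URL, e.g. ldaps://203.0.113.4:636


@dataclass
class Override:
    by: str                                  # olcOverrideBy clause
    attrs: dict = field(default_factory=dict)


def clause_matches(by, conn):
    """Match one olcOverrideBy clause against a connection, using the
    socket-related <who> forms of olcAccess: '*', sockname.ip=<ip>[%<mask>],
    peername.ip=<ip>[%<mask>], sockurl.regex=<regex>."""
    if by == "*":
        return True
    key, _, val = by.partition("=")
    if key in ("sockname.ip", "peername.ip"):
        addr = conn.sockname_ip if key == "sockname.ip" else conn.peername_ip
        # slapd writes the mask as ip%mask; ipaddress wants ip/mask
        net = ipaddress.ip_network(val.replace("%", "/"), strict=False)
        return ipaddress.ip_address(addr) in net
    if key == "sockurl.regex":
        return re.match(val, conn.sockurl) is not None
    raise ValueError(f"unsupported olcOverrideBy clause: {by}")


def resolve(config, overrides, conn, names):
    """Effective values of `names` for `conn`: first matching override wins,
    missing attributes fall back to `config`, UNSET becomes None."""
    chosen = next((o for o in overrides if clause_matches(o.by, conn)), None)
    result = {}
    for name in names:
        if chosen is not None and name in chosen.attrs:
            val = chosen.attrs[name]
        else:
            val = config.get(name)
        result[name] = None if val == UNSET else val
    return result


TLS_ATTRS = ("olcTLSCertificateFile", "olcTLSCertificateKeyFile",
             "olcTLSCACertificateFile", "olcTLSVerifyClient")

# Constructed cn=config defaults: the public-facing certificate.
CN_CONFIG = {
    "olcTLSCertificateFile": "/etc/ldap/public.crt",
    "olcTLSCertificateKeyFile": "/etc/ldap/public.key",
    "olcTLSCACertificateFile": "/etc/ldap/public-ca.crt",
    "olcTLSVerifyClient": "never",
}

# Constructed cn={n}override entries, in search order.
OVERRIDES = [
    # Internal listener: certificate from the internal CA, client certs required.
    Override("sockname.ip=10.0.0.5", {
        "olcTLSCertificateFile": "/etc/ldap/internal.crt",
        "olcTLSCertificateKeyFile": "/etc/ldap/internal.key",
        "olcTLSCACertificateFile": "/etc/ldap/internal-ca.crt",
        "olcTLSVerifyClient": "demand",
    }),
    # Management network hitting the public listener: keep the public cert but
    # explicitly drop the CA bundle rather than inheriting it from cn=config.
    Override("peername.ip=192.0.2.0%255.255.255.0", {
        "olcTLSCACertificateFile": UNSET,
    }),
]


def effective_tls(conn):
    """TLS settings slapd would apply to `conn` under the proposed scheme."""
    return resolve(CN_CONFIG, OVERRIDES, conn, TLS_ATTRS)


if __name__ == "__main__":
    for c in (Connection("10.0.0.5", "10.0.0.77", "ldaps://10.0.0.5:636"),
              Connection("203.0.113.4", "192.0.2.9", "ldaps://203.0.113.4:636"),
              Connection("203.0.113.4", "198.51.100.3", "ldaps://203.0.113.4:636")):
        print(c.sockurl, "from", c.peername_ip, "->", effective_tls(c))
```

Ordering matters exactly as the message says: a client from 192.0.2.0/24 reaching the 10.0.0.5 listener is matched by the first entry and never sees the second, so a practitioner writing such overrides would put the most specific socket clause first.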