RE: replication question; start_tls
Start by reading section 3.6 of RFC 2830; that should give you what you need.
The answer is to add an X509v3 extension to each server's certificate that
specifies an alternate name to use for verification. The LDAP library will look
for this subjectAltName first, and will fall back to the commonName if there are
no matching alternates.
Though it will work either way, I usually set the machine's unique name in the
certificate's CN and put the shared name(s) in the subjectAltName.
Also, RFC 2830 specifies that you can use a '*' as a wildcard match. While the
RFC does not explicitly specify where wildcards can appear, the LDAP library
only allows wildcards in the subjectAltName, not the commonName.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Nick Urbanik
> Sent: Wednesday, February 20, 2002 1:41 AM
> To: OpenLDAP software
> Subject: replication question; start_tls
> Dear teams,
> I am unclear on how to configure replication with start_tls.
> The slave and master both have the same DNS entry, and share a certificate
> with the name set to the common server host name.
> When the slave sends the client a redirect, it will have to be to the master
> by some unique name. Then start_tls cannot work, since the client uses a name
> that does not match that in the certificate.
> How do you people do it?
> Nick Urbanik RHCE firstname.lastname@example.org
> Dept. of Information & Communications Technology
> Hong Kong Institute of Vocational Education (Tsing Yi)
> Tel: (852) 2436 8576, (852) 2436 8579 Fax: (852) 2436 8526
> PGP: 53 B6 6D 73 52 EE 1F EE EC F8 21 98 45 1C 23 7B ID: 7529555D
> GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
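The name-checking order described in the reply above (subjectAltName DNS entries first, with a wildcard honoured only in the left-most component as RFC 2830 section 3.6 allows; commonName only as a fallback, with no wildcard), written out as an added illustration. This is not OpenLDAP's own code; the function names, the sample replica certificate and the assumption that the SAN DNS names have already been extracted from the certificate are mine.

```python
import re
from typing import Iterable, Optional

def _label_matches(pattern: str, label: str, allow_wildcard: bool) -> bool:
    """Case-insensitive match of one DNS label; '*' matches any run of characters
    inside that label, but only when wildcards are permitted for this field."""
    if "*" in pattern and not allow_wildcard:
        return False
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, label, re.IGNORECASE) is not None

def name_matches(pattern: str, hostname: str, allow_wildcard: bool) -> bool:
    """Compare a certificate name against the hostname the client connected to.
    Label counts must agree, so '*.example.org' never matches 'a.b.example.org'.
    A wildcard is honoured only in the left-most component (RFC 2830 s3.6)."""
    p = pattern.rstrip(".").split(".")
    h = hostname.rstrip(".").split(".")
    if len(p) != len(h) or not p[0]:
        return False
    if not _label_matches(p[0], h[0], allow_wildcard):
        return False
    return all(_label_matches(pl, hl, False) for pl, hl in zip(p[1:], h[1:]))

def verify_server_name(hostname: str, san_dns_names: Iterable[str],
                       common_name: Optional[str]) -> Optional[str]:
    """Return which certificate field matched ('subjectAltName' or 'commonName'),
    or None when neither does. SAN entries are checked first; the CN is used
    only when no alternate matched, and a CN containing '*' is rejected."""
    for alt in san_dns_names:
        if name_matches(alt, hostname, allow_wildcard=True):
            return "subjectAltName"
    if common_name and name_matches(common_name, hostname, allow_wildcard=False):
        return "commonName"
    return None

# Constructed sample: a replica whose CN is its unique machine name and whose
# subjectAltName carries the shared service name plus a wildcard pool name.
REPLICA_CN = "ldap1.example.org"
REPLICA_SAN = ["ldap.example.org", "*.ldap-pool.example.org"]

if __name__ == "__main__":
    for host in ("ldap.example.org", "ldap1.example.org",
                 "node7.ldap-pool.example.org", "ldap2.example.org"):
        print(host, "->", verify_server_name(host, REPLICA_SAN, REPLICA_CN))
```

Connecting to the shared name is satisfied by the SAN, the redirect target by the CN, and a sibling replica's unique name by neither, which is exactly why each server needs its own CN alongside the shared SAN.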