openldap 2.0.x generic ssl certificate
I've been in the habit of using tls for all my pam_ldap clients talking
to my ldap server.
However, I've gotten to the point where I need failover for my auth ldap.
I've got replication going to my slave, so everything is fine there. My
problem is incorporating tls for all the communication.
Originally I created a certificate like so:
# create keys for openldap
# (with no -out, openssl writes the certificate itself to stdout)
openssl req -x509 -newkey rsa:1024 -days 9999 -nodes \
    -keyout /usr/local/etc/openldap/certificate.pem
I entered my CN for the host I was using and everything worked. However,
I want tls to my slave and tls from clients to the slave.
My "failover" will just be an ip aliasing thing, so all the pam_ldap
clients will just reference the dns name.
Using the script above, I created the key and certificate for:
I then copied these files over to my slave, so when I fail over, the tls
will still work for hosts pointing to auth.mydomain.com, whichever
host has the ip aliased.
However, if I want tls to the replica host, I need a certificate that has
the real hostname in it.
I did do some reading of the faq and modified my /etc/ssl/openssl.cnf like so:
Then I recreated the cert and key with the script above. However, testing
with ldapsearch -ZZ shows that it still only works with whatever host I
put in as the CN.
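One way to get a single certificate that validates for both the replica's real hostname and the failover alias is to put both names in a subjectAltName extension. The script below is an added example, not the poster's configuration: the replica name "replica.mydomain.com" and the output paths are assumptions, "auth.mydomain.com" is the alias from the post, and it assumes the client library checks dNSName SANs and not only the CN.

```shell
# Added example, not from the original post: build one self-signed cert
# whose subjectAltName covers both the replica's real hostname and the
# failover alias, so it validates under either name. The replica name
# "replica.mydomain.com" and the paths are assumptions; "auth.mydomain.com"
# is the alias from the post. Assumes the client checks dNSName SANs.

# Emit an openssl.cnf fragment requesting a subjectAltName extension.
# Usage: san_config PRIMARY_NAME [ALT_NAME ...]
san_config() {
    primary=$1; shift
    alt="DNS:$primary"
    for n in "$@"; do
        alt="$alt,DNS:$n"
    done
    cat <<EOF
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_san

[ req_dn ]
CN = $primary

[ v3_san ]
subjectAltName = $alt
EOF
}

# Create the key and self-signed cert from that config. Unlike the command
# in the post, the certificate is written to a file with -out.
# Usage: make_cert OUTDIR PRIMARY_NAME [ALT_NAME ...]
make_cert() {
    outdir=$1; primary=$2; shift 2
    san_config "$primary" "$@" > "$outdir/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$outdir/san.cnf" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem"
}

# Check which names the certificate actually carries before deploying it.
show_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name'
}

# Example (constructed): replica's real name first, failover alias as SAN.
# make_cert /usr/local/etc/openldap replica.mydomain.com auth.mydomain.com
# show_names /usr/local/etc/openldap/cert.pem
```

After installing the resulting cert and key on the replica, `ldapsearch -ZZ` against replica.mydomain.com and against auth.mydomain.com should both validate against the same certificate.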