
openldap 2.0.x generic ssl certificate



I've been in the habit of using TLS for all my pam_ldap clients talking
to my LDAP server.

However, I've gotten to the point where I need failover for my auth LDAP
server.

I've got replication going to my slave, so everything is fine there. My
problem is incorporating TLS for all the communication.

Originally I created a certificate like so:

#!/bin/sh
#
# create keys for openldap

openssl req -x509 -newkey rsa:1024 \
    -keyout /usr/local/etc/openldap/privateKey.pem \
    -out /usr/local/etc/openldap/certificate.pem \
    -days 9999 -nodes

I entered my CN for the host I was using and everything worked. However,
I want TLS to my slave and TLS from clients to the slave.

My "failover" will just be an IP aliasing thing, so all the pam_ldap
clients will just reference the DNS name.

Using the script above, I created the key and certificate for:
auth.mydomain.com

I then copied these files over to my slave, so when I fail over, the TLS
will still work for hosts pointing to auth.mydomain.com, whichever
host has the IP aliased.

However, if I want TLS to the replica host, I need a certificate that has
the real hostname in it.

I did do some reading of the FAQ and modified my /etc/ssl/openssl.cnf like so:

subjectAltName=DNS:*.mydomain.com

then recreated the cert and key with the script above. However, testing
with ldapsearch -ZZ shows that it still only works with whatever host I
put in as the CN.

Any suggestions?

Thanks,

ajt.
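The following is an added example, not the poster's script or anything from the OpenLDAP project. It shows the generation procedure the post describes carried through so that one certificate names both the failover alias and the replica's real hostname: subjectAltName has to live in an extension section that the [ req ] section points at through x509_extensions (which is what "openssl req -x509" reads), rather than as a bare line in openssl.cnf, and the names are listed explicitly instead of relying on a wildcard. The second function checks the resulting certificate the way an admin would before copying it to the slave. Hostnames, file locations, key size and validity period are all placeholders or choices made here, and the script assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed OpenLDAP server
# certificate carrying every name clients may connect to in subjectAltName.
# Assumes: openssl on PATH; hostnames below are constructed placeholders.

# make_ldap_cert KEY CERT CN "DNS:name1,DNS:name2" [DAYS]
# Writes a throwaway openssl config whose [ req ] section references the
# extension section via x509_extensions, so "req -x509" emits the SAN.
make_ldap_cert() {
    key=$1; cert=$2; cn=$3; sans=$4; days=${5:-365}
    cfg=$(mktemp) || return 1
    cat >"$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ldap
prompt             = no

[ dn ]
CN = $cn

[ v3_ldap ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $sans
EOF
    # 2048-bit key and one-year default validity are choices made here,
    # not values from the post.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$cert" -days "$days" -config "$cfg" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# cert_has_san CERT NAME: exit 0 if NAME is one of the DNS entries in the
# certificate's Subject Alternative Name, 1 otherwise.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^[[:space:]]*//' |
        grep -qxF "DNS:$2"
}

# Demonstration with constructed hostnames: the failover alias plus both
# real LDAP hosts, so the same key/cert pair is valid on master and slave.
demo() {
    dir=$(mktemp -d) || return 1
    make_ldap_cert "$dir/privateKey.pem" "$dir/certificate.pem" \
        auth.mydomain.com \
        "DNS:auth.mydomain.com,DNS:ldap1.mydomain.com,DNS:ldap2.mydomain.com" \
        365 || { rm -rf "$dir"; return 1; }
    for h in auth.mydomain.com ldap1.mydomain.com ldap2.mydomain.com; do
        if cert_has_san "$dir/certificate.pem" "$h"; then
            echo "ok: $h"
        else
            echo "MISSING: $h"
        fi
    done
    rm -rf "$dir"
}
```

Run "demo" from a scratch directory to see each name checked; in a real deployment point -keyout/-out at the paths from the post and copy both files to the replica. On OpenSSL 1.1.1 and later the same SAN can be passed with "openssl req -addext 'subjectAltName=DNS:...'" without a config file, but the config-section approach works on the older releases contemporary with OpenLDAP 2.0 as well.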