
RE: TLS/SSL & load-balanced servers

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Quanah
> Gibson-Mount

> Hello,
> I just ran into an interesting issue using TLS connections &
> load-balanced
> servers.  Basically, each of our servers has its own cert
> (ldap#.stanford.edu).  If I perform a search against the
> load-balanced name
> (ldap.stanford.edu), ldapsearch fails, noting that the names
> don't match.
> Is there an easy fix for this, or do I need to get an
> "ldap.stanford.edu"
> cert that each of the servers uses?  And, will that even work inside
> OpenLDAP?

This topic has come up before on this list. You need to add an X509v3
extension to your certs, subjectAltName, that lists valid aliases for the
servers. E.g., add subjectAltName=DNS:ldap.stanford.edu.


  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
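The check that makes ldapsearch reject the per-host certificate, and that the subjectAltName fix satisfies, is the client-side hostname match. The following is an added illustration written for this page, not code from the thread or from OpenLDAP: it models a client matching the requested host against the certificate's DNS subjectAltName entries, falling back to the subject commonName only when the certificate carries no SAN at all (RFC 6125 section 6.4.4, RFC 2818 section 3.1). The certificate dictionaries are constructed samples in the layout of Python's ssl.getpeercert(); no real Stanford certificate is involved. One caveat the example makes visible: once a SAN is present, the CN is ignored, so the per-host name (ldap1.stanford.edu) must be listed in the SAN alongside the load-balanced alias, not just the alias.

```python
"""Client-side hostname matching for an LDAP server certificate.

The requested host is compared against the DNS entries of subjectAltName;
only a certificate with no SAN at all falls back to the subject commonName.
Certificates below are constructed samples (ssl.getpeercert() layout).
"""


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS-ID comparison with a single left-most wildcard."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label, must not span label
    # boundaries, and "*.edu"-style patterns on a bare suffix are refused.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """Return True if `cert` is valid for `hostname` under RFC 6125 rules."""
    san_dns = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        # SAN present: CN is not consulted at all.
        return any(_dns_name_matches(p, hostname) for p in san_dns)
    # Legacy fallback: no SAN, so use the subject commonName.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


# Constructed sample certificates (hypothetical, not real Stanford certs).
PER_HOST_CERT = {  # CN only, as each server had originally
    "subject": ((("commonName", "ldap1.stanford.edu"),),),
}
SAN_CERT = {  # CN plus SAN listing both the host name and the alias
    "subject": ((("commonName", "ldap1.stanford.edu"),),),
    "subjectAltName": (("DNS", "ldap1.stanford.edu"),
                       ("DNS", "ldap.stanford.edu")),
}
ALIAS_ONLY_SAN_CERT = {  # SAN lists the alias but omits the host's own name
    "subject": ((("commonName", "ldap1.stanford.edu"),),),
    "subjectAltName": (("DNS", "ldap.stanford.edu"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.stanford.edu"),),),
    "subjectAltName": (("DNS", "*.stanford.edu"),),
}


def report(cert, hostnames):
    """Map each requested hostname to whether the certificate is accepted."""
    return {h: cert_matches_hostname(cert, h) for h in hostnames}


if __name__ == "__main__":
    hosts = ["ldap1.stanford.edu", "ldap.stanford.edu"]
    for label, cert in [("per-host CN only", PER_HOST_CERT),
                        ("CN + SAN (host and alias)", SAN_CERT),
                        ("SAN with alias only", ALIAS_ONLY_SAN_CERT)]:
        print(label, report(cert, hosts))
```

Running the module prints one line per certificate shape; the per-host certificate is accepted for ldap1.stanford.edu but not for ldap.stanford.edu, the certificate whose SAN lists both names is accepted for both, and the SAN that lists only the alias is rejected for the host's own name even though that name is still in the CN.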