
Reverse Lookup Server SSL Certificate CN

When an openLDAP client tries to verify an openLDAP server's SSL certificate, the CN is compared to the server's name as it is provided to the client. This is unlike the behavior of my customary authentication mechanism, Kerberos, which performs a reverse lookup of the server's IP to locate its principal.

This poses a problem. There are potentially many names by which my server can be accessed - I would rather not list them all in its certificate. Because I've used a wildcard in my DNS configuration, there are actually an infinite number of names by which my server can be accessed: a.server, aa.server, aaa.server, ... Furthermore, I frequently supply to clients only the hostname, to which the default domain is appended. In this case, the supplied name is a proper prefix of the CN, and the two don't match: "example.com" is appended to "server", but SSL unsuccessfully compares only "server" to the server's CN, "server.example.com". Can openLDAP be configured to compare the certificate's CN to a reverse lookup of the server's IP?

Thanks,

Jack
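The following is an added illustration, not code from the post or from OpenLDAP, of the name check the post describes: the TLS layer compares only the name the client was given (before any search-domain expansion) against the names in the certificate, with no reverse DNS involved. Names like server.example.com and the wildcard entry are constructed for the example; modern clients also accept subjectAltName DNS entries alongside the CN, which is how a server reachable under several names is normally certified.

```python
"""Constructed model of TLS hostname matching (RFC 6125 style, single
left-most-label wildcard only).  Not OpenLDAP's implementation."""


def _name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (CN or SAN DNS entry) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label and matches exactly one
    # label, so "*.server.example.com" never covers "server.example.com" or
    # "a.b.server.example.com".
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_matches(cert_names, supplied_name):
    """Return the certificate name that matched supplied_name, or None.

    cert_names is the CN plus any subjectAltName DNS entries (constructed).
    """
    for name in cert_names:
        if _name_matches(name, supplied_name):
            return name
    return None


def expand_with_default_domain(supplied_name, default_domain):
    """Mimic the resolver appending the search domain to a bare hostname.

    Only DNS resolution sees this expanded form; the certificate check still
    receives the bare supplied_name, which is the mismatch the post hits.
    """
    if "." in supplied_name:
        return supplied_name
    return f"{supplied_name}.{default_domain}"


# Constructed certificates: CN only, versus CN plus SAN entries covering the
# short name and one wildcard level (a.server, aa.server, ...).
CN_ONLY = ["server.example.com"]
WITH_SANS = ["server.example.com", "server", "*.server.example.com"]

if __name__ == "__main__":
    for supplied in ["server", "server.example.com", "aa.server.example.com"]:
        print(supplied, expand_with_default_domain(supplied, "example.com"),
              certificate_matches(CN_ONLY, supplied),
              certificate_matches(WITH_SANS, supplied))
```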