[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Multi-homed machine and TLS

On Wed, 2004-09-15 at 11:27, Tay, Gary wrote:
> I have the similar requirement as yours: 
> I am using start_tls and when MASTER LDAP Server is down, the LDAP
> Client will look for SLAVE LDAP Server using TLS, and the FQDN will be
> changed to SLAVE LDAP Server as indicated in /etc/ldap.conf and
> $ETC_OPENLDAP/ldap.conf
> If I am not wrong (I think I must always quote this "protection"
> clause), u could generate additional server certs using the 2nd
> commonName, and COMBINE all the certs into a SINGLE cacert.pem, I am
> not sure the end result if u were to do this at the multi-homed LDAP
> Server end, I did this at the LDAP client end for LDAP MASTER to SLAVE
> faillover to work.

you are mixing up server certificates and CA certificates. You only need
one CA certificate to verify all server certificates generated by that
CA. Therefore your clients only need one CA cert in cacert.pem to verify
the master and slave server certs, unless they are issued by seperate
CAs in which case, it is fine to put the two CA certs into one file.

The original problem is that the LDAP server may have a number of
genuine names/aliases but the cert will only have one CN. using
SubjectAltName is the correct way to do things but many clients do not
use this extension (Solaris anyone?) so it is not a foolproof solution.


Greg Matthews
iTSS Wallingford	01491 692445