[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: failover config: servers with same DNS address and TLS, subjectAltName extension

To: Emmanuel Dreyfus <manu@netbsd.org>
Subject: Re: failover config: servers with same DNS address and TLS, subjectAltName extension
From: Howard Chu <hyc@symas.com>
Date: Wed, 25 Jul 2007 14:45:13 -0700
Cc: openldap-software@openldap.org
In-reply-to: <1i1tn9p.lcrilorkrmlkM%manu@netbsd.org>
References: <1i1tn9p.lcrilorkrmlkM%manu@netbsd.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a7pre) Gecko/2007072317 SeaMonkey/2.0a1pre

Emmanuel Dreyfus wrote:

Quanah Gibson-Mount <quanah@zimbra.com> wrote:
As pointed out by Howard multiple times, nearly everything you "couldn't find" was actually available online, in the form of published documentation, by the folks who provided the software.
If you speak about the subjectAltName stuff, there is IMO a huge gap
getween OpenSSL reference documentation and how to actually do it. The
information is there, but there is a lot of required reading if you want
to do something. And there are a lot of mistake to do before getting it
done (cf my first attempt with subjectAltName outside the extension
section)

Since it is an OpenSSL topic, it would make the most sense for you to submit some suggested doc changes to the OpenSSL team. Though I suspect that in the 7 or so years that OpenLDAP has supported OpenSSL, many people have been confronted with this problem, read the docs, and implemented the solution and moved on to the next thing, without any fuss. As such, the relative ease with which the problem is typically solved doesn't merit a writeup for Google to find.

It may just mean there is a language barrier, something that would better be served by a translation of OpenSSL docs into French.

The fact that you went to Google *before* going to the sites that actually distribute the software and reading their documentation is unfortunately the same thing many other people do to. And then they tend to complain about the lack of documentation.
Okay, so that could surprise you, but I actually started by searching
the OpenLDAP doc and FAQ. Then the OpenSSL web site, then Google...
That item is worth an OpenLDAP FAQ entry IMO, even if it's not really an
OpenLDAP problem. How one contribute FAQ entries, BTW? I just add it to
Faq-O-Matic?

Yes, anybody can add entries to the FAQ (hasn't that been said enough times already?), and you're welcome to add your corrected writeup there. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

Follow-Ups:
- Re: failover config: servers with same DNS address and TLS, subjectAltName extension
  - From: manu@netbsd.org (Emmanuel Dreyfus)

References:
- Re: failover config: servers with same DNS address and TLS, subjectAltName extension
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: Re: Configuring TLS
Next by Date: Re: LDAPS vs. StartTLS ext. op.
Index(es):
- Chronological
- Thread