[Date Prev][Date Next]
Re: StartTLS with a host alias
Hallvard B Furuseth wrote:
Robert Minsk writes:
My cert on my LDAP server contains multiple commonName entries.
openssl x509 -noout -in s014-ldap-cert.pem -subject
There is only supposed to be one CN in the certificate name.
Well, there can be any number of CNs in a DN. But only the most-inferior RDN
actually names the certificate, therefore that's the only one that may be used
in hostname checking.
Strange that he said the syncrepl config works, since the syncrepl consumer
uses the same libldap functions as the ldapsearch command line to open a TLS
session. Unless of course his slapd is not linked with the same version of the
libraries as his command line tools.
However you can put multiple hostnames in the certificate's
Subject Alternative Name (aka Subject Alt Name) extension.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/