
Re: StartTLS with a host alias

Hallvard B Furuseth wrote:
Robert Minsk writes:
My cert on my LDAP server contains multiple commonName entries.
openssl x509 -noout -in s014-ldap-cert.pem -subject
subject= /C=US/ST=California/O=FooBar/CN=s014.cgi.foobar.com/CN=ldap1.cgi.foobar.com/CN=s14.cgi.foobar.com

There is only supposed to be one CN in the certificate name.

Well, there can be any number of CNs in a DN. But only the most-inferior RDN actually names the certificate, therefore that's the only one that may be used in hostname checking.


Strange that he said the syncrepl config works, since the syncrepl consumer uses the same libldap functions as the ldapsearch command line to open a TLS session. Unless of course his slapd is not linked with the same version of the libraries as his command line tools.

However you can put multiple hostnames in the certificate's
Subject Alternative Name (aka Subject Alt Name) extension.

Right.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
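The point of the thread in working code, as an added example that is not part of the original message and not OpenLDAP's libldap code: a small hostname checker that treats only the most-inferior (last) CN in the subject DN as the certificate's name and otherwise relies on subjectAltName dNSName entries. The subject DN is the one quoted from the `openssl x509 -subject` output above; the SAN list is constructed for illustration. The rule of consulting the CN only when no SAN dNSName is present is the RFC 6125 behaviour and is assumed here, not something the thread states. Wildcards are honoured only as the whole leftmost label.

```python
"""Hostname checking against a TLS certificate's name (added illustration).

A certificate is modelled here as two already-parsed pieces:
  * the subject DN as an ordered list of (attribute, value) RDNs, and
  * the list of dNSName entries from its subjectAltName extension.
Only the last (most-inferior) CN in the DN names the certificate; every
SAN dNSName is usable for hostname checking.
"""
from typing import List, Optional, Sequence, Tuple

# Taken from the subject line quoted in the thread:
# /C=US/ST=California/O=FooBar/CN=s014.cgi.foobar.com/CN=ldap1.cgi.foobar.com/CN=s14.cgi.foobar.com
SUBJECT_WITH_THREE_CNS: List[Tuple[str, str]] = [
    ("C", "US"),
    ("ST", "California"),
    ("O", "FooBar"),
    ("CN", "s014.cgi.foobar.com"),
    ("CN", "ldap1.cgi.foobar.com"),
    ("CN", "s14.cgi.foobar.com"),
]


def parse_openssl_subject(line: str) -> List[Tuple[str, str]]:
    """Parse the 'subject= /C=US/...' line printed by `openssl x509 -subject`.

    The legacy slash-separated format is ambiguous for values containing
    '/' or '='; this parser assumes plain values, as in the quoted output.
    """
    _, _, dn = line.partition("=")  # drop the 'subject=' prefix
    rdns: List[Tuple[str, str]] = []
    for part in dn.strip().split("/"):
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value))
    return rdns


def most_inferior_cn(subject: Sequence[Tuple[str, str]]) -> Optional[str]:
    """Return the last CN RDN in the DN, the only one that names the cert."""
    cns = [value for attr, value in subject if attr.upper() == "CN"]
    return cns[-1] if cns else None


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-name match; '*' only as the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    plabels, hlabels = pattern.split("."), host.split(".")
    # Wildcard must be the whole first label, cover exactly one host label,
    # and leave at least two literal labels (no '*.com').
    if plabels[0] != "*" or len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(subject: Sequence[Tuple[str, str]],
                     san_dns_names: Sequence[str],
                     hostname: str) -> bool:
    """SAN dNSNames are authoritative when present; otherwise use the last CN.

    (Assumed RFC 6125 rule: a CN is consulted only when the certificate
    carries no dNSName in subjectAltName.)
    """
    if san_dns_names:
        return any(dns_name_matches(name, hostname) for name in san_dns_names)
    cn = most_inferior_cn(subject)
    return cn is not None and dns_name_matches(cn, hostname)


if __name__ == "__main__":
    # Without a SAN, only 's14.cgi.foobar.com' (the last CN) is accepted.
    for host in ("s14.cgi.foobar.com", "ldap1.cgi.foobar.com"):
        print(host, "CN-only:", hostname_matches(SUBJECT_WITH_THREE_CNS, [], host))
    # Constructed SAN listing all three names: every alias is accepted.
    san = ["s014.cgi.foobar.com", "ldap1.cgi.foobar.com", "s14.cgi.foobar.com"]
    print("ldap1 with SAN:", hostname_matches(SUBJECT_WITH_THREE_CNS, san, "ldap1.cgi.foobar.com"))
```

Run as-is it shows the behaviour Howard describes: the CN-only certificate satisfies a client connecting to `s14.cgi.foobar.com` but not one connecting to `ldap1.cgi.foobar.com`, while a certificate carrying all three names as SAN dNSNames satisfies both.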