[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl over TLS for mirrormode

To: openldap-technical@openldap.org, daniel@up247solution.com
Subject: Re: Syncrepl over TLS for mirrormode
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Mon, 29 Aug 2011 13:28:45 +0200
Cc: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
In-reply-to: <4E5955A7.4000605@up247solution.com>
References: <6C447584419BFE4E83D46E88F8131486827596A85C@EXCH07-05.apollogrp.edu> <4E5955A7.4000605@up247solution.com>
User-agent: KMail/1.13.5 (Linux/2.6.33.7-desktop-2.1mnb; KDE/4.4.5; x86_64; ; )

On Saturday, 27 August 2011 22:37:59 Daniel Qian wrote:
> Yes I wasn't aware of subjectAltName and I am still not sure if nss_ldap
> in the OS honors that but I will test it out. Thanks Chris for answering
> back.
> 

nss_ldap supports it if the underlying ldap library supports it.

Solaris' ldapclient doesn't ...

So (since we have a few Solaris boxes), we use individual certs where the 
subject is the same (the canonical name of the load-balanced servers), with 
subjectAltNames for all the additional names/IPs for the individual server.

Regards,
Buchan

References:
- Re: Syncrepl over TLS for mirrormode
  - From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
- Re: Syncrepl over TLS for mirrormode
  - From: Daniel Qian <daniel@up247solution.com>

Prev by Date: Re: TLS issue with SLES11
Next by Date: Re: TLS issue with SLES11
Index(es):
- Chronological
- Thread