Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
> > Is there some kind of trick to get this done properly?
> Use a cert with a correct subjectAltName, or a wildcard cert.
For future reference:

Assuming we have in the DNS the following RR:

foo     IN A 192.0.2.11
bar     IN A 192.0.2.12
ldap  1 IN A 192.0.2.11
ldap  1 IN A 192.0.2.12

Create certificate for foo:
subjectAltName=DNS:ldap.example.net,DNS:foo.example.net
CN=ldap.example.net

Create certificate for bar:
subjectAltName=DNS:ldap.example.net,DNS:bar.example.net
CN=ldap.example.net

On foo and bar, for generating the CSR, I needed this in /etc/openssl/openssl.cnf, in order to have openssl ask for subjectAltName:

[ req ]
(...)
distinguished_name = req_distinguished_name
(...)

[ req_distinguished_name ]
(...)
subjectAltName = Alternative Subject Name
subjectAltName_default = DNS:fqdn

On the CA, for signing the certificate, I needed this in /etc/openssl/openssl.cnf:

[ ca ]
default_ca = CA_default

[ CA_default ]
(...)
policy = policy_match

[ policy_match ]
(...)
subjectAltName = optional

Then I have been able to use URI ldaps://ldap.example.net:636 in ldap.conf.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
[EMAIL PROTECTED]
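The same setup as a runnable script, added here as an example and not taken from the thread or from OpenLDAP: a throwaway private CA issues one certificate per host, each carrying the shared round-robin name ldap.example.net plus the host's own name in subjectAltName, and `openssl verify -verify_hostname` then shows which names each certificate is accepted for, which is the decision an LDAPS client makes for ldaps://ldap.example.net. Two things differ from the post's openssl.cnf edits: the SAN is written as an X.509 extension (an `[ v3_req ]` section fed from the SAN environment variable) rather than as a prompted `[ req_distinguished_name ]` field, and the extension is handed to `openssl x509 -req` again at signing time with `-extfile`/`-extensions`, because the signer does not copy it from the CSR by default. The CA name, the file layout under `$WORK` and the `demo` entry point are assumptions of this example; the host names and the shared name follow the post.

```shell
#!/bin/sh
# Added example, not from the post: issue two LDAP server certificates that
# both carry the shared round-robin name ldap.example.net plus each host's
# own name in subjectAltName, then check which names each one is valid for.
# Host names follow the post; the CA name and file layout are assumptions,
# and the CA created here is a throwaway one, not a real CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SHARED=ldap.example.net

# One config serves both the CA and the hosts.  The SAN value comes from the
# environment so a single file can be reused for every host.  ${ENV::SAN} is
# expanded when the file is loaded, so SAN must be set for every openssl call
# that reads this config, including the CA step.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
x509_extensions    = v3_ca

[ dn ]

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
subjectAltName = ${ENV::SAN}
EOF
}

# Self-signed throwaway CA (assumed name "Example LDAP CA").
make_ca() {
    write_config
    SAN="DNS:$SHARED" openssl req -config "$WORK/openssl.cnf" -x509 \
        -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example LDAP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a certificate for host $1.  CN is the shared name, as in the post;
# subjectAltName lists the shared name and the host's own name.  The SAN is
# passed again at signing time because openssl x509 -req does not copy
# extensions from the CSR by default.
issue_cert() {
    host="$1"
    SAN="DNS:$SHARED,DNS:$host"
    export SAN
    openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$SHARED" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$host.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/openssl.cnf" -extensions v3_req \
        -out "$WORK/$host.crt" 2>/dev/null
}

# Exit 0 if the certificate issued to host $1 verifies for hostname $2 under
# our CA, i.e. what an LDAPS client decides for URI ldaps://$2.
cert_matches() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# Print the subjectAltName of host $1's certificate (OpenSSL 1.1.1+).
show_san() {
    openssl x509 -in "$WORK/$1.crt" -noout -ext subjectAltName
}

demo() {
    make_ca
    for h in foo.example.net bar.example.net; do
        issue_cert "$h"
        show_san "$h"
        for n in "$SHARED" foo.example.net bar.example.net; do
            if cert_matches "$h" "$n"; then echo "$h cert: $n OK"
            else echo "$h cert: $n REJECTED"; fi
        done
    done
}

# Run the whole flow when invoked as: sh this_script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

Running it with `demo` shows foo's certificate accepted for ldap.example.net and foo.example.net but rejected for bar.example.net, and the mirror image for bar, which is exactly the property the round-robin setup needs: every server answers to the shared name, while a client pinned to one host still sees a matching name. Once a SAN extension is present, clients ignore the CN for hostname matching, so the CN value is cosmetic here.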
