We're using the openldap packages from RHEL6/CentOS6.4:

# rpm -qa | grep openldap
openldap-servers-2.4.23-32.el6_4.1.x86_64
openldap-clients-2.4.23-32.el6_4.1.x86_64
openldap-2.4.23-32.el6_4.1.x86_64

Things are working well for us with certs that use the VIP for Subject, and a 
SAN list that includes the node names:
# openssl x509 -in /etc/openldap/cacerts/servercrt.pem -text -noout | grep ldap
        Subject: C=US, ST=WA, L=Seattle, O=[snipped], OU=[snipped], 
CN=ldap-vip. [snipped]/emailAddress=[snipped]
                DNS:ldapmaster1. [snipped], DNS:ldapmaster2. [snipped]

The certs and reqs were done via OpenSSL.

For whatever this is worth...
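The cert layout described above (CN = the VIP name, dNSName SANs = the individual node names) raises one question a practitioner should check: which of those names a given client library will actually accept. RFC 6125 section 6.4.4 says that when a certificate carries any dNSName SAN, the CN is not consulted at all, so a strict verifier would accept the node names but reject the VIP name unless it is also listed in the SAN; other verifiers fall back to the CN. The following Python script is an added example, not code from the thread or from OpenLDAP; it implements both behaviours (the `cn_fallback` switch is my own) over a constructed certificate dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, with `example.com` standing in for the snipped domain.

```python
"""Hostname matching against a TLS server certificate's SAN and CN.

Added example for the thread above; the certificate below is constructed
to resemble the one described there (CN = VIP name, SANs = node names) and
uses example.com as a placeholder for the snipped domain. The dict layout
mirrors ssl.SSLSocket.getpeercert(), so the same function can be pointed
at a live connection's peer certificate.
"""


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 section 6.4.3).

    Case-insensitive; a trailing dot is ignored. Only a single '*' as the
    entire leftmost label is honoured, it must be followed by at least two
    more labels (so '*.com' never matches), and it matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    """All dNSName entries from the subjectAltName extension."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_common_names(cert: dict) -> list:
    """All commonName attributes from the subject DN."""
    return [value for rdn in cert.get("subject", ()) for (kind, value) in rdn
            if kind == "commonName"]


def cert_matches_hostname(cert: dict, hostname: str, cn_fallback: bool = False) -> bool:
    """True if the certificate covers hostname.

    Strict mode (default): if any dNSName SAN is present, only the SAN list is
    consulted; the CN is used only for SAN-less certificates (RFC 6125 6.4.4).
    cn_fallback=True models the more lenient clients that also try the CN
    after a SAN miss.
    """
    dns_names = san_dns_names(cert)
    if dns_names:
        if any(_dns_pattern_matches(p, hostname) for p in dns_names):
            return True
        if not cn_fallback:
            return False
    return any(_dns_pattern_matches(cn, hostname) for cn in subject_common_names(cert))


# Constructed certificate, modelled on the one shown in the thread.
VIP_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "WA"),),
        (("localityName", "Seattle"),),
        (("commonName", "ldap-vip.example.com"),),
    ),
    "subjectAltName": (
        ("DNS", "ldapmaster1.example.com"),
        ("DNS", "ldapmaster2.example.com"),
    ),
}


if __name__ == "__main__":
    for name in ("ldapmaster1.example.com", "ldap-vip.example.com"):
        print(name, "strict:", cert_matches_hostname(VIP_CERT, name),
              "with CN fallback:", cert_matches_hostname(VIP_CERT, name, cn_fallback=True))
```

The practical consequence: a cert like the one above is accepted by every client for the node names, but for the VIP name only by clients that fall back to the CN. Adding the VIP name to the SAN list as well removes that dependency on client behaviour.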

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Quanah 
Gibson-Mount
Sent: Friday, October 18, 2013 9:08 AM
To: lejeczek; [email protected]
Subject: Re: Subject Alternative Name in TLS - does this work?

--On Friday, October 18, 2013 8:52 AM +0100 lejeczek <[email protected]>
wrote:

> slapd is redhat's openldap-servers-2.4.23-26.el6_3.2.x86_64, I hoped
> since slapd does not say a bad word about TLS cert with SAN it's tool
> would be fine too

Get a current release that is linked to OpenSSL, not the MozNSS garbage RH 
links to.

You may want to try <http://ltb-project.org/wiki/download#openldap>

--Quanah



--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration



This message is private and confidential. If you have received it in error, 
please notify the sender and remove it from your system.


