> -----Original Message-----
> From: [email protected] [mailto:openldap-[email protected]] On Behalf Of Howard Chu
> Sent: Monday, October 21, 2013 3:04 AM
> To: lejeczek; Christian Kratzer
> Cc: Christian Kratzer; [email protected]
> Subject: Re: Subject Alternative Name in TLS - does this work?
>
> lejeczek wrote:
> > that was me, the way I tried to sign certificate were...
> > incorrect
> >
> > apologies and great and many thanks to everybody
> >
> > I can now ldapsearch on both slapd.domain.local and
> > slap.domain.external with -ZZZ, all good (only cannot confirm if CN
> > has to be repeated in subjectAltName as per Olo's tip, currently it IS
> > repeated in my cert)
>
> No. The CN does not need to be repeated, anyone who says so is wrong.
> Other libraries (e.g. old Solaris/Sun/Mozilla LDAP) may have required this but
> they are defective and obsolete. The Mozilla LDAP SDK has been abandoned,
> and Solaris 11 now bundles OpenLDAP.
>

True, but putting the subject in the SAN list isn't bad or wrong per se. A bit like offering wheel ramps for those older libraries/clients, even though newer stuff exists obsoleting those ramps.

- chris

> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
