That is different per OS and application implementation. Search for "update CA certificates [your os or app name]".

We only use our LDAP for auth(n/z), so we tell PAM or SSSD (depending on OS version) to use the CA cert we push onto those nodes using our configuration management system (e.g. puppet, chef), without having to modify our CA bundles. We DO have an internal CA that java apps must support, as well as some system-level apps: on those nodes we update the system as needed (CentOS or Java).

Good luck,
- chris

From: openldap-technical [mailto:[email protected]] On Behalf Of Aneela Saleem
Sent: Monday, October 05, 2015 12:01 PM
To: Dieter Klünter <[email protected]>
Cc: [email protected]
Subject: Re: SSL based ldap server

Do we need to have CA certificate/server key on other client machine as well? If yes, then how can we achieve that?

On Sun, Oct 4, 2015 at 9:00 PM, Dieter Klünter <[email protected]> wrote:

Am Sun, 4 Oct 2015 19:18:19 +0500 schrieb Aneela Saleem <[email protected]>:

> I have followed this link
> <http://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl>.
> I updated the openssl.cnf file manually and added the IP address of the other
> client machine. Then I generated the SSL certificate. Now I am accessing
> ldaps://platalytics.com:636 from the other client machine (I have also
> added platalytics.com in the /etc/hosts file) but am unable to access it
> from the external IP address. What am I missing now?

Domain Name Service? Firewall? Routing Tables?

-Dieter

> On Fri, Oct 2, 2015 at 5:35 PM, Aneela Saleem <[email protected]> wrote:
>
> > Hi Michael,
> >
> > Thanks for explaining. So far I have only performed server side
> > validation using the link
> > <http://www.openldap.org/faq/data/cache/185.html>
> >
> > Can you please guide me on how we can perform client side
> > verification? Meaning, how do I set the subjectAltName extension?
> >
> > On Fri, Oct 2, 2015 at 4:10 PM, Michael Ströder <[email protected]> wrote:
> >
> >> Aneela Saleem wrote:
> >> > What if I want to access LDAP from an external source? How would it
> >> > recognize platalytics.com?
> >>
> >> Hopefully the client performs the TLS hostname check as defined in
> >> RFC 6125.
> >>
> >> All hostnames and IP addresses used by clients have to be listed
> >> in the subjectAltName extension.
> >>
> >> Ciao, Michael.
> >>

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
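As an added illustration of Michael's point that the client must perform the RFC 6125 hostname check against the subjectAltName extension (not the commonName), the following Python example is not from the thread or the OpenLDAP project. It applies the RFC 6125 matching rules (case-insensitive dNSName comparison, a wildcard honoured only as the whole left-most label, and iPAddress entries compared as parsed addresses rather than strings) to a constructed dictionary in the shape that Python's ssl.SSLSocket.getpeercert() returns; the host names and the 192.0.2.x address in the sample are placeholders, not values from the thread.

```python
import ipaddress
from typing import Tuple

# Constructed sample in the layout returned by ssl.SSLSocket.getpeercert():
# a certificate whose subjectAltName lists two dNSName entries and one
# iPAddress entry. Names and addresses are placeholders for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.test"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.test"),
        ("DNS", "*.corp.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed sample of a certificate that carries only a commonName. A
# client following RFC 6125 must reject it, which is the failure mode behind
# "how would it recognize the hostname" in the thread.
CN_ONLY_CERT = {
    "subject": ((("commonName", "ldap.example.test"),),),
}


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a host name (RFC 6125 section 6.4.3).

    Comparison is case-insensitive. A '*' is accepted only as the complete
    left-most label, it never matches inside a label or across several labels,
    and a wildcard with fewer than two fixed labels to its right is refused.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial or non-leading wildcard: not accepted
    if len(p_labels) < 3:
        return False  # refuse overly broad patterns such as '*.test'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, reference: str) -> Tuple[bool, str]:
    """Decide whether the reference identity the client connected to (a DNS
    name or an IP literal) is covered by the certificate's subjectAltName.

    Returns (ok, reason). commonName is deliberately never consulted, so a
    certificate without a subjectAltName fails the check.
    """
    san = cert.get("subjectAltName", ())
    if not san:
        return False, "no subjectAltName present; commonName is not consulted"
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None  # reference is a DNS name, not an IP literal
    for kind, value in san:
        if ref_ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True, f"iPAddress {value} matches"
            except ValueError:
                continue  # malformed SAN entry, ignore it
        elif ref_ip is None and kind == "DNS":
            if _dns_name_match(value, reference):
                return True, f"dNSName {value} matches"
    return False, f"{reference!r} is not listed in subjectAltName"


if __name__ == "__main__":
    for ref in ("ldap.example.test", "host.corp.example.test",
                "a.b.corp.example.test", "192.0.2.10", "203.0.113.5"):
        ok, why = hostname_matches(SAMPLE_CERT, ref)
        print(f"{ref:28} {'OK ' if ok else 'FAIL'} {why}")
    print("CN-only cert:", hostname_matches(CN_ONLY_CERT, "ldap.example.test"))
```

The practical consequence for the thread is the one Michael states: every name a client will type into its ldaps:// URL, including a bare IP address, has to appear as a separate SAN entry, and the /etc/hosts workaround only helps if the name it resolves is one of those entries.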
