[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: multiple server certificates
Howard Chu writes:
>Hallvard B Furuseth wrote:
>> Would it be hard to make different listener addresses present
>> different server certificates, signed by different CA certificates?
>
> Not that hard. The worst part would be defining the new config syntax
> for it and adding the appropriate config actions.
Maybe something like:
dn: cn={n}override,cn=config
olcOverrideBy: <"*" or socket-related <who> fields from olcAccess>
<same attributes as in cn=config entry>
slapd would search each override for the first which matches the
connection. Attributes not found there would be taken from the
cn=config entry. The attributes would need to accept some value
which means "don't use the cn=config default for this attribute".
Over time it could be generalized to cover other config parameters like
limits, and maybe other <by> clauses too.
I don't understand the tls-config code itself though. It configures
a fake LDAP*, slap_tls_ld, so I presume the TLS config isn't global.
That's good news - except I don't see where the slap_tls_ld settings
are applied to a connection.
--
Hallvard