Reverse Lookup Server SSL Certificate CN
When an openLDAP client tries to verify an openLDAP server's SSL
certificate, the CN is compared to the server's name as it is provided
to the client. This is unlike the behavior of my customary
authentication mechanism, Kerberos, which performs a reverse lookup of
the server's IP to locate its principal.
This poses a problem. There are potentially many names by which my
server can be accessed - I would rather not list them all in its
certificate. Because I've used a wildcard in my DNS configuration,
there are actually an infinite number of names by which my server can
be accessed: a.server, aa.server, aaa.server, ... Furthermore, I
frequently supply to clients only the hostname, to which the default
domain is appended. In this case, the supplied name is a proper prefix
of the CN, and the two don't match: "example.com" is appended to
"server", but SSL unsuccessfully compares only "server" to the server's
CN, "server.example.com". Can openLDAP be configured to compare the
certificate's CN to a reverse lookup of the server's IP?
Thanks,
Jack
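An added illustration, not part of Jack's message or of OpenLDAP's code, of the forward name comparison the question describes: the name the client was given is matched label by label against the certificate's names in the style of RFC 6125, so a bare hostname never matches the FQDN in the CN, while a wildcard dNSName covers the unbounded set of single-label prefixes. The certificate names and the default domain are constructed sample values.

```python
# Added example: name matching of the kind an LDAP client performs on the
# server certificate. No DNS lookup, forward or reverse, is involved.

def name_matches(presented: str, hostname: str) -> bool:
    """Compare one certificate name (CN or dNSName) to the connect hostname.

    Case-insensitive, label by label; "*" is accepted only as the entire
    leftmost label and matches exactly one label of the hostname.
    """
    p_labels = presented.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False          # "server" vs "server.example.com" fails here
    for i, (p, h) in enumerate(zip(p_labels, h_labels)):
        if p == "*" and i == 0 and len(p_labels) > 2:
            continue          # wildcard covers a.server, aa.server, ...
        if p != h:
            return False
    return True


def cert_matches(cn: str, san_dns: list[str], hostname: str) -> bool:
    """Match a certificate against the hostname the client was given.

    When the certificate carries dNSName SAN entries only those are
    consulted; the CN is consulted only for certificates without a SAN.
    """
    candidates = san_dns if san_dns else [cn]
    return any(name_matches(n, hostname) for n in candidates)


# Constructed certificate names for the server in the question.
CN = "server.example.com"
SAN = ["server.example.com", "*.server.example.com"]


def connect_name(supplied: str, default_domain: str = "example.com") -> str:
    """Client-side remedy: qualify a bare hostname before TLS sees it."""
    return supplied if "." in supplied else f"{supplied}.{default_domain}"


if __name__ == "__main__":
    for host in ["server", "server.example.com", "aaa.server.example.com",
                 "a.b.server.example.com"]:
        print(f"{host:28} -> {cert_matches(CN, SAN, host)}")
    print(cert_matches(CN, SAN, connect_name("server")))
```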