RE: Multi-homed machine and TLS
I have a similar requirement to yours:
I am using start_tls and when the MASTER LDAP Server is down, the LDAP Client will look for the SLAVE LDAP Server using TLS, and the FQDN will be changed to the SLAVE LDAP Server as indicated in /etc/ldap.conf and $ETC_OPENLDAP/ldap.conf.
If I am not wrong (I think I must always quote this "protection" clause), you could generate additional server certs using the 2nd commonName, and COMBINE all the certs into a SINGLE cacert.pem. I am not sure of the end result if you were to do this at the multi-homed LDAP Server end; I did this at the LDAP client end for LDAP MASTER to SLAVE failover to work.
E.g.: all the LDAP clients have a cacert.pem that contains two certs.
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenSSH%20with%20pam_ldap%20for%20Solaris9.htm
http://web.singnet.com.sg/~garyttt
The following is an example of /usr/local/etc/openldap/cacert.pem; you will notice that it contains TWO Self-Signed CA Certificates from two LDAP Servers, one from the MASTER, the other from the SLAVE.
-----BEGIN CERTIFICATE-----
MIIEBjCCA2+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBuTELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCE5ldyBZb3JrMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MSYwJAYD
VQQKEx1QTEFUVFMsIE1jR3Jhdy1IaWxsIENvbXBhbmllczEPMA0GA1UECxMGUExB
VFRTMSIwIAYDVQQDExluamhwbHBtb24xLnBsYXR0cy5taG0ubWhjMSIwIAYJKoZI
hvcNAQkBFhNnYXJ5X3RheUBwbGF0dHMuY29tMB4XDTA0MDcwNjAyNTExNFoXDTE0
MDcwNDAyNTExNFowgbkxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEW
MBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTEmMCQGA1UEChMdUExBVFRTLCBNY0dyYXct
SGlsbCBDb21wYW5pZXMxDzANBgNVBAsTBlBMQVRUUzEiMCAGA1UEAxMZbmpocGxw
bW9uMS5wbGF0dHMubWhtLm1oYzEiMCAGCSqGSIb3DQEJARYTZ2FyeV90YXlAcGxh
dHRzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0wqm6JKsUMIXRYyn
YRKDUYh//+57SJl+XSES7xz/TRO+rvfmnpZWFqHdMG6K5ruPVjQeusSQfNxuZT8T
aMOXpI0Upv2pvmGJyP88zxSN/kS6btDJHqKOrF3sp8P/BJOgDartHb2/gVcdHXYE
/QISDwMRJncE0kFOxhBJ/1U8I20CAwEAAaOCARowggEWMB0GA1UdDgQWBBQlvKCz
RfHlJXtG5ecwD0XrmLg2NzCB5gYDVR0jBIHeMIHbgBQlvKCzRfHlJXtG5ecwD0Xr
mLg2N6GBv6SBvDCBuTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMRYw
FAYDVQQHEw1OZXcgWW9yayBDaXR5MSYwJAYDVQQKEx1QTEFUVFMsIE1jR3Jhdy1I
aWxsIENvbXBhbmllczEPMA0GA1UECxMGUExBVFRTMSIwIAYDVQQDExluamhwbHBt
b24xLnBsYXR0cy5taG0ubWhjMSIwIAYJKoZIhvcNAQkBFhNnYXJ5X3RheUBwbGF0
dHMuY29tggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAdra0I6Ei
Y+qgJyzBUM2ObxYAv26hDa+Vmk0VjVDxTBpjh1+4VM7ufWitClst3MZJy/ht/8Ui
4hBC6MtOdTnMb7YxJ6dCBHQ01WKs7pTPbYGuxAweSQQ/Jx3opmh55RyqFFs1/S4f
diTGRXhlVYaLsUP6FMCyvjXe3Tg68HBLyio=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID/TCCA2agAwIBAgIBADANBgkqhkiG9w0BAQQFADCBtjELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCE5ldyBZb3JrMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MSYwJAYD
VQQKEx1QTEFUVFMsIE1jR3Jhdy1IaWxsIENvbXBhbmllczEMMAoGA1UECxMDSU1T
MSIwIAYDVQQDExlueXBwbGRldjIxLnBsYXR0cy5taG0ubWhjMSIwIAYJKoZIhvcN
AQkBFhNnYXJ5X3RheUBwbGF0dHMuY29tMB4XDTA0MDcwMTEwMDA1M1oXDTE0MDYy
OTEwMDA1M1owgbYxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEWMBQG
A1UEBxMNTmV3IFlvcmsgQ2l0eTEmMCQGA1UEChMdUExBVFRTLCBNY0dyYXctSGls
bCBDb21wYW5pZXMxDDAKBgNVBAsTA0lNUzEiMCAGA1UEAxMZbnlwcGxkZXYyMS5w
bGF0dHMubWhtLm1oYzEiMCAGCSqGSIb3DQEJARYTZ2FyeV90YXlAcGxhdHRzLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5lkc5m1WUABGw1oGZcqKPDdI
t2Qzc/dDyDDLu2LTjlwKdPUZGNogHyexUtv8uSxrnxiMLe1St9milVfO8pGRFRmC
VhL1irYkMuCxsILBP/byjkgzVr++GOaXq1bQYfQ9mYM9WTZ1sJgL3gI69GGNi06T
b52DynLH03e+Z/WcUGcCAwEAAaOCARcwggETMB0GA1UdDgQWBBQug5RT7NqwXX0S
tOvtX7iwZBN0/jCB4wYDVR0jBIHbMIHYgBQug5RT7NqwXX0StOvtX7iwZBN0/qGB
vKSBuTCBtjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMRYwFAYDVQQH
Ew1OZXcgWW9yayBDaXR5MSYwJAYDVQQKEx1QTEFUVFMsIE1jR3Jhdy1IaWxsIENv
bXBhbmllczEMMAoGA1UECxMDSU1TMSIwIAYDVQQDExlueXBwbGRldjIxLnBsYXR0
cy5taG0ubWhjMSIwIAYJKoZIhvcNAQkBFhNnYXJ5X3RheUBwbGF0dHMuY29tggEA
MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAdjp9wNRQ+WYyhfJCOK/L
2umo4kb9cf5bKF8/isUZzmqxlB5ncxvltdITfQ6PIGMR32naohPge4KprAbLH1xE
R6m5Sc+oJeg8+0H6xOokuobpRQZJdDcH15qNmW0hY4BVwCRfwka1k1wa4hdXBhnV
/SXBvN6aaGqu4lRwtky6eRw=
-----END CERTIFICATE-----
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Imobach González Sosa
Sent: Wednesday, September 15, 2004 5:38 PM
To: openldap-software@OpenLDAP.org
Subject: Multi-homed machine and TLS
Hi all,
We've got a multi-homed (and aliased) machine and we're using TLS to secure
communications. The problem is about the certificate: the commonName must be
the host's FQDN, but this machine could be referred using different names, so
TLS only works with one of the host's names. I've read something about
subjectAltName when generating the ssl certificates... is that the right
direction to the solution?
Thank you all.
--
Imobach González Sosa
Servicio de Informática y Comunicaciones de la ULPGC
e-mail: igonzalez@becarios.ulpgc.es
Telephone: +34 928 459519
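Both halves of this thread can be exercised in code: the reply's combined cacert.pem holding the MASTER and SLAVE servers' self-signed CA certificates, and the original question about a multi-homed host that is reached under several names. The Go program below is an added example, not code from either poster or from OpenLDAP. Every host name in it is constructed, the certificates are generated on the fly, and it relies on Go's crypto/x509 verifier, which (like current browsers) matches the requested host only against subjectAltName dNSName entries and ignores the subject commonName.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCA builds a self-signed CA certificate like the ones each LDAP
// server in the thread hands to its clients. cn is the subject commonName and
// dnsNames become subjectAltName entries (nil gives a CN-only certificate).
// Key generation cannot realistically fail, so errors are treated as fatal.
func newSelfSignedCA(cn string, dnsNames []string) (*x509.Certificate, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// buildBundle concatenates PEM certificates into one cacert.pem, as the reply
// does with the MASTER and SLAVE servers' CA certificates.
func buildBundle(pems ...[]byte) []byte {
	var out []byte
	for _, p := range pems {
		out = append(out, p...)
	}
	return out
}

// trusted reports whether a client whose CA file is bundle would accept
// serverCert when it connects to the server under the name host.
func trusted(bundle []byte, serverCert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle)
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Scenario collects the outcomes so they can be inspected or asserted on.
type Scenario struct {
	MasterViaBundle    bool            // master cert, client holds the combined cacert.pem
	SlaveViaBundle     bool            // slave cert, same bundle
	MasterViaSlaveOnly bool            // master cert, client holds only the slave's CA
	MultiHomed         map[string]bool // one SAN certificate checked under several names
	CNOnly             bool            // CN-only certificate checked under its own CN
}

// RunScenario plays through the failover setup from the reply and the
// multi-homed host from the original question (all names constructed).
func RunScenario() *Scenario {
	master, masterPEM := newSelfSignedCA("ldap-master.example.test", []string{"ldap-master.example.test"})
	slave, slavePEM := newSelfSignedCA("ldap-slave.example.test", []string{"ldap-slave.example.test"})
	// One certificate listing every name the multi-homed host is reached by.
	multi, multiPEM := newSelfSignedCA("ldap.example.test",
		[]string{"ldap.example.test", "ldap-alias.example.test", "ldap-internal.example.test"})
	cnOnly, cnOnlyPEM := newSelfSignedCA("ldap-cnonly.example.test", nil)
	bundle := buildBundle(masterPEM, slavePEM, multiPEM)

	s := &Scenario{MultiHomed: map[string]bool{}}
	s.MasterViaBundle = trusted(bundle, master, "ldap-master.example.test")
	s.SlaveViaBundle = trusted(bundle, slave, "ldap-slave.example.test")
	s.MasterViaSlaveOnly = trusted(slavePEM, master, "ldap-master.example.test")
	for _, h := range []string{"ldap.example.test", "ldap-alias.example.test",
		"ldap-internal.example.test", "ldap-unlisted.example.test"} {
		s.MultiHomed[h] = trusted(bundle, multi, h)
	}
	// Trust is not the issue here (the client holds this very certificate);
	// the name check fails because there is no subjectAltName to match.
	s.CNOnly = trusted(cnOnlyPEM, cnOnly, "ldap-cnonly.example.test")
	return s
}

func main() {
	fmt.Printf("%+v\n", *RunScenario())
}
```

Run with `go run .` to print the Scenario struct. The two results worth noting are that a client holding the combined cacert.pem validates either server, so failover from MASTER to SLAVE works without touching the client's trust store again, while a server reached under several names is better served by one certificate carrying all of them in subjectAltName than by one certificate per commonName, because the name the client asked for must appear in the certificate it is offered.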