
Re: openldap tls using ip addresses



On Wed, 2 Jul 2008, Yao Mingxi wrote:
> I am trying to set up tls for ldap connection using self signed 
> certificates and I realized that I must use the host name of the 
> openldap server as the uri for tls to work. Is there a way to use ip 
> addresses as uri and utilizing tls? And is there a way for multiple 
> replicated openldap server to accept a single tls certificate?

This really isn't an LDAP question but rather a general TLS or PKI (public 
key infrastructure) question.  The one bit specific to OpenLDAP is the 
question of what X.509 cert extensions it supports in this area.  The 
answer for that is that it supports the dNSName and iPAddress types for 
subjectAltName extension values.  The latter can be used for both IPv4 and 
IPv6 addresses (if compiled to support IPv6 at all).

So, if you want to use IP addresses in URIs with TLS, you should create 
your certs with values of the iPAddress type in the subjectAltName 
extension.

How to do _that_ depends completely on your PKI/CA software and has 
nothing to do with LDAP itself.  You should check the docs for your PKI/CA 
software and/or consult the mailing lists for it if you need assistance in 
creating such certs.


Philip Guenther
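The following is an added example, not part of the thread above, showing one way to do what the reply describes when the CA software in question is OpenSSL: a self-signed certificate whose subjectAltName carries both dNSName and iPAddress entries (IPv4 and IPv6), and lists every replica so a single certificate can be installed on all of them. The hostnames and addresses (ldap1.example.com, 192.0.2.10, 2001:db8::10, etc.) are made up for the example; substitute your own. The check at the end uses OpenSSL's own name matching, which is the same kind of SAN comparison a TLS client performs against the host or address in the ldaps:// URI.

```shell
#!/bin/sh
# Added example, not from the original thread or the OpenLDAP project.
# Builds a self-signed server cert with dNSName and iPAddress SAN entries
# and checks which names/addresses it matches. All names and addresses are
# constructed (RFC 5737 / RFC 3849 documentation ranges).
set -eu

WORK="${TMPDIR:-/tmp}/ldap-san.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_san_cert DIR: writes DIR/ldap-key.pem and DIR/ldap-cert.pem.
# The SAN lists every replica by name and by address, so the one cert can
# be deployed on all of them. Note the trade-off: the private key then
# lives on every replica, so compromising one exposes the others.
make_san_cert() {
    dir="$1"
    cat > "$dir/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[ dn ]
CN = ldap1.example.com

[ v3_san ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = ldap1.example.com
DNS.2 = ldap2.example.com
DNS.3 = ldap3.example.com
IP.1  = 192.0.2.10
IP.2  = 192.0.2.11
IP.3  = 2001:db8::10
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/san.cnf" \
        -keyout "$dir/ldap-key.pem" -out "$dir/ldap-cert.pem" >/dev/null 2>&1
}

# san_entries CERT: prints the decoded subjectAltName line of CERT.
san_entries() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

# cert_matches_ip CERT IP: exit 0 if an iPAddress SAN in CERT equals IP.
# The self-signed cert is used as its own trust anchor, as clients of a
# self-signed deployment would configure it (e.g. TLS_CACERT in ldap.conf).
cert_matches_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# cert_matches_host CERT NAME: exit 0 if a dNSName SAN in CERT matches NAME.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demo.
CERT="$WORK/ldap-cert.pem"
make_san_cert "$WORK"
echo "SAN: $(san_entries "$CERT")"
for target in 192.0.2.10 192.0.2.11 2001:db8::10 192.0.2.99; do
    if cert_matches_ip "$CERT" "$target"; then
        echo "ldaps://$target  -> accepted"
    else
        echo "ldaps://$target  -> rejected (no matching iPAddress SAN)"
    fi
done
```

Once the certificate is installed on each replica, a client configured with the cert as its trust anchor can use either `ldaps://ldap2.example.com` or `ldaps://192.0.2.11` and the SAN check will pass; an address missing from the list (192.0.2.99 above) is rejected, which is exactly the failure the original poster saw when the URI named something the cert did not.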