
Re: SSL based ldap server



On Tue, 6 Oct 2015 00:00:43 +0500,
Aneela Saleem <aneela@platalytics.com> wrote:

> Do we need to have CA certificate/server key on other client machine
> as well? If yes, then how can we achieve that?

Yes, you have to install a CA certificate on all hosts that want to
access an LDAP server, and the client application on remote hosts needs
to know the place of this CA; usually that is configured in
ldap.conf(5), but it depends on the client's abilities.

-Dieter


> 
> On Sun, Oct 4, 2015 at 9:00 PM, Dieter Klünter <dieter@dkluenter.de>
> wrote:
> 
> > On Sun, 4 Oct 2015 19:18:19 +0500,
> > Aneela Saleem <aneela@platalytics.com> wrote:
> >
> > > I have followed this link
> > > <http://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl>.
> > > I updated the openssl.cnf file manually and added the IP address of
> > > the other client machine. Then I generated the SSL certificate. Now I am
> > > accessing ldaps://platalytics.com:636 from the other client machine
> > > (I also have added platalytics.com to the /etc/hosts file) but am unable
> > > to access it from the external IP address. What am I missing now?
> >
> > Domain Name Service? Firewall? Routing Tables?
> >
> > -Dieter
> >
> > >
> > > On Fri, Oct 2, 2015 at 5:35 PM, Aneela Saleem
> > > <aneela@platalytics.com> wrote:
> > >
> > > > Hi Michael,
> > > >
> > > > Thanks for explaining. So far I have only performed server-side
> > > > validation using the link
> > > > <http://www.openldap.org/faq/data/cache/185.html>
> > > >
> > > > Can you please guide me on how we can perform client-side
> > > > verification? Meaning, how do I set the subjectAltName extension?
> > > >
> > > > On Fri, Oct 2, 2015 at 4:10 PM, Michael Ströder
> > > > <michael@stroeder.com> wrote:
> > > >
> > > >> Aneela Saleem wrote:
> > > >> > What if I want to access LDAP from an external source? How
> > > >> > would it recognize platalytics.com?
> > > >>
> > > >> Hopefully the client performs the TLS hostname check as
> > > >> defined in RFC 6125.
> > > >>
> > > >> All hostnames and IP addresses used by clients have to be
> > > >> listed in the subjectAltName extension.
> > > >>
> > > >> Ciao, Michael.



-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
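An added example, not from anyone in this thread, that puts the two answers together: mint a private CA and a server certificate whose subjectAltName lists every name and IP clients will use, then run the chain and RFC 6125 hostname/IP checks a client performs against that CA. platalytics.com is the thread's host; 203.0.113.10, the CA name and the ldap.conf path are constructed.

```shell
#!/bin/sh
# Added example: private CA + SAN certificate, then client-side checks.
# platalytics.com is from the thread; 203.0.113.10 and "Test LDAP CA" are constructed.
set -eu
WORK=$(mktemp -d)

mk_pki() {
  # The CA every client host must trust (what TLS_CACERT in ldap.conf(5) points at).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Test LDAP CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Server key and CSR. The CN alone is not enough; clients match on the SAN.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=platalytics.com" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
  # Every hostname and IP address clients connect with goes into subjectAltName.
  printf 'subjectAltName=DNS:platalytics.com,IP:203.0.113.10\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.ext" -out "$WORK/ldap.pem" 2>/dev/null
}

# What a verifying client does: chain to the trusted CA AND match the name
# (or IP) it connected with against the SAN. Exit 0 only if both hold.
check_host() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/ldap.pem" >/dev/null 2>&1
}
check_ip() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$1" "$WORK/ldap.pem" >/dev/null 2>&1
}

# Same check on a client that has NOT installed the CA: fails regardless of SAN.
check_host_without_ca() {
  openssl verify -verify_hostname "$1" "$WORK/ldap.pem" >/dev/null 2>&1
}

# ldap.conf(5) lines for an OpenLDAP client: trust this CA and refuse
# connections whose server certificate does not verify.
client_conf() {
  printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

mk_pki
check_host platalytics.com && echo "platalytics.com: OK"
check_ip 203.0.113.10 && echo "203.0.113.10: OK"
check_host ldap.example.org || echo "ldap.example.org: rejected (not in SAN)"
check_host_without_ca platalytics.com || echo "no CA on client: rejected"
client_conf /etc/ssl/certs/ldap-ca.pem
```

A client that connects to the server by a name or address missing from the SAN, or that has no copy of the CA, gets exactly the failures shown, which is the usual reason an ldaps:// URL works locally but not from another host.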