https://bugs.openldap.org/show_bug.cgi?id=9318
Issue ID: 9318
Summary: RFC 6125 compliance (SANs-ID vs CN-ID)
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: dar@xoe.solutions
Target Milestone: ---
As noted, a client MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client.
It goes on:
Therefore, if and only if the presented identifiers do not include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client, then the client MAY as a last resort check for a string whose form matches that of a fully qualified DNS domain name in a Common Name field of the subject field (i.e., a CN-ID). If the client chooses to compare a reference identifier of type CN-ID against that string, it MUST follow the comparison rules for the DNS domain name portion of an identifier of type DNS-ID, SRV-ID, or URI-ID, as described under Section 6.4.1, Section 6.4.2, and Section 6.4.3.
Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
(https://tools.ietf.org/html/rfc6125#section-6.4.4)
This is an Internet Standards Track document.
LDAP still using CN-ID by default in the presence of URI/DNS/SRV SANs is prohibited and not standards compliant. It _may_ only fall back to CN if none of those values is provided.
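The precedence rule the report quotes from RFC 6125 section 6.4.4 (match DNS-ID, SRV-ID and URI-ID first; consult CN-ID only when none of those SAN types is present, and then only with the DNS-ID comparison rules) can be expressed as a small verifier. The code below is an added example written for this page; it is not OpenLDAP code and not the behaviour slapd currently implements. The `PresentedIdentifiers` container is a hypothetical stand-in for the values a real client would extract from subjectAltName and the subject CN with its TLS library, the sample certificates are constructed, and the wildcard handling is a deliberately conservative reading of section 6.4.3 (wildcard accepted only as the entire left-most label, with at least two labels after it).

```python
"""RFC 6125 section 6.4.4 identity matching: SAN identifiers first,
CN-ID only as a last resort when no DNS-ID/SRV-ID/URI-ID is presented."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class PresentedIdentifiers:
    """Hypothetical container (constructed for this example) for the
    identifiers found in a server certificate."""
    dns_ids: list = field(default_factory=list)       # subjectAltName dNSName
    srv_ids: list = field(default_factory=list)       # subjectAltName SRVName, e.g. "_ldap.example.com"
    uri_ids: list = field(default_factory=list)       # subjectAltName uniformResourceIdentifier
    common_names: list = field(default_factory=list)  # subject CN attribute values


_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def _norm(name):
    """Lower-case and strip a trailing dot; DNS names compare case-insensitively."""
    return name.strip().lower().rstrip(".")


def _is_fqdn_like(value):
    """Section 6.4.4: a CN is only eligible if it looks like a fully qualified DNS name."""
    labels = _norm(value).split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def _match_domain(reference, presented):
    """Section 6.4.3 comparison of the DNS domain name portion, with a
    conservative wildcard policy: '*' must be the whole left-most label and
    must be followed by at least two labels, so '*.com' never matches."""
    ref_labels = _norm(reference).split(".")
    pres_labels = _norm(presented).split(".")
    if "*" not in presented:
        return ref_labels == pres_labels
    if pres_labels[0] != "*" or len(pres_labels) < 3:
        return False
    if any("*" in label for label in pres_labels[1:]):
        return False
    return len(ref_labels) == len(pres_labels) and ref_labels[1:] == pres_labels[1:]


def _match_srv(reference_domain, service, srv_id):
    """Section 6.4.2: the service label must equal the expected service type and
    the remaining DNS domain name portion must match the reference domain."""
    svc, sep, domain = srv_id.partition(".")
    if not sep or not svc.startswith("_") or service is None:
        return False
    return svc[1:].lower() == service.lower() and _match_domain(reference_domain, domain)


def _match_uri(reference_domain, scheme, uri_id):
    """Section 6.4.1 (URI-ID): scheme must match and the host part is compared
    as a DNS domain name."""
    parsed = urlparse(uri_id)
    if scheme is None or parsed.scheme.lower() != scheme.lower() or not parsed.hostname:
        return False
    return _match_domain(reference_domain, parsed.hostname)


def verify_identity(reference_domain, presented, service=None, uri_scheme=None):
    """Return (matched, which_identifier_type) following the 6.4.4 precedence."""
    for dns_id in presented.dns_ids:
        if _match_domain(reference_domain, dns_id):
            return True, "DNS-ID"
    for srv_id in presented.srv_ids:
        if _match_srv(reference_domain, service, srv_id):
            return True, "SRV-ID"
    for uri_id in presented.uri_ids:
        if _match_uri(reference_domain, uri_scheme, uri_id):
            return True, "URI-ID"
    # The MUST NOT in 6.4.4: any SAN of these types present means CN is ignored,
    # even if the CN would have matched.
    if presented.dns_ids or presented.srv_ids or presented.uri_ids:
        return False, "SAN identifiers present; CN-ID not consulted"
    for cn in presented.common_names:
        if _is_fqdn_like(cn) and _match_domain(reference_domain, cn):
            return True, "CN-ID"
    return False, "no matching identifier"


if __name__ == "__main__":
    # Constructed certificate: SAN names another host, CN names ours. The report's
    # point is that this must be rejected; the CN is never consulted.
    cert = PresentedIdentifiers(dns_ids=["other.example.com"], common_names=["ldap.example.com"])
    print(verify_identity("ldap.example.com", cert))
```

The two cases that matter for the report are a certificate whose SAN lists a different host while its CN matches the server name (rejected, and the reason string says why), and a legacy certificate with no SAN at all (the CN fallback is allowed). A client that runs the CN check first, or runs it regardless of SAN contents, accepts the first certificate and is the behaviour the report calls non-compliant.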