Hi,
Alex Samad alex@samad.com.au writes:
On Mon, Jan 21, 2008 at 06:12:33AM +0100, Emmanuel Dreyfus wrote:
Howard Chu hyc@symas.com wrote:
a) a way to specify another certificate to use in the syncrepl config
In OpenLDAP 2.4, yes. Read the manpage.
With 2.3, if a different cn is needed for the ldaps server and the syncrepl client, a certificate with subjectAltName may help.
It's not the name.
There seem to be two scenarios in which a cert is used:
1) as a server, to verify that you have connected to the right machine and to ensure your packets are encrypted. This requires a certificate with purpose SSL Server.
2) as a client, when an ldap server in a syncrepl setup is talking to the master server. This requires a certificate with purpose SSL Client.
I am trying to find out if it is possible to use a different certificate for the syncrepl process, but I can't find it. Maybe it's in the saslmech option.
You may use the sasl external mechanism and create a certificate with a DN matching the bindDN (although you don't have to define a binddn).
-Dieter
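As an added illustration of the two certificate roles discussed in this thread (not configuration from any poster), here is an OpenLDAP 2.4 slapd.conf sketch: the consumer's listener uses its SSL Server cert, while the syncrepl stanza hands a separate SSL Client cert to the provider and binds with SASL EXTERNAL, so the cert's subject DN becomes the replication identity. All hostnames, file paths and DNs are assumed placeholders.

```conf
# ---- consumer (replica) slapd.conf, assumed paths/names ----
# Listener identity: the SSL Server certificate (purpose: server auth)
TLSCACertificateFile   /etc/openldap/ca.pem
TLSCertificateFile     /etc/openldap/replica-server.pem
TLSCertificateKeyFile  /etc/openldap/replica-server.key

database        hdb
suffix          "dc=example,dc=com"
# syncrepl uses its own SSL Client certificate (purpose: client auth);
# with saslmech=EXTERNAL the cert's subject DN is the authentication
# identity, so no binddn/credentials are needed (2.4 syncrepl options).
syncrepl rid=001
        provider=ldaps://master.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=sasl
        saslmech=EXTERNAL
        tls_cert=/etc/openldap/replica-client.pem
        tls_key=/etc/openldap/replica-client.key
        tls_cacert=/etc/openldap/ca.pem
        tls_reqcert=demand

# ---- provider (master) slapd.conf, assumed paths/names ----
# Require and verify the consumer's client certificate.
TLSCACertificateFile   /etc/openldap/ca.pem
TLSCertificateFile     /etc/openldap/master-server.pem
TLSCertificateKeyFile  /etc/openldap/master-server.key
TLSVerifyClient        demand

# Either issue the client cert with subject DN equal to the replicator
# entry, or map the cert DN onto it here (assumed DNs).
authz-regexp
        "^cn=replica1,ou=replicas,o=example$"
        "cn=replicator,dc=example,dc=com"

database        hdb
suffix          "dc=example,dc=com"
overlay         syncprov
# The mapped identity needs read access to replicate the tree.
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * break
```

The consumer can confirm the client cert is what it presents by running `ldapwhoami -Y EXTERNAL -H ldaps://master.example.com` with the same cert configured in ldap.conf; the returned DN should be the mapped replicator entry.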