Dieter Kluenter wrote:
manu@netbsd.org (Emmanuel Dreyfus) writes:
Quanah Gibson-Mount quanah@zimbra.com wrote:
Is there some kind of trick to get this done properly?
Use a cert with a correct subjectAltName, or a wildcard cert.
For future reference:
Assuming we have in the DNS the following RR:

    foo       IN A 192.0.2.11
    bar       IN A 192.0.2.12
    ldap   1  IN A 192.0.2.11
    ldap   1  IN A 192.0.2.12

Create certificate for foo:

    subjectAltName=DNS:ldap.example.net,DNS:foo.example.net
    CN=ldap.example.net

Create certificate for bar:

    subjectAltName=DNS:ldap.example.net,DNS:bar.example.net
    CN=ldap.example.net
I know that the subjectAltName type DNS is recommended, but RFC 4513 refers to type dNSName. Is there any reason that OpenLDAP requires type DNS?
They are one and the same. "DNS" is just the way that it is specified in the OpenSSL tools.
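As an added illustration (not code from this thread or from OpenLDAP), the following stand-alone Python shows the server identity check an LDAP client performs after StartTLS/ldaps: the dNSName values of subjectAltName are compared with the host the client connected to, a leading "*" is honoured only as a whole left-most label, and the subject CN is consulted only when the certificate carries no dNSName at all (the RFC 6125 rule, assumed here). The two certificate layouts are constructed from the foo/bar scheme above.

```python
"""Server identity check for an LDAP TLS session (RFC 4513 section 3.1.3 style).

Standard library only. The certificates below are constructed examples that
mirror the foo/bar scheme discussed in the thread; nothing is parsed from
real X.509 data.
"""
import re
from typing import Iterable, List, Optional

_LABEL = re.compile(r"[A-Za-z0-9-]{1,63}")


def _label_ok(label: str) -> bool:
    return bool(_LABEL.fullmatch(label))


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Compare one presented dNSName (optionally '*.' prefixed) with the reference host.

    Comparison is case-insensitive. '*' is accepted only as the entire
    left-most label and stands for exactly one label, so *.example.net
    matches foo.example.net but neither example.net nor a.b.example.net.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(map(_label_ok, h_labels)):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole TLD such as "*.net".
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return all(map(_label_ok, p_labels)) and p_labels == h_labels


def identity_accepted(hostname: str, san_dnsnames: Iterable[str],
                      cn: Optional[str]) -> bool:
    """True if the certificate validly asserts hostname.

    dNSName entries in subjectAltName are authoritative; the subject CN is a
    fallback used only when no dNSName is present at all.
    """
    sans: List[str] = list(san_dnsnames)
    if sans:
        return any(dnsname_matches(s, hostname) for s in sans)
    return cn is not None and dnsname_matches(cn, hostname)


# Constructed certificates following the scheme in the thread: each server
# carries the shared service name plus its own host name.
CERT_FOO = {"san": ["ldap.example.net", "foo.example.net"], "cn": "ldap.example.net"}
CERT_BAR = {"san": ["ldap.example.net", "bar.example.net"], "cn": "ldap.example.net"}


def check_cert(cert: dict, hostname: str) -> bool:
    """Would a client that connected to hostname accept this certificate?"""
    return identity_accepted(hostname, cert["san"], cert["cn"])
```

Note that a certificate whose only dNSName is foo.example.net is rejected for ldap.example.net even though its CN says ldap.example.net, which is exactly why both names go into subjectAltName.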