Quanah Gibson-Mount quanah@zimbra.com wrote:
Is there some kind of trick to get this done properly?
Use a cert with a correct subjectAltName, or a wildcard cert.
For future reference:
Assuming we have in the DNS the following RR: foo IN A 192.0.2.11 bar IN A 192.0.2.12 ldap 1 IN A 192.0.2.11 ldap 1 IN A 192.0.2.12
Create certificate for foo: subjectAltName=DNS:ldap.example.net,DNS:foo.example.net CN=ldap.example.net
Create certificate for bar: subjectAltName=DNS:ldap.example.net,DNS:bar.example.net CN=ldap.example.net
On foo and bar, for generating the CSR, i needed that in /etc/openssl/openssl.cnf, in order to have openssl asking for subjectAltName [ req ] (...) distinguished_name = req_distinguished_name (...) [ req_distinguished_name ] (...) subjectAltName = Alternative Subject Name subjectAltName_default = DNS:fqdn
On the CA, for signing the certificate, I needed that in /etc/openssl/openssl.cnf :
[ ca ] default_ca = CA_default [ CA_default ] (...) policy = policy_match
[ policy_match ] (...) subjectAltName = optional
Then, I have been able to use URI ldaps://ldap.example.net:636 in ldap.conf