On Wed, 2 Jul 2008, Yao Mingxi wrote:
I am trying to set up TLS for LDAP connections using self-signed certificates and I realized that I must use the host name of the OpenLDAP server as the URI for TLS to work. Is there a way to use IP addresses as the URI and utilize TLS? And is there a way for multiple replicated OpenLDAP servers to accept a single TLS certificate?
This really isn't an LDAP question but rather a general TLS or PKI (public key infrastructure) question. The one bit specific to OpenLDAP is the question of what X509 cert extensions it supports in this area. The answer for that is that it supports the dNSName and iPAddress types for subjectAltName extension values. The latter can be used for both IPv4 and IPv6 addresses (if compiled to support IPv6 at all).
So, if you want to use IP addresses in URIs with TLS, you should create your certs with values of the iPAddress type in the subjectAltName extension.
How to do _that_ depends completely on your PKI/CA software and has nothing to do with LDAP itself. You should check the docs for your PKI/CA software and/or consult the mailing lists for it if you need assistance in creating such certs.
Philip Guenther
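As an added example, not from the thread, here is the name-check a TLS client performs when the LDAP URI host is compared against a certificate's subjectAltName entries: a DNS name is matched only against dNSName values, an IP literal only against iPAddress values, which is why a cert without iPAddress entries fails for `ldaps://192.0.2.10`. The SAN lists and the helper names (`san_matches`, `dns_matches`, `uri_host`) are constructed for illustration and assume the RFC 6125 / RFC 5280 matching rules that OpenLDAP's TLS backends follow.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN lists for two hypothetical certificates. One certificate
# that lists every replica's name and address can be shared by all replicas.
SAN_DNS_ONLY = [("DNS", "ldap1.example.com"), ("DNS", "ldap2.example.com")]
SAN_WITH_IPS = SAN_DNS_ONLY + [("IP", "192.0.2.10"), ("IP", "192.0.2.11"),
                               ("IP", "2001:db8::a")]


def uri_host(uri):
    """Host part of an ldap:// or ldaps:// URI (port and IPv6 brackets removed)."""
    return urlsplit(uri).hostname


def dns_matches(pattern, host):
    """Case-insensitive dNSName comparison; a single wildcard is accepted only
    as the complete leftmost label and never spans more than one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def san_matches(san, uri):
    """Return True when the URI's host is covered by the SAN entry list."""
    host = uri_host(uri)
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # IP literal in the URI: only iPAddress entries count, and they are
        # compared as addresses so "2001:db8::a" equals "2001:0db8::000a".
        return any(kind == "IP" and ipaddress.ip_address(value) == addr
                   for kind, value in san)
    # DNS host in the URI: iPAddress entries are ignored entirely.
    return any(kind == "DNS" and dns_matches(value, host) for kind, value in san)


if __name__ == "__main__":
    for uri in ("ldap://ldap1.example.com", "ldaps://192.0.2.10", "ldaps://[2001:0db8::a]:636"):
        print(uri, "dns-only:", san_matches(SAN_DNS_ONLY, uri),
              "with-ips:", san_matches(SAN_WITH_IPS, uri))
```

Checking a real server's certificate against this logic is a matter of reading its SAN list out of the cert (for example with `openssl x509 -noout -ext subjectAltName`) and feeding the entries in as the `san` list.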