manu@netbsd.org (Emmanuel Dreyfus) writes:
Quanah Gibson-Mount <quanah@zimbra.com> wrote:
Is there some kind of trick to get this done properly?
Use a cert with a correct subjectAltName, or a wildcard cert.
For future reference:
Assuming we have in the DNS the following RR:

    foo   IN A 192.0.2.11
    bar   IN A 192.0.2.12
    ldap 1 IN A 192.0.2.11
    ldap 1 IN A 192.0.2.12

Create certificate for foo:

    subjectAltName=DNS:ldap.example.net,DNS:foo.example.net
    CN=ldap.example.net

Create certificate for bar:

    subjectAltName=DNS:ldap.example.net,DNS:bar.example.net
    CN=ldap.example.net
I know that the subjectAltName type DNS is recommended, but RFC 4513 refers to type dNSName. Is there any reason that OpenLDAP requires type DNS?
-Dieter
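The following is an added example, not code from the thread or from OpenLDAP: a model of the RFC 4513 section 6.4 server identity check, applied to the two certificates described above. The certificate dictionaries and the CN-only certificate are constructed for the demonstration; the `DNS:` prefix in OpenSSL's subjectAltName syntax is how the dNSName GeneralName is written.

```python
"""Model of the RFC 4513 section 6.4 server identity check for LDAP over TLS."""


def _dns_match(reference: str, presented: str) -> bool:
    """Case-insensitive comparison; '*' is honoured only as the entire left-most label."""
    ref = reference.lower().rstrip(".")
    pres = presented.lower().rstrip(".")
    if pres == ref:
        return True
    if pres.startswith("*."):
        ref_labels, pres_labels = ref.split("."), pres.split(".")
        # A wildcard stands for exactly one label, so the label counts must agree
        # and every label after the wildcard must be identical.
        return len(ref_labels) == len(pres_labels) and ref_labels[1:] == pres_labels[1:]
    return False


def match_server_identity(reference, san_dns_names, subject_cn):
    """Return True when the presented identities satisfy the client's reference identity.

    san_dns_names: dNSName values from subjectAltName (any one matching is enough).
    subject_cn:    CN of the leaf RDN, consulted only when no dNSName is present
                   and compared without wildcard matching (RFC 4513 section 6.4).
    """
    if san_dns_names:
        return any(_dns_match(reference, name) for name in san_dns_names)
    if subject_cn is None or "*" in subject_cn:
        return False
    return reference.lower().rstrip(".") == subject_cn.lower().rstrip(".")


# Constructed descriptions of the certificates from the thread (round-robin name
# ldap.example.net plus the individual host name), and a CN-only certificate
# that lacks the round-robin name in any dNSName entry.
FOO_CERT = {"san": ["ldap.example.net", "foo.example.net"], "cn": "ldap.example.net"}
BAR_CERT = {"san": ["ldap.example.net", "bar.example.net"], "cn": "ldap.example.net"}
CN_ONLY_CERT = {"san": ["foo.example.net"], "cn": "ldap.example.net"}


def check(cert, reference):
    """Convenience wrapper: does this certificate satisfy the reference identity?"""
    return match_server_identity(reference, cert["san"], cert["cn"])


if __name__ == "__main__":
    for name, cert in (("foo", FOO_CERT), ("bar", BAR_CERT), ("cn-only", CN_ONLY_CERT)):
        for ref in ("ldap.example.net", "foo.example.net", "bar.example.net"):
            print(f"{name:8s} {ref:18s} {'ok' if check(cert, ref) else 'MISMATCH'}")
```

Run as-is it prints a matrix showing that only the certificates carrying the round-robin name as a dNSName satisfy a client that connected to ldap.example.net; the CN is ignored once any dNSName is present.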