That is different per OS and application implementation. Search for "update CA
certificates [your os or app name]"
We only use our LDAP for auth(n/z) so we tell PAM or SSSD (depending on OS version) to use
the CA cert we push onto those nodes using our configuration management system (e.g.:
puppet, chef) – without having to modify our CA bundles. We DO have an internal CA that
java apps must support, as well as some system level apps: on those nodes we update the
system as needed (CentOS or Java).
Good luck,
- chris
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of
Aneela Saleem
Sent: Monday, October 05, 2015 12:01 PM
To: Dieter Klünter <dieter(a)dkluenter.de>
Cc: openldap-technical(a)openldap.org
Subject: Re: SSL based ldap server
Do we need to have CA certificate/server key on other client machine as well? If yes,
then how can we achieve that?
On Sun, Oct 4, 2015 at 9:00 PM, Dieter Klünter
<dieter@dkluenter.de> wrote:
On Sun, 4 Oct 2015 19:18:19 +0500, Aneela Saleem
<aneela@platalytics.com> wrote:
I have followed this link
<http://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-sig...>.
I updated the openssl.cnf file manually and added the IP address of the other
client machine. Then I generated the SSL certificate. Now I am accessing
ldaps://platalytics.com:636 from the other client machine (I have also
added platalytics.com to the /etc/hosts file) but am unable to access it
from an external IP address. What am I missing now?
Domain Name Service? Firewall? Routing Tables?
-Dieter
On Fri, Oct 2, 2015 at 5:35 PM, Aneela Saleem
<aneela@platalytics.com> wrote:
> Hi Michael,
>
> Thanks for explaining. So far I have just performed server-side
> validation using the link
> <http://www.openldap.org/faq/data/cache/185.html>
>
> Can you please guide me on how we can perform client-side
> verification? That is, how do we set the subjectAltName extension?
>
> On Fri, Oct 2, 2015 at 4:10 PM, Michael Ströder
> <michael@stroeder.com> wrote:
>
>> Aneela Saleem wrote:
>> > What if I want to access LDAP from an external source? How would it
>> > recognize platalytics.com?
>>
>> Hopefully the client performs the TLS hostname check as defined in
>> RFC 6125.
>>
>> All hostnames and IP addresses used by clients have to be listed
>> in the subjectAltName extension.
>>
>> Ciao, Michael.
>>
>>
>
--
Dieter Klünter | System Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
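Michael's point in this thread (the client checks the server name per RFC 6125, so every hostname and IP address clients connect with must be listed in subjectAltName) is the part that explains why reaching the server by its external IP fails when the certificate only names platalytics.com. The following is an added example, not code from the thread or from OpenLDAP: a standard-library Python reimplementation of that reference-identity check, plus an admin-side helper that lists the identities a given SAN does not cover. The SAN contents, hostnames and addresses are constructed sample data; `match_hostname` and `missing_identities` are the example's own functions.

```python
"""RFC 6125-style reference-identity check against a certificate's
subjectAltName (SAN) entries, using only the standard library.

Added example, not code from the thread. SAN contents below are constructed
sample data, not taken from a real certificate.
"""
import ipaddress

# Constructed SAN contents: what a server certificate would need to carry so
# that clients connecting by either name or address pass the hostname check.
SAN_SAMPLE = {
    "dns": ["ldap.example.com", "*.ldap.example.com"],
    "ip": ["192.0.2.10", "2001:db8::10"],
}


def _dns_match(pattern, ref):
    """Match one dNSName SAN entry against a lowercase reference hostname.

    Rules follow common client behaviour: labels compare exactly, a wildcard
    may only be the whole leftmost label, it matches exactly one label, and it
    needs at least two labels to its right (so "*.com" is rejected).
    """
    p_labels = pattern.split(".")
    r_labels = ref.split(".")
    if len(p_labels) != len(r_labels) or "" in r_labels:
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == r_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "ld*p.example.com" rejected
    return p_labels == r_labels


def match_hostname(san, reference):
    """Return True if `reference` (the hostname or IP literal the client used
    to connect) is covered by the SAN entries. The CN is never consulted."""
    ref = reference.strip().rstrip(".").lower()
    if ref.startswith("[") and ref.endswith("]"):
        ref = ref[1:-1]  # bracketed IPv6 literal as written in a URL
    try:
        addr = ipaddress.ip_address(ref)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal matches iPAddress entries only, exactly, never a dNSName
        # entry; this is why "ldaps://<external ip>" fails with a name-only cert.
        return any(ipaddress.ip_address(e) == addr for e in san.get("ip", []))
    return any(_dns_match(e.rstrip(".").lower(), ref) for e in san.get("dns", []))


def missing_identities(san, client_identities):
    """Admin-side check: which of the names/addresses clients actually use are
    NOT covered by the SAN and would therefore fail the hostname check."""
    return [ident for ident in client_identities if not match_hostname(san, ident)]


if __name__ == "__main__":
    # Constructed list of how clients reach the server: by name and by address.
    used_by_clients = ["ldap.example.com", "192.0.2.10",
                       "203.0.113.7", "ldap.example.org"]
    print("not in SAN:", missing_identities(SAN_SAMPLE, used_by_clients))
```

Real clients (libldap with `TLS_REQCERT demand`, SSSD, Java's trust manager) perform this check themselves; the value of running the logic by hand is seeing, before regenerating a certificate, which of the identities in use would be rejected, so that the regenerated SAN lists every one of them, IP literals included.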