That is different per OS and application implementation. Search for "update CA certificates [your os or app name]"

 

We only use our LDAP for auth(n/z) so we tell PAM or SSSD (depending on OS version) to use the CA cert we push onto those nodes using our configuration management system (e.g.: puppet, chef) – without having to modify our CA bundles. We DO have an internal CA that java apps must support, as well as some system level apps: on those nodes we update the system as needed (CentOS or Java).

 

Good luck,

- chris

 

From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Aneela Saleem
Sent: Monday, October 05, 2015 12:01 PM
To: Dieter Klünter <dieter@dkluenter.de>
Cc: openldap-technical@openldap.org
Subject: Re: SSL based ldap server

 

Do we need to have CA certificate/server key  on other client machine as well? If yes, then how can we achieve that?

 

On Sun, Oct 4, 2015 at 9:00 PM, Dieter Klünter <dieter@dkluenter.de> wrote:

Am Sun, 4 Oct 2015 19:18:19 +0500
schrieb Aneela Saleem <aneela@platalytics.com>:

> I have followed this link
> <http://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl>.
> I update openssl.cnf file manually and added the ip address of other
> client machine. Then i generated ssl certificate. Now accessing
> ldaps:// platalytics.com:636 from other client machine (i also have
> added platalytics.com in /etc/hosts file) but unable to access it
> from external ip address. What i'm missing now?

Domain Name Service? Firewall? Routing Tables?

-Dieter

>
> On Fri, Oct 2, 2015 at 5:35 PM, Aneela Saleem <aneela@platalytics.com>
> wrote:
>
> > Hi Michael,
> >
> > Thanks for explaining. I just so far performed server side
> > validation using the link
> > <http://www.openldap.org/faq/data/cache/185.html>

> >
> > Can you please guide me how can we perform client side
> > verification? Means how to set subjectAltName extension?
> >
> > On Fri, Oct 2, 2015 at 4:10 PM, Michael Ströder
> > <michael@stroeder.com> wrote:
> >
> >> Aneela Saleem wrote:
> >> > What if i want to access LDAP from external source? how would it
> >> recognize
> >> > platalytics.com?
> >>
> >> Hope fully the client perfoms the TLS hostname check as defined in
> >> RFC 6125.
> >>
> >> All hostnames and IP addresses used by clients have to be listed
> >> in the subjectAltName extension.
> >>
> >> Ciao, Michael.
> >>
> >>
> >


--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E