-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Howard Chu
Sent: Monday, October 21, 2013 3:04 AM
To: lejeczek; Christian Kratzer
Cc: Christian Kratzer; openldap-technical@openldap.org
Subject: Re: Subject Alternative Name in TLS - does this work?
lejeczek wrote:
that was me, the way I tried to sign the certificate was... incorrect
apologies and great and many thanks to everybody
I can now ldapsearch on both slapd.domain.local and slap.domain.external with -ZZZ, all good (only I cannot confirm if the CN has to be repeated in subjectAltName as per Olo's tip; currently it IS repeated in my cert)
No. The CN does not need to be repeated, anyone who says so is wrong. Other libraries (e.g. old Solaris/Sun/Mozilla LDAP) may have required this but they are defective and obsolete. The Mozilla LDAP SDK has been abandoned, and Solaris 11 now bundles OpenLDAP.
True, but putting the subject in the SAN list isn't bad or wrong per se. A bit like offering wheel ramps for those older libraries/clients, even though newer stuff exists obsoleting those ramps. - chris
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
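An added example, not from anyone in this thread and not OpenLDAP project code, showing Howard's point with plain openssl: a server certificate whose hostnames appear only in subjectAltName, with a CN that is deliberately not a hostname and not repeated in the SAN, still passes hostname verification for the SAN names. The hostnames slapd.domain.local and slapd.domain.external are taken from the thread; the CN "ldap-server", the throwaway CA and the helper check_hostname are assumptions made for this example. It needs OpenSSL 1.1.0 or newer for "openssl verify -verify_hostname"; everything is written to a temporary directory and nothing is installed.

```shell
#!/bin/sh
# Added example (not from the thread): hostnames live only in subjectAltName.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Throwaway test CA, constructed for this example only.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -keyout ca.key -out ca.pem 2>/dev/null

# Server CSR. The CN "ldap-server" is an assumed placeholder label; it is
# NOT a name clients connect to and is NOT repeated in the SAN below.
cat > server.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ldap-server
EOF
openssl req -new -config server.cnf -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr 2>/dev/null

# Leaf extensions: both hostnames from the thread, SAN only.
cat > san.cnf <<'EOF'
subjectAltName = DNS:slapd.domain.local, DNS:slapd.domain.external
extendedKeyUsage = serverAuth
EOF
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile san.cnf -out server.pem 2>/dev/null

# Show what ended up in the certificate (subject and SAN).
openssl x509 -in server.pem -noout -subject
openssl x509 -in server.pem -noout -text | grep -A1 'Subject Alternative Name'

# Hypothetical helper: exit 0 when "$1" verifies against server.pem (chain
# via ca.pem plus hostname check), non-zero otherwise. With dNSName entries
# present in the SAN, OpenSSL's X509_check_host ignores the CN entirely.
check_hostname() {
    openssl verify -CAfile ca.pem -verify_hostname "$1" server.pem >/dev/null 2>&1
}

# Demonstration when run stand-alone.
for name in slapd.domain.local slapd.domain.external ldap-server; do
    if check_hostname "$name"; then
        echo "$name: OK (matched via subjectAltName)"
    else
        echo "$name: NOT matched (not in SAN; CN is not consulted)"
    fi
done
```

The third check is the caveat worth knowing: because the SAN carries dNSName entries, the CN is never consulted, so a client that connects using the CN value alone would fail. Repeating a hostname in both CN and SAN, as Chris notes, does no harm; it just is not what modern libraries match on.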