We're using the openldap packages from RHEL6/CentOS6.4:
# rpm -qa | grep openldap
openldap-servers-2.4.23-32.el6_4.1.x86_64
openldap-clients-2.4.23-32.el6_4.1.x86_64
openldap-2.4.23-32.el6_4.1.x86_64
Things are working well for us with certs that use the VIP for Subject, and a SAN list that includes the node names:
# openssl x509 -in /etc/openldap/cacerts/servercrt.pem -text -noout | grep ldap
Subject: C=US, ST=WA, L=Seattle, O=[snipped], OU=[snipped], CN=ldap-vip.[snipped]/emailAddress=[snipped]
DNS:ldapmaster1.[snipped], DNS:ldapmaster2.[snipped]
The certs and reqs were done via OpenSSL.
For whatever this is worth...
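An added example, not code from this thread or from OpenLDAP: it mints a self-signed test cert shaped like the one above (Subject CN = VIP name, SAN = node names) with the openssl command-line tool, lists the SAN the way the poster did, and asks OpenSSL which hostnames it accepts for that cert. It assumes an openssl binary of 1.0.2 or later (for -verify_hostname) and uses constructed example.com names; it also shows the caveat that once DNS SANs are present OpenSSL ignores the CN, so the VIP name has to be in the SAN as well.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a self-signed test cert
# shaped like the poster's (Subject CN = VIP name, SAN = node names) and
# checks which hostnames OpenSSL accepts for it. All names are constructed.
set -eu

WORK=$(mktemp -d)

# make_san_cert VIP NODE... : prints the path of a cert with CN=VIP and a
# subjectAltName listing NODE... . A config file is used instead of
# 'req -addext' so this also works with older OpenSSL releases.
make_san_cert() {
    vip=$1; shift
    sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
    crt=$(mktemp "$WORK/crt.XXXXXX")
    cat > "$crt.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = $vip
[v3_san]
subjectAltName = $sans
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$crt.key" -out "$crt" -config "$crt.cnf" >/dev/null 2>&1
    printf '%s\n' "$crt"
}

# host_ok CERT HOST : succeeds if OpenSSL's hostname check accepts HOST for
# CERT (self-signed, so the cert is its own trust anchor). The printed
# verdict is checked because old 'openssl verify' builds exit 0 on failure.
host_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" 2>&1 | grep -q ': OK$'
}

# list_sans CERT : the SAN's DNS entries, one per line (the same
# 'x509 -text' view the poster grepped).
list_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*'
}

# With DNS SANs present, OpenSSL ignores the CN: the VIP name is only
# accepted once it is listed in the SAN alongside the node names.
CRT=$(make_san_cert ldap-vip.example.com ldapmaster1.example.com ldapmaster2.example.com)
list_sans "$CRT"
host_ok "$CRT" ldapmaster1.example.com && echo "ldapmaster1 (in SAN): accepted"
host_ok "$CRT" ldap-vip.example.com || echo "ldap-vip (CN only): rejected"
```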
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Quanah Gibson-Mount
Sent: Friday, October 18, 2013 9:08 AM
To: lejeczek; openldap-technical@openldap.org
Subject: Re: Subject Alternative Name in TLS - does this work?

--On Friday, October 18, 2013 8:52 AM +0100 lejeczek <peljasz@yahoo.co.uk> wrote:
slapd is Red Hat's openldap-servers-2.4.23-26.el6_3.2.x86_64. I hoped that since slapd does not say a bad word about a TLS cert with SAN, its tool would be fine too.
Get a current release that is linked to OpenSSL, not the MozNSS garbage RH links to.
You may want to try http://ltb-project.org/wiki/download#openldap
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration