
LDAPS Cert Question


Joey Kinney

Dec 14, 2009, 11:48:39 AM
I have an eDirectory tree that is used exclusively for LDAP queries. In
this tree I have servers behind load balancers and I'd like to change the
certificate used by TLS & LDAPS to a certificate that matches the hostname
of the virtual interface on the load balancer. I know I can change the cert
that LDAP is using, however can I generate a cert that matches the VIP and
then use the same cert for both of the servers that reside behind the load
balancer?? Basically, I just want to use the same cert for both servers to
answer TLS & LDAPS requests. Is there any problem with that or is there
something I should watch out for??

Thanks in advance!!


Joey

a...@novell.com

Dec 14, 2009, 12:03:39 PM

As long as LDAP loads in that case I think you should be fine. The
verification of the subject line (the DN or IP address) is handled by the
client's access to the machine (typically you want to use DNS if clients
access via DNS, and IP if they access via IP.... not sure how to make it
work both ways to be honest) so as long as your server hands out the
correct certificate you should be fine.

Good luck.

Peter Kuo

Dec 14, 2009, 7:56:27 PM
You can't, that I know of, using the eDir CA as it doesn't support
wildcard certs - which is sort of what you're trying to do ...


--


Peter
eDirectory Rules!
http://www.DreamLAN.com

Dave Parkes

Dec 15, 2009, 4:56:13 AM
However, if you use the custom certificate option, you may be able to get
both names into the generated certificate using the 'Add Name' button?

Cheers Dave


--
Dave Parkes [NSCS]
Occasionally resident at http://support-forums.novell.com/

Dave Parkes

Dec 15, 2009, 10:46:48 AM
I'm sure I used to use it to get the same cert to work for both name and
IP address, but it was a while ago :-)

Peter Kuo

Dec 15, 2009, 9:24:59 PM
Well, good for you then - don't have any load-balancing toys to play with
here ...

Peter Kuo

Dec 16, 2009, 2:15:28 AM
OK, finally had a chance to read up on it - the field in question is
Subject Alternative Name and one can insert "as many as desired" DNS or IP
addresses into it so that the single SSL cert can be used to verify
multiple "sites" - as long as they are explicitly listed in that field. So,
while not as flexible as a wildcard cert, from the description it
works. And I guess in this case, one needs to add at least 2 more entries:
the DNS and IP of the other LDAP server so there is a total of 4 "names"
for the cert's Subject name.
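
To make concrete what the client side actually checks once those names are in the certificate, here is an added example (not code from the thread, eDirectory, or Novell): a minimal RFC 6125-style name matcher run against two constructed SAN lists, the shared VIP cert Peter describes (VIP hostname and IP plus both backend servers) and a single-server cert. The hostnames and 192.0.2.x addresses are placeholders. It goes slightly beyond the thread by also handling a wildcard entry, so you can see why a client that connects by IP ignores DNS entries, and vice versa, and why every name a client might use has to be listed explicitly.

```python
"""Which connection targets would a certificate's SAN entries satisfy?

Added illustration, not part of the original thread. The SAN lists below are
constructed sample data, not real eDirectory certificates.
"""
import ipaddress

# Constructed: the shared cert the thread arrives at, carrying the load
# balancer VIP (DNS + IP) and both backend servers (DNS + IP).
VIP_CERT_SANS = [
    ("DNS", "ldap.example.com"),   # VIP hostname (placeholder)
    ("IP", "192.0.2.10"),          # VIP address (placeholder)
    ("DNS", "ldap1.example.com"),  # backend server 1
    ("IP", "192.0.2.11"),
    ("DNS", "ldap2.example.com"),  # backend server 2
    ("IP", "192.0.2.12"),
]

# Constructed: a per-server cert that only names ldap1. It passes when a
# client connects to ldap1 directly, but not when it connects to the VIP.
SERVER1_CERT_SANS = [("DNS", "ldap1.example.com"), ("IP", "192.0.2.11")]


def _dns_match(pattern, hostname):
    """RFC 6125 section 6.4.3 style DNS-ID matching: case-insensitive, a
    wildcard is only accepted as the entire left-most label, and it never
    matches more than one label or a bare second-level domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _is_ip(target):
    """True if the client addressed the server by IP literal."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def cert_matches_target(sans, target):
    """True if the name or address the client connected to is covered by the
    SAN list. An IP literal is compared only against IP entries and a
    hostname only against DNS entries, which is why a cert that should work
    for clients using either form needs both kinds of entry listed."""
    if _is_ip(target):
        want = ipaddress.ip_address(target)
        return any(kind == "IP" and ipaddress.ip_address(val) == want
                   for kind, val in sans)
    return any(kind == "DNS" and _dns_match(val, target) for kind, val in sans)


def coverage(sans, targets):
    """Map each connection target to whether the cert would pass the name check."""
    return {t: cert_matches_target(sans, t) for t in targets}


if __name__ == "__main__":
    targets = ["ldap.example.com", "192.0.2.10", "ldap1.example.com", "192.0.2.11"]
    for label, sans in (("VIP cert", VIP_CERT_SANS), ("server1 cert", SERVER1_CERT_SANS)):
        print(label, coverage(sans, targets))
```

Running it shows the VIP cert satisfying all four targets while the single-server cert fails for both VIP forms. The matcher deliberately does not fall back to the Subject CN; modern clients ignore the CN once a SAN extension is present, so the SAN list is the only thing worth getting right.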

Dave Parkes

Dec 16, 2009, 4:16:58 AM
<g>, thought I was remembering correctly. It's not well documented, but
you can get it to work. So it's something for Joey to consider at least.