[389-users] Trouble using self signed certificates.
John A. Sullivan III
jsullivan at opensourcedevel.com
Wed Jun 24 18:32:34 UTC 2009
On Wed, 2009-06-24 at 12:56 -0500, David Christensen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jean-Noel Chardron wrote:
> > David Christensen a écrit :
> >> I was having a similar issue yesterday, everything worked until I
> >> appended more then one CA to the file in /etc/openldap/cacerts, then it
> >> kept failing until I limited it to one CA. Are you
> >> using a single CA?
> >>
> > The client authenticates to a server with a single authority, so why try
> > to install two or more. otherwise you must use a file by CA in the
> > directory.
> > unless you speak CA chain.
> >
> > --
> > 389 users mailing list
> > 389-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> I have two directory servers in a multmaster config using round robin
> DNS so I need clients to be able to authenticate to both servers since
> it will be random. It hasn't worked for me yet, but that is where I am
> trying to get.
<snip>
That's exactly how we're set up (except we are not multi-master) and it
is working fine. However, one only needs the CA cert in the cacertfile
for it to work. For example, I have two DNS entries for
ldap.mycompany.com which point to my two replicas. Each replica has a
cert with ldap{1,2}.mycompany.com for the cn and that value as well as
ldap.mycompany.com as DNS entries in the subjAltName. tls_cacertfile
points to a single CA cert file (although I thought it supported
concatenated certs) containing the cert for the CA which issued the ldap
replica certs and keys. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
More information about the 389-users
mailing list