> Someone should file a bug report with Sun then, since LDAP RFC2830
> defines support for subjectAltName and not for wildcard certs. The
> LDAPbis specifications will be pretty much the same here. I.e., Sun's
> LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries,
> which are fully LDAPv3 compliant.

I think 2830 does mention wildcards as acceptable, but I would prefer to use subjectAltNames if possible. So I agree it would be great if Sun would add this support to their Solaris LDAP name service client. I believe part of the problem is that the Solaris client uses a fairly ancient version of the NSS toolkit (although Sun DS, like Fedora DS, uses a much more recent version).

Howard Chu wrote:
>
>> Date: Tue, 04 Apr 2006 11:30:30 -0700
>> From: "George Holbert" <gholbert at broadcom.com>
>>
>>> Does Directory Server support the subjectAltName extension on SSL
>>> certs?
>>
>> Yes, the NSS toolkit which Directory Server uses can handle these certs.
>>
>> The next question is, do your SSL-enabled LDAP clients support these
>> certs?
>> I need to support both Solaris and RedHat Linux LDAP name service
>> clients (i.e., passwd, group, automount, etc.). I've found that:
>> - Solaris clients can handle wildcard certs. RHEL 3 clients can't.
>> - RHEL 3 clients can handle subjectAltName certs. Solaris clients
>> can't.
>>
>> So, while the server can present either of these cert types, your
>> clients' limitations will also influence how you sign your certs.
>>
> Someone should file a bug report with Sun then, since LDAP RFC2830
> defines support for subjectAltName and not for wildcard certs. The
> LDAPbis specifications will be pretty much the same here. I.e., Sun's
> LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries,
> which are fully LDAPv3 compliant.
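An added example, not from the thread or from either LDAP implementation, that models the two client behaviours George reports (subjectAltName support without wildcards, and wildcard support without subjectAltName) as a hostname matcher; the certificate dicts, client profiles and host names are constructed for illustration, in the shape Python's ssl.getpeercert() returns.

```python
# Added illustration: a hostname check parameterised by what the client honours.
# Certificates use the dict layout of ssl.getpeercert(); samples are constructed.

def _name_matches(pattern: str, hostname: str, allow_wildcard: bool) -> bool:
    """Compare one certificate name with the hostname (case-insensitive).
    A wildcard is only accepted as the whole leftmost label ('*.example.com'),
    matches exactly one label, and only when the client allows wildcards."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    if not allow_wildcard:
        return False
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False  # reject '*', 'ld*.example.com', '*.*.com' and the like
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]

def cert_matches_host(cert: dict, hostname: str, *, use_san: bool,
                      allow_wildcard: bool) -> bool:
    """True if a client with the given capabilities would accept cert for hostname.
    use_san: the client checks subjectAltName dNSName entries; when any are
    present they take precedence over the subject commonName (RFC 2830 behaviour).
    allow_wildcard: the client honours wildcard names in either place."""
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if use_san and san_names:
        return any(_name_matches(n, hostname, allow_wildcard) for n in san_names)
    # Otherwise fall back to the subject commonName, as a SAN-unaware client does.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(cn, hostname, allow_wildcard) for cn in cns)

# Constructed sample certificates (hypothetical names).
SAN_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap1.example.com"), ("DNS", "ldap2.example.com")),
}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),)}

# Client profiles modelled on the thread's findings (assumptions, not vendor facts):
# Solaris-like = wildcards but no subjectAltName; RHEL 3-like = the reverse.
SOLARIS_LIKE = dict(use_san=False, allow_wildcard=True)
RHEL3_LIKE = dict(use_san=True, allow_wildcard=False)

if __name__ == "__main__":
    for name, cert in (("SAN cert", SAN_CERT), ("wildcard cert", WILDCARD_CERT)):
        for client, profile in (("Solaris-like", SOLARIS_LIKE), ("RHEL3-like", RHEL3_LIKE)):
            ok = cert_matches_host(cert, "ldap1.example.com", **profile)
            print(f"{client:12} {name:14} ldap1.example.com -> {'accept' if ok else 'reject'}")
```

Running it shows each client accepting exactly one of the two certificate styles, which is why a single certificate with both a SAN list and a plain CN is the safest thing to sign when both client types must be served.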