comment about setupssl.sh


 



>
> If you create your certs with FQDNs, doesn't that mean that all clients
> must refer to ldap server by FQDN?  


In general, the answer is "yes."  For example, Solaris' LDAP name 
service will not work unless the server name in the Solaris client 
config exactly matches the CN on the LDAP server certificate.

Some clients (like PADL's nss_ldap used in most Linuxes) can be 
configured to disable server cert verification.  Or others just have it 
always turned off (Outlook Express).  In these cases, you could get away 
with using a shortname or alias instead of the exact name listed in the CN.

So it depends on the LDAP client apps you need to support.  Depending on 
your environment and requirements, you could technically use shortnames 
or aliases.  But you're really better off using FQDNs in both the server 
cert and your client configs, if possible.

Of course, for non-SSL/TLS connections, no cert verification is 
involved, so you can use whatever name or alias you want for those.


Susan wrote:
> --- Richard Megginson <rmeggins at redhat.com> wrote:
>   
>> One solution would be to change setupssl.sh to accept a list of FQDNs 
>> for which to create DS and AS certs.  Then you could just create all of 
>> the key/cert databases at once, and just copy them to the 
>> /opt/fedora-ds/alias directory on each machine.
>>     
>
> yeah, this is a good idea.  Because I don't know about other users but for me, creating certs is
> just 1 of the steps towards SSL encrypted client<->FDS comms & MMR.
>
> Another thing is this.  If you create your certs with FQDNs, doesn't that mean that all clients
> must refer to ldap server by FQDN?  Because that's how it works in the web world.  If I
> create/sign a cert for webserver and somebody goes to https://webserver.company.com it'll prompt
> the user, asking about this "new" cert, even though you're already trusting the CA that signed it.
>  If that's the case, that would be pretty annoying because within a company, everybody always
> refers to hostnames, not fqdns (provided DNS works properly, obv.)
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>   
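The name check described in the reply above, as an added example (not code from setupssl.sh, Fedora DS, or any client mentioned in the thread): a verifying TLS client compares the server name it was configured with against the names in the server certificate, and a short name or alias only works if it appears there or if the client has peer verification switched off. The certificates are constructed as plain Python objects, not parsed from real PEM files, and the hostname rules follow RFC 6125 (exact match, wildcard only as the whole leftmost label, subjectAltName dNSName entries preferred over the subject CN when present). The subjectAltName handling goes beyond what the thread discusses; it is the standard way to make one certificate valid for both "ldap1" and "ldap1.example.com".

```python
"""Server-name checks a verifying TLS client applies to an LDAP server cert.

Added example for this thread, not code from setupssl.sh or Fedora DS.
Certificates are constructed in-memory objects (no real key material)
so the matching logic runs offline.
"""

from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Cert:
    """Only the fields a hostname check needs: subject CN and dNSName SANs."""
    subject_cn: str
    san_dns: Tuple[str, ...] = ()


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match, RFC 6125 style.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label: '*.example.com' matches 'ldap1.example.com' but
    not 'a.b.example.com', 'example.com', or a bare single-label name.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels or len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A lone '*' would match any single-label host; refuse it.
        return len(p_labels) > 1 and p_labels[1:] == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False  # wildcards anywhere else are not accepted
    return p_labels == h_labels


def cert_matches(cert: Cert, hostname: str) -> bool:
    """What a verifying client does with the name it was configured with.

    If the certificate carries dNSName subjectAltName entries, only those
    are consulted; otherwise the subject CN alone is used, which is the
    situation the reply describes (the CN must match exactly).
    """
    candidates = cert.san_dns or (cert.subject_cn,)
    return any(hostname_matches(c, hostname) for c in candidates)


def client_accepts(cert: Cert, configured_name: str,
                   verify_server_cert: bool = True) -> bool:
    """Emulate the two client types named in the thread.

    verify_server_cert=True  : Solaris LDAP name service style, the name
                               must match or the connection is refused.
    verify_server_cert=False : nss_ldap with 'tls_checkpeer no', or a
                               client that never verifies. Any name is
                               accepted, but so is any certificate, so an
                               active attacker can impersonate the server.
    """
    if not verify_server_cert:
        return True
    return cert_matches(cert, configured_name)


# Constructed sample certificates (hypothetical names, not real certs).
CERT_FQDN_ONLY = Cert(subject_cn="ldap1.example.com")

# Same server, with the short name and a service alias added as SANs so
# clients can keep using 'ldap1' or 'ldap.example.com' with verification on.
CERT_WITH_SANS = Cert(
    subject_cn="ldap1.example.com",
    san_dns=("ldap1.example.com", "ldap1", "ldap.example.com"),
)


def demo() -> Dict[Tuple[str, str], bool]:
    """Return {(cert label, configured name): accepted} for a verifying client."""
    results: Dict[Tuple[str, str], bool] = {}
    for label, cert in (("fqdn_only", CERT_FQDN_ONLY), ("with_sans", CERT_WITH_SANS)):
        for name in ("ldap1.example.com", "ldap1", "ldap.example.com",
                     "LDAP1.EXAMPLE.COM."):
            results[(label, name)] = client_accepts(cert, name)
    return results


if __name__ == "__main__":
    for (label, name), ok in sorted(demo().items()):
        print(f"{label:10s} {name:22s} {'accepted' if ok else 'REJECTED'}")
```

Run as a script to see the table: with the CN-only certificate, only the FQDN (in any letter case, with or without a trailing dot) is accepted; with the SAN-bearing certificate, the short name and the alias are accepted as well. The same outcome applies to a copied key/cert database, so if setupssl.sh is extended to take a list of names, the list should include every name clients will actually configure.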




