I think 2830 does mention wildcards as acceptable, but I would prefer to
use subjectAltNames if possible. So I agree it would be great if Sun
would add this support to their Solaris LDAP name service client. I
believe part of the problem is that the Solaris client uses a fairly
ancient version of the NSS toolkit (although Sun DS, like Fedora DS,
uses a much more recent version).
Howard Chu wrote:
Date: Tue, 04 Apr 2006 11:30:30 -0700
From: "George Holbert" <gholbert@xxxxxxxxxxxx>
Does Directory Server support the subjectAltName extension on SSL
certs?
Yes, the NSS toolkit which Directory Server uses can handle these certs.
The next question is, do your SSL-enabled LDAP clients support these
certs?
I need to support both Solaris and RedHat Linux LDAP name service
clients (i.e., passwd, group, automount, etc.). I've found that:
- Solaris clients can handle wildcard certs. RHEL 3 clients can't.
- RHEL 3 clients can handle subjectAltName certs. Solaris clients
can't.
So, while the server can present either of these cert types, your
clients' limitations will also influence how you sign your certs.
Someone should file a bug report with Sun then, since LDAP RFC2830
defines support for subjectAltName and not for wildcard certs. The
LDAPbis specifications will be pretty much the same here. I.e., Sun's
LDAP library is not LDAPv3 compliant. RHEL uses OpenLDAP libraries,
which are fully LDAPv3 compliant.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
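An added example, not code from this thread or from Directory Server, of the RFC 2830 section 3.6 server-identity check the discussion turns on: dNSName entries in subjectAltName are the preferred source of identity, the subject CN is consulted only when none exist, and "*" is accepted only as the whole left-most label. The certificates are constructed in the dict layout Python's ssl.getpeercert() returns; the function names and hostnames are this example's own.

```python
# Added example: RFC 2830 section 3.6 server-identity matching, applied to the
# two certificate shapes discussed in the thread. Certificates use the dict
# layout that Python's ssl.getpeercert() returns; all names are constructed.

def _dns_label_match(pattern, hostname):
    """Case-insensitive compare; '*' is accepted only as the entire left-most
    label, so '*.example.com' matches 'ldap.example.com' but not
    'a.b.example.com' (RFC 2830 section 3.6)."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 1:
        p_labels, h_labels = p_labels[1:], h_labels[1:]
    # No wildcard may remain in any other label (e.g. 'l*.example.com').
    return "*" not in "".join(p_labels) and p_labels == h_labels


def identity_source(cert):
    """Return ('subjectAltName', names) when dNSName entries exist, otherwise
    ('commonName', names): the SAN is the preferred source of identity."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return "subjectAltName", dns_names
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return "commonName", cns


def rfc2830_match(cert, hostname):
    """True if the hostname used to open the LDAP connection matches the cert."""
    _, names = identity_source(cert)
    return any(_dns_label_match(n, hostname) for n in names)


def uses_wildcard(cert):
    """A client without wildcard support (RHEL 3 in the thread) rejects these."""
    return any("*" in n for n in identity_source(cert)[1])


# Constructed sample certs: one wildcard CN, one with two SAN dNSName entries.
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),)}
SAN_CERT = {
    "subject": ((("commonName", "ds.example.com"),),),
    "subjectAltName": (("DNS", "ldap1.example.com"), ("DNS", "ldap2.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("san", SAN_CERT)):
        print(label, identity_source(cert)[0], uses_wildcard(cert),
              rfc2830_match(cert, "ldap1.example.com"))
```

Note that once dNSName entries are present the CN is not consulted at all, so ds.example.com does not match the SAN cert even though it is its CN.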