In UCS, LDAP is configured to use the local certificate for StartTLS, based on the root certificate of the UCS.
We have some external servers that I would like to connect to LDAP StartTLS.
To achieve this:
I configured the firewall to forward the LDAP queries to our UCS.
As a public FQDN is used, I changed the certificate information in /etc/ldap/slapd.conf; the certificate belonging to the public FQDN is now used.
LDAP StartTLS is now working fine for external queries, but unfortunately I broke the internal LDAP system of UCS. I tried to fix this by changing the following variables:
ldap/master
ldap/server/name
After this change, some policies are not met anymore.
Is it possible to change the hostname and certificate used for LDAP StartTLS?
While it is possible to configure a different certificate for the web server, it appears to be a harder task to replace the UCS-CA for other services. There are too many dependencies to resolve.
Instead of changing the certificate for LDAP I would rather try to configure the client to accept this self-signed cert.
Thanks for your reply. The first challenge is that the client is not on our private network. Moving the server would be a solution.
Another challenge is that my colleagues are quite sceptical about using the root certificate of the UCS. They think, in general, that their bank account is not safe anymore after installing the root certificate.
The creation of the UCS-CA is a transparent process, which is described in Renewing the complete SSL chain. All sources are available.
I am tempted to have more trust in certificates derived from this CA than in some other certs in the pre-installed cert store of the operating system.
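As an added example (written for this page; it is not code from the thread or from Univention), the following Python client performs LDAP StartTLS against the UCS and validates the server certificate against a copy of the UCS CA only. It illustrates both the suggestion in the second post, making the client accept the UCS-issued certificate instead of swapping the server certificate, and the concern raised in the third post: the CA is loaded into this connection's SSL context alone, so nothing is added to the operating system trust store and browsers or other programs are unaffected. The hostname `ldap.example.com`, port 389 and the CA file path are assumptions; the StartTLS request and response encoding follow RFC 4511, and the constructed response bytes used for testing are not captured from a real server.

```python
"""LDAP StartTLS client whose only trust anchor is the UCS CA, scoped to this connection."""
import socket
import ssl

# Assumed values (not from the thread): the public FQDN the firewall forwards to the
# UCS master, the plain LDAP port, and a local copy of the UCS CA certificate
# (on the UCS master itself the CA material lives under /etc/univention/ssl/ucsCA/).
LDAP_HOST = "ldap.example.com"
LDAP_PORT = 389
UCS_CA_FILE = "/usr/local/share/ucs/CAcert.pem"

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)


def ber_encode(tag, payload):
    """Wrap payload in a BER TLV with a definite short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_decode(data, pos=0):
    """Decode the TLV at data[pos]; return (tag, value, position after the TLV)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, data[pos:pos + length], pos + length


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    if not 0 <= message_id < 0x80:
        raise ValueError("message_id must fit a one-byte INTEGER in this example")
    ext_req = ber_encode(0x77, ber_encode(0x80, STARTTLS_OID))
    return ber_encode(0x30, ber_encode(0x02, bytes([message_id])) + ext_req)


def parse_extended_response(msg):
    """Extract messageID, resultCode and diagnosticMessage from ExtendedResponse [APPLICATION 24]."""
    tag, body, _ = ber_decode(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = ber_decode(body)
    op_tag, op, _ = ber_decode(body, pos)
    if op_tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % op_tag)
    _, rc, pos = ber_decode(op)        # resultCode (ENUMERATED)
    _, _, pos = ber_decode(op, pos)    # matchedDN, not needed here
    _, diag, _ = ber_decode(op, pos)   # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(rc, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during StartTLS")
        buf += chunk
    return buf


def recv_ber_message(sock):
    """Read exactly one BER TLV: tag and length header first, then the announced body."""
    head = _recv_exact(sock, 2)
    if head[1] < 0x80:
        extra, length = b"", head[1]
    else:
        extra = _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(extra, "big")
    return head + extra + _recv_exact(sock, length)


def build_client_context(ca_file):
    """Trust only the given CA file; with cafile set, the OS trust store is not loaded."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True            # the server certificate must name the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def ldap_starttls_connect(host, port, ca_file, timeout=10):
    """Plain TCP, StartTLS extended operation, then upgrade the same socket to TLS."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(starttls_request(1))
    resp = parse_extended_response(recv_ber_message(sock))
    if resp["result_code"] != 0:
        sock.close()
        raise RuntimeError("StartTLS refused: %d %s" % (resp["result_code"], resp["diagnostic"]))
    return build_client_context(ca_file).wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    tls = ldap_starttls_connect(LDAP_HOST, LDAP_PORT, UCS_CA_FILE)
    print(tls.version(), tls.getpeercert()["subject"])   # chain checked against the UCS CA only
    tls.close()
```

For OpenLDAP command-line tools the same scoping is done with `TLS_CACERT /path/to/CAcert.pem` in `/etc/ldap/ldap.conf` (or a per-user `~/.ldaprc`), after which `ldapsearch -ZZ -H ldap://ldap.example.com ...` insists on a successful StartTLS; neither touches the system-wide certificate store. One caveat that applies regardless of tool: the name the client connects to must appear in the server certificate, so if the UCS certificate only carries the internal hostname, point the client at that name (for example through DNS or a hosts entry) rather than switching off hostname checking.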