[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldapsearch and TLS

To: Chris Majewski <majewski@cs.ubc.ca>
Subject: Re: ldapsearch and TLS
From: D.M.Lewney@sussex.ac.uk (Dave Lewney)
Date: Wed, 17 Mar 2004 08:50:14 +0000
Cc: openldap-software@OpenLDAP.org
References: <Pine.LNX.4.21.0403161044340.12780-100000@mi.krzys.ca>
User-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.1) Gecko/20020827

Chris Majewski wrote:

Have you properly configured slapd.conf, ldap.conf, ldaprc?
Well, that's really the question isn't it...
Have you created a valid certificate chain?
I believe so, since at least once client (Mozilla's address book) is able to negotiate an ssl connection with my server.
Did you read this site
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
Yes. Well, I have now. So here's the thing. This:
ldapsearch -x -b 'ou=People,o=cs.ubc.ca' -D "uid=majewski,ou=People,o=cs.ubc.ca" '(objectclass=*)' -H ldap://okocim -W
works!
But this:
ldapsearch -x -b 'ou=People,o=cs.ubc.ca' -D "uid=majewski,ou=People,o=cs.ubc.ca" '(objectclass=*)' -H ldaps://okocim -W
doesn't! What's up with that?

-chris

OK, the first is plain ldap, the second is ldap over SSL involving certificates. The CN of the certificate must match exactly the name of the machine referred to in the ldap search. Here you've specified

ldaps://okocim

My guess is that the CN in your certificate is not "okocim" . Try this ...

openssl s_client -connect okocim:636 -CAfile <path-to-CA-cert>


Dave
--
Dave Lewney
Principal Systems Programmer, IT Services
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956

Follow-Ups:
- Re: ldapsearch and TLS
  - From: Chris Majewski <majewski@cs.ubc.ca>

References:
- Re: ldapsearch and TLS
  - From: Chris Majewski <majewski@cs.ubc.ca>

Prev by Date: RE: slapd's syslogging slowing it down
Next by Date: Re: problem with samba & qmail
Index(es):
- Chronological
- Thread