Re: TLS fails

[Francis Swasey <Frank.Swasey@uvm.edu>]

On 2/15/06 6:41 PM, Quanah Gibson-Mount wrote:
> On Wednesday 15 February 2006 15:40, Jon Roberts wrote:
> > Quanah Gibson-Mount wrote:
> > > On Wednesday 15 February 2006 14:23, Ran Li wrote:
> > > > > > The funny thing is, TLS works fine from a remote host, but not on the
> > > > server itself. I tried changing localhost to the actual DNS name of the
> > > > server, but still I get the same error.
> > > > is the ldap server a ldap client? my understanding is it has to be a
> > > > ldap client in order to make ldapsearch over tls work.
> > > You have to use the name in your search that matches the name in the
> > > certificate for TLS to work.
> > In JLDAP clients I can connect to a remote ldaps server by using the ip
> > address as hostname, even though I obviously did not use the ip as the
> > name in the certificate. Is that advice specific to ldapsearch,
> > StartTLS, or something else I might be confused about?
>
> I'm guessing that JLDAP translates the IP address to the FQDN.

Either that or JLDAP is not verifying the name on the cert matches the 
name requested at all -- only that the cert is signed by a root CA the 
client knows about.

--
Frank Swasey                    | http://www.uvm.edu/~fcs
Sr Systems Administrator        | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
  "I am not young enough to know everything." - Oscar Wilde (1854-1900)