
Re: ldapsearch certificate handling



At 08:59 AM 1/18/2007, Sabo, Eric wrote:
>I have a vendor that is trying to connect to my active directory (which
>is windows 2003 native for the forest level and the domain level) via
>SSL (port 636) using LDAPSEARCH. They want to authenticate users
>against my active directory. My certificates that I created
>(microsoft assisted me on this part)
>        One question I have - My certificates contain multiple DNS
>names (domain name and a simple DNS name - which I want the vendor to
>use). Does OPENLDAP have a problem with this setup on the certificate?

The OpenLDAP client library used by ldapsearch(1) implements
server certificate checking as described in RFC 4513, supporting
not only the server name in the subject DN but also a number
of alternative subject name choices, namely dNSName and iPAddress.

>Question about the command lines they are trying.
>        1st cmd - ldapsearch -H ldaps://servername -x -D 'CN=name of
>user' | grep usernameofusertheywanttofind
>        2nd cmd - ldapsearch -H ldaps://servername -x -s base -D
>'cn=name of user'
>
>Any thoughts or opinions on this subject would greatly be appreciated.

Well, I suggest you give it a go and see.

Kurt
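As an added illustration (not part of the thread and not OpenLDAP's own code), the RFC 4513 section 3.1.3 identity check that Kurt refers to, written in Python against a constructed set of certificate names rather than a live server: the host from the ldaps:// URI is compared with the SAN dNSName entries (case-insensitive, wildcard only as the whole left-most label), with SAN iPAddress entries when the client connected by IP, and with the subject CN only when the certificate carries no dNSName. The hostnames and addresses below are constructed.

```python
import ipaddress


def dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 4513 3.1.3 DNS comparison: case-insensitive; '*' is permitted only
    as the entire left-most label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if (p_labels[0] != "*" or "*" in pattern[2:]
            or len(p_labels) < 2 or len(p_labels) != len(h_labels)):
        return False  # e.g. '*.bar.com' must not match 'a.b.bar.com' or 'bar.com'
    return p_labels[1:] == h_labels[1:]


def check_server_identity(connect_host, san_dns=(), san_ip=(), subject_cn=None):
    """Return (matched, source) for the host the client actually connected to.
    connect_host must be the name from the ldaps:// URI, never a reverse-DNS
    result; san_dns / san_ip / subject_cn are the names parsed from the cert."""
    try:
        addr = ipaddress.ip_address(connect_host)
    except ValueError:
        addr = None
    if addr is not None:  # connected by IP: only iPAddress SAN entries count
        return any(ipaddress.ip_address(ip) == addr for ip in san_ip), "iPAddress"
    if san_dns:  # dNSName present: it is the source of identity, CN is ignored
        return any(dns_name_match(p, connect_host) for p in san_dns), "dNSName"
    if subject_cn:  # legacy fallback to the leaf CN of the subject DN
        return dns_name_match(subject_cn, connect_host), "subject CN"
    return False, "no comparable name"


if __name__ == "__main__":
    # Constructed: a DC certificate with two dNSName entries, the FQDN and the
    # short name the vendor is meant to use, as in the question above.
    cert_dns = ["dc01.corp.example.com", "ldap"]
    for host in ("dc01.corp.example.com", "LDAP", "dc02.corp.example.com"):
        print(host, check_server_identity(host, san_dns=cert_dns))
```

In ldap.conf(5), TLS_REQCERT demand (the default) makes ldapsearch abort when this comparison fails, while never skips the check entirely.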