
Re: TLS LDAP Configuration w/Linux 5.0



Buchan Milne wrote:
On Thursday 21 February 2008 00:07:28 Mathis, Jim wrote:
OS: RH Enterprise Server 5.1
Server Certificates: Created using a Common Name of "S80.com"
Client Certificate: Copied "cacert.pem" from the server and placed into
"/etc/openldap/cacerts/"

uri ldaps://192.168.10.1/

CLIENT /ETC/OPENLDAP/LDAP.CONF

URI ldaps://192.168.10.1/

[...]

ldapsearch -x 'uid=jmathis' -H ldaps://192.168.10.1
ldap_bind: Can't contact LDAP server (-1)

The basic rules for SSL validation include "host name you connect to must match subject CN", so, if 192.168.10.1 is S80.com, then -H ldaps://S80.com should work ... but I guess it isn't, so you need to generate a new cert with the name your clients connect to (hostname part of URI).

Please remember to use the "-d" debug flag when investigating problems like this. There's a reason it's there.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
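The host-name check Buchan describes, as an added example that is not code from this thread or from OpenLDAP: it takes the host out of an ldaps:// URI and asks whether a certificate covers it, so the failing case from the post (CN "S80.com", client connecting to 192.168.10.1) can be reproduced alongside the two fixes (connect by the CN, or reissue the cert for the name clients use). Certificates are modelled as plain dicts so it runs offline; the matching rules follow the general RFC 6125 convention (SAN entries take precedence, CN is a fallback, an IP literal only matches an IP SAN), which is an assumption about the client and is not something the thread states about any particular OpenLDAP build. The SAN values in FIXED_CERT are constructed for the example.

```python
# Added example (not from the thread or from OpenLDAP): does the host in an
# ldaps:// URI match what the server certificate covers?  Certificates are
# plain dicts so this runs offline; matching rules are the RFC 6125 convention
# (an assumption about the client, not a statement about OpenLDAP's code).
import ipaddress
from urllib.parse import urlsplit


def uri_host(uri):
    """Host component of an ldap:// or ldaps:// URI (lowercased, no brackets)."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URI with a host: %r" % uri)
    return parts.hostname


def _as_ip(text):
    """ipaddress object if text is an IP literal, else None (it is a DNS name)."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive comparison; a leading '*.' matches exactly one label,
    wildcards anywhere else are rejected."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]                      # e.g. ".s80.com"
        head = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(head) and "." not in head
    return False


def cert_matches_host(cert, host):
    """cert = {"cn": str|None, "san": [("DNS", name) | ("IP", addr), ...]}.
    Returns (ok, reason) so the caller can report why validation failed."""
    ip = _as_ip(host)
    if ip is not None:
        # An address in the URI is only satisfied by an IP SAN; the CN string
        # is not consulted, which is exactly the trap in the original post.
        ip_sans = [v for t, v in cert["san"] if t == "IP"]
        if any(ipaddress.ip_address(v) == ip for v in ip_sans):
            return True, "IP SAN matches %s" % host
        return False, ("%s is an IP literal and the certificate has no IP SAN "
                       "for it (CN %r is not consulted)" % (host, cert["cn"]))
    dns_sans = [v for t, v in cert["san"] if t == "DNS"]
    if dns_sans:
        # When DNS SANs exist they are authoritative; CN is ignored.
        if any(_dns_match(p, host) for p in dns_sans):
            return True, "DNS SAN matches %s" % host
        return False, "no DNS SAN matches %s (SANs: %s)" % (host, ", ".join(dns_sans))
    if cert["cn"] and _dns_match(cert["cn"], host):
        return True, "CN matches %s (no SAN present)" % host
    return False, "CN %r does not match %s" % (cert["cn"], host)


def check_uri(uri, cert):
    """Convenience wrapper: validate the host of a URI against a certificate."""
    return cert_matches_host(cert, uri_host(uri))


# The certificate from the post: CN "S80.com" and nothing else.
POSTED_CERT = {"cn": "S80.com", "san": []}
# A reissued certificate that names every identity clients actually use.
# The SAN entries are constructed for this example.
FIXED_CERT = {"cn": "S80.com", "san": [("DNS", "s80.com"), ("IP", "192.168.10.1")]}

if __name__ == "__main__":
    for uri in ("ldaps://192.168.10.1/", "ldaps://S80.com/"):
        for label, cert in (("posted", POSTED_CERT), ("fixed", FIXED_CERT)):
            ok, why = check_uri(uri, cert)
            print("%-22s %-7s %s: %s" % (uri, label, "OK" if ok else "FAIL", why))
```

Running it shows ldaps://192.168.10.1/ failing against the posted certificate and succeeding against the reissued one, while ldaps://S80.com/ passes with both. When a real client reports only "Can't contact LDAP server (-1)", the reason string this check produces is the kind of detail you would otherwise have to dig out of the -d debug output.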