[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3158) ldapsearch does not match simple hostnames against fqdns in certificates

---- walst005@umn.edu wrote:
> For future reference via this bug report, it appears that the answer lies in the
> FAQomatic entry:
>     http://www.openldap.org/faq/index.cgi?_highlightWords=tls&file=185

> Perhaps this could be added to the Administrator's Guide.

The Admin Guide already contains this text:
11.1.1. Server Certificates

The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the server's fully qualified domain name. Additional alias names and wildcards may be present in the subjectAltName certificate extension. More details on server certificate names are in RFC2830.
It is not appropriate for the OpenLDAP Admin Guide to provide instructions on how to use OpenSSL or any other software package. Pointers are already provided to all of the relevant documentation for other packages.

re: your other comments about configurability of the client - the certificate verification steps are mandated by RFC2830. If you disagree with this procedure, you should bring your arguments to the IETF and/or the authors of that RFC. Meanwhile, you can use the TLS_REQCERT directive to disable checking, as documented in the Admin Guide.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, 
Highland Sun
  Symas: Premier OpenSource Development and