
Re: Problems when query LDAP with SSL in HEAD



>>>>> "Anthony" == Anthony Brock <abrock@georgefox.edu> writes:

    Anthony> I am attempting to query an LDAP server using SSL, but am
    Anthony> not able to encrypt the connection when using the command
    Anthony> line tools.

OpenLDAP versions above 2.0.something are stricter about the hostname
in the certificate being correct. Make sure you access the same hostname
as is specified there.

    Anthony> TLS trace: SSL3 alert read:warning:bad certificate

Yes, that looks like the one...


For example, I specified 'ldap.bayour.com' when creating my SSL certificate,
but if I access the LDAP database with 'localhost' (or something else I have
CNAME'd it to), I get this problem...

Does not work:
----- s n i p -----
[papadoc.pts/3]$ ldapsearch -H ldap:/// -p 389 -x -b "" -s base -LLL -ZZ supportedSASLMechanisms
ldap_start_tls: Connect error
[papadoc.pts/3]$ ldapsearch -H ldaps:/// -x -b "" -s base -LLL supportedSASLMechanisms
ldap_bind: Can't contact LDAP server
----- s n i p -----

DOES work:
----- s n i p -----
[papadoc.pts/3]$ ldapsearch -H ldap://ldap.bayour.com/ -p 389 -x -b "" -s base -LLL -ZZ supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

[papadoc.pts/3]$ ldapsearch -H ldaps://ldap.bayour.com/ -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

----- s n i p -----


Look at the URLs:
http://www.bayour.com/LDAPv3-HOWTO.html#3.1.4.Creating%20SSL%20certificate|outline
http://www.bayour.com/LDAPv3-HOWTO.html#3.5.4.2.Testing%20OpenLDAP,%20simple/anonymous%20bind,%20with%20SSL/TLS|outline
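The mismatch described above, as an added example that is not part of the original mail: it extracts the host a client would connect to from each LDAP URL (an empty host, as in `ldap:///`, falls back to the local host) and compares it against the names a certificate carries, following the RFC 6125 rules for exact and single-label wildcard matching. The certificate names and alias hostnames are constructed for the example.

```python
"""Check whether the host named in an LDAP URL matches a server certificate.

Added example. CERT_NAMES is constructed; a real check would take the
names from the peer certificate (CN and subjectAltName dNSName entries).
"""
from urllib.parse import urlsplit

# Constructed: the only name the example server's certificate carries.
CERT_NAMES = ["ldap.bayour.com"]


def url_host(url: str) -> str:
    """Return the hostname a client connects to for an LDAP URL.

    ldap:/// and ldaps:/// have an empty host part; the client then
    connects to the local host, and that is the name the certificate
    is checked against, not whatever the certificate was issued for.
    """
    host = urlsplit(url).hostname
    return host if host else "localhost"


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, one leftmost wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label, may not stand in for
    # a registry-level name such as *.com, and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_url(url: str, cert_names) -> bool:
    """True when some certificate name matches the host in the URL."""
    host = url_host(url)
    return any(name_matches(name, host) for name in cert_names)


if __name__ == "__main__":
    for u in ("ldap:///", "ldaps:///", "ldap://ldap.bayour.com/",
              "ldaps://ldap.bayour.com/", "ldaps://directory.example.com/"):
        # directory.example.com stands for a constructed CNAME alias.
        print(f"{u:35} host={url_host(u):22} cert ok={cert_matches_url(u, CERT_NAMES)}")
```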