
Re: TLS
On Sun, Nov 02, 2003 at 12:50:50PM +0100, Beck Zoltan Gyula wrote:

> why the hostname doesn't match?!

You have several problems here. Taking a few lines from your message:

> - testserver:/etc/ldap# host 10.0.0.185
> Name: testserver.aitia

I would be worried by that name - it would never be valid on the
Internet. Is it properly registered in your internal DNS?

> ldapsearch -x -H ldaps://localhost/ -b 'dc=aitia,dc=intra'

The certificate you generated was for testserver.aitia so it is not
valid for 'localhost'. You must address the server by the name in the
certificate:

	ldaps://testserver.aitia/

That is the reason for this error:

> connection_read(12): unable to get TLS client DN error=49 id=0
> ldap_bind: Can't contact LDAP server (81)
>         additional info: TLS: hostname does not match CN in peer
> certificate

(In fact you do not need to use ldaps if TLS is enabled, as the LDAP
clients will upgrade a normal LDAP connection to an encrypted one if
they find TLS.)

> TLS certificate verification: depth: 0, err: -49, subject: -unknown-,
> issuer: -unknown-

That suggests that you have not installed the certificate in the right
places. The server needs a copy of the certificate *and* a copy of the
secret key that it was made from. You should have something like this
in slapd.conf:

TLSCertificateFile      /usr/local/etc/openldap/keys/cert
TLSCertificateKeyFile   /usr/local/etc/openldap/keys/key
TLSCACertificateFile    /usr/local/etc/openldap/keys/cacert

Note that I have included *two* certificates here: one is for the
Certification Authority that signed the server certificate. If you did
not make a CA then your server certificate will be 'self signed' -
this means that the certificate was used to sign itself.

You also need to put the CA certificate and/or the server certificate
in the right place for the *client* programs to find them. This is
probably /etc/ssl but you need to work out the proper filename if you
are not using a CA. To do this, use the command:

	openssl x509 -noout -subject_hash < certfile

The result will be something like '94132cf6'. This will be the base
part of the filename, so do this:

	cp certfile /etc/ssl/94132cf6.0

If you made a CA key/cert pair and used it to sign the server
certificate then all you need to do is copy the CA cert to
/etc/ssl/ca.cert on the client machine and add these lines to
/etc/ldap.conf:

tls_checkpeer yes
tls_cacertfile /etc/ssl/ca.cert

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
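
The following is an added illustration written for this archived thread; it is not code from Andrew's reply, from the original poster, or from OpenLDAP. It reproduces in Python the decision behind the "TLS: hostname does not match CN in peer certificate" error discussed above: the host named in the LDAP URL is compared with the names the server certificate actually carries, so `ldaps://localhost/` is refused while `ldaps://testserver.aitia/` is accepted. The certificate dictionaries are constructed by hand in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, the function names (`hostname_matches`, `check_ldap_url`) are my own, and the block assumes that an LDAP URL with no host part defaults to `localhost`.

```python
"""Added example: hostname-versus-certificate matching, written for this
thread (not the original message's or OpenLDAP's code).

The certificate dictionaries below are constructed by hand in the shape
that ssl.SSLSocket.getpeercert() returns; nothing here touches the network.
"""
from urllib.parse import urlsplit


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with the requested hostname.

    Rules in the spirit of RFC 6125: case-insensitive, trailing dots
    ignored, and '*' is honoured only as the entire leftmost label
    (so '*.aitia' matches 'testserver.aitia' but not 'a.b.aitia').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 2 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> list:
    """DNS names the certificate vouches for.

    subjectAltName dNSName entries win when present; otherwise fall back
    to the subject commonName, which is all a hand-made certificate like
    the one in the thread usually carries.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when any name in the certificate matches the hostname."""
    return any(_dns_name_match(name, hostname) for name in names_in_cert(cert))


def check_ldap_url(cert: dict, url: str) -> tuple:
    """Return (ok, explanation) for an ldap:// or ldaps:// URL.

    Assumption: a URL with no host part (ldaps:///) means 'localhost',
    which is exactly the case that fails against a certificate issued
    for testserver.aitia.
    """
    host = urlsplit(url).hostname or "localhost"
    if hostname_matches(cert, host):
        return True, "%s matches certificate names %s" % (host, names_in_cert(cert))
    return False, ("TLS: hostname %s does not match CN in peer certificate "
                   "(certificate is for %s)" % (host, names_in_cert(cert)))


# Constructed stand-in for the server certificate described in the thread:
# a CN-only subject, no subjectAltName.
TESTSERVER_CERT = {
    "subject": ((("countryName", "HU"),),
                (("organizationName", "aitia"),),
                (("commonName", "testserver.aitia"),)),
}

if __name__ == "__main__":
    for url in ("ldaps://localhost/", "ldaps://testserver.aitia/"):
        ok, why = check_ldap_url(TESTSERVER_CERT, url)
        print("%-28s %s  %s" % (url, "OK " if ok else "FAIL", why))
```

Running the block prints a FAIL line for `ldaps://localhost/` and an OK line for `ldaps://testserver.aitia/`; the same logic explains why addressing the server by the name in the certificate, as the reply recommends, makes the error go away without touching the certificate itself.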