

On Sun, Nov 02, 2003 at 12:50:50PM +0100, Beck Zoltan Gyula wrote:

> why the hostname doesn't match?!

You have several problems here. Taking a few lines from your message:

> - testserver:/etc/ldap# host
> Name: testserver.aitia

I would be worried by that name - it would never be valid on the
Internet. Is it properly registered in your internal DNS?

> ldapsearch -x -H ldaps://localhost/ -b 'dc=aitia,dc=intra'

The certificate you generated was for testserver.aitia so it is not
valid for 'localhost'. You must address the server by the name in the


That is the reason for this error:

> connection_read(12): unable to get TLS client DN error=49 id=0
> ldap_bind: Can't contact LDAP server (81)
>         additional info: TLS: hostname does not match CN in peer
> certificate

(In fact you do not need to use ldaps if TLS is enabled, as the LDAP
clients will upgrade a normal LDAP connection to an encrypted one if
they find TLS.)

> TLS certificate verification: depth: 0, err: -49, subject: -unknown-,
> issuer: -unknown-

That suggests that you have not installed the certificate in the right
places. The server needs a copy of the certificate *and* a copy of the
secret key that it was made from. You should have something like this
in slapd.conf:

TLSCertificateFile      /usr/local/etc/openldap/keys/cert
TLSCertificateKeyFile   /usr/local/etc/openldap/keys/key
TLSCACertificateFile    /usr/local/etc/openldap/keys/cacert

Note that I have included *two* certificates here: one is for the
Certification Authority that signed the server certificate. If you did
not make a CA then your server certificate will be 'self signed' -
this means that the certificate was used to sign itself.

You also need to put the CA certificate and/or the server certificate
in the right place for the *client* programs to find them. This is
probably /etc/ssl but you need to work out the proper filename if you
are not using a CA. To do this, use the command:

	openssl x509 -noout -subject_hash < certfile

The result will be something like '94132cf6'. This will be the base
part of the filename, so do this:

	cp certfile /etc/ssl/94132cf6.0

If you made a CA key/cert pair and used it to sign the server
certificate then all you need to do is copy the CA cert to
/etc/ssl/ca.cert on the client machine and add these lines to

tls_checkpeer yes
tls_cacertfile /etc/ssl/ca.cert

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
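The name check behind the "hostname does not match CN in peer certificate" error in the thread, as an added illustration that is not part of Andrew Findlay's reply or of OpenLDAP's code. The certificate contents are constructed dictionaries (the CN mirrors the testserver.aitia certificate discussed above; the subjectAltName handling and wildcard rule are a simplified version of the usual client behaviour, not something the mail describes), so the script runs without a real certificate or LDAP server.

```python
"""Why ldaps://localhost/ is rejected when the certificate was issued to
testserver.aitia: the host named in the URL must match the certificate's
CN, or one of its DNS subjectAltNames when any are present.

Certificates are represented as plain dicts here (constructed sample
data, not parsed DER), so the example runs offline.
"""
from urllib.parse import urlparse

# Constructed sample: the server certificate from the thread had only a CN.
SERVER_CERT = {"cn": "testserver.aitia", "dns_sans": []}

# Constructed sample: a certificate carrying a wildcard subjectAltName.
WILDCARD_CERT = {"cn": "ldap.example.invalid", "dns_sans": ["*.aitia.intra"]}

MISMATCH = "TLS: hostname does not match CN in peer certificate"


def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against a hostname.

    Matching is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the complete leftmost label, only against exactly one
    label, and only when at least two fixed labels follow it (so '*.aitia'
    never matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname.

    When DNS subjectAltNames are present they are authoritative; the CN is
    consulted only for certificates without SANs, like the one in the mail.
    """
    names = cert.get("dns_sans") or [cert["cn"]]
    return any(_name_matches(n, hostname) for n in names)


def check_ldap_url(cert: dict, url: str) -> str:
    """Reproduce the client's decision for an ldap:// or ldaps:// URL.

    Returns "ok" when the host in the URL is covered by the certificate,
    otherwise the same diagnostic text slapd/ldapsearch printed in the thread.
    """
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    return "ok" if cert_matches_host(cert, host) else MISMATCH


if __name__ == "__main__":
    # The failing command from the thread, then the corrected form.
    for url in ("ldaps://localhost/", "ldaps://testserver.aitia/"):
        print(f"{url:32} -> {check_ldap_url(SERVER_CERT, url)}")
```

Running it shows the first URL rejected and the second accepted: the certificate itself is fine, the client simply compares the URL host against the name in the certificate and there is no way to make "localhost" equal "testserver.aitia" short of reissuing the certificate for that name.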