
Re: LDAP and SSL



Tony Earnshaw wrote:

Wed, 01.12.2004 at 00:42, Chasecreek Systemhouse wrote:

OK, my DN should match my CN.

dn: dc=debian,dc=insecurity,dc=org
...
dn: cn=admin,dc=debian,dc=insecurity,dc=org

Is there any reason why a Cert created for debian.insecurity.org
should NOT work now?

ldapsearch -x -b 'dc=debian,dc=insecurity,dc=org' -D "cn=admin,dc=debian,dc=insecurity,dc=org" '(objectclass=*)' -H ldap://192.168.2.2 -W

Works as expected; however this still hangs the server:

ldapsearch -x -b 'dc=debian,dc=insecurity,dc=org' -D "cn=admin,dc=debian,dc=insecurity,dc=org" '(objectclass=*)' -H ldaps://192.168.2.2 -W

If slapd is using the resolver, which it is (do an ldd on the binary), it
will go both to your /etc/hosts and then to DNS and get two different IP
addresses for the subject CN in the server cert. You shouldn't use the
same hostname for both 192.168.2.2 and 68.214.83.106. Your local LAN
shouldn't be known to the machine as insecurity.org; it's a different
zone. Maybe that's why it's hanging.

Wrong. The resolver stops as soon as it finds one match; it will not look in both places. There is nothing wrong with this hosts configuration.

The fact that the server hangs cannot be caused by any content of the certificate. This whole line of pursuit is pointless.

Moreover, if it's true (as you wrote in a recent posting) that you're
using OL 2.1.3 (and not 2.1.30), then that's a really buggy version. I
started with 2.1.8 and that was bad enough.

This is more likely to be relevant than anything else.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
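As an added example (not from any poster on this thread), this is the hostname check a TLS client such as ldapsearch performs on the server certificate: the host in the -H URI is compared against the certificate's names, and an IP literal like 192.168.2.2 can only match an iPAddress subjectAltName, never a CN or dNSName holding debian.insecurity.org. The cert_names dictionary, the helper names and the sample certificate data are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def _match_dns(pattern, host):
    """RFC 6125-style DNS match: case-insensitive, one leftmost wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_matches_host(cert_names, host):
    """cert_names is a constructed stand-in for a parsed certificate:
    {'cn': str, 'dns': [dNSName SANs], 'ip': [iPAddress SANs]}.
    Returns True when the client would accept the certificate for host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal in the URI must match an iPAddress SAN; CN is ignored.
        return any(ipaddress.ip_address(i) == addr for i in cert_names.get("ip", []))
    dns_names = cert_names.get("dns") or []
    if not dns_names and cert_names.get("cn"):
        # Legacy fallback: CN is consulted only when no dNSName SAN exists.
        dns_names = [cert_names["cn"]]
    return any(_match_dns(n, host) for n in dns_names)


def uri_host(uri):
    """Host part of an ldap:// or ldaps:// URI, as a TLS client would check it."""
    return urlsplit(uri).hostname


# Constructed sample: a cert issued only with CN=debian.insecurity.org, as in the thread.
SERVER_CERT = {"cn": "debian.insecurity.org"}

if __name__ == "__main__":
    for uri in ("ldaps://192.168.2.2", "ldaps://debian.insecurity.org"):
        print(uri, "->", cert_matches_host(SERVER_CERT, uri_host(uri)))
```

Connecting by hostname instead of IP (or adding an iPAddress SAN for 192.168.2.2) is what makes the check pass; a failed check is a verification error, not a hang.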