
OpenLDAP w/ TLS/SSL connection setup on dynamic hosts



Is there any way to set up SSL/TLS connections (no client
verification/authentication, just encryption of the data stream) to an
openldap host whose IP address changes?

I've created a self-signed cert, with the correct FQDN placed in the
certificate.  I use dyndns.org to update my hostname, so though it is
dynamic, it is correct.  However, I can't control my reverse DNS, and
currently, even though I have the CA cert I used to self-sign my cert
with on the client machine, with TLS_REQCERT allow, and TLS_CACERT
pointing to a local copy of the cert, when I try to use ldapsearch to
the machine, I get:

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: TLS: hostname does not match CN in peer certificate

What I'm wondering is if this is even possible if you can't control the
reverse DNS, or if I've just messed something up along the way.

I've included, in my slapd.conf:

TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/ssl/certs/slapd-cert.pem
TLSCACertificateFile    /etc/ssl/certs/slapd-cert.pem
TLSCertificateKeyFile   /etc/ssl/private/slapd-key.pem
TLSVerifyClient         never

-- 
Luke St.Clair <clairst@uiuc.edu>
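As an added example (not from the original post and not OpenLDAP's own code), a small model of the client-side TLS hostname check: the host part of the LDAP URI the client was given is matched against the certificate's dNSName SAN entries, or the subject CN when no SAN is present, using the layout Python's ssl.getpeercert() returns. The certificate dict and the name ldap.example.dyndns.org are constructed placeholders. It shows why connecting by IP address, or by any name other than the one in the certificate, yields the "hostname does not match CN" failure, and that reverse DNS is never consulted by this check.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed peer certificate in the shape ssl.getpeercert() returns (not a real cert).
PEER_CERT = {
    "subject": ((("commonName", "ldap.example.dyndns.org"),),),
    "subjectAltName": (("DNS", "ldap.example.dyndns.org"),),
}

def cert_names(cert):
    """Names a client may match: dNSName SANs, or the subject CN only if no SAN exists."""
    sans = [v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def label_matches(pattern, hostname):
    """Case-insensitive match; '*' is accepted only as the entire leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def hostname_check(uri, cert):
    """Return (ok, reason) for the name in uri against cert, as a TLS client would."""
    host = urlsplit(uri).hostname
    if not host:
        raise ValueError("URI has no host part: %r" % uri)
    try:
        ipaddress.ip_address(host)
        # An IP literal never matches a dNSName or CN, however reverse DNS is set up.
        return False, "connected by IP %s; certificate names %s" % (host, cert_names(cert))
    except ValueError:
        pass
    for name in cert_names(cert):
        if label_matches(name, host):
            return True, "hostname %s matches certificate name %s" % (host, name)
    return False, "TLS: hostname %s does not match CN in peer certificate" % host

if __name__ == "__main__":
    for uri in ("ldaps://ldap.example.dyndns.org/", "ldaps://192.0.2.10/",
                "ldaps://other.example.dyndns.org/"):
        print(uri, "->", hostname_check(uri, PEER_CERT))
```

The practical consequence is that ldap.conf's URI/HOST (or ldapsearch -H) must carry the FQDN that is in the certificate, not an IP address.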