[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS: hostname does not match CN in peer certificate

Quanah Gibson-Mount <quanah@stanford.edu> wrote:

$ ldapsearch -v -D "cn=someuser, o=users" -H ldaps://foo.bar.tld:636 -ZZ
ldap_initialize( ldaps://foo.bar.tld:636 )
ldap_start_tls: Operations error (1)
        additional info: TLS is is already established

You don't need -ZZ if you are using an LDAPS URL, as the LDAPS URL indicates you want SSL encryption.

Thanks Quanah. Apologies for not being totally clear in the previous. I had spotted the redundancy between the "ldaps" scheme and the -ZZ option and tried it without the -ZZ option. But I got:

$ ldapsearch -v -D "cn=someuser, o=users" -H ldaps://foo.bar.tld:636
ldap_initialize( ldaps://foo.bar.tld:636 )
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
       additional info: SASL(-4): no mechanism available:

So I decided that that was probably wrong. From what you say, it seems that this is as it should have been and the problem is elsewhere. I'm not sure what the "no mechanism available" means. My understanding is that the mechanism I want is EXTERNAL and that this should delegate to the installed OpenSSL for a TLS connection. I can't see any further required configuration to make this happen.

Apologies if this is all very basic. I'm a humble web developer (not a sysadmin). The certificate I have has worked correctly previously from a Java web app (via JSSE) so I know that, in theory at least, I have enough to make an LDAP TLS connection. I'm just knee-deep in documentation for the last couple of days.



Chat via voice, text or video - get MSN Messenger FREE! http://messenger.msn.co.uk