Re: ldap client can't contact server with SubjectAltName used
OK, thanks. I'll try that. Unfortunately, I don't have control of the
CA. Our corporate division manages that, and yes it is Entrust. I will
ask them to regenerate the cert.
Niels Frimodt Sørensen wrote:
It seems to me that you are using an Entrust PKI to generate the
certificate? If this is the case, ensure that you set the
subjectAltName in SMA with "" surrounding it - if not SMA prepends the
Venlig hilsen/Kind regards
Niels Frimodt Sørensen
Howard Chu wrote:
Seed, Steven wrote:
Sending again, because I'm not sure if the first message got through
since I had not acknowledged my membership...
Steven Seed wrote:
I have an ldap server set up with an SSL certificate such that the
CN=hostname.fqdn. In the same certificate I have created a
SubjectAltName with several DNS aliases. With everything configured
properly in my ldap.conf file, I can make TLS connections to my
ldap server as long as I use the hostname that matches the CN, but
if I change my connection to use one of the aliases in the
SubjectAltName I get:
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer
An openssl dump of the certificate yields the following in the
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
X509v3 CRL Distribution Points:
DirName:/DC=com/DC=disney/OU=PKI/CN=The Walt Disney Company Enterprise CA/CN=CRL27
Can anyone help me figure out what is going wrong? This is the same
with both version 2.2.13 and 2.3.32 of openldap. Does the
SubjectAltName format look correct?
Your subjectAltName appears to have encoded an email extension with
the string "dns:....." as its value, instead of an actual dns
extension. So basically, your subjectAltName is wrong.
Steven L. Seed
Sr. Systems Administrator
Walt Disney Feature Animation
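Howard's diagnosis can be checked mechanically: in the DER encoding of subjectAltName, each GeneralName carries a context-specific tag, [1] for rfc822Name (an e-mail address) and [2] for dNSName, and a TLS client only ever matches a hostname against the latter. Stuffing the text "dns:alias" into an rfc822Name therefore produces an entry the client never looks at, and the connection only succeeds for the name in the CN. The following is an added example, not code from this thread or from OpenLDAP: it decodes a subjectAltName, constructs two SAN extensions with hypothetical names (ldap1.example.com, ldap-alias.example.com, 10.0.0.5 and so on are made up for the demonstration), and runs the hostname check the way the thread's clients do, trying SAN dNSName/iPAddress entries first and then the subject CN as a fallback.

```python
"""Decode an X.509 subjectAltName and match a hostname against it.

Added example, not code from the thread or from OpenLDAP. Every name and
address below is constructed test data. Matching order follows what the
thread describes: SAN dNSName/iPAddress entries first, then the subject CN.
"""
import ipaddress

# GeneralName context-specific tag numbers (RFC 5280, section 4.2.1.6)
TAG_RFC822NAME = 1   # [1] IA5String   - an e-mail address
TAG_DNSNAME = 2      # [2] IA5String   - a DNS host name
TAG_IPADDRESS = 7    # [7] OCTET STRING - 4 or 16 raw address bytes


def _read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def parse_general_names(der):
    """Decode a DER GeneralNames SEQUENCE into a list of (kind, value) pairs."""
    if not der or der[0] != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    seq_len, pos = _read_length(der, 1)
    end = pos + seq_len
    names = []
    while pos < end:
        tag = der[pos]
        if tag & 0xC0 != 0x80:
            raise ValueError("GeneralName must use a context-specific tag")
        number = tag & 0x1F
        length, pos = _read_length(der, pos + 1)
        value, pos = der[pos:pos + length], pos + length
        if number == TAG_DNSNAME:
            names.append(("dNSName", value.decode("ascii")))
        elif number == TAG_RFC822NAME:
            names.append(("rfc822Name", value.decode("ascii")))
        elif number == TAG_IPADDRESS:
            names.append(("iPAddress", str(ipaddress.ip_address(value))))
        else:
            names.append(("GeneralName[%d]" % number, value))
    return names


def encode_general_names(entries):
    """Build a DER GeneralNames from (tag_number, bytes) pairs.
    For constructed test data only: short-form lengths (< 128 bytes) suffice."""
    body = b"".join(bytes([0x80 | n, len(v)]) + v for n, v in entries)
    return bytes([0x30, len(body)]) + body


def dns_match(pattern, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # e.g. ".directory.example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[:-len(suffix)]
        return leftmost != "" and "." not in leftmost
    return pattern == hostname


def verify_hostname(hostname, san_der, subject_cn):
    """Return (ok, reason). SAN entries first, then the CN, as the thread's
    clients do; stricter RFC 6125 clients skip the CN once a dNSName exists."""
    names = parse_general_names(san_der) if san_der else []
    try:
        ip = str(ipaddress.ip_address(hostname))   # connecting by IP literal?
    except ValueError:
        ip = None
    for kind, value in names:
        if ip is not None and kind == "iPAddress" and value == ip:
            return True, "matched iPAddress SAN %s" % value
        if ip is None and kind == "dNSName" and dns_match(value, hostname):
            return True, "matched dNSName SAN %s" % value
    if ip is None and dns_match(subject_cn, hostname):
        return True, "matched subject CN %s" % subject_cn
    # The mis-encoding from the thread: a DNS name stuffed into an rfc822Name.
    stray = [v for k, v in names if k == "rfc822Name" and v.lower().startswith("dns:")]
    if stray:
        hint = " (rfc822Name %r looks like a mis-typed dNSName; re-issue the " \
               "certificate with a real dNSName entry)" % stray[0]
        return False, "hostname does not match CN in peer" + hint
    return False, "hostname does not match CN in peer"


# Constructed certificates; all names are hypothetical.
CN = "ldap1.example.com"
BROKEN_SAN = encode_general_names([(TAG_RFC822NAME, b"dns:ldap-alias.example.com")])
FIXED_SAN = encode_general_names([
    (TAG_DNSNAME, b"ldap-alias.example.com"),
    (TAG_DNSNAME, b"*.directory.example.com"),
    (TAG_IPADDRESS, bytes([10, 0, 0, 5])),
])

if __name__ == "__main__":
    print(parse_general_names(BROKEN_SAN))
    for host, san in [("ldap1.example.com", BROKEN_SAN),
                      ("ldap-alias.example.com", BROKEN_SAN),
                      ("ldap-alias.example.com", FIXED_SAN),
                      ("a.b.directory.example.com", FIXED_SAN),
                      ("10.0.0.5", FIXED_SAN)]:
        print(host, verify_hostname(host, san, CN))
```

On a real certificate, `openssl x509 -noout -text` prints the decoded entries under "X509v3 Subject Alternative Name": a correct DNS entry renders as `DNS:ldap-alias.example.com`, whereas an rfc822Name renders with the `email:` prefix, so `email:dns:...` in that output is the fingerprint of the mis-encoding Howard describes. Note that IPv4 literals must be four raw bytes in the iPAddress entry, not the dotted text; putting "10.0.0.5" into a dNSName is a second common mistake this check would also reject.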