[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS LDAP Configuration w/Linux 5.0

To: openldap-technical@openldap.org
Subject: Re: TLS LDAP Configuration w/Linux 5.0
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Thu, 21 Feb 2008 09:28:09 +0200
Cc: "Mathis, Jim" <jim.mathis@lmco.com>
Content-disposition: inline
In-reply-to: <673954B3D6E9A14199B78659C4AD37EE0422CFCE@emss04m05.us.lmco.com>
References: <673954B3D6E9A14199B78659C4AD37EE0422CFCE@emss04m05.us.lmco.com>
User-agent: KMail/1.9.7

On Thursday 21 February 2008 00:07:28 Mathis, Jim wrote:
> OS: RH Enterprise Server 5.1
> Server Certificates: Created using a Common Name of "S80.com"
> Client Certificate: Copied "cacert.pem" from the server and placed into
> "/etc/openldap/cacerts/"

> uri ldaps://192.168.10.1/

> CLIENT /ETC/OPENLDAP/LDAP.CONF
>
> URI ldaps://192.168.10.1/

[...]

> ldapsearch -x 'uid=jmathis' -H ldaps://192.168.10.1
> ldap_bind: Can't contact LDAP server (-1)

The basic rules for SSL validation include "host name you connect to must 
match subject CN", so, if 192.168.10.1 is S80.com, then -H ldaps://S80.com 
should work ... but I guess it isn't, so you need to generate a new cert with 
the name your clients connect to (hostname part of URI).]

Regards,
Buchan

Follow-Ups:
- Re: TLS LDAP Configuration w/Linux 5.0
  - From: Howard Chu <hyc@symas.com>

References:
- TLS LDAP Configuration w/Linux 5.0
  - From: "Mathis, Jim" <jim.mathis@lmco.com>

Prev by Date: Re: Ppolicy issues
Next by Date: Re: ldapsearch for accont object class
Index(es):
- Chronological
- Thread