
"TLS_REQCERT allow" rejects CN and hostname mismatch?



Hello,

(openldap 2.4.25 on Debian GNU/Linux)
TLS_REQCERT allow is documented with
"The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad
certificate is provided, it will be ignored and the session proceeds normally."

But when I test it, it looks like the common name (CN) is checked against
the hostname of the server:
$ cat /etc/ldap/ldap.conf 
BASE	dc=domain,dc=lan
URI	ldaps://localhost
TLS_CACERT /etc/ldap/ca.crt
TLS_REQCERT allow
$ ldapsearch -x -d320 cn=* 
TLS: hostname (thinker.domain.lan) does not match common name in
certificate (localhost).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

If I change TLS_REQCERT to never, the ldapsearch command works as
expected.

Is it correct that "TLS_REQCERT allow" checks the CN and the hostname
and stops when they mismatch?

I found this old ITS entry with a patch which would document my
described behaviour in the manpage.
http://www.openldap.org/its/index.cgi/Documentation?id=4941;selectid=4941

Is this part of "TLS_REQCERT allow" just missing from the documentation, or
am I misunderstanding this?

Thanks for your answer.

-- 
Noël Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org
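Added example (editor's illustration, not part of the original message and not OpenLDAP's own code): a small Python model of the two checks the post runs into. The first function is an RFC 6125-style hostname match (subjectAltName dNSName entries first, with the subject CN as fallback; the SAN-before-CN order and the wildcard rules are assumptions of this model, not something the page states about OpenLDAP). The second applies the TLS_REQCERT wording quoted from ldap.conf(5) for never/allow/try/demand and then, as a separate step, the hostname check that the poster observed terminating an "allow" session on 2.4.25; modelling that check as fatal in every mode except "never" is taken from the reported behaviour, not from a reading of any OpenLDAP version. The Cert class and the "localhost" certificate are constructed to mirror the post.

```python
"""Model of TLS_REQCERT policy plus a hostname check (added illustration).

Not OpenLDAP code. It encodes the ldap.conf(5) text quoted in the post
and the observed "allow still checks the hostname" behaviour so the
difference between the four modes, and what "never" gives up, is explicit.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VALID_MODES = ("never", "allow", "try", "demand", "hard")


@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 server certificate."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)
    chain_valid: bool = True  # True if it chains to TLS_CACERT


def _label_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style match of one dNSName pattern against a hostname.

    '*' is accepted only as the entire left-most label, needs at least two
    labels to its right, and never spans a dot. An IP literal never
    matches a dNSName.
    """
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        pass
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    if p_labels[0] != "*":
        return False
    return p_labels[1:] == n_labels[1:]


def hostname_matches(cert: Cert, host: str) -> bool:
    """True if `host` is covered by a SAN dNSName or, failing that, the CN.

    Assumption of this model: SAN entries are consulted first, CN last.
    """
    if any(_label_matches(n, host) for n in cert.san_dns):
        return True
    return _label_matches(cert.common_name, host)


def tls_reqcert_decision(mode: str, cert: Optional[Cert], host: str) -> Tuple[bool, str]:
    """Apply the ldap.conf(5) wording for TLS_REQCERT, then the hostname check.

    Returns (session_proceeds, reason). `cert` is None if the server sent
    no certificate. The hostname check is modelled as fatal in every mode
    but "never", which is what the post reports for 2.4.25.
    """
    mode = mode.lower()
    if mode not in VALID_MODES:
        raise ValueError("unknown TLS_REQCERT value: %r" % mode)
    if mode == "never":
        return True, "never: certificate not checked at all (no MITM protection)"
    if cert is None:
        if mode in ("allow", "try"):
            return True, "%s: no certificate provided, proceeding" % mode
        return False, "%s: no certificate provided, terminating" % mode
    if not cert.chain_valid and mode != "allow":
        return False, "%s: bad certificate, terminating" % mode
    # "allow" ignores a bad chain, but the name check still runs.
    if not hostname_matches(cert, host):
        return False, "%s: hostname (%s) does not match certificate names" % (mode, host)
    return True, "%s: certificate accepted for %s" % (mode, host)


def demo() -> dict:
    """Reproduce the post: CN=localhost, client connecting as thinker.domain.lan."""
    localhost_cert = Cert(common_name="localhost")  # constructed, as in the post
    host = "thinker.domain.lan"
    return {m: tls_reqcert_decision(m, localhost_cert, host)[0]
            for m in ("never", "allow", "try", "demand")}


if __name__ == "__main__":
    for mode, ok in demo().items():
        print("%-6s -> %s" % (mode, "proceeds" if ok else "terminates"))
```

The model makes the practical point behind the question visible: of the four modes, only "never" gets past a name mismatch, and it does so by not verifying anything, so it also removes all protection against an interposed server. The fix a practitioner would want is to keep TLS_REQCERT demand and remove the mismatch instead, either by issuing the server a certificate whose subjectAltName covers the name the client actually connects to, or by pointing URI at a name the existing certificate carries.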