[Date Prev][Date Next]
"TLS_REQCERT allow" rejects CN and hostname mismatch?
(openldap 2.4.25 on Debian GNU/Linux)
TLS_REQCERT allow is documented with
"The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad
certificate is provided, it will be ignored and the session proceeds normally."
But if I test it it looks like the common name (CN) is checked against
the hostname of the server:
$ cat /etc/ldap/ldap.conf
$ ldapsearch -x -d320 cn=*
TLS: hostname (thinker.domain.lan) does not match common name in
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
If I change TLS_REQCERT to never the ldapsearch command works like
Is it correct that "TLS_REQCERT allow" checks the CN and the hostname
and stops when they mismatch?
I found this old ITS entry with a patch which would document my
described behaviour in the manpage.
Is this part of "TLS_REQCERT allow" just missing in the documentation or
do I have a problem to understand this correctly?
thx for your answer.
NoÃl KÃthe <noel debian.org>
Debian GNU/Linux, www.debian.org