Re: How do tool verify certs with ldapi:// ?
On Monday, 28. May 2012, Philip Guenther wrote:
> On Mon, 28 May 2012, Michael Ströder wrote:
> > Peter Marschall wrote:
> > > how do the openldap tools technically verify certificates with
> > > ldapi:// ?
> > Which certs do you want to verify?
> I assume the answer is "the one the server returns when you do StartTLS on
> the ldapi:// connection".
> If that's not a sufficient option, and verifying certs is required, then
> it appears the code will treat the socket path as the hostname to verify
> for. For OpenSSL, for example, that means it'll compare it against any
> DNS: subjectAltNames as well as against the last CN component of the cert
That's not what the openldap tools do.
My server certificates do not contain the ldapi socket path as hostnames,
ldapsearch -LLL -x -H ldapi:/// -ZZ -s base -b ""
works and I want to find out how it does this.