[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: LDAP and TLS

To: "Dan White" <dwhite@olp.net>
Subject: RE: LDAP and TLS
From: "Rodney Simioni" <rodney.simioni@verio.net>
Date: Fri, 14 Jun 2013 15:56:56 -0400
Cc: openldap-technical@openldap.org
Content-class: urn:content-classes:message
Importance: normal
In-reply-to: <20130614194518.GE5377@dan.olp.net>
References: <0971982CF6B9AB418FFD5FEF7F50CB9F0603DA01@IAD-WPRD-XCHB03.corp.verio.net> <20130614194518.GE5377@dan.olp.net>
Thread-index: Ac5pN7OBDkFRnvTQQF6Y33oWsHG5YQAALS5w
Thread-topic: LDAP and TLS

I did a 'openssl x509 -in wildcard.securesites.com.cert -text -noout'

I got 'CN=*.securesites.com'

My /etc/openldap/cacerts looks like:

TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/wildcard.securesites.com.cert
URI ldap://fl1-lsh99apa007.securesites.com/
BASE dc=wh,dc=local

But when I do a ' ldapsearch -d -1 -x -LLL -ZZ', I get:

ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fl1-lsh99apa007.securesites.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.227.2.90:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)

-----Original Message-----
From: Dan White [mailto:dwhite@olp.net] 
Sent: Friday, June 14, 2013 3:45 PM
To: Rodney Simioni
Cc: openldap-technical@openldap.org
Subject: Re: LDAP and TLS

On 06/14/13 14:42 -0400, Rodney Simioni wrote:
>Hi,
>
>In order to for LDAP to work with TLS, does the certificate names need 
>to match the server name?
>
>My admin gave me a certificate but it's called wildcard.com.cert, the 
>name of my server is not 'wildcard'.

Analyze the contents of the cert and verify the CN is really '*.example.com':

openssl x509 -in wildcard.com.cert -text -noout

If so, then your LDAP clients probably will accept it as a valid certificate (this typically works for web browsers), but your mileage may vary.

We have worked with a wild card certificate provider before. In addition to offering a *.example.com cert, they may also offer a certain number of tertiary certificates (e.g. ldap.example.com) priced in with the wild card cert.

--
Dan White

This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free.  Thank you.

Follow-Ups:
- Re: LDAP and TLS
  - From: Dan White <dwhite@olp.net>

References:
- LDAP and TLS
  - From: "Rodney Simioni" <rodney.simioni@verio.net>
- Re: LDAP and TLS
  - From: Dan White <dwhite@olp.net>

Prev by Date: Re: LDAP and TLS
Next by Date: Re: LDAP and TLS
Index(es):
- Chronological
- Thread