Hi,
On Fri, 18 Oct 2013, lejeczek wrote:
<snipp/>
> hi Christian
> my case is, well, it should be a lot simpler: one box with
> slapd.local.domain
> slap.public.external
> and I would like to be able to search this one host
> on/via both hostnames/IPs with TLS
> so I issue and sign a certificate myself; the CA issuer is
> CA.local.domain
> Subject: .......... CN=slapd.local.domain/email.........
> and
> X509v3 Subject Alternative Name:
> DNS:slap.public.external, IP Address:ex.te.rn.al
> ldapsearch -h slap.public.external -D cn=manager,dc=local,dc=domain ....
> result:
> TLS: hostname (slap.public.external) does not match
> common name in certificate (slapd.local.domain).
> TLS: can't connect: TLS error -8157:Certificate extension not found..
> ldap_start_tls: Connect error (-11)
> additional info: TLS error -8157:Certificate extension not found.
> whereas:
> ldapsearch -h slap.local.domain -D cn=manager,dc=local,dc=domain
> works fine
> could it be the tools from openldap-clients, a bug?
> Apache's LDAP toolkit for Eclipse seems to work and
> connects to slap.public.external
this should work. It does in two separate setups that I
maintain.
Which version is your openldap client?
[ck@ldaptest1]$ cat ~ldap/ldap.conf
BASE dc=example,dc=org
URI ldap://ldaptest1.cksoft.de
TLS_CACERT /usr/local/etc/openldap/certs/cksoftware-gmbh-ca-2011-2031.cert
TLS_REQCERT demand
> btw, being a novice with openssl, is there a way to print the extensions,
> thus the SAN, of a certificate?
> I can print and see it on the request.
use the following to dump the certificate:
openssl x509 -text -noout -in CERT.pem
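Putting the two answers together as an added example (this script is not from the thread or from either poster): it issues a certificate for the setup described above, prints the SAN that actually landed in the issued certificate rather than in the request, and runs the same hostname and IP check a TLS client performs. The NSS message in the original error, "Certificate extension not found", means the client found no SAN in the certificate it was handed, which is why the script inspects the certificate and not the CSR. Assumed values are the CA name and hostnames from the thread and 192.0.2.10 as a placeholder for the elided public IP; the -verify_hostname/-verify_ip options need OpenSSL 1.0.2 or newer.

```shell
#!/bin/sh
# Added example, not from the thread: issue a server cert whose SAN lists both
# hostnames and the IP, then inspect the *issued certificate* (not the CSR)
# and run the hostname/IP check a TLS client performs.
# Assumed values: CA name and hostnames from the thread; the IP is a placeholder
# from the documentation range because the post elides the real address.
set -eu

INTERNAL=slapd.local.domain
PUBLIC=slap.public.external
PUBLIC_IP=192.0.2.10

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA standing in for CA.local.domain.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=CA.local.domain" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# CSR with CN = internal name only. The SAN is handed to the *signer* via
# -extfile: "openssl x509 -req" never copies extensions out of the CSR, and
# "openssl ca" only does so when copy_extensions is set in its config. That
# is how a SAN that is visible in the request ends up absent from the cert.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$INTERNAL" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s,DNS:%s,IP:%s\n' \
        "$INTERNAL" "$PUBLIC" "$PUBLIC_IP" > "$WORK/san.ext"
    openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/server.pem" 2>/dev/null
}

# The SAN line of the issued certificate: what the LDAP client will see.
san_of_cert() {
    openssl x509 -in "$WORK/server.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Chain + name check against the issued cert. Matches on the output rather
# than the exit status because older "openssl verify" builds exit 0 on failure.
verifies_as() {   # verifies_as <hostname-or-dotted-ip>
    case "$1" in
        *[!0-9.]*) opt=-verify_hostname ;;
        *)         opt=-verify_ip ;;
    esac
    openssl verify -CAfile "$WORK/ca.pem" "$opt" "$1" "$WORK/server.pem" 2>&1 \
        | grep -q ': OK$'
}

make_ca
make_server_cert
echo "SAN in issued certificate: $(san_of_cert)"
for name in "$INTERNAL" "$PUBLIC" "$PUBLIC_IP" other.example; do
    if verifies_as "$name"; then echo "$name: OK"; else echo "$name: MISMATCH"; fi
done
```

Once the issued certificate carries both DNS names and the IP, an ldap.conf like the one above (TLS_CACERT pointing at the signing CA, TLS_REQCERT demand) lets ldapsearch reach the same slapd under either hostname; if san_of_cert prints nothing, the SAN was lost at signing time and no client-side setting will recover it.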