
Re: SSL based ldap server



Aneela Saleem wrote:
> Hi all,
> 
> I have implemented LDAP over SSL. The FQDN of the LDAP server is "platalytics.com"
> and the same is the CN in the SSL certificate. But why is it that when I run the
> following command it works fine, i.e.,
> 
> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldap://127.0.0.1:389 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
> 
> but in the case of ldaps, I have to provide the FQDN as the hostname, i.e.,
> 
> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
> 
> because the following command does not work, i.e.,
> 
> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://127.0.0.1:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'

The mandatory TLS hostname check is a prevention against MITM attacks.

ldaps://127.0.0.1 does not make sense anyway.

And even better, you should use ldapi:// [1] for local access.

[1] http://tools.ietf.org/html/draft-chu-ldap-ldapi

Ciao, Michael.
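The point Michael makes is that a TLS client compares the host part of the URL against the names in the server certificate before it trusts the connection, and an IP literal such as 127.0.0.1 can only ever match an iPAddress subjectAltName, never a CN. The script below is an added illustration, not code from the thread or from OpenLDAP: it applies the RFC 6125 matching rules to a constructed certificate in the dict layout Python's ssl.getpeercert() returns (CN "platalytics.com" as in the thread; the wildcard and the 203.0.113.10 IP SAN are invented), and walks the three URLs from the question through the same decision a client like ldapsearch has to make. The URL and scheme handling is my own simplification, not OpenLDAP's libldap code.

```python
"""Reference-identity check a TLS client performs before trusting a server.

Added example for the ldaps:// hostname-check discussion; it does not
reproduce libldap or ldapsearch internals, it shows the rule they enforce.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed certificate in the dict layout ssl.getpeercert() returns.
# The CN matches the thread; the wildcard and IP SAN are invented (203.0.113.0/24
# is a documentation range, so this never points at a real host).
CERT = {
    "subject": ((("commonName", "platalytics.com"),),),
    "subjectAltName": (
        ("DNS", "platalytics.com"),
        ("DNS", "*.platalytics.com"),
        ("IP Address", "203.0.113.10"),
    ),
}


def _dns_match(pattern, hostname):
    """Case-insensitive dNSName match; one wildcard, only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]                      # ".platalytics.com"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        # The wildcard must replace exactly one non-empty label (RFC 6125 6.4.3).
        return bool(prefix) and "." not in prefix
    return False


def reference_identity_matches(cert, reference):
    """Return (matched, reason) for the host part a client typed in the URL."""
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())

    if ip is not None:
        # IP literal: only an iPAddress SAN counts; the subject CN is never consulted.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"iPAddress SAN {value}"
        return False, f"no iPAddress SAN for {reference}"

    dns_names = [value for kind, value in sans if kind == "DNS"]
    for name in dns_names:
        if _dns_match(name, reference):
            return True, f"dNSName SAN {name}"
    if dns_names:
        return False, "dNSName SANs present but none match; CN ignored"

    # Legacy fallback: only when the cert carries no dNSName SAN at all.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_match(value, reference):
                return True, f"subject CN {value} (legacy fallback)"
    return False, "no matching name"


def url_passes_hostname_check(cert, url):
    """Decide, per URL scheme, whether the TLS hostname check would let the connection proceed."""
    parts = urlsplit(url)
    if parts.scheme == "ldapi":
        return True, "ldapi:// is a local Unix-domain socket; there is no TLS hostname to verify"
    if parts.scheme == "ldap":
        return True, "ldap:// opens plain TCP; nothing is verified at connect time (and nothing stops a MITM)"
    if parts.scheme != "ldaps":
        return False, f"unsupported scheme {parts.scheme!r}"
    return reference_identity_matches(cert, parts.hostname or "")


if __name__ == "__main__":
    for url in ("ldap://127.0.0.1:389", "ldaps://platalytics.com:636", "ldaps://127.0.0.1:636",
                "ldaps://ldap.platalytics.com:636", "ldapi:///"):
        ok, why = url_passes_hostname_check(CERT, url)
        print(f"{url:40} {'OK ' if ok else 'REJECT'}  {why}")
```

Run as-is and the three commands from the question line up with what was observed: the plain ldap:// URL is never checked, ldaps://platalytics.com matches the dNSName SAN, and ldaps://127.0.0.1 is rejected because the certificate carries no iPAddress entry for that address. Putting 127.0.0.1 into the certificate would make the third URL "work", but ldapi:// is the better answer for local access since it removes the TLS hostname question entirely.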
