Re: SSL based ldap server

[Aneela Saleem <aneela@platalytics.com>]

What if i want to access LDAP from external source? how would it recognize platalytics.com?

On Fri, Oct 2, 2015 at 1:18 PM, Michael Ströder <michael@stroeder.com> wrote:

Aneela Saleem wrote:
> Hi all,
>
> I have implemented LDAP over ssl. FQDN of LDAP server is "platalytics.com"
> and same is CN in the SSL certificate. But why is it so that when i run
> following command it works fine i.e.,
>
> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldap://
> 127.0.0.1:389 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>
> but in case of ldaps, i have to provide FQDN as the hostname i.e.,
>
> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://
> platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>
> because following command does not work i.e.,
>
> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://
> 127.0.0.1:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'

The mandatory TLS hostname check is a prevention against MITM attacks.

ldaps://127.0.0.1 does not make sense anyway.

And even better you should use ldapi:// [1] for local access.

http://tools.ietf.org/html/draft-chu-ldap-ldapi

Ciao, Michael.