
Re: TLS: hostname does not match CN in peer certificate



Quanah Gibson-Mount <quanah@stanford.edu> wrote:

> > $ ldapsearch -v -D "cn=someuser, o=users" -H ldaps://foo.bar.tld:636 -ZZ
> > ldap_initialize( ldaps://foo.bar.tld:636 )
> > ldap_start_tls: Operations error (1)
> >         additional info: TLS is is already established
>
> You don't need -ZZ if you are using an LDAPS URL, as the LDAPS URL indicates you want SSL encryption.

Thanks Quanah. Apologies for not being totally clear in the previous. I had spotted the redundancy between the "ldaps" scheme and the -ZZ option and tried it without the -ZZ option. But I got:
$ ldapsearch -v -D "cn=someuser, o=users" -H ldaps://foo.bar.tld:636
ldap_initialize( ldaps://foo.bar.tld:636 )
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
       additional info: SASL(-4): no mechanism available:

So I decided that that was probably wrong. From what you say, it seems that this is as it should have been and the problem is elsewhere. I'm not sure what the "no mechanism available" means. My understanding is that the mechanism I want is EXTERNAL and that this should delegate to the installed OpenSSL for a TLS connection. I can't see any further required configuration to make this happen.

Apologies if this is all very basic. I'm a humble web developer (not a sysadmin). The certificate I have has worked correctly previously from a Java web app (via JSSE) so I know that, in theory at least, I have enough to make an LDAP TLS connection. I'm just knee-deep in documentation for the last couple of days.

Thanks,

John.
