[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: why LDAP and LDAPS was opened contemporary

To: owen nirvana <freeespeech@gmail.com>
Subject: Re: why LDAP and LDAPS was opened contemporary
From: Indexer <indexer@internode.on.net>
Date: Fri, 2 Jul 2010 14:54:20 +0930
Cc: openldap-technical@openldap.org
In-reply-to: <AANLkTinwPkUub0_DuQAM-oQ27Bn3nYKu7ZKr35Us-oT5@mail.gmail.com>
References: <AANLkTikLWp9B_Kg12FxOw9_BN8-XSovM_LJHk-Xq6Ifl@mail.gmail.com> <233481E0-3F55-4189-AD9E-F95F55E687E8@internode.on.net> <AANLkTil6aGnGkLZVioLonKWl6nPxOP-cmzqWvEoBzbc2@mail.gmail.com> <AANLkTinwPkUub0_DuQAM-oQ27Bn3nYKu7ZKr35Us-oT5@mail.gmail.com>

The CN should be the fully qualified domain name, aka if my server is ldap.domain.com, the CN must match ldap.domain.com, and you must connect to the server using ldap://ldap.domain.com. It is the cause of most TLS issues.

On 02/07/2010, at 2:51 PM, owen nirvana wrote:

> create a new certificate and key , CN = Administrator,  no more verify
> failed, but
> 
> " ldap_start_tls : Can't Contact LDAP Server(-1)" is repoerted yet, no
> addition info
> 
> gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech@gmail.com>
> 
> 
> On Fri, Jul 2, 2010 at 12:47 PM, owen nirvana <freeespeech@gmail.com> wrote:
> 
>> thanks
>> 
>> about " Your servers CN on the certificate must also match the hostname of
>> the server."
>> 
>> is it means CN should be username of OS like Administrator, or  ldap server
>> name like "ldap.server"
>> gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech@gmail.com>
>> 
>> 
>> 
>> On Fri, Jul 2, 2010 at 11:24 AM, Indexer <indexer@internode.on.net> wrote:
>> 
>>> 
>>> On 02/07/2010, at 12:49 PM, owen nirvana wrote:
>>> 
>>>> I set tls options to use ldaps.
>>> 
>>> When using TLS you dont need LDAPS, you want to set your systems to
>>> ldap://ldap.server
>>> 
>>>> 
>>>> question 1:
>>>> port 389 is opened yet when I scan the LDAP Server by nmap, but I could
>>> not
>>>> connect it with Apache Directory Studio v1.5.3.
>>>> 
>>>> question 2:
>>>> Nmap tell me "server still supports SSLv2", but I set TLSCipherSuite is
>>>> HIGH:MEDIUM:-SSLv2
>>>> 
>>>> question 3:
>>>> I try to import some data with ldapmodify
>>>> 
>>>> ldapmodify -a -H ldap://mydomain.org:636 -D
>>> "cn=admin,dc=mydomain,dc=org" -x
>>>> -w whatever -f init.ldif
>>> 
>>> Try adding the -Z flag to turn on encryption. Your servers CN on the
>>> certificate must also match the hostname of the server.
>>> 
>>>> 
>>>> the following is error report:
>>>> 
>>>> ldap_start_tls : Can't Contact LDAP Server(-1)
>>>>   addition info: error: 14000092: SSL Routine: SSL3_GET_CERTFICATE:
>>>> certificate verify failed
>>>> 
>>>> ldap_sasl_bind(Simple): Can't Contact LDAP Server(-1)
>>>> 
>>>> 
>>>> gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech@gmail.com> <
>>> gtalk%3Afreeespeech@gmail.com <gtalk%253Afreeespeech@gmail.com>>
>>> 
>>> 
>>

Follow-Ups:
- Re: why LDAP and LDAPS was opened contemporary
  - From: owen nirvana <freeespeech@gmail.com>

References:
- why LDAP and LDAPS was opened contemporary
  - From: owen nirvana <freeespeech@gmail.com>
- Re: why LDAP and LDAPS was opened contemporary
  - From: Indexer <indexer@internode.on.net>
- Re: why LDAP and LDAPS was opened contemporary
  - From: owen nirvana <freeespeech@gmail.com>
- Re: why LDAP and LDAPS was opened contemporary
  - From: owen nirvana <freeespeech@gmail.com>

Prev by Date: Re: why LDAP and LDAPS was opened contemporary
Next by Date: Re: why LDAP and LDAPS was opened contemporary
Index(es):
- Chronological
- Thread