
Re: Antw: Re: external authentication source



>>> Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no> wrote on 23.03.2015 at
13:53 in message <55100CDD.1000805@usit.uio.no>:
> On 23. March 2015 12:45, Ulrich Windl wrote:
>> Related question: If the command above fails with "stronger confidentiality
>> required", and adding "-ZZ" fails with "TLS: hostname does not match CN in
>> peer certificate", what should a proper certificate look like?
> 
> Read the OpenLDAP Admin Guide, section 16 (TLS).
> In particular 16.1.1. Server Certificates.

Hi!

According to your proposal I read:
--
16.1.1. Server Certificates

The DN of a server certificate must use the CN attribute to name the server,
and the CN must carry the server's fully qualified domain name. Additional
alias names and wildcards may be present in the subjectAltName certificate
extension. More details on server certificate names are in RFC4513.
--

So this does not answer my question of how to cover the ldapi:// URI. Or maybe there's an easier way to override the "confidentiality required" for ldapi://?

You missed reading the essential part of my message, namely:
"ldapwhoami -Y EXTERNAL -H ldapi://"

(For a normal ldap:// connection I have no problems with the settings.)

Regards,
Ulrich
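The directives that govern this situation, as an added illustration and not something posted in this thread: slapd does not run TLS on the ldapi:// listener, so the SSF it assigns to a local (Unix-socket) session comes from localSSF / olcLocalSSF, which defaults to 71. If the global security / olcSecurity minimum is set higher than that, every ldapi:// bind, including SASL EXTERNAL, is refused with "stronger confidentiality required", and -ZZ cannot help because there is no TLS on that listener. The cn=config fragment below shows a strict setting of the kind that triggers the error next to the adjustment that lets the local socket satisfy it; the value 128 and the use of cn=config (rather than slapd.conf) are assumptions for the example.

```ldif
# Example cn=config modification (assumed layout, not from the thread).
# Raising olcSecurity to ssf=128 alone will reject ldapi:// sessions,
# which only carry the default local SSF of 71.
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128
-
# Declare the local socket as trustworthy enough to meet that minimum.
# Only do this if the socket's file permissions actually restrict who
# can connect; the SSF is an assertion, not something slapd measures.
replace: olcLocalSSF
olcLocalSSF: 128
```

Apply it with ldapmodify over a connection that already satisfies the current olcSecurity value (for example ldap:// with -ZZ and a certificate whose CN or subjectAltName matches the host name used in -H); if the ldapi:// EXTERNAL bind is what is being refused, it cannot be used to apply its own fix. The equivalent slapd.conf directives are "security ssf=128" and "localSSF 128".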