On Mon, 2006-01-09 at 20:56 +0100, Jo De Troy wrote: > Hi Susan, > > yes it is. Below you can see my /etc/openldap/ldap.conf > # > HOST ldapserver > BASE dc=example,dc=com > TLS_REQCERT allow > TLS_CACERT /etc/openldap/cacerts/cacert > > The openssl command Mark pointed to works fine. From that output I > grabbed the CAcert and stored it the file I'm referencing in > the /etc/openldap/ldap.conf What's "ldapsearch -d 10" saying? > I'm wondering if the certificate I created is correct. Should the cn > in the certificate have the hostname as value? I guess it should or > not? In order for ldapsearch to verify the certificate, you need to contact the ldap server with the same hostname which is specified in the certificate. You can do that by making the subject of the cert "ldapserver.foo.com" or (I think, but haven't tried) by setting the subjectAltName extension to something like: subjectAltName = DNS:ldapserver.foo.com,IP:135.208.5.2 In which case you could contact it with either the subject name or the alternative subject names. Cheers, Mark.
