Re: problem with cert for ssl on RHAS5

> Date: Wed, 5 Dec 2007 15:37:53 +1300
> From: "Steven Jones" <Steven.Jones at vuw.ac.nz>

> Is there a way to search the list archives for topics?
> 
> Such as say,
> 
> "ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer
> certificate"

Since the above message comes from the OpenLDAP tools/library, you'd have 
better luck searching the OpenLDAP archives. www.openldap.org.

>> So what did I do wrong?
> ----
> probably should only use uri and not host in /etc/openldap/ldap.conf
> 
> yep, I can take that out....
> 
> And it's clear that
> 
> ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)
> 
> Sorry I fail to see it as that clear (until now you explain it anyway!)
> 
> ....Working through the FDS/RDS documentation I seem to have failed to
> notice that it clearly (if at all???) explains what cn= should equal or
> indeed the setting in the ldap.conf needs to be the same....in terms of
> DNS they do equal as ldap is a CNAME of vuwunicvfdsm001....

This is explained in the OpenLDAP Admin Guide.
http://www.openldap.org/doc/admin24/tls.html#TLS%20Certificates

> 
> The advantage of using a CNAME is I can upgrade the system and to a
> simple CNAME change to replace the servers....

RFC2830 explicitly forbids clients from talking to a DNS server to verify the 
server name. Therefore most clients would be unable to dereference a CNAME. 
RFC4513 relaxes this constraint, and permits a client to use secure hostname 
services (e.g. DNSSEC), but in practice there are no standard APIs to select or 
control these services, so the RFC2830 constraint is still in force - the 
hostname provided by the client must be used directly, without any other 
mapping, in comparisons to the names in the server certificate. But as already 
mentioned, you can include arbitrarily many subjectAltName extensions in the 
certificate to provide aliases and domain wildcards.

> Date: Tue, 04 Dec 2007 20:42:25 -0700
> From: Craig White <craigwhite at azapple.com>

> Lastly, you probably can add to both /etc/ldap.conf
> and /etc/openldap/ldap.conf
> 
> ssl start_tls
> 
> and it should automatically use tls...

No. That's only legal for PADL's pam_ldap and nss_ldap. There is no equivalent 
option for OpenLDAP's libldap because that is not a library-level issue, it's 
application level. /etc/openldap/ldap.conf is only for library default 
settings. There is no configuration file for client tool defaults.

> Date: Tue, 04 Dec 2007 20:05:25 -0800
> From: Satish Chetty <satish at suburbia.org.au>

>> I am trying to do a ldapsearch with ssl enabled....and I get this error,
> 
> 	You can also try ldapsearch that comes with FDS (without -x option)
> 
> 	Also, if you want only encryption and not host identification, use
> 'tls_checkpeer no' in your ldap.conf

That is also only valid for pam_ldap and nss_ldap. In OpenLDAP that's what the 
"TLS_REQCERT never" option is for, but in the versions of OpenLDAP that RedHat 
ships, that are typically 3-5 years obsolete, that option doesn't quite work 
as expected. I.e., the hostname check is performed regardless of the setting 
of TLS_REQCERT.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
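The hostname check discussed above (the client-supplied name is compared literally against the certificate's subjectAltName dNSName entries, or the CN as a fallback, with wildcards allowed and no CNAME dereferencing), as an added example that is not part of this thread or of OpenLDAP's code. `PeerCert`, `dns_name_matches` and `hostname_matches_cert` are hypothetical names, and the three certificate identities are constructed to mirror the situation in the thread.

```python
# Added example (not from the thread): hostname matching the way an LDAP
# client must do it per RFC 2830 / RFC 4513. The name the client was given
# is compared directly against the certificate's subjectAltName dNSName
# entries (or the CN as a fallback). No DNS or CNAME lookup is consulted.
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Minimal stand-in for the identity fields of an X.509 server cert."""
    cn: str
    san_dns: list = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive label match; a leading '*' covers exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # The wildcard label must sit below at least two fixed labels, so a
        # pattern like '*.nz' never matches; remaining labels must be identical.
        return len(h_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches_cert(hostname: str, cert: PeerCert) -> bool:
    """True if the client-supplied hostname names this certificate.
    'ldap.vuw.ac.nz' only matches if it appears literally (or via a
    wildcard) in the certificate; being a CNAME of the CN does not count."""
    if cert.san_dns:
        # When dNSName SAN entries exist they are the identity; CN is ignored.
        return any(dns_name_matches(n, hostname) for n in cert.san_dns)
    return dns_name_matches(cert.cn, hostname)


# Constructed certificate identities mirroring the thread's situation.
CERT_CN_ONLY = PeerCert(cn="vuwunicvfdsm001.vuw.ac.nz")
CERT_WITH_SAN = PeerCert(cn="vuwunicvfdsm001.vuw.ac.nz",
                         san_dns=["vuwunicvfdsm001.vuw.ac.nz", "ldap.vuw.ac.nz"])
CERT_WILDCARD = PeerCert(cn="vuwunicvfdsm001.vuw.ac.nz", san_dns=["*.vuw.ac.nz"])

if __name__ == "__main__":
    for label, cert in [("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN),
                        ("wildcard SAN", CERT_WILDCARD)]:
        ok = hostname_matches_cert("ldap.vuw.ac.nz", cert)
        print(f"{label:13s} ldap.vuw.ac.nz -> {ok}")
```

The first case reproduces the "hostname does not match CN in peer certificate" failure from the thread; the other two show the subjectAltName fixes that make the CNAME usable.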



