Steven Jones wrote:
An “improved” ldap.conf (with no ssl/TLS) for RHAS5 =============== # http://www.padl.com base dc=vuw,dc=ac,dc=nz pam_password md5 BASE dc=vuw,dc=ac,dc=nz TLS_REQCERT never uri ldap://ldap.vuw.ac.nz/ ssl no tls_cacertdir /etc/openldap/cacerts =============== Trying TLS with, =============== #ssl setup # http://www.padl.com base dc=vuw,dc=ac,dc=nz pam_password md5 BASE dc=vuw,dc=ac,dc=nz TLS_REQCERT allow #TLS_REQCERT never host ldap.vuw.ac.nz ssl start_tls uri ldap://ldap.vuw.ac.nz/ tls_cacertdir /etc/openldap/cacerts =============== Produces this error, [root@vuwunicoadmin01 etc]# ldapsearch -x -ZZ '(uid=jonesst1)' ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate Which is an interesting error…..
Yes, very. http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps <quote>NOTE - *Do not use cn=server-cert for your server certificate*. In step 7 of the linked instructions, it says to use certutil .... -s cn=server-cert - this will cause clients to fail to validate the cert. Instead, you must use the fully qualified domain name of your server host as the value of the cn attribute in the subject DN. For example, if your directory server hostname is foo.example.com, use
../shared/bin/certutil -S -n "Server-Cert" -s cn=foo.example.com -c "CA certificate" \ -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txtto generate your server cert. This is the minimum. You may wish to provide your clients with more details about your server. For more information, see RFC 1485 <http://www.ietf.org/rfc/rfc1485.txt>. You could choose to specify the subject DN like this:
../shared/bin/certutil ... -s "cn=foo.example.com,ou=engineering,o=example corp,c=us" ... </quote>Note that this also means that if you use cn=foo.example.com, clients must be able to resolve the server's IP address to "foo.example.com". If you don't care/can't do this, then use TLS_REQCERT never in your /etc/openldap/ldap.conf to make ldapsearch stop complaining. I highly recommend you do not do this though.
regards Steven ------------------------------------------------------------------------ -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
