Date: Wed, 5 Dec 2007 15:37:53 +1300
From: "Steven Jones" <Steven.Jones@xxxxxxxxx>
Is there a way to search the list archives for topics?
Such as say,
"ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer
certificate"
Since the above message comes from the OpenLDAP tools/library, you'd have
better luck searching the OpenLDAP archives. www.openldap.org.
So what did I do wrong?
----
probably should only use uri and not host in /etc/openldap/ldap.conf
yep, I can take that out....
And it's clear that
ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)
Sorry I fail to see it as that clear (until now you explain it anyway!)
....Working through the FDS/RDS documentation I seem to have failed to
notice that it clearly (if at all???) explains what cn= should equal or
indeed the setting in the ldap.conf needs to be the same....in terms of
DNS they do equal as ldap is a CNAME of vuwunicvfdsm001....
This is explained in the OpenLDAP Admin Guide.
http://www.openldap.org/doc/admin24/tls.html#TLS%20Certificates
The advantage of using a CNAME is I can upgrade the system and to a
simple CNAME change to replace the servers....
RFC2830 explicitly forbid clients from talking to a DNS server to verify the
server name. Therefore most clients would be unable to dereference a CNAME.
RFC4513 relaxes this constraint, and permits a client to use secure hostname
services (e.g. DNSSEC), but in practice there's no standard APIs to select or
control these services, so the RFC2830 constraint is still in force - the
hostname provided by the client must be used directly, without any other
mapping, in comparisons to the names in the server certificate. But as already
mentioned, you can include arbitrarily many subjectAltName extensions in the
certificate to provide aliases and domain wildcards.
Date: Tue, 04 Dec 2007 20:42:25 -0700
From: Craig White <craigwhite@xxxxxxxxxxx>
Lastly, you probably can add to both /etc/ldap.conf
and /etc/openldap/ldap.conf
ssl start_tls
and it should automatically use tls...
No. That's only legal for PADL's pam_ldap and nss_ldap. There is no equivalent
option for OpenLDAP's libldap because that is not a library-level issue, it's
application level. /etc/openldap/ldap.conf is only for library default
settings. There is no configuration file for client tool defaults.
Date: Tue, 04 Dec 2007 20:05:25 -0800
From: Satish Chetty <satish@xxxxxxxxxxxxxxx>
I am trying to do a ldapsearch with ssl enabled....and I get this error,
You can also try ldapsearch that comes with FDS (without -x option)
Also, if you want only encryption and not host identification, use
'tls_checkpeer no' in your ldap.conf
That is also only valid for pam_ldap and nss_ldap. In OpenLDAP that's what the
"TLS_REQCERT never" option is for, but in the versions of OpenLDAP that RedHat
ships, that are typically 3-5 years obsolete, that option doesn't quite work
as expected. I.e., the hostname check is performed regardless of the setting
of TLS_REQCERT.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
