[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Fedora-directory-users] Re: problem with cert for ssl on RHAS5



Date: Wed, 5 Dec 2007 15:37:53 +1300
From: "Steven Jones" <Steven Jones vuw ac nz>

Is there a way to search the list archives for topics?

Such as say,

"ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer
certificate"

Since the above message comes from the OpenLDAP tools/library, you'd have better luck searching the OpenLDAP archives. www.openldap.org.

So what did I do wrong?
----
probably should only use uri and not host in /etc/openldap/ldap.conf

yep, I can take that out....

And it's clear that

ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)

Sorry I fail to see it as that clear (until now you explain it anyway!)

....Working through the FDS/RDS documentation I seem to have failed to
notice that it clearly (if at all???) explains what cn= should equal or
indeed the setting in the ldap.conf needs to be the same....in terms of
DNS they do equal as ldap is a CNAME of vuwunicvfdsm001....

This is explained in the OpenLDAP Admin Guide.
http://www.openldap.org/doc/admin24/tls.html#TLS%20Certificates

The advantage of using a CNAME is I can upgrade the system and to a
simple CNAME change to replace the servers....

RFC2830 explicitly forbid clients from talking to a DNS server to verify the server name. Therefore most clients would be unable to dereference a CNAME. RFC4513 relaxes this constraint, and permits a client to use secure hostname services (e.g. DNSSEC), but in practice there's no standard APIs to select or control these services, so the RFC2830 constraint is still in force - the hostname provided by the client must be used directly, without any other mapping, in comparisons to the names in the server certificate. But as already mentioned, you can include arbitrarily many subjectAltName extensions in the certificate to provide aliases and domain wildcards.

Date: Tue, 04 Dec 2007 20:42:25 -0700
From: Craig White <craigwhite azapple com>

Lastly, you probably can add to both /etc/ldap.conf
and /etc/openldap/ldap.conf

ssl start_tls

and it should automatically use tls...

No. That's only legal for PADL's pam_ldap and nss_ldap. There is no equivalent option for OpenLDAP's libldap because that is not a library-level issue, it's application level. /etc/openldap/ldap.conf is only for library default settings. There is no configuration file for client tool defaults.

Date: Tue, 04 Dec 2007 20:05:25 -0800
From: Satish Chetty <satish suburbia org au>

I am trying to do a ldapsearch with ssl enabled....and I get this error,

	You can also try ldapsearch that comes with FDS (without -x option)

	Also, if you want only encryption and not host identification, use
'tls_checkpeer no' in your ldap.conf

That is also only valid for pam_ldap and nss_ldap. In OpenLDAP that's what the "TLS_REQCERT never" option is for, but in the versions of OpenLDAP that RedHat ships, that are typically 3-5 years obsolete, that option doesn't quite work as expected. I.e., the hostname check is performed regardless of the setting of TLS_REQCERT.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]