Re: TLS
Beck Zoltan Gyula wrote:
- I'm using Debian Sarge Linux
[...]
TLS certificate verification: depth: 0, err: -49, subject: -unknown-,
issuer: -unknown-
TLS certificate verification: Error, Unknown error
connection_read(12): unable to get TLS client DN error=49 id=0
ldap_bind: Can't contact LDAP server (81)
additional info: TLS: hostname does not match CN in peer
why doesn't the hostname match?!
1: You are supposed to have or to make a CA certificate, which you
should use to sign the certificate request you have made.
2: Linux specific: The hostname that you enter for the certificate
request should match the output of the command: 'hostname -f'.
3: You should enter the relevant details of server public key, server
private key and CA certificate into the slapd.conf configuration file
(man 5 slapd.conf) and the certs must be readable by the server uid.
4: The CA certificate and path should be entered into the client
ldap.conf file (usually located in either /etc/ldap or
/usr/local/etc/openldap). man ldap.conf. The CA cert and path to it
should be readable by all clients.
All certs must be in .pem format; hashes (like Apache/mod_ssl uses) are
not used.
To verify that you have entered the correct subject info. into the
server public key cert., you can do:
'openssl x509 -in /path/to/cert -text -noout'
--Tonni
--
Tony Earnshaw
Do not CC me or your mail will probably be rejected.
I don't like this, either. Blame it on Swen and a slow
Internet connection.
http://www.billy.demon.nl
Mail: billy-at-billy.demon.nl
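A small pre-flight script for steps 2 to 4 above, added here as an example and not part of Tonni's reply: it checks that a server certificate carries the name the client will connect to (the "hostname does not match CN in peer" condition) and that it verifies against the CA file the client's ldap.conf points at. It assumes only the openssl command line tool; the file paths in the usage line are placeholders.

```shell
#!/bin/sh
# Pre-flight check for a slapd TLS setup: does the server cert carry the
# name clients connect to, and does it chain to the CA that the client's
# ldap.conf (TLS_CACERT) trusts? Constructed example, openssl CLI only.

# Print the certificate's subject CN and every DNS subjectAltName, one per line.
# Handles both old ("subject= /CN=x") and new ("subject=CN = x") openssl output.
cert_names() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p' | sed 's/[,/].*//'
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Succeed (0) when HOST is exactly one of the certificate's names. This is the
# comparison that yields "hostname does not match CN in peer" when it fails.
cert_matches_host() {
    cert=$1; host=$2
    cert_names "$cert" | grep -qxF -- "$host"
}

# Succeed (0) when CERT validates against CA_FILE, the file a client would
# list as TLS_CACERT in ldap.conf.
cert_chains_to_ca() {
    ca=$1; cert=$2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Run both checks for a CA file, a server cert and the name to test.
# Exit status: 0 ok, 1 hostname mismatch, 2 chain does not verify.
check_ldap_cert() {
    ca=$1; cert=$2; host=$3
    if ! cert_matches_host "$cert" "$host"; then
        echo "mismatch: '$host' is not among: $(cert_names "$cert" | tr '\n' ' ')" >&2
        return 1
    fi
    if ! cert_chains_to_ca "$ca" "$cert"; then
        echo "chain: $cert does not verify against $ca" >&2
        return 2
    fi
    echo "ok: $cert matches $host and chains to $ca"
}

# Usage (placeholder paths): sh check_ldap_cert.sh /etc/ldap/ca.pem /etc/ldap/server.pem "$(hostname -f)"
if [ $# -eq 3 ]; then
    check_ldap_cert "$@"
fi
```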