
Re: TLS



Beck Zoltan Gyula wrote:

- I'm using Debian Sarge Linux

[...]

TLS certificate verification: depth: 0, err: -49, subject: -unknown-,
issuer: -unknown-
TLS certificate verification: Error, Unknown error
connection_read(12): unable to get TLS client DN error=49 id=0
ldap_bind: Can't contact LDAP server (81)
        additional info: TLS: hostname does not match CN in peer

why the hostname doesn't match?!

1: You are supposed to have or to make a CA certificate, which you should use to sign the certificate request you have made.


2: Linux specific: The hostname that you enter for the certificate request should match the output of the command: 'hostname -f'.

3: You should enter the relevant details of server public key, server private key and CA certificate into the slapd.conf configuration file (man 5 slapd.conf) and the certs must be readable by the server uid.

4: The CA certificate and path should be entered into the client ldap.conf file (usually located either in /etc/ldap or in /usr/local/etc/openldap). man ldap.conf. The CA cert and path to it should be readable by all clients.

All certs must be in .pem format; hashes (like Apache/mod_ssl uses) are not used.

To verify that you have entered the correct subject info. into the server public key cert., you can do:

'openssl x509 -in /path/to/cert -text -noout'

--Tonni

--
Tony Earnshaw

Do not CC me or your mail will probably be rejected.
I don't like this, either. Blame it on Swen and a slow
Internet connection.

http://www.billy.demon.nl
Mail: billy-at-billy.demon.nl
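To check point 2 before restarting slapd, the following added example (not code from the poster or from OpenLDAP) parses the output of the 'openssl x509 -text -noout' command above and compares the certificate names against a hostname, trying subjectAltName DNS entries first and falling back to the Subject CN, with single-label wildcard matching. The certificate text embedded here is constructed for illustration, and in practice you would feed it the real command output and the result of 'hostname -f'.

```python
import re
from typing import List

# Constructed sample of `openssl x509 -in server.pem -text -noout` output
# for a hypothetical server certificate (not a real certificate).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=NL, O=Example CA, CN=Example Root CA
        Subject: C=NL, O=Example Org, CN=ldap.example.org
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ldap.example.org, DNS:*.ldap.example.org, IP Address:192.0.2.10
"""


def subject_cn(text: str) -> str:
    """Return the CN from the Subject: line (not the Issuer: line) of x509 text output."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    return m.group(1).strip() if m else ""


def san_dns_names(text: str) -> List[str]:
    """Return the DNS: entries of the subjectAltName extension, ignoring IP/email entries."""
    m = re.search(r"Subject Alternative Name:[ \t]*\n[ \t]*(.+)", text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e.split(":", 1)[1].strip() for e in entries if e.startswith("DNS:")]


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison; a leading '*.' matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, sep, rest = hostname.partition(".")
        return sep == "." and head != "" and rest == pattern[2:]
    return pattern == hostname


def hostname_matches_cert(text: str, hostname: str) -> bool:
    """Peer-name check as a TLS client does it: SAN DNS names first, else the Subject CN."""
    names = san_dns_names(text) or [subject_cn(text)]
    return any(name_matches(n, hostname) for n in names if n)
```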