Re: TLS
On Sun, Nov 02, 2003 at 12:50:50PM +0100, Beck Zoltan Gyula wrote:
> why the hostname doesn't match?!
You have several problems here. Taking a few lines from your message:
> - testserver:/etc/ldap# host 10.0.0.185
> Name: testserver.aitia
I would be worried by that name - it would never be valid on the
Internet. Is it properly registered in your internal DNS?
> ldapsearch -x -H ldaps://localhost/ -b 'dc=aitia,dc=intra'
The certificate you generated was for testserver.aitia so it is not
valid for 'localhost'. You must address the server by the name in the
certificate:
ldaps://testserver.aitia/
That is the reason for this error:
> connection_read(12): unable to get TLS client DN error=49 id=0
> ldap_bind: Can't contact LDAP server (81)
> additional info: TLS: hostname does not match CN in peer
> certificate
(In fact you do not need to use ldaps if TLS is enabled, as the LDAP
clients will upgrade a normal LDAP connection to an encrypted one if
they find TLS.)
> TLS certificate verification: depth: 0, err: -49, subject: -unknown-,
> issuer: -unknown-
That suggests that you have not installed the certificate in the right
places. The server needs a copy of the certificate *and* a copy of the
secret key that it was made from. You should have something like this
in slapd.conf:
TLSCertificateFile /usr/local/etc/openldap/keys/cert
TLSCertificateKeyFile /usr/local/etc/openldap/keys/key
TLSCACertificateFile /usr/local/etc/openldap/keys/cacert
Note that I have included *two* certificates here: one is for the
Certification Authority that signed the server certificate. If you did
not make a CA then your server certificate will be 'self signed' -
this means that the certificate was used to sign itself.
You also need to put the CA certificate and/or the server certificate
in the right place for the *client* programs to find them. This is
probably /etc/ssl but you need to work out the proper filename if you
are not using a CA. To do this, use the command:
openssl x509 -noout -subject_hash < certfile
The result will be something like '94132cf6'. This will be the base
part of the filename, so do this:
cp certfile /etc/ssl/94132cf6.0
If you made a CA key/cert pair and used it to sign the server
certificate then all you need to do is copy the CA cert to
/etc/ssl/ca.cert on the client machine and add these lines to
/etc/ldap.conf:
tls_checkpeer yes
tls_cacertfile /etc/ssl/ca.cert
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
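The procedure above, worked through end to end as an added example (this is not part of Andrew's message or of OpenLDAP itself): make a CA, sign a server certificate whose CN is testserver.aitia, install the CA certificate under its subject_hash name in a CApath directory, and then check both things that the quoted errors complain about, namely whether the certificate chains to an installed CA and whether the name the client used matches the CN. A temporary directory stands in for /etc/ssl and the file names cert, key and cacert.pem are assumptions; adjust them to match your slapd.conf.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a CA and a server
# certificate for testserver.aitia, installs the CA cert the way OpenSSL's
# CApath lookup expects (<subject_hash>.0), and provides two checks that
# mirror the two failure modes in the quoted slapd/ldapsearch output.
set -e

WORK=${WORK:-$(mktemp -d)}
CAPATH="$WORK/capath"          # stands in for /etc/ssl on the client
mkdir -p "$CAPATH"

# 1. CA key and self-signed CA certificate (CA name is an assumption)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=aitia test CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# 2. Server key plus CSR; the CN must be the name clients will connect to
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=testserver.aitia" \
    -keyout "$WORK/key" -out "$WORK/server.csr" 2>/dev/null

# 3. Sign the CSR with the CA; "$WORK/cert" and "$WORK/key" are what
#    TLSCertificateFile / TLSCertificateKeyFile would point at in slapd.conf
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
    -out "$WORK/cert" 2>/dev/null

# 4. Install the CA cert as <subject_hash>.0 so CApath lookup finds it
hash=$(openssl x509 -noout -subject_hash -in "$WORK/cacert.pem")
cp "$WORK/cacert.pem" "$CAPATH/$hash.0"

# CN of a certificate file (first CN RDN of the subject)
cert_cn() {
    openssl x509 -noout -subject -in "$1" -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Chain check: does the server cert verify against the hashed CApath dir?
# (This is what fails when the CA cert is missing or misnamed.)
verify_chain() {
    openssl verify -CApath "$CAPATH" "$1" 2>&1 | grep -q ': OK$'
}

# Name check: does the host the client used match the certificate CN?
# (This is what fails when you connect to localhost instead of
# testserver.aitia; a mismatch is the "hostname does not match CN" error.)
hostname_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Stand-alone run: report both checks for the name in the certificate and
# for localhost, which should fail.
if [ -z "$NO_DEMO" ]; then
    verify_chain "$WORK/cert" && echo "chain: OK ($CAPATH/$hash.0)"
    hostname_matches "$WORK/cert" testserver.aitia && echo "testserver.aitia: matches CN"
    hostname_matches "$WORK/cert" localhost || echo "localhost: does not match CN"
fi
```

On the client, copying cacert.pem to /etc/ssl/ca.cert and setting tls_cacertfile in /etc/ldap.conf, as the message says, avoids the hashed-filename step entirely; the hashed name only matters when the library is searching a directory rather than being given a file. Note that `-subject_hash` on a modern OpenSSL produces the new-style hash, so the value must be computed with the same OpenSSL version the client library links against.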
- Follow-Ups:
- Re: TLS
- From: Beck Zoltan Gyula <beckzg@midnight.hu>
- References:
- TLS
- From: Beck Zoltan Gyula <beckzg@midnight.hu>