
Re: Client - Server Authentication Using Certificates



On Monday, May 10, 2004, at 09:43 AM, Laurence wrote:
Please note that I have substituted my actual hostname for host.invalid.

The first problem is with my certificate. Due to the computing policy we have here, the CN in the subject of the certificate is CN=host/host.invalid and hence when I try to do the ldapsearch I obtain the following error message.

TLS: hostname (host.invalid) does not match common name in certificate (host/host.invalid).

The first question would be, is it possible to "tune" this with the ldap configuration or does it make an assumption that the name on the certificate has to be the same as the hostname?

Some clients, including OpenLDAP, will look first at the `Subject Alternative
Name' field in the certificate. If your site generates its own certificates
and doesn't have any policy on that field, it could be an option.


	Donn Cave, donn@u.washington.edu
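
Added example (not part of the original message, and not OpenLDAP's code): a hostname check that looks at subjectAltName before the CN, run against the two certificate shapes discussed above. It assumes the RFC 2818 rule that the CN is consulted only when the certificate carries no dNSName entries, and it goes slightly beyond the thread by handling a left-most wildcard label. The function names and sample certificates are constructed for illustration.

```python
# Certificates use the dict form returned by ssl.SSLSocket.getpeercert().

def _match(pattern, hostname):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p.startswith("*."):
        # The wildcard covers exactly one label.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check_hostname(cert, hostname):
    """Return (ok, field), where field names the certificate field that decided."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # dNSName entries exist, so the subject CN is not consulted (assumed RFC 2818 rule).
        return any(_match(n, hostname) for n in dns_names), "subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_match(cn, hostname) for cn in cns), "commonName"

# Constructed sample: the site-policy certificate from the question (CN only).
POLICY_CERT = {"subject": ((("commonName", "host/host.invalid"),),)}

# Constructed sample: same subject, plus a dNSName entry carrying the real hostname.
SAN_CERT = {
    "subject": ((("commonName", "host/host.invalid"),),),
    "subjectAltName": (("DNS", "host.invalid"),),
}

if __name__ == "__main__":
    for label, cert in (("CN only", POLICY_CERT), ("CN + SAN", SAN_CERT)):
        ok, field = check_hostname(cert, "host.invalid")
        print(f"{label}: match={ok} (decided by {field})")
```

With the CN-only certificate the check fails just as the ldapsearch error reports; with the dNSName entry added, the policy-mandated CN no longer takes part in the comparison.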