On Monday 24 October 2005 17:53, John Manning wrote:
> I need to have some web applications use a TLS/SSL connection to an LDAP
> server for authentication. I have previously done this successfully (to the
> same server) for a Java web application and now need to do it for a PHP
> application (which uses the installed OpenLDAP client to contact the remote
> LDAP server). I'm contacting the remote LDAP server by IP number and I'm
> getting:
>
> TLS: hostname does not match CN in peer certificate
>
> This seems consistent with section 3.6 of the TLS extension to LDAP
> (http://www.rfc-editor.org/rfc/rfc2830.txt):
> "The client MUST use the server hostname it used to open the LDAP
> connection as the value to compare against the server name as expressed in
> the server's certificate. The client MUST NOT use the server's canonical
> DNS name or any other derived form of name."

Note that this is the subject on the server certificate.

> The remote LDAP server is a Novell server, which is its own CA, and the
> certificate I was given has the following:
> $ openssl x509 -in TrustedRootCert.pem -noout -subject
> subject= /O=dev/OU=Organizational CA

This is the subject of the CA cert, *not* the server certificate.

> I'm assuming that I'm supposed to use a form of contacting the server that
> matches this subject information,

No, the subject on the server's cert. You should be able to get it (the value
following CN= in the subject line) with OpenSSL's s_client command:

$ openssl s_client -connect ldaphost:636

> but I can't see how I can do so. (There
> isn't even a CN part.) I tried putting the identifier 'dev' in /etc/hosts
> and using this instead of the IP number, but that didn't work. It's not
> possible in the short term to get an alternative certificate due to
> staffing issues. Is there any way to get the OpenLDAP client to work with
> this certificate?
> The same certificate (or at least one generated from the
> same DER original, with the same subject) was used in a Java web
> application to securely authenticate against the same LDAP server. It's
> possible that the answer to this is just that OpenLDAP is more fussy about
> matching the supplied host to the subject of the certificate, but I'm
> hoping there's some way around it.

You could disable certificate checking in the OpenLDAP ldap.conf (which
should apply to php-ldap too).

Regards,
Buchan

--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
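The following script is an added example, not code from the thread or from OpenLDAP. It shows the check the reply describes: read the CN out of the subject line that openssl prints (the CA subject from the thread has no CN, so it can never match), then compare it against the name used to open the connection the way RFC 2830 section 3.6 requires (exact, case-insensitive, with '*' permitted only in the left-most component). The subject lines, the host name ldap.dev.example and the address 192.0.2.10 are constructed for the demonstration; `server_cert_subject` wraps the real s_client command from the reply and needs network access, so the self-contained checks below do not call it.

```shell
#!/bin/sh
# Added example (not from the original thread): would the name you hand to
# the OpenLDAP client pass the RFC 2830 section 3.6 hostname check against
# the CN in the server certificate's subject?

# Pull the CN out of an "openssl x509 -noout -subject" line.  Handles the
# old slash-separated form shown in the thread (subject= /O=dev/OU=...) and
# the comma-separated form newer OpenSSL prints (subject=CN = host, O = dev).
# Prints nothing when the subject carries no CN at all.
cert_cn() {
    printf '%s\n' "$1" \
      | sed -n 's/^subject= *//p' \
      | tr '/,' '\n\n' \
      | sed -n 's/^ *CN *= *//p' \
      | head -n 1
}

# Return 0 if NAME (what you connected to) matches CN as RFC 2830 3.6 wants:
# an exact, case-insensitive match, or a '*' wildcard that applies only to
# the left-most component of the CN.  An empty CN never matches.
name_matches_cn() {
    _n=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    _c=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$_c" ] || return 1
    [ "$_n" = "$_c" ] && return 0
    case "$_c" in
        \*.*)
            # Drop the left-most label from both sides; the name must
            # actually have had a label to drop, so "dev.example" does
            # not match "*.dev.example".
            _rest_c=${_c#\*.}
            _rest_n=${_n#*.}
            [ "$_n" != "$_rest_n" ] && [ "$_rest_n" = "$_rest_c" ] && return 0
            ;;
    esac
    return 1
}

# The command from the reply, for a live server: take the leaf certificate
# from the handshake and print its subject line.  Needs network access, so
# the offline checks below do not use it.
server_cert_subject() {
    openssl s_client -connect "$1:${2:-636}" </dev/null 2>/dev/null \
      | openssl x509 -noout -subject
}

# Report whether connecting as NAME would pass, given the server's subject
# line.  Returns 1 on the same condition that produces the thread's
# "TLS: hostname does not match CN in peer certificate" error.
check_connect_name() {
    _cn=$(cert_cn "$2")
    if name_matches_cn "$1" "$_cn"; then
        echo "ok: '$1' matches CN '$_cn'"
        return 0
    fi
    echo "TLS: hostname does not match CN in peer certificate ('$1' vs CN '${_cn:-<none>}')"
    return 1
}

# Constructed subject lines (not captured from a real server):
CA_SUBJECT='subject= /O=dev/OU=Organizational CA'     # the CA cert from the thread: no CN
SERVER_SUBJECT='subject= /CN=ldap.dev.example/O=dev'  # a hypothetical server certificate

check_connect_name 192.0.2.10       "$SERVER_SUBJECT" || :  # connected by IP: fails
check_connect_name ldap.dev.example "$SERVER_SUBJECT" || :  # connected by the CN: passes
check_connect_name dev              "$CA_SUBJECT"     || :  # CA subject has no CN: fails
```

The practical consequence is the one the reply points at: find the CN on the server certificate (not the CA certificate), then connect using exactly that name, adding an /etc/hosts entry for it if DNS does not resolve it. The ldap.conf directive that turns off the peer certificate check is TLS_REQCERT (set to never); that removes the hostname check but also every other verification of the server certificate, so an attacker who can redirect the connection can impersonate the directory and collect the PHP application's bind credentials. Treat it as a stopgap until a certificate whose CN matches the connection name is available.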