Re: TLS fails
On Wednesday 15 February 2006 15:40, Jon Roberts wrote:
> Quanah Gibson-Mount wrote:
> > On Wednesday 15 February 2006 14:23, Ran Li wrote:
> >>>> The funny thing is, TLS works fine from a remote host, but not on the
> >>>> server itself. I tried changing localhost to the actual DNS name of the
> >>>> server, but still I get the same error.
> >>
> >> Is the LDAP server an LDAP client? My understanding is it has to be an
> >> LDAP client in order to make ldapsearch over TLS work.
> >
> > You have to use the name in your search that matches the name in the
> > certificate for TLS to work.
>
> In JLDAP clients I can connect to a remote ldaps server by using the ip
> address as hostname, even though I obviously did not use the ip as the
> name in the certificate. Is that advice specific to ldapsearch,
> StartTLS, or something else I might be confused about?
I'm guessing that JLDAP translates the IP address to the FQDN.
ldapsearch -ZZZ -h 171.67.16.11 uid=quanah uid
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
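The failure Quanah shows above comes from the client comparing the name it was asked to connect to (here the IP literal 171.67.16.11) against the identities in the server certificate. The following is an added example, not code from OpenLDAP, JLDAP or anyone in this thread: a small, stdlib-only implementation of that identity check in the modern RFC 6125 style (subjectAltName dNSName entries first, CN only as a fallback, a single wildcard only in the left-most label, and IP literals matched solely against iPAddress entries). The certificate identities, the host names `ldap.example.edu` and `*.example.edu`, and the reuse of the thread's IP address are constructed sample data, not taken from a real certificate.

```python
"""Certificate identity matching of the kind a TLS client such as ldapsearch performs.

Added example for the thread above; not OpenLDAP or JLDAP code. The CertIdentities
values built at the bottom are constructed sample data (assumption), and the
matching rules follow RFC 6125 rather than any particular library's behaviour.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentities:
    """The names a server certificate presents (constructed here, not parsed from a real cert)."""
    common_name: Optional[str]
    dns_names: List[str] = field(default_factory=list)     # subjectAltName dNSName entries
    ip_addresses: List[str] = field(default_factory=list)  # subjectAltName iPAddress entries


def _dns_name_match(pattern: str, name: str) -> bool:
    """Match a DNS name against one certificate name.

    A wildcard is honoured only as the entire left-most label: '*.example.edu'
    covers 'ldap.example.edu' but neither 'example.edu' nor 'a.b.example.edu'.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def identity_matches(cert: CertIdentities, requested: str) -> bool:
    """Return True if the name the client connected to is covered by the certificate.

    An IP literal is compared only against iPAddress SAN entries; it never matches
    a dNSName or the CN, which is why connecting with '-h <ip address>' fails
    verification against a certificate issued to a host name.
    """
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)
    # DNS name requested: SAN entries take precedence; fall back to the CN only
    # when the certificate carries no dNSName at all.
    if cert.dns_names:
        return any(_dns_name_match(d, requested) for d in cert.dns_names)
    return cert.common_name is not None and _dns_name_match(cert.common_name, requested)


# Constructed sample certificate (assumption): issued to a host name only, no IP SAN.
SAMPLE_CERT = CertIdentities(common_name="ldap.example.edu", dns_names=["ldap.example.edu"])


def verdict(cert: CertIdentities, requested: str) -> str:
    """One-line summary of the check, in the spirit of the ldapsearch diagnostic."""
    if identity_matches(cert, requested):
        return f"{requested}: certificate identity matches"
    return f"{requested}: certificate verify failed (name not in certificate)"


if __name__ == "__main__":
    # The IP literal from the thread fails; the FQDN the certificate was issued to succeeds.
    for target in ("171.67.16.11", "ldap.example.edu", "LDAP.EXAMPLE.EDU."):
        print(verdict(SAMPLE_CERT, target))
```

The check is deliberately strict about IP literals: a client that silently resolved the IP back to a host name before comparing (Quanah's guess about JLDAP) would accept any certificate whose name happened to match whatever the reverse lookup returned, which is controlled by the DNS operator rather than the certificate issuer. Using the FQDN on the command line, as advised in the thread, keeps the comparison anchored to the certificate.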