On Wednesday, 6 June 2007, West, Jon (NIH/NIMH) [C] wrote:
> my server is 'myserver.com' but I'm hosting the ldap domain
> 'NOTmyserver.com' (test.com in this case). I have to use myserver.com when
> creating the cert, not the ldap domain, correct?

Certificates have nothing to do with a base DN (or a realm), and LDAP servers
don't host domains (unless you're actually using bind sdb_ldap, or something
similar), but suffixes/base DNs.

For certificate validation:
- The date/time on the client must be within the validity period of the
  certificate
- The certificate must be issued by a CA trusted by the client
- The certificate must be issued with a subject CN (or subjectAlternativeName)
  value that matches the *name* (IP address is possible if the
  subjectAlternativeName lists the IP and the client software supports this)
  the *client application* connects to.

DNS does not matter. All that matters is that when you use -h
server.mydomain.com, the subject CN (or subjectAl) on the cert offered by the
server that responds must be server.mydomain.com. You can't use -h server with
a subject CN of my.server.com (even if -h server resolves to -h
server.mydomain.com), as the name the software is using does not match the
cert.

So, explain what "serveraddress" is whenever you post a command you are
using ...

BTW: You may also want to consider upgrading:
2.2.13 to: http://anorien.warwick.ac.uk/mirrors/buchan/openldap/rhel4/
2.0.27 to: http://anorien.warwick.ac.uk/mirrors/buchan/openldap/rhel3/
(more up-to-date packages are built, I just can't upload them at present)

> <wjon@mail.nih.gov> wrote:
> > yes, I actually have it looking at the cert but I still get a
> > connection error when using TLS. I think I understand it:
> > ldap_start_tls: Connect error (-11)
> > additional info: TLS: hostname does not match CN in peer certificate
> > I think this is because I used 'test.com' as the server name when
> > generating the cert rather than the actual server? test.com is just
> > the test domain I am using
>
> Hi,
>
> Please keep replies to the list.
>
> This error means that the host name in the certificate does not match the
> hostname for the server. They must match to establish a TLS connection.

--
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
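The name and validity-period checks described above, as an added example that is not part of the thread: a small Python matcher over a certificate in the shape `ssl.getpeercert()` returns, fed a constructed cert issued to `test.com` (the mistake in the thread) and asked whether it matches the name the client used with `-h`. The CA-trust check is assumed to be done elsewhere; the sample cert, dates and `validate()` function are my own.

```python
import ssl, ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# the cert names the LDAP suffix's domain, not the server's host name.
SAMPLE_CERT = {
    "subject": ((("commonName", "test.com"),),),
    "subjectAltName": (("DNS", "test.com"),),
    "notBefore": "Jan  1 00:00:00 2007 GMT",
    "notAfter": "Dec 31 23:59:59 2008 GMT",
}

def cert_names(cert):
    """Names a client may match: SAN DNS/IP entries, else the subject CN."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:  # CN is only a fallback when there is no SAN
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    dns.append(value.lower())
    return dns, ips

def hostname_matches(cert, connect_name):
    """True if the name the client actually used (the -h value) is in the cert.
    DNS resolution plays no part: 'server' never matches 'server.mydomain.com'."""
    dns, ips = cert_names(cert)
    try:
        ipaddress.ip_address(connect_name)
        return connect_name in ips  # an IP only matches a SAN IP entry
    except ValueError:
        pass
    name = connect_name.lower().rstrip(".")
    for pattern in dns:
        if pattern == name or (pattern.startswith("*.")
                               and name.count(".") == pattern.count(".")
                               and name.endswith(pattern[1:])):
            return True
    return False

def validate(cert, connect_name, now):
    """Return the error text a client would report, or None when the
    date and name checks pass. 'now' is the client clock, epoch seconds."""
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        return "certificate is not valid at this time"
    if not hostname_matches(cert, connect_name):
        return "TLS: hostname does not match CN in peer certificate"
    return None
```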