Re: syncrepl, client certificate containing subjectAltName and non UTF-8 chars
Emmanuel Dreyfus wrote:
Hello
I'm trying to get multiple syncrepl-powered replicas available under the
same DNS name. I use OpenLDAP-2.3.32
Each replica has a certificate with
subjectAltName=DNS:ldap.example.net,DNS:host.example.net
Clients can happily connect to it, that part works.
And when restarting it, I get this error:
do_syncrep1: rid 217 ldap_sasl_interactive_bind_s failed (7)
I tried to use my certificate with ldapsearch. With an appropriate .ldaprc,
I can try this (the server here is the provider):
# ldapsearch -b "" -s base +
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available:
Using a certificate that does not have subjectAltName, it works fine, so
the provider is not rejecting me.
Here are my certificates' Subjects, the one without subjectAltName that works,
and the other one that breaks (obtained by openssl x509 -text, a bit
modified, but you get the point: yes, there are ISO-8859-1 chars in O)
WORKS:
C=FR, ST=France, O=Exemple d'organisation accentuée, OU=foobarbuz,
CN=host.example.net/emailAddress=root@example.net
BREAKS:
C=FR, ST=France, O=Exemple d'organisation accentuée,
OU=foobarbuz/subjectAltName=DNS:ldap.example.net,DNS:host.example.net
CN=ldap.example.net/emailAddress=root@example.net
Playing with gdb shows that the server rejects the certificate in
libraries/libldap_r/utf-8.c:ldap_ucs_to_utf8s(), returning LDAP_INVALID_SYNTAX
From what you've posted above, I'm pretty sure you're not using
"subjectAltName" correctly. It is not a component of the certificate's subject,
it is an X.509 certificate extension. Read the OpenSSL documentation and fix
your certificates.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
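The following is an added example, not code from either poster: it issues a self-signed certificate with the thread's two hostnames placed in the subjectAltName X.509 extension (via an openssl config extension section) instead of as a component of the Subject DN, and then checks the result with openssl x509. The accented O value is encoded as UTF8String through the config's utf8/string_mask settings. The config section names (v3_san, dn), file names and the temporary directory are this example's own; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): put DNS names in the subjectAltName
# extension, keep the Subject DN free of it, and verify both with openssl.
# Hostnames follow the thread; section/file names are this example's own.

write_san_config() {
    # Minimal openssl config: the SAN lives in an extension section that is
    # referenced from [ req ], never in the distinguished_name section.
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
# extension section used for -x509 (self-signed) output
x509_extensions    = v3_san
# same section is applied when producing a CSR instead of -x509
req_extensions     = v3_san
prompt             = no
# interpret DN values as UTF-8 and emit them as UTF8String, so the
# accented O below does not end up as a non-UTF-8 string type
utf8               = yes
string_mask        = utf8only

[ dn ]
C  = FR
ST = France
O  = Exemple d'organisation accentuée
OU = foobarbuz
CN = ldap.example.net
emailAddress = root@example.net

[ v3_san ]
subjectAltName = DNS:ldap.example.net,DNS:host.example.net
EOF
}

make_san_cert() {
    # Generate key + self-signed cert in directory $1 using the config above.
    dir=$1
    write_san_config "$dir/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/san.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

cert_san() {
    # Print the SAN extension value without spaces, e.g.
    # DNS:ldap.example.net,DNS:host.example.net
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

cert_subject() {
    # Print the Subject DN line as openssl renders it.
    openssl x509 -in "$1" -noout -subject
}

if [ "${1:-}" = "run" ]; then
    # Stand-alone usage: sh script.sh run
    d=$(mktemp -d)
    make_san_cert "$d"
    echo "subject: $(cert_subject "$d/cert.pem")"
    echo "SAN:     $(cert_san "$d/cert.pem")"
    rm -rf "$d"
fi
```

The check that matters for the thread is that `cert_subject` shows the DN (C, ST, O, OU, CN, emailAddress) and nothing named subjectAltName, while `cert_san` shows both DNS names; a certificate built this way presents the hostnames where TLS clients and OpenLDAP look for them.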