Re: why LDAP and LDAPS was opened contemporary

To: Indexer <indexer@internode.on.net>

Subject: Re: why LDAP and LDAPS was opened contemporary

From: owen nirvana <freeespeech@gmail.com>

Date: Fri, 2 Jul 2010 14:37:09 +0800

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=7fHgzkVKdToPRfXxYRnykUKg1HPvzHTMla73s9Nv1gg=; b=QM6edWADxP6UxvvEh0iFXwuGF9tKRv8duWufMZzNK00bIAwzR7q0Rq3sGJNX4AcOe0 UyRw+iK4qoFxJMiBvgaPyQFLjObRsgEGENWhTPuOuM03UOMOCf8pNZ/Yjc7eUuySCWEX 9k8XBZqmltLBCoU+oGoTd6Fg/uvl3EDPV+DEw=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=D8D+vT2v30smBYThmo1BoAjHVtVQOBThSN8XT99THCz3IgK0UC0aFNIx41Qu0nhNR5 VNLemiz5h9D95mF83e6XKxjTyXZm4rA1Ffqmd8BY0Zxg2BvktaFopRovn5S4w6Gcr4b1 g96iMWEEX0RATXve6iYGs+K2Cl9ZAN69eIINc=

In-reply-to: <A0BC090C-0228-4E2B-8242-DB3100C03DCD@internode.on.net>

References: <AANLkTikLWp9B_Kg12FxOw9_BN8-XSovM_LJHk-Xq6Ifl@mail.gmail.com> <233481E0-3F55-4189-AD9E-F95F55E687E8@internode.on.net> <AANLkTil6aGnGkLZVioLonKWl6nPxOP-cmzqWvEoBzbc2@mail.gmail.com> <AANLkTinwPkUub0_DuQAM-oQ27Bn3nYKu7ZKr35Us-oT5@mail.gmail.com> <A0BC090C-0228-4E2B-8242-DB3100C03DCD@internode.on.net>

gtalk:freeespeech@gmail.com

On Fri, Jul 2, 2010 at 1:24 PM, Indexer <indexer@internode.on.net> wrote:

The CN should be the fully qualified domain name, aka if my server is ldap.domain.com, the CN must match ldap.domain.com, and you must connect to the server using ldap://ldap.domain.com. It is the cause of most TLS issues.

On 02/07/2010, at 2:51 PM, owen nirvana wrote:

> create a new certificate and key , CN = Administrator, no more verify
> failed, but
>
> " ldap_start_tls : Can't Contact LDAP Server(-1)" is repoerted yet, no
> addition info
>

> gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech@gmail.com>

>
>
> On Fri, Jul 2, 2010 at 12:47 PM, owen nirvana <freeespeech@gmail.com> wrote:
>
>> thanks
>>
>> about " Your servers CN on the certificate must also match the hostname of
>> the server."
>>
>> is it means CN should be username of OS like Administrator, or ldap server
>> name like "ldap.server"

>> gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech@gmail.com>

>>
>>
>>
>> On Fri, Jul 2, 2010 at 11:24 AM, Indexer <indexer@internode.on.net> wrote:
>>
>>>
>>> On 02/07/2010, at 12:49 PM, owen nirvana wrote:
>>>
>>>> I set tls options to use ldaps.
>>>
>>> When using TLS you dont need LDAPS, you want to set your systems to
>>> ldap://ldap.server
>>>
>>>>
>>>> question 1:
>>>> port 389 is opened yet when I scan the LDAP Server by nmap, but I could
>>> not
>>>> connect it with Apache Directory Studio v1.5.3.
>>>>
>>>> question 2:
>>>> Nmap tell me "server still supports SSLv2", but I set TLSCipherSuite is
>>>> HIGH:MEDIUM:-SSLv2
>>>>
>>>> question 3:
>>>> I try to import some data with ldapmodify
>>>>
>>>> ldapmodify -a -H ldap://mydomain.org:636 -D
>>> "cn=admin,dc=mydomain,dc=org" -x
>>>> -w whatever -f init.ldif
>>>
>>> Try adding the -Z flag to turn on encryption. Your servers CN on the
>>> certificate must also match the hostname of the server.
>>>
>>>>
>>>> the following is error report:
>>>>
>>>> ldap_start_tls : Can't Contact LDAP Server(-1)
>>>> addition info: error: 14000092: SSL Routine: SSL3_GET_CERTFICATE:
>>>> certificate verify failed
>>>>
>>>> ldap_sasl_bind(Simple): Can't Contact LDAP Server(-1)
>>>>
>>>>
>>>> gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech@gmail.com> <

>>> gtalk%3Afreeespeech@gmail.com <gtalk%253Afreeespeech@gmail.com>>
>>>
>>>
>>