Re: How do tool verify certs with ldapi:// ?
Hi,
On Monday, 28. May 2012, Philip Guenther wrote:
> On Mon, 28 May 2012, Michael Ströder wrote:
> > Peter Marschall wrote:
> > > how do the openldap tools technically verify certificates with
> > > ldapi:// ?
> >
> > Which certs do you want to verify?
>
> I assume the answer is "the one the server returns when you do StartTLS on
> the ldapi:// connection".
Correct.
> If that's not a sufficient option, and verifying certs is required, then
> it appears the code will treat the socket path as the hostname to verify
> for. For OpenSSL, for example, that means it'll compare it against any
> DNS: subjectAltNames as well as against the last CN component of the cert
> subject.
That's not what the openldap tools do.
My server certificates do not contain the ldapi socket path as hostnames, yet
ldapsearch -LLL -x -H ldapi:/// -ZZ -s base -b ""
works and I want to find out how it does this.
Best
Peter
--
Peter Marschall
peter@adpm.de