On 06/14/13 15:56 -0400, Rodney Simioni wrote:
> I did a 'openssl x509 -in wildcard.securesites.com.cert -text -noout' and I got 'CN=*.securesites.com'. My /etc/openldap/cacerts looks like:
>
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_CACERT /etc/openldap/cacerts/wildcard.securesites.com.cert
> URI ldap://fl1-lsh99apa007.securesites.com/
> BASE dc=wh,dc=local
That looks like an ldap.conf file. Your certificate should be configured within your slapd config and not your client config, unless it is a self-signed certificate. See the manpage for slapd.conf or slapd-config, and the Admin Guide for the appropriate TLS config.
> But when I do a 'ldapsearch -d -1 -x -LLL -ZZ', I get:
>
> ldap_create
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP fl1-lsh99apa007.securesites.com:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.227.2.90:389
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_close_socket: 3
> ldap_err2string
> ldap_start_tls: Can't contact LDAP server (-1)
> -----Original Message-----
> From: Dan White [mailto:dwhite@olp.net]
> Sent: Friday, June 14, 2013 3:45 PM
> To: Rodney Simioni
> Cc: openldap-technical@openldap.org
> Subject: Re: LDAP and TLS
>
> On 06/14/13 14:42 -0400, Rodney Simioni wrote:
> > Hi,
> > In order for LDAP to work with TLS, do the certificate names need to match the server name? My admin gave me a certificate but it's called wildcard.com.cert; the name of my server is not 'wildcard'.
>
> Analyze the contents of the cert and verify the CN is really '*.example.com':
>
> openssl x509 -in wildcard.com.cert -text -noout
>
> If so, then your LDAP clients probably will accept it as a valid certificate (this typically works for web browsers), but your mileage may vary.
>
> We have worked with a wild card certificate provider before. In addition to offering a *.example.com cert, they may also offer a certain number of tertiary certificates (e.g. ldap.example.com) priced in with the wild card cert.
-- Dan White
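The "will the client accept a wildcard cert for this server name" question above can be answered before touching slapd. The following is an added example, not code from the thread or from OpenLDAP: it implements the hostname-matching rules TLS clients commonly apply (RFC 6125 / RFC 2818 style: a wildcard only in the left-most label, covering exactly one label, with DNS SANs taking precedence over the subject CN) and checks the thread's own names. It does not parse certificates; the CN and SAN strings are assumed to come from `openssl x509 -text` as shown in the thread.

```python
"""Check whether a certificate's names cover an LDAP server's hostname.

Constructed example: applies the wildcard rules TLS clients commonly use,
so an admin can see in advance whether a certificate such as
*.securesites.com will be accepted for a given server name.
"""
import re
from typing import Sequence


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or DNS SAN) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # A wildcard must sit in the left-most label and covers exactly one label:
    # *.example.com matches ldap.example.com, but neither example.com
    # nor a.b.example.com. Bare *.com style names are refused as well.
    if len(cert_labels) != len(host_labels) or len(cert_labels) < 3:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    if cert_labels[1:] != host_labels[1:]:
        return False
    # Partial wildcards such as f*.example.com are allowed in the first label.
    pattern = "^" + re.escape(cert_labels[0]).replace(r"\*", "[^.]+") + "$"
    return re.match(pattern, host_labels[0]) is not None


def cert_covers_host(subject_cn: str, dns_sans: Sequence[str], hostname: str) -> bool:
    """Mirror typical client behaviour: consult DNS SANs when the certificate
    has any, and fall back to the subject CN only when it has none."""
    names = list(dns_sans) if dns_sans else [subject_cn]
    return any(name_matches(name, hostname) for name in names)


if __name__ == "__main__":
    # The thread's wildcard cert against the thread's LDAP server name.
    print(cert_covers_host("*.securesites.com", [], "fl1-lsh99apa007.securesites.com"))
```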