
Re: LDAP and TLS



On 06/14/13 15:56 -0400, Rodney Simioni wrote:
I did a 'openssl x509 -in wildcard.securesites.com.cert -text -noout'

I got 'CN=*.securesites.com'

My /etc/openldap/cacerts looks like:

TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/wildcard.securesites.com.cert
URI ldap://fl1-lsh99apa007.securesites.com/
BASE dc=wh,dc=local

That looks like an ldap.conf file. Your certificate should be configured
within your slapd config and not your client config, unless it is a
self-signed certificate.

See the manpage for slapd.conf or slapd-config, and the Admin Guide for
the appropriate TLS config.

But when I do a 'ldapsearch -d -1 -x -LLL -ZZ', I get:

ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fl1-lsh99apa007.securesites.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.227.2.90:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)

-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Friday, June 14, 2013 3:45 PM
To: Rodney Simioni
Cc: openldap-technical@openldap.org
Subject: Re: LDAP and TLS

On 06/14/13 14:42 -0400, Rodney Simioni wrote:
Hi,

In order for LDAP to work with TLS, does the certificate name need
to match the server name?

My admin gave me a certificate but it's called wildcard.com.cert, the
name of my server is not 'wildcard'.

Analyze the contents of the cert and verify the CN is really '*.example.com':

openssl x509 -in wildcard.com.cert -text -noout

If so, then your LDAP clients probably will accept it as a valid
certificate (this typically works for web browsers), but your mileage may
vary.

We have worked with a wild card certificate provider before. In addition
to offering a *.example.com cert, they may also offer a certain number of
tertiary certificates (e.g. ldap.example.com) priced in with the wild card
cert.

--
Dan White
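The following is an added example, not part of the thread and not OpenLDAP's own code. It scripts the check Dan describes: pull the CN and any subjectAltName dNSName entries out of the certificate with openssl, then test whether one of them covers the server's hostname the way a TLS client doing hostname verification would (a single leading "*." wildcard matching exactly one label, as in RFC 6125). The matching logic is pure POSIX sh; the cert_names and probe_starttls helpers assume an openssl binary is on the PATH, and probe_starttls additionally assumes OpenSSL 1.1.1 or later for "-starttls ldap". The hostname and wildcard name are the ones from the thread; no cert file is needed for the demonstration at the bottom. Note that libldap performs its own hostname check; this script only tells you what to expect, it is not that check.

```shell
#!/bin/sh
# Added example (not from the openldap-technical thread): does the certificate
# cover the LDAP server's hostname?

# Lower-case an ASCII string; DNS names compare case-insensitively.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Number of dot-separated labels in a name.
nlabels() { printf '%s\n' "$1" | awk -F. '{print NF}'; }

# cert_name_matches PATTERN HOST
# Returns 0 if PATTERN (a CN or SAN dNSName) covers HOST.
cert_name_matches() {
    pat=$(lc "$1"); host=$(lc "$2")
    case "$pat" in
        *\**)
            # Only a single leading "*." wildcard is accepted (RFC 6125 6.4.3);
            # "foo*.example.com" or "*example.com" are refused.
            case "$pat" in
                \*.*) ;;
                *) return 1 ;;
            esac
            suffix=${pat#\*.}
            case "$suffix" in *\**) return 1 ;; esac
            # Refuse overly broad wildcards such as "*.com".
            [ "$(nlabels "$suffix")" -ge 2 ] || return 1
            # The wildcard stands for exactly one non-empty label, so
            # "securesites.com" and "a.b.securesites.com" do not match.
            first=${host%%.*}
            rest=${host#*.}
            [ -n "$first" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$pat" = "$host" ]
            ;;
    esac
}

# cert_names FILE
# Prints the subject CN followed by every SAN dNSName, one per line.
# Assumes openssl is available; works with the -text output of 1.0.x and 1.1.x.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# cert_covers_host FILE HOST
# Returns 0 and prints the matching name if any name in FILE covers HOST.
cert_covers_host() {
    for name in $(cert_names "$1"); do
        if cert_name_matches "$name" "$2"; then
            echo "match: $name covers $2"
            return 0
        fi
    done
    echo "no name in $1 covers $2" >&2
    return 1
}

# probe_starttls HOST CAFILE
# Do what "ldapsearch -ZZ" does: connect to port 389, issue StartTLS, and
# verify the server certificate against CAFILE and HOST. Assumes OpenSSL 1.1.1+.
probe_starttls() {
    openssl s_client -connect "$1:389" -starttls ldap \
        -CAfile "$2" -verify_hostname "$1" </dev/null
}

# Demonstration with the names from the thread (no certificate file needed).
for h in fl1-lsh99apa007.securesites.com securesites.com a.b.securesites.com; do
    if cert_name_matches '*.securesites.com' "$h"; then
        echo "*.securesites.com covers $h"
    else
        echo "*.securesites.com does NOT cover $h"
    fi
done

# Real use: ./check.sh wildcard.securesites.com.cert fl1-lsh99apa007.securesites.com
if [ "$#" -eq 2 ]; then
    cert_covers_host "$1" "$2"
fi
```

If the names do match and ldapsearch still fails before any TLS traffic (as in the debug output above, where the socket is closed right after the TCP connect attempt), the problem is reachability or the slapd listener rather than the certificate, and probe_starttls will show the same thing. Where the certificate belongs follows from the thread: on the server in slapd.conf (TLSCertificateFile, TLSCertificateKeyFile, TLSCACertificateFile) or the olcTLS* attributes in cn=config; a client's ldap.conf only needs TLS_CACERT or TLS_CACERTDIR pointing at the issuing CA, which is why the server certificate itself is only put there when it is self-signed.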