
Re: Other system use port 636 connect LDAP Server Error



On Thu, Sep 26, 2013 at 08:33:56AM -0700, Quanah Gibson-Mount wrote:
> --On Thursday, September 26, 2013 4:35 PM +0800 Tian Zhiying 
> <tianzy1225@thundersoft.com> wrote:
> 
> ># ldapsearch -x -b 'ou=people,dc=mydomain,dc=com' -D "cn=interface,dc=mydomain,dc=com" -H ldaps://192.168.1.10 -W
> >ldap_bind: Can't contact LDAP server (-1)
> >        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> >LDAP Server is CentOS 5.8 64-bit OS, iptables service is in a closed state. What
> >is the cause?
> 
> The problem is a lack of understanding how SSL/TLS works.  You requested a 
> secure connection, you must use the hostname, not the IP address.

You can use an IP address, if that IP address is in the SAN (Subject
Alternate Name) list of the certificate.

  http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

'Verify' usually refers to the signer of the certificate not being trusted.
'Validation' usually refers to the date range of the certificate being
correct.

  http://www.openssl.org/docs/apps/verify.html

Mind you, this is me leveraging OpenSSL's vocabulary.  There are
other SSL providers that may be in play.

> 
> --Quanah
> 
> --
> 
> Quanah Gibson-Mount
> Lead Engineer
> Zimbra Software, LLC
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration
> 

-- 
Brian Reichert				<reichert@numachi.com>
BSD admin/developer at large
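The SAN point made in this reply, as an added example that is not part of the thread: a small matcher that applies the same rules a TLS client uses when it compares the host given to `-H` against a certificate's Subject Alternative Name entries (an IP literal matches only an `IP:` entry; a hostname matches a `DNS:` entry, with a wildcard allowed only as the whole left-most label; a SAN-less cert's CN is not modelled here). The SAN lists and the hostname `ldap.mydomain.com` are constructed for the demo; the IP 192.168.1.10 is the one from the original post.

```python
import ipaddress
from typing import Iterable, Tuple

# SAN entries as (type, value) pairs, the way `openssl x509 -text` prints them.
SanEntry = Tuple[str, str]


def _dns_match(pattern: str, name: str) -> bool:
    """dNSName comparison: case-insensitive, wildcard only as the entire left-most label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    # '*' must be the whole first label, must not cover a bare TLD, and replaces one label
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def target_matches_san(target: str, san: Iterable[SanEntry]) -> bool:
    """True if the connect target (hostname or IP literal) is covered by the SAN list."""
    try:
        ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    for kind, value in san:
        if ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == ip:  # address compare, not string compare
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False  # an IP literal never matches a DNS: entry, and vice versa


def ldap_uri_host(uri: str) -> str:
    """Extract the host part of ldap://host[:port]/... (IPv6 literals in brackets)."""
    hostport = uri.split("://", 1)[1].split("/", 1)[0]
    if hostport.startswith("["):
        return hostport[1 : hostport.index("]")]
    return hostport.split(":", 1)[0]


if __name__ == "__main__":
    # Constructed SAN lists: the second is what the poster's cert would need for -H ldaps://192.168.1.10
    name_only = [("DNS", "ldap.mydomain.com")]
    with_ip = [("DNS", "ldap.mydomain.com"), ("IP", "192.168.1.10")]
    host = ldap_uri_host("ldaps://192.168.1.10")
    print(host, "matches name-only cert:", target_matches_san(host, name_only))  # False
    print(host, "matches cert with IP SAN:", target_matches_san(host, with_ip))  # True
```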