Hi,

On Fri, 18 Oct 2013, lejeczek wrote:
<snipp/>
> hi Christian
>
> my case is, well should be, a lot simpler: one box with
> slapd.local.domain and slap.public.external, and this one host I would
> like to be able to search through on/via both hostnames/IPs with TLS.
> So I issue myself and sign a certificate, CA issuer is CA.local.domain,
> Subject: .......... CN=slapd.local.domain/email.........
> and X509v3 Subject Alternative Name:
>     DNS:slap.public.external, IP Address:ex.te.rn.al
>
> ldapsearch -h slap.public.external -D cn=manager,dc=local,dc=domain ....
>
> result:
> TLS: hostname (slap.public.external) does not match common name in certificate (slapd.local.domain).
> TLS: can't connect: TLS error -8157:Certificate extension not found..
> ldap_start_tls: Connect error (-11)
>         additional info: TLS error -8157:Certificate extension not found.
>
> whereas:
> ldapsearch -h slap.local.domain -D cn=manager,dc=local,dc=domain
> works fine.
>
> Could it be the tools from openldap-clients, a bug? Apache's ldap toolkit
> for Eclipse seems to work and connects to slap.public.external.
This should work. It does in two separate setups that I maintain.

Which version is your openldap client? Have you configured the CA certificate for trust?

I have the following in my /usr/local/etc/openldap/ldap.conf to configure the CA certificate:

[ck@ldaptest1]$ cat ~ldap/ldap.conf
BASE        dc=example,dc=org
URI         ldap://ldaptest1.cksoft.de
TLS_CACERT  /usr/local/etc/openldap/certs/cksoftware-gmbh-ca-2011-2031.cert
TLS_REQCERT demand
> btw, being a novice with openssl, is there a way to print the extensions,
> thus the SAN, of a certificate? I can print and see it on the request.
Use the following to dump the certificate:

openssl x509 -in CERT.pem -noout -text

You should see the subjectAltNames. If not, your certificate is broken.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   ck@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/      Geschaeftsfuehrer: Christian Kratzer
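The two questions in this thread, whether a name in the SAN is enough for the client to accept the certificate and how to see what the SAN actually contains, come down to the hostname-matching rule a TLS client applies. The following is an added example, not code from the thread or from OpenLDAP: it implements the RFC 6125 check (Python's own ssl.match_hostname() used to work the same way) over a getpeercert()-style dictionary that is constructed here to mirror the certificate lejeczek describes. The IP address 203.0.113.10 is made up (documentation range) because the post elides it. Note the consequence the check makes visible: once a subjectAltName extension exists, the subject CN is no longer consulted, so a certificate that is meant to be valid for both slapd.local.domain and slap.public.external needs both names as dNSName entries in the SAN, not one in the CN and one in the SAN.

```python
"""Hostname matching against a leaf certificate, the way a TLS client does it.

Added example for the thread above (not OpenLDAP code).  Rule per RFC 6125
section 6.4.4: if the certificate has a subjectAltName extension, the requested
name is compared against the SAN entries only (dNSName for host names,
iPAddress for literal IPs); the subject CN is used only when no SAN exists.
"""
import ipaddress

# Constructed stand-in for what ssl.SSLSocket.getpeercert() would return for
# the certificate described in the thread: CN=slapd.local.domain and a SAN
# with the public DNS name plus an IP (the IP is invented, 203.0.113.0/24).
THREAD_CERT = {
    "subject": ((("commonName", "slapd.local.domain"),),),
    "subjectAltName": (
        ("DNS", "slap.public.external"),
        ("IP Address", "203.0.113.10"),
    ),
}

# The same certificate with no SAN at all: only the legacy CN fallback applies.
CN_ONLY_CERT = {
    "subject": ((("commonName", "slapd.local.domain"),),),
}


def _dns_match(pattern, hostname):
    """Case-insensitive dNSName comparison.  A single '*' is accepted only as
    the whole left-most label, it must be followed by at least two labels, and
    it matches exactly one label (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return (ok, reason) for a getpeercert()-style dict and a requested name."""
    try:
        ip = ipaddress.ip_address(hostname)   # the -h argument was an IP literal
    except ValueError:
        ip = None
    san = cert.get("subjectAltName")
    if san:
        for kind, value in san:
            if kind == "DNS" and ip is None and _dns_match(value, hostname):
                return True, "matched SAN dNSName %s" % value
            if kind == "IP Address" and ip is not None \
                    and ipaddress.ip_address(value) == ip:
                return True, "matched SAN iPAddress %s" % value
        # SAN present but nothing matched: the CN is deliberately not consulted.
        return False, "%s not in subjectAltName %r" % (hostname, san)
    # No SAN extension at all: fall back to the subject commonName(s).
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    for cn in cns:
        if ip is None and _dns_match(cn, hostname):
            return True, "no SAN; matched CN %s" % cn
    return False, "no SAN and %s does not match CN %r" % (hostname, cns)


if __name__ == "__main__":
    for name in ("slap.public.external", "203.0.113.10", "slapd.local.domain"):
        print("%-22s -> %s" % (name, match_hostname(THREAD_CERT, name)))
    print("%-22s -> %s" % ("slapd.local.domain", match_hostname(CN_ONLY_CERT, "slapd.local.domain")))
```

Run stand-alone, the script shows slap.public.external and the IP literal accepted via the SAN, slapd.local.domain rejected against THREAD_CERT because the SAN takes precedence over the CN, and slapd.local.domain accepted against CN_ONLY_CERT through the fallback. Clients that additionally fall back to the CN when the SAN holds no dNSName at all are more lenient than this strict version; the fix is the same either way: list every name the server is reached by in the SAN.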