Re: ldapsearch with DN in CN
On Wed, Feb 26, 2020 at 02:18:53PM +0000, M?ller Lioh wrote:
> Hi all,
>
> I am trying to do a ldapsearch against our Active Directory LDAPS like:
>
> ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)'
>
> The domain controllers have certificates generated with CNs like this:
>
> subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01,
>
> and a SAN defined as ldap.mydomain.ch.
>
> Yet, I got an error like:
>
> TLS: hostname (ldap.mydomain.ch) does not match common name in
> certificate (DC01).
>
> An interesting fact is that if the CN is set to the fqdn like
> dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with
> ldap.mydomain.ch as SAN).
I may be misreading this, but this sounds like a TLS issue.
If you're using 'dc01.mydomain.ch' in your LDAP URI, then your
client is successfully validating the certificate.
When you use 'ldap.mydomain.ch' in your LDAP URI, your client clearly
says that the certificate from whatever server 'ldap.mydomain.ch'
points to, does not have 'ldap.mydomain.ch' in its SAN.
This is a TLS negotiation issue; you haven't gotten as far as using
LDAP yet.
> Greetings
>
> Lioh
>
--
Brian Reichert <reichert@numachi.com>
BSD admin/developer at large
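The thread turns on how a TLS client decides whether a server name matches a certificate: names in the subjectAltName extension are checked first, and the subject CN is only consulted when no SAN is present. The following is an added example, not code from the thread or from OpenLDAP, that implements that matching rule over certificate dicts shaped like those returned by Python's `ssl.SSLSocket.getpeercert()`. The three certificates are constructed to mirror the thread (CN=DC01 without a SAN, CN=DC01 with SAN ldap.mydomain.ch, and CN=dc01.mydomain.ch with that SAN); the helper names and the wildcard handling are this example's own assumptions.

```python
"""Hostname-vs-certificate name matching in the style of RFC 6125.

Added example, not part of the original mailing-list thread. Certificate
dicts are constructed in the shape of ssl.SSLSocket.getpeercert(): DC01,
dc01.mydomain.ch and ldap.mydomain.ch are the names from the thread, the
rest of the fields are assumed for illustration.
"""
from __future__ import annotations


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern (optionally '*.' as the whole leftmost label)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, must not cover a bare
    # top-level domain, and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list[str]:
    """All dNSName entries of the subjectAltName extension (may be empty)."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(cert: dict) -> str | None:
    """The subject commonName, or None if the subject has no CN."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def check_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (matched, explanation). SAN first; CN only if there is no SAN."""
    names = san_dns_names(cert)
    if names:
        if any(_dns_match(n, hostname) for n in names):
            return True, f"matched subjectAltName dNSName in {names!r}"
        return False, (f"hostname {hostname!r} not in subjectAltName {names!r}; "
                       "the CN is not consulted when a SAN is present")
    cn = subject_cn(cert)
    if cn is not None and _dns_match(cn, hostname):
        return True, f"no subjectAltName; matched subject CN {cn!r}"
    return False, (f"no subjectAltName and hostname {hostname!r} does not match "
                   f"common name in certificate ({cn})")


# Constructed sample certificates (shape of ssl.SSLSocket.getpeercert()).
_SUBJECT_SHORT_CN = ((("domainComponent", "ch"),), (("domainComponent", "mydomain"),),
                     (("organizationalUnitName", "Domain Controllers"),),
                     (("commonName", "DC01"),))
_SUBJECT_FQDN_CN = _SUBJECT_SHORT_CN[:-1] + ((("commonName", "dc01.mydomain.ch"),),)

CERT_CN_ONLY = {"subject": _SUBJECT_SHORT_CN}                       # no SAN at all
CERT_CN_WITH_SAN = {"subject": _SUBJECT_SHORT_CN,
                    "subjectAltName": (("DNS", "ldap.mydomain.ch"),)}
CERT_FQDN_CN_WITH_SAN = {"subject": _SUBJECT_FQDN_CN,
                         "subjectAltName": (("DNS", "ldap.mydomain.ch"),)}


def demo() -> dict[str, bool]:
    """Run the three thread scenarios against ldap.mydomain.ch and dc01.mydomain.ch."""
    results = {}
    for label, cert in (("cn-only", CERT_CN_ONLY), ("cn+san", CERT_CN_WITH_SAN),
                        ("fqdn-cn+san", CERT_FQDN_CN_WITH_SAN)):
        for host in ("ldap.mydomain.ch", "dc01.mydomain.ch"):
            ok, why = check_hostname(cert, host)
            results[f"{label}/{host}"] = ok
            print(f"{label:12s} {host:18s} {'OK ' if ok else 'FAIL'} {why}")
    return results


if __name__ == "__main__":
    demo()
```

The constructed `cn-only` certificate reproduces the thread's failure text (no SAN, hostname does not match the CN `DC01`), while the same subject plus a `ldap.mydomain.ch` dNSName passes; the point for anyone debugging this is to inspect the certificate the server actually presents on port 636, which on a shell with OpenSSL 1.1.1 or later can be done with `openssl s_client -connect ldap.mydomain.ch:636 </dev/null | openssl x509 -noout -subject -ext subjectAltName`, rather than the one that was intended to be installed.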