Re: ldapsearch with DN in CN
- To: Brian Reichert <reichert@numachi.com>, Möller Lioh <lioh.moeller@hsr.ch>
- Subject: Re: ldapsearch with DN in CN
- From: Howard Chu <hyc@symas.com>
- Date: Thu, 27 Feb 2020 00:23:07 +0000
- Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- In-reply-to: <20200226204913.GD43966@numachi.com>
- References: <0e8f0118049b4d70b3025d2ed439b895@hsr.ch> <20200226204913.GD43966@numachi.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53
Brian Reichert wrote:
> On Wed, Feb 26, 2020 at 02:18:53PM +0000, Möller Lioh wrote:
>> Hi all,
>>
>> I am trying to do a ldapsearch against our Active Directory LDAPS like:
>>
>> ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)'
>>
>> The domain controllers have certificates generated with CNs like this:
>>
>> subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01,
>>
>> and a SAN defined as ldap.mydomain.ch.
>>
>> Yet, I got an error like:
>>
>> TLS: hostname (ldap.mydomain.ch) does not match common name in
>> certificate (DC01).
>>
>> An interesting fact is that if the CN is set to the fqdn like
>> dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with
>> ldap.mydomain.ch as SAN).
>
> I may be misreading this, but this sounds like a TLS issue.
Wrong. The above error message comes from libldap.
> If you're using 'dc01.mydomain.ch' in your LDAP URI, then your
> client is successfully validating the certificate.
>
> When you use 'ldap.mydomain.ch' in your LDAP URI, your client clearly
> says that the certificate from whatever server 'ldap.mydomain.ch'
> points to, does not have 'ldap.mydomain.ch' in its SAN.
>
> This is a TLS negotiation issue; you haven't gotten as far as using
> LDAP yet.
Definitely sounds like the SAN is not set correctly in the cert,
but this is definitely libldap complaining, the TLS library doesn't
do this hostname check.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
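To make the point of the thread concrete (the hostname check is done by the LDAP client library against the certificate's SAN entries, with the subject CN only consulted afterwards, which is why the message names the CN), here is an added, stand-alone example that is not part of the thread or of OpenLDAP's code. It implements that check in Python over peer-certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns; the sample certificates are constructed to mirror the thread's scenarios (CN=DC01 with a correct SAN, with a wrong SAN, and with no SAN), and the SAN-then-CN order is an assumption modelled on libldap's behaviour, not code taken from it.

```python
def _name_match(pattern: str, host: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.
    A leading '*' may only stand for the single leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host


def check_hostname(peercert: dict, hostname: str) -> tuple[bool, str]:
    """Return (ok, reason). SAN dNSName entries are tried first; the subject
    commonName is only a fallback, so a failure is reported against the CN
    (assumed to mirror libldap's check; the message mimics the one quoted above)."""
    sans = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if any(_name_match(s, hostname) for s in sans):
        return True, "matched subjectAltName dNSName"
    cn = next((v for rdn in peercert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    if cn and _name_match(cn, hostname):
        return True, "matched subject commonName"
    return False, (f"TLS: hostname ({hostname}) does not match common name "
                   f"in certificate ({cn}).")


# Constructed sample certificates (not real DC certs), CN=DC01 as in the thread.
_SUBJECT = ((("domainComponent", "ch"),), (("domainComponent", "mydomain"),),
            (("organizationalUnitName", "Domain Controllers"),), (("commonName", "DC01"),))
CERT_SAN_OK = {"subject": _SUBJECT, "subjectAltName": (("DNS", "ldap.mydomain.ch"),)}
CERT_SAN_WRONG = {"subject": _SUBJECT, "subjectAltName": (("DNS", "dc01.mydomain.ch"),)}
CERT_NO_SAN = {"subject": _SUBJECT}

if __name__ == "__main__":
    for label, cert in (("SAN ok", CERT_SAN_OK), ("SAN wrong", CERT_SAN_WRONG),
                        ("no SAN", CERT_NO_SAN)):
        print(f"{label:9} -> {check_hostname(cert, 'ldap.mydomain.ch')}")
```

Only the first certificate passes; the other two produce the "does not match common name in certificate (DC01)" failure from the thread, which is the symptom of a missing or mismatched SAN rather than of a TLS-layer problem.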