On Tuesday 15 April 2008 15:23:11 kevin montuori wrote:
"BM" == Buchan Milne bgmilne@staff.telkomsa.net writes:
I'd like to set up LDAP command line tools to point to a server -- say localhost -- that has a certificate with an arbitrary name in it -- say `my-domain.com`.
BM> Either:
BM> 1) Add an entry to /etc/hosts so that the name on the certificate
BM> resolves to the correct IP address, and always use the name on
BM> any connection where you want certificate validation or
BM> 2) Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are
BM> using anything besides OpenLDAP software (nss_ldap, pam_ldap) be
BM> aware that their configuration is not identical ...
Or, if you can, use the subjectAltName certificate extension. See the administrator's guide, 14.1.1. Works as expected, and there's no funky client-side configuration required.
This solution assumes that you can change the cert (and, even if you can, that the CA supports/allows the subject alternative name extension), which is not necessarily a good assumption to make.
Regards, Buchan
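As an added example that is not part of this thread (and not OpenLDAP project code), the shell script below builds a self-signed server certificate whose subjectAltName carries both the arbitrary name from the question (my-domain.com) and the name the client actually connects to (localhost), then uses openssl verify -verify_hostname to show which host names a validating client accepts and which it rejects. It also writes the strict client-side ldap.conf that option 3 allows, with TLS_REQCERT left at demand, next to a comment showing the TLS_REQCERT allow setting of option 2. The certificate names, work directory and ldap.conf contents are hypothetical; it needs OpenSSL 1.1.1 or newer for the -addext and -ext options.

```shell
#!/bin/sh
# Added example (not from the thread): certificate with a subjectAltName
# covering every name the server is reached by, plus the hostname check a
# validating TLS client performs. Names and paths are hypothetical.
# Requires OpenSSL 1.1.1 or newer (-addext, -ext).

WORK=$(mktemp -d)
CERT="$WORK/cert.pem"
KEY="$WORK/key.pem"

# Self-signed cert: CN is my-domain.com, SAN lists my-domain.com, localhost
# and 127.0.0.1. Clients match the peer name against the SAN, so every name
# used in a URI must appear here.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=my-domain.com" \
        -addext "subjectAltName=DNS:my-domain.com,DNS:localhost,IP:127.0.0.1" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Print the SAN extension so the embedded names can be inspected.
cert_names() {
    openssl x509 -in "$CERT" -noout -ext subjectAltName
}

# Exit 0 if a client trusting $CERT as its CA (self-signed, so the cert is
# its own trust anchor) would accept a connection to host $1. This is the
# name check OpenLDAP performs with TLS_REQCERT demand (the default) and
# does not enforce with TLS_REQCERT allow.
cert_matches_host() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

# Strict client config for option 3: trust the CA, keep TLS_REQCERT at
# demand, and connect by a name that is present in the SAN. Option 2 from
# the reply would instead read "TLS_REQCERT allow", which stops the client
# from rejecting a certificate whose names do not match the URI.
write_ldap_conf() {
    cat > "$WORK/ldap.conf" <<EOF
URI ldaps://localhost
BASE dc=my-domain,dc=com
TLS_CACERT $CERT
TLS_REQCERT demand
EOF
    echo "$WORK/ldap.conf"
}

# Stand-alone run: show the names in the cert and the verdict per host.
make_cert
cert_names
for h in localhost my-domain.com ldap.example.net; do
    if cert_matches_host "$h"; then
        echo "$h: accepted"
    else
        echo "$h: rejected"
    fi
done
echo "strict client config written to $(write_ldap_conf)"
```

With a real slapd serving this certificate, LDAPCONF="$WORK/ldap.conf" ldapsearch -x would validate cleanly against ldaps://localhost, while a URI using a name outside the SAN (ldap.example.net above) is refused unless TLS_REQCERT is loosened to allow, which is exactly the trade-off option 2 accepts.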