Jeremiah,
I did the test with TLS_REQCERT set to 'allow' and got the same result as you. I am not sure what they mean by 'bad certificate' in the manual page of 'ldap.conf'.
Generally a bad certificate means a certificate whose signature cannot be verified by the SSL library, or a missing certificate. If a certificate is provided and the SSL library can verify it, then it will be used. If the hostname doesn't match, the connection will fail. I.e., hostname matches are never ignored once the certificate is verified. For a load balancing situation you must use subjectAltNames with the relevant names; that's all there is to it.
--
Howard Chu
Chief Architect, Symas Corp.    http://www.symas.com
Director, Highland Sun          http://highlandsun.com/hyc
OpenLDAP Core Team              http://www.openldap.org/project/
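To see the two checks Howard describes in isolation, here is an added example (not code from the thread, from OpenLDAP or from Symas) that builds a throwaway CA and two server certificates with openssl, then runs chain verification and hostname matching against them exactly as a TLS client would. The hostnames are the ones from the thread; the CA names, file names and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP. Builds a test CA and two
# server certificates, then classifies each (host, cert, CA) combination the way
# a TLS client does: chain verification first (failure = "bad certificate"),
# hostname comparison second (never skipped once the chain verifies).
# Assumed names: ldap_ca, other_ca, cn_only, with_san; hostnames from the thread.

WORK=${WORK:-$(mktemp -d)}

# make_ca NAME: self-signed CA written to $WORK/NAME.pem and $WORK/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME CN [SANS]: server certificate signed by CA.
# SANS is an openssl subjectAltName value such as
# "DNS:a.example.com,DNS:b.example.com"; empty means a CN-only certificate,
# which is the shape of certificate that produced the error in the thread.
issue_cert() {
  ca=$1; name=$2; cn=$3; sans=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  extopts=""
  if [ -n "$sans" ]; then
    printf 'subjectAltName=%s\n' "$sans" > "$WORK/$name.ext"
    extopts="-extfile $WORK/$name.ext"
  fi
  openssl x509 -req -days 1 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
    $extopts -out "$WORK/$name.pem" 2>/dev/null
}

# classify HOST CERT CA: prints "ok", "hostname-mismatch" or "untrusted".
# openssl verify checks the chain against CA before it compares HOST with the
# certificate's names, so an untrusted chain is reported without any hostname
# check, and a hostname mismatch is only ever reported for a verified chain.
classify() {
  if out=$(openssl verify -CAfile "$WORK/$3.pem" -verify_hostname "$1" \
             "$WORK/$2.pem" 2>&1); then
    echo ok
    return 0
  fi
  case "$out" in
    *"ostname mismatch"*) echo hostname-mismatch ;;
    *)                    echo untrusted ;;
  esac
}

demo() {
  make_ca ldap_ca
  make_ca other_ca
  # CN only: matches server1 but not the load balancer name.
  issue_cert ldap_ca cn_only  server1.example.com
  # Same CN plus a SAN listing every name clients connect with.
  issue_cert ldap_ca with_san server1.example.com \
    "DNS:server1.example.com,DNS:loadbalancer.example.com"

  for cert in cn_only with_san; do
    for host in server1.example.com loadbalancer.example.com; do
      printf '%-9s %-25s %s\n' "$cert" "$host" "$(classify "$host" "$cert" ldap_ca)"
    done
  done
  # Signed by a CA the client does not trust: the "bad certificate" case,
  # reported before any hostname comparison takes place.
  printf '%-9s %-25s %s\n' with_san loadbalancer.example.com \
    "$(classify loadbalancer.example.com with_san other_ca)"
}

demo
```

Run it and the cn_only certificate reports hostname-mismatch for loadbalancer.example.com while with_san reports ok for both names; the last line reports untrusted because the chain fails before the name is ever compared. In a client's ldap.conf the equivalent settings are TLS_CACERT pointing at the CA file and TLS_REQCERT left at demand; the fix for the load balancer is entirely on the certificate side, and every name clients will use belongs in the SAN list, since once a subjectAltName is present the CN is generally no longer consulted.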
Howard Chu,
Sorry to resurrect this thread after so many months. I have a question as to why, if I put "TLS_REQCERT never" in my ldap.conf, openldap does anything with certificates at all. It seems to me from the man page for ldap.conf that never causes "The client will not request or check any server certificate."
In my instance (I still haven't solved this problem), I put "TLS_REQCERT never" in my ldap.conf, but still get this error from openldap:
TLS: hostname (loadbalancer.example.com) does not match common name in certificate (server1.example.com).
Your thoughts?
Thanks,
- Jeremiah