I have no knowledge of OpenLDAP, which is why I am emailing this list.
I have a vendor that is trying to connect to my Active Directory (which is Windows 2003 native at both the forest level and the domain level) via SSL (port 636) using ldapsearch. They want to authenticate users against my Active Directory. I created the certificates myself (Microsoft assisted me on this part). One question I have: my certificates contain multiple DNS names (the domain name and a simple DNS name, which I want the vendor to use). Does OpenLDAP have a problem with this setup on the certificate?
Question about the command lines they are trying:

1st cmd: ldapsearch -H ldaps://servername -x -D 'CN=name of user' | grep usernameofusertheywanttofind

2nd cmd: ldapsearch -H ldaps://servername -x -s base -D 'cn=name of user'
Any thoughts or opinions on this subject would greatly be appreciated.
Eric Sabo Senior Windows Systems Engineer Department of Computing Systems California University of Pennsylvania
At 08:59 AM 1/18/2007, Sabo, Eric wrote:
> I have a vendor that is trying to connect to my Active Directory (which is Windows 2003 native at both the forest level and the domain level) via SSL (port 636) using ldapsearch. They want to authenticate users against my Active Directory. I created the certificates myself (Microsoft assisted me on this part). One question I have: my certificates contain multiple DNS names (the domain name and a simple DNS name, which I want the vendor to use). Does OpenLDAP have a problem with this setup on the certificate?
The OpenLDAP client library used by ldapsearch(1) implements server certificate checking as described in RFC 4513, supporting not only the server name in the subject DN but also a number of subjectAltName choices, namely dNSName and iPAddress.
> Question about the command lines they are trying:
>
> 1st cmd: ldapsearch -H ldaps://servername -x -D 'CN=name of user' | grep usernameofusertheywanttofind
>
> 2nd cmd: ldapsearch -H ldaps://servername -x -s base -D 'cn=name of user'
>
> Any thoughts or opinions on this subject would greatly be appreciated.
Well, I suggest you give it a go and see.
Kurt
openldap-software@openldap.org
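As an added illustration of the server identity check Kurt refers to (RFC 4513 section 3.1.3), the following Python is example code written for this page; it is not OpenLDAP's implementation (that lives in libldap's TLS code) and does not talk to a server. It models only the part that decides whether a certificate is acceptable for the host the client connected to: the host portion of the -H ldaps://servername URI is compared, case-insensitively, against the dNSName subjectAltName entries (with the subject CN used only as a fallback when there are none), and against iPAddress entries when the client connected by literal IP. The sample certificate fields, the names dc01.example.edu and ldap, and the IP 192.0.2.10 are constructed for the example and modelled on the question (an FQDN plus a short name in one certificate); the rejection of partial wildcards such as dc*.example.edu is a conservative choice of this example, not something the RFC spells out.

```python
"""RFC 4513 3.1.3 style server identity check for an ldaps:// connection.

Example code for illustration; not OpenLDAP's own code.  A certificate is
represented by the three fields the check consumes: the subject CN, the
dNSName subjectAltName values and the iPAddress subjectAltName values.
"""
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one dNSName (or subject CN) value with the connected hostname.

    Matching is case-insensitive.  A '*' is accepted only as the entire
    left-most label and matches exactly one label, so '*.bar.com' matches
    'a.bar.com' but not 'a.x.bar.com' or 'bar.com' (the RFC 4513 example).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or any(not label for label in h):
        return False
    if p[0] == "*":
        # A bare '*' would match any single-label host; require a suffix.
        return len(p) > 1 and p[1:] == h[1:]
    # Assumption of this example: partial wildcards ('dc*.example.edu')
    # are rejected rather than expanded.
    if any("*" in label for label in p):
        return False
    return p == h


def check_server_identity(connected_host: str, cn: str = None,
                          dns_names=(), ip_addresses=()):
    """Return (ok, reason) for the host part of an ldaps:// URI.

    connected_host is what the client typed after ldaps://, a DNS name or
    a literal IP address.  The reference identity is never a name the
    client learned from DNS or from the certificate itself.
    """
    try:
        ip = ipaddress.ip_address(connected_host)
    except ValueError:
        ip = None
    if ip is not None:
        # Connected by IP: only an iPAddress subjectAltName can match.
        for cand in ip_addresses:
            if ipaddress.ip_address(cand) == ip:
                return True, f"iPAddress {cand} matches {connected_host}"
        return False, "connected by IP but no iPAddress subjectAltName matches"
    # dNSName entries are the identity source; the subject CN is only a
    # fallback for certificates that carry no dNSName at all.
    candidates = list(dns_names) if dns_names else ([cn] if cn else [])
    for cand in candidates:
        if dns_name_matches(cand, connected_host):
            return True, f"dNSName/CN {cand} matches {connected_host}"
    return False, f"no name in the certificate matches {connected_host}"


# Constructed sample: an AD domain controller certificate with the FQDN
# and a short name, like the one described in the question.  No iPAddress.
SAMPLE_CERT = {
    "cn": "dc01.example.edu",
    "dns_names": ["dc01.example.edu", "ldap"],
    "ip_addresses": [],
}


def demo():
    """Run the check for the ways the vendor might write ldaps://host."""
    hosts = ["ldap", "DC01.EXAMPLE.EDU", "ldap.example.edu", "192.0.2.10"]
    return {host: check_server_identity(host, **SAMPLE_CERT) for host in hosts}


if __name__ == "__main__":
    for host, (ok, reason) in demo().items():
        print(f"ldaps://{host:<18} {'OK  ' if ok else 'FAIL'} {reason}")
```

Run as a script it reports that ldaps://ldap and ldaps://DC01.EXAMPLE.EDU are accepted, that ldaps://ldap.example.edu fails because that exact name is in neither SAN list, and that connecting by IP fails because the certificate carries no iPAddress entry. The practical point for the vendor is that whatever goes after ldaps:// in the -H argument must appear verbatim (modulo case) as a dNSName in the certificate; a certificate with several dNSName entries is fine, and any one of them matching is enough.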