Re: Using Arbitrary X509 certificates for LDAPS authentication
Howard Chu wrote:
Stephen Cartwright wrote:
> I looked into this and I don't understand :( Would you please clarify
> why a DN such as "/C=CA/O=Grid/CN=host/somehost.somedomain.ca" is
> broken? You said "somehost.somedomain.ca" is not a valid RDN because
> it just has a value and not a type, however the RDN is not just
> "somehost.somedomain.ca" but "CN=host/somehost.somedomain.ca"
which
> has a type of "CN" and a value of "host/somehost.somedomain.ca"
does
> it not?
That wasn't clear to me from the output you posted before. Since you
were posting a DN that uses '/' as its RDN separator, the software that
generated this log output should have escaped the '/' in the attribute
value if that was really the situation. E.g., it should have looked like
/CN=host%2Fsomehost.somedomain.ca.
Using top-down-order and / as separator is the standard behaviour of OpenSSL.
:-/ One can also display subject and issuer names in certs with
openssl x509 -nameopt rfc2253
> If this RDN is in fact valid, I still don't understand why
DNs
> of the form
> "/C=CA/O=Grid/CN=host/somehost.somedomain.ca" seem to not work with LDAP.
At this point I have no idea what you're really working with. The
comment I posted originally may not apply to this situation at all.
Since this is about GRID services I guess someone falsely put a Kerberos
service prinicipal name in the CN attribute of the server cert. The cert has
to be corrected to contain exactly the FQDN of the server used during LDAP
connect *without* the prefix "host/".
Ciao, Michael.