On 10/18/2013 10:41 AM, Christian Kratzer wrote:
Hi,
On Thu, 17 Oct 2013, lejeczek wrote:
dear all
I'm trying to set a seeminglysimple setup having a box with openldap I want it to use TLS on both internal and external hostnames/IPs
openldap was set up earlier and was/is working I generate TLS certificate with SAN everything seems working fine but when I ldapsearch on external fqdn/IP (which in the certificate is the subjectAltName) search fails whereas it succeeds on internal fqdn(which is the hostname/ CN in the certificate)
error is: additional info: TLS error -8157:Certificate extension not found.
is such a scenario even possible? having very same DN being served on more than one name via TLS?
If this is what you are looking for I can confirm that I have a setup with ldaps:// and ldap:// with TLS that uses subjectAltNames in the certificates.
Relevant parts of the x509 cert with customer name obfuscated
We have this on one server:
Subject: C=XX, ST=State, L=City, O=Company,CN=ldap1.example.org X509v3 Subject Alternative Name: DNS:ldap1.example.org, DNS:ldap1, DNS:ldap-cluster.example.org, DNS:ldap-cluster
We have this on the other server:
Subject: C=XX, ST=State, L=City, O=Company,CN=ldap2.example.org X509v3 Subject Alternative Name: DNS:ldap2.example.org, DNS:ldap2, DNS:ldap-cluster.example.org, DNS:ldap-cluster
We can connect to ldap-cluster.example.org just fine independent of to which server the load balancer directs the tcp connection to.
This is using openldap-2.4.36
hi Christian
my case is, well should be a lot more simpler, one box with
slapd.local.domain slap.public.external
and this one host I would like to be able to search through on/via both hostnames/IPs with TLS so I issue myself and sign a certificate, CA issuer is CA.local.domain
Subject: .......... CN=slapd.local.domain/email......... and X509v3 Subject Alternative Name: DNS:slap.public.external, IP Address:ex.te.rn.al
ldapsearch -h slap.public.external -D cn=manager,dc=local,dc=domain .... result: TLS: hostname (slap.public.external) does not match common name in certificate (slapd.local.domain). TLS: can't connect: TLS error -8157:Certificate extension not found.. ldap_start_tls: Connect error (-11) additional info: TLS error -8157:Certificate extension not found.
whereas: ldapsearch -h slap.local.domain -D cn=manager,dc=local,dc=domain works fine could it be tools from be openldap-clients, a bug? Apache's ldap toolkit for Eclipse seems to work and connects to slap.public.external
??
btw, being novice with openssl, is there a way to print extensions thus SAN of a certificate? I can print and see it on the request.
regards
Greetings Christian