Hi,
On Monday, 28. May 2012, Philip Guenther wrote:
On Mon, 28 May 2012, Michael Ströder wrote:
Peter Marschall wrote:
how do the openldap tools technically verify certificates with ldapi:// ?
Which certs do you want to verify?
I assume the answer is "the one the server returns when you do StartTLS on the ldapi:// connection".
Correct.
If that's not a sufficient option, and verifying certs is required, then it appears the code will treat the socket path as the hostname to verify for. For OpenSSL, for example, that means it'll compare it against any DNS: subjectAltNames as well as against the last CN component of the cert subject.
That's not what the openldap tools do. My server certificates do not contain the ldapi socket path as hostnames, yet ldapsearch -LLL -x -H ldapi:/// -ZZ -s base -b "" works and I want to find out how it does this.
Best Peter