I created two new certificates for different LDAP servers, one customer and one provider.
Ran slapd -d 127 "ldaps://" in the CLI.
They could verify each other, but I still could not use ldapmodify to import data; the error info is the same.
gtalk:freeespeech@gmail.com
On Fri, Jul 2, 2010 at 2:37 PM, owen nirvana <freeespeech@gmail.com> wrote:
If the CN must be the fully qualified domain name, then a specific CA could not issue two certificates with the same CN if the LDAP server needs to act as server and client at the same time.
How to issue two certificates to make the LDAP server act as server and client at the same time?
On Fri, Jul 2, 2010 at 1:24 PM, Indexer <indexer@internode.on.net> wrote:
The CN should be the fully qualified domain name, i.e. if my server is ldap.domain.com, the CN must match ldap.domain.com, and you must connect to the server using ldap://ldap.domain.com. It is the cause of most TLS issues.
On 02/07/2010, at 2:51 PM, owen nirvana wrote:
I created a new certificate and key with CN = Administrator; "verify failed" no longer appears, but
"ldap_start_tls : Can't Contact LDAP Server(-1)" is still reported, with no additional info.
On Fri, Jul 2, 2010 at 12:47 PM, owen nirvana <freeespeech@gmail.com> wrote:
Thanks.
About "Your server's CN on the certificate must also match the hostname of the server."
Does it mean the CN should be the username of the OS, like Administrator, or the LDAP server name, like "ldap.server"?
On Fri, Jul 2, 2010 at 11:24 AM, Indexer <indexer@internode.on.net> wrote:
On 02/07/2010, at 12:49 PM, owen nirvana wrote:
I set TLS options to use ldaps.
When using TLS you don't need LDAPS; you want to set your systems to ldap://ldap.server
Question 1: port 389 is open when I scan the LDAP server with nmap, but I could not connect to it with Apache Directory Studio v1.5.3.
Question 2: nmap tells me "server still supports SSLv2", but I set TLSCipherSuite to HIGH:MEDIUM:-SSLv2
Question 3: I tried to import some data with ldapmodify:
ldapmodify -a -H ldap://mydomain.org:636 -D "cn=admin,dc=mydomain,dc=org" -x -w whatever -f init.ldif
Try adding the -Z flag to turn on encryption. Your server's CN on the certificate must also match the hostname of the server.
The following is the error report:
ldap_start_tls : Can't Contact LDAP Server(-1) addition info: error: 14000092: SSL Routine: SSL3_GET_CERTFICATE: certificate verify failed
ldap_sasl_bind(Simple): Can't Contact LDAP Server(-1)
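The point made repeatedly in this thread is that the certificate's name must match the host name the client connects to, and that the same certificate can carry both the server and client roles. The script below is an added example, not code from the thread or from OpenLDAP: it mints a throwaway CA and one server certificate for a constructed host name (ldap.example.org), then runs OpenSSL's own hostname verification for the matching and a mismatching name.

```shell
#!/bin/sh
# Added example, not from the thread. Mints a throwaway CA and one server
# certificate whose CN and subjectAltName equal the LDAP host name (a
# constructed placeholder), then checks how hostname verification treats
# the matching and a mismatching name.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="ldap.example.org"   # the name clients use: ldap://ldap.example.org

make_certs() {
    # Self-contained req config so the run does not depend on a system openssl.cnf.
    cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 1. Throwaway self-signed CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # 2. Server key + CSR; -subj overrides the config so the CN is the FQDN.
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    # 3. Sign it. The SAN repeats the host name (modern clients check the SAN,
    #    not the CN); the EKU lists serverAuth and clientAuth so one
    #    certificate serves both roles.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$HOST" > "$WORK/ext.cnf"
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/ext.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# Succeeds only when the chain is trusted AND the certificate is valid for
# host name $1, the same two checks a TLS client applies during StartTLS.
verify_for_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

make_certs
verify_for_host "$HOST" && echo "accepted: certificate valid for $HOST"
verify_for_host "other.example.org" || echo "rejected: name mismatch for other.example.org"
```

Point the client at the same name the certificate carries (ldap://ldap.example.org with -Z) and the verification passes; point it at any other name, or at an address, and it fails exactly as the mismatch case does here.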