On 10/18/2013 11:59 AM, Christian Kratzer wrote:
Hi,
On Fri, 18 Oct 2013, lejeczek wrote:
<snipp/> > hi Christian > > my case is, well should be a lot more simpler, one box with > > slapd.local.domain > slap.public.external > > and this one host I would like to be able to search > through on/via both hostnames/IPs with TLS > so I issue myself and sign a certificate, CA issuer is > CA.local.domain > > Subject: .......... CN=slapd.local.domain/email......... > and > X509v3 Subject Alternative Name: > DNS:slap.public.external, IP > Address:ex.te.rn.al > > ldapsearch -h slap.public.external -D > cn=manager,dc=local,dc=domain .... > result: > TLS: hostname (slap.public.external) does not match > common name in certificate (slapd.local.domain). > TLS: can't connect: TLS error -8157:Certificate extension > not found.. > ldap_start_tls: Connect error (-11) > additional info: TLS error -8157:Certificate extension > not found. > > whereas: > ldapsearch -h slap.local.domain -D > cn=manager,dc=local,dc=domain > works fine > could it be tools from be openldap-clients, a bug? > Apache's ldap toolkit for Eclipse seems to work and > connects to slap.public.external
this should work. It does in two separate setups that I maintain.
Which version is your openldap client ?
whole toolkit is Redhats 2.4.23-31.el6.x86_64 on RHEL 6.4
Have you configured the CA certificate for trust ? I have following in my /usr/local/etc/openldap/ldap.conf to configure the CA certificate:
for ldapsearch I use args in line for the command, also debug it and see that wanted certificate is pulled in
[ck@ldaptest1]$ cat ~ldap/ldap.conf BASE dc=example,dc=org URI ldap://ldaptest1.cksoft.de TLS_CACERT
/usr/local/etc/openldap/certs/cksoftware-gmbh-ca-2011-2031.cert
TLS_REQCERT demand
btw, being novice with openssl, is there a way to print extensions thus SAN of a certificate? I can print and see it on the request.
use following to dump the certificate:
openssl s_client -text -in CERT.pem
and no such things for s_clients in the toolkit version as above, I normally view a certificate with:
openssl x509 -issuer -subject -enddate -noout -text -in CERT.pem -- and I cannot see subjectAltNames
how could it be, given above is the right way to get all relevant info of a certificate that request has subjectAltNames but actual certificate misses it?
You should see the subjectAltNames.
If not your certificate is broken.
Greetings Christian