On Wed, Feb 26, 2020 at 02:18:53PM +0000, M?ller Lioh wrote:
Hi all,
I am trying to do a ldapsearch against our Active Directory LDAPS like:
ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)'
The domain controllers have certificates generated with CNs like this:
subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01,
and a SAN defined as ldap.mydomain.ch.
Yet, I got an error like:
TLS: hostname (ldap.mydomain.ch) does not match common name in certificate (DC01).
An interesting fact is that if the CN is set to the fqdn like dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with ldap.mydomain.ch as SAN).
I may be misreading this, but this sounds like a TLS issue.
If you're using 'dc01.mydomain.ch' in your LDAP URI, then your client is successfully validating the certificate.
When you use 'ldap.mydomain.ch' in your LDAP URI, you client clearly says that the certificate from whatever server 'ldap.mydomain.ch' points to, does not have 'ldap.mydomain.ch' in it's SAN.
This is a TLS negotiation issue; you can't gotten as far as using LDAP yet.
Greetings
Lioh