What if i want to access LDAP from external source? how would it recognize platalytics.com?
On Fri, Oct 2, 2015 at 1:18 PM, Michael Ströder michael@stroeder.com wrote:
Aneela Saleem wrote:
Hi all,
I have implemented LDAP over ssl. FQDN of LDAP server is "
platalytics.com"
and same is CN in the SSL certificate. But why is it so that when i run following command it works fine i.e.,
ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldap:// 127.0.0.1:389 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
but in case of ldaps, i have to provide FQDN as the hostname i.e.,
ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H
ldaps://
platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
because following command does not work i.e.,
ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H
ldaps://
127.0.0.1:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
The mandatory TLS hostname check is a prevention against MITM attacks.
ldaps://127.0.0.1 does not make sense anyway.
And even better you should use ldapi:// [1] for local access.
http://tools.ietf.org/html/draft-chu-ldap-ldapi
Ciao, Michael.