Hi all,
I am trying to do a ldapsearch against our Active Directory LDAPS like:
ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)'
The domain controllers have certificates generated with CNs like this:
subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01,
and a SAN defined as ldap.mydomain.ch.
Yet, I got an error like:
TLS: hostname (ldap.mydomain.ch) does not match common name in certificate (DC01).
An interesting fact is that if the CN is set to the fqdn like dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with ldap.mydomain.ch as SAN).
I may be misreading this, but this sounds like a TLS issue.
Wrong. The above error message comes from libldap.
If you're using 'dc01.mydomain.ch' in your LDAP URI, then your client is successfully validating the certificate.
When you use 'ldap.mydomain.ch' in your LDAP URI, you client clearly says that the certificate from whatever server 'ldap.mydomain.ch' points to, does not have 'ldap.mydomain.ch' in it's SAN.
This is a TLS negotiation issue; you can't gotten as far as using LDAP yet.
Definitely sounds like the SAN is not set correctly in the cert, but this is definitely libldap complaining, the TLS library doesn't do this hostname check.
Does the SAN has to be configured in form of DNS:dc01.mydomain.ch ?
Greetings
Lioh