Hallvard Breien Furuseth h.b.furuseth@usit.uio.no wrote on 23.03.2015 at
13:53 in message 55100CDD.1000805@usit.uio.no:
On 23 March 2015 12:45, Ulrich Windl wrote:
Related question: If the command above fails with "stronger confidentiality
required", and adding "-ZZ" fails with "TLS: hostname does not match CN in peer certificate", what should a proper certificate look like?
Read the OpenLDAP Admin Guide, section 16 (TLS). In particular 16.1.1. Server Certificates.
Hi!
According to your proposal, I read: -- 16.1.1. Server Certificates
The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the server's fully qualified domain name. Additional alias names and wildcards may be present in the subjectAltName certificate extension. More details on server certificate names are in RFC4513. --
So this does not answer my question of how to cover the ldapi:// URI. Or maybe there's an easier way to override the "confidentiality required" for ldapi://?
You missed reading the essential part of my message, namely: "ldapwhoami -Y EXTERNAL -H ldapi://"
(For a normal ldap: connection I have no problems with the settings)
Regards, Ulrich
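Added illustration for the ldapi:// case discussed above; it is not part of this thread and not from the OpenLDAP project. It assumes a slapd running with cn=config (olcSecurity and olcLocalSSF are the cn=config names of the slapd.conf "security" and "localSSF" directives) and an enabled ldapi:// listener. The point is that slapd does not negotiate TLS on the local socket; it assigns every ldapi:// connection the fixed security strength factor from olcLocalSSF (default 71), so a global "ssf=128" floor rejects ldapi:// with "stronger confidentiality required" while a TLS ldap:// connection, whose SSF comes from the negotiated cipher, passes:

```ldif
# Added example, not from the thread or the OpenLDAP project.
# Assumes cn=config and an ldapi:// listener.
#
# Record 1: a global floor that reproduces the symptom.  Applying only this
# record makes "ldapwhoami -Y EXTERNAL -H ldapi://" fail with
# "stronger confidentiality required", because ldapi:// connections carry
# the default local SSF of 71, which is below 128.
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128

# Record 2: keep the floor for network clients, but tell slapd that the local
# socket is worth 128 so ldapi:// clears the same requirement.  This is only
# reasonable if the socket file itself is protected (filesystem permissions
# on the ldapi socket path), since the value is asserted, not negotiated.
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128

# Apply with the same local, SASL/EXTERNAL connection the thread uses:
#   ldapmodify -Y EXTERNAL -H ldapi:// -f local-ssf.ldif
# Then re-check; as root the expected identity is
#   dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#   ldapwhoami -Y EXTERNAL -H ldapi://
```

Raising olcLocalSSF changes nothing about ldap:// connections: those still have to reach ssf=128 through TLS, which is why the "-ZZ" hostname check and the certificate CN/subjectAltName requirements from section 16.1.1 apply only to the network listener, not to the local socket.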