Aneela Saleem wrote:
Hi all,
I have implemented LDAP over ssl. FQDN of LDAP server is "platalytics.com" and same is CN in the SSL certificate. But why is it so that when i run following command it works fine i.e.,
ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldap:// 127.0.0.1:389 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
but in case of ldaps, i have to provide FQDN as the hostname i.e.,
ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps:// platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
because following command does not work i.e.,
ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps:// 127.0.0.1:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
The mandatory TLS hostname check is a prevention against MITM attacks.
ldaps://127.0.0.1 does not make sense anyway.
And even better you should use ldapi:// [1] for local access.
http://tools.ietf.org/html/draft-chu-ldap-ldapi
Ciao, Michael.