Hi all,
I am trying to do a ldapsearch against our Active Directory LDAPS like:
ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)'
The domain controllers have certificates generated with CNs like this:
subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01,
and a SAN defined as ldap.mydomain.ch.
Yet, I got an error like:
TLS: hostname (ldap.mydomain.ch) does not match common name in certificate (DC01).
An interesting fact is that if the CN is set to the fqdn like dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with ldap.mydomain.ch as SAN).
Isn't ldapsearch 2.4.44 capable of working with DN in subject (CN) or does it fail to lookup the SAN in such case?
Greetings
Lioh
On Wed, Feb 26, 2020 at 02:18:53PM +0000, Müller Lioh wrote:
> Hi all,
> I am trying to do a ldapsearch against our Active Directory LDAPS like:
> ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)'
> The domain controllers have certificates generated with CNs like this:
> subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01,
> and a SAN defined as ldap.mydomain.ch.
> Yet, I got an error like:
> TLS: hostname (ldap.mydomain.ch) does not match common name in certificate (DC01).
> An interesting fact is that if the CN is set to the fqdn like dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with ldap.mydomain.ch as SAN).
I may be misreading this, but this sounds like a TLS issue.
If you're using 'dc01.mydomain.ch' in your LDAP URI, then your client is successfully validating the certificate.
When you use 'ldap.mydomain.ch' in your LDAP URI, your client clearly says that the certificate from whatever server 'ldap.mydomain.ch' points to does not have 'ldap.mydomain.ch' in its SAN.
This is a TLS negotiation issue; you haven't gotten as far as using LDAP yet.
> Greetings
> Lioh
Brian Reichert wrote:
> On Wed, Feb 26, 2020 at 02:18:53PM +0000, Müller Lioh wrote:
>> Hi all,
>> I am trying to do a ldapsearch against our Active Directory LDAPS like:
>> ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)'
>> The domain controllers have certificates generated with CNs like this:
>> subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01,
>> and a SAN defined as ldap.mydomain.ch.
>> Yet, I got an error like:
>> TLS: hostname (ldap.mydomain.ch) does not match common name in certificate (DC01).
>> An interesting fact is that if the CN is set to the fqdn like dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with ldap.mydomain.ch as SAN).
> I may be misreading this, but this sounds like a TLS issue.
Wrong. The above error message comes from libldap.
> If you're using 'dc01.mydomain.ch' in your LDAP URI, then your client is successfully validating the certificate.
> When you use 'ldap.mydomain.ch' in your LDAP URI, your client clearly says that the certificate from whatever server 'ldap.mydomain.ch' points to does not have 'ldap.mydomain.ch' in its SAN.
> This is a TLS negotiation issue; you haven't gotten as far as using LDAP yet.
Definitely sounds like the SAN is not set correctly in the cert, but this is definitely libldap complaining; the TLS library doesn't do this hostname check.
>>> Hi all,
>>> I am trying to do a ldapsearch against our Active Directory LDAPS like:
>>> ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)'
>>> The domain controllers have certificates generated with CNs like this:
>>> subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01,
>>> and a SAN defined as ldap.mydomain.ch.
>>> Yet, I got an error like:
>>> TLS: hostname (ldap.mydomain.ch) does not match common name in certificate (DC01).
>>> An interesting fact is that if the CN is set to the fqdn like dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with ldap.mydomain.ch as SAN).
>> I may be misreading this, but this sounds like a TLS issue.
> Wrong. The above error message comes from libldap.
>> If you're using 'dc01.mydomain.ch' in your LDAP URI, then your client is successfully validating the certificate.
>> When you use 'ldap.mydomain.ch' in your LDAP URI, your client clearly says that the certificate from whatever server 'ldap.mydomain.ch' points to does not have 'ldap.mydomain.ch' in its SAN.
>> This is a TLS negotiation issue; you haven't gotten as far as using LDAP yet.
> Definitely sounds like the SAN is not set correctly in the cert, but this is definitely libldap complaining; the TLS library doesn't do this hostname check.
Does the SAN have to be configured in the form DNS:dc01.mydomain.ch?
Greetings
Lioh
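An added illustration for the SAN question above (not code from this thread or from OpenLDAP): given a certificate in the dict layout that Python's ssl.getpeercert() returns, check_hostname reports which identity the name check consulted, so a certificate that carries no DNS:ldap.mydomain.ch SAN can be told apart from one whose SAN merely doesn't match the host in the URI. The two sample certificates are constructed to mirror the thread, and fetch_peer_cert (an assumed helper, needs network) pulls the live certificate for the same check; the SAN is matched against the host named in the LDAP URI, so for ldaps://ldap.mydomain.ch:636 it is the DNS:ldap.mydomain.ch entry that counts.

```python
"""Offline diagnosis of an LDAPS hostname-verification failure.

Works on the dict layout that ssl.SSLSocket.getpeercert() returns: SAN dNSName
entries are consulted first, the subject CN only when no dNSName SAN exists
(RFC 6125 semantics; an illustration, not libldap's own code).
"""
import socket
import ssl

def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match allowing one left-most wildcard label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(h) > 1 and p[1:] == h[1:]
    return p == h

def check_hostname(cert: dict, hostname: str) -> tuple:
    """Return (matched, reason); the reason names the identity that was compared."""
    dns_ids = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_ids:
        if any(_dns_match(d, hostname) for d in dns_ids):
            return True, f"hostname ({hostname}) matches SAN dNSName {dns_ids}"
        return False, f"hostname ({hostname}) matches none of the SAN dNSNames {dns_ids}"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    cn = cns[0] if cns else ""
    if cn and _dns_match(cn, hostname):
        return True, f"no dNSName SAN; hostname ({hostname}) matches common name ({cn})"
    return False, f"no dNSName SAN; hostname ({hostname}) does not match common name ({cn})"

def fetch_peer_cert(host: str, port: int = 636) -> dict:
    """Assumed helper: fetch the live server certificate (network needed) for check_hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the chain is still verified; the name is checked above
    with ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host) as s:
        return s.getpeercert()

# Constructed sample certificates mirroring the thread (not real DC certificates).
SUBJECT_DC01 = ((("domainComponent", "ch"),), (("domainComponent", "mydomain"),),
                (("organizationalUnitName", "Domain Controllers"),), (("commonName", "DC01"),))
CERT_WITH_SAN = {"subject": SUBJECT_DC01, "subjectAltName": (("DNS", "ldap.mydomain.ch"),)}
CERT_WITHOUT_SAN = {"subject": SUBJECT_DC01}  # what the CN-based error message suggests was served
```

Running check_hostname(CERT_WITHOUT_SAN, "ldap.mydomain.ch") reproduces the "does not match common name (DC01)" situation, while CERT_WITH_SAN matches; against a real server use check_hostname(fetch_peer_cert("ldap.mydomain.ch"), "ldap.mydomain.ch").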
On Thu, Feb 27, 2020 at 12:23:07AM +0000, Howard Chu wrote:
> Brian Reichert wrote:
>>> An interesting fact is that if the CN is set to the fqdn like dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with ldap.mydomain.ch as SAN).
>> I may be misreading this, but this sounds like a TLS issue.
> Wrong. The above error message comes from libldap.
Thanks for the clarification; I've not seen this class of error before...
> Definitely sounds like the SAN is not set correctly in the cert, but this is definitely libldap complaining; the TLS library doesn't do this hostname check.
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
openldap-technical@openldap.org