Brian Reichert wrote:
On Wed, Feb 26, 2020 at 02:18:53PM +0000, M?ller Lioh wrote:
> Hi all,
> I am trying to do a ldapsearch against our Active Directory LDAPS like:
> ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H
ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub
> The domain controllers have certificates generated with CNs like this:
> subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01,
> and a SAN defined as ldap.mydomain.ch.
> Yet, I got an error like:
> TLS: hostname (ldap.mydomain.ch) does not match common name in
> certificate (DC01).
> An interesting fact is that if the CN is set to the fqdn like
> dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with
> ldap.mydomain.ch as SAN).
I may be misreading this, but this sounds like a TLS issue.
Wrong. The above error message comes from libldap.
If you're using 'dc01.mydomain.ch' in your LDAP URI, then
client is successfully validating the certificate.
When you use 'ldap.mydomain.ch' in your LDAP URI, you client clearly
says that the certificate from whatever server 'ldap.mydomain.ch'
points to, does not have 'ldap.mydomain.ch' in it's SAN.
This is a TLS negotiation issue; you can't gotten as far as using
Definitely sounds like the SAN is not set correctly in the cert,
but this is definitely libldap complaining, the TLS library doesn't
do this hostname check.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/