Hallvard Breien Furuseth h.b.furuseth@usit.uio.no wrote on 23.03.2015 at 13:53 in message 55100CDD.1000805@usit.uio.no:
On 23. mars 2015 12:45, Ulrich Windl wrote:
Related question: If the command above fails with "stronger confidentiality required", and adding "-ZZ" fails with " TLS: hostname does not match CN in peer certificate", what should a proper certificate look like?
Read the OpenLDAP Admin Guide, section 16 (TLS). In particular 16.1.1. Server Certificates.
Hi!
According to your proposal I read: -- 16.1.1. Server Certificates
The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the server's fully qualified domain name. Additional alias names and wildcards may be present in the subjectAltName certificate extension. More details on server certificate names are in RFC4513. --
So this does not answer my question of how to cover the ldapi:// URI. Or maybe there's an easier way to override the "confidentiality required" for ldapi://?
You failed to read the essential part of my message, namely: "ldapwhoami -Y EXTERNAL -H ldapi://"
(For a normal ldap: connection I have no problems with the settings)
Regards, Ulrich
Hi,
So this does not answer my question of how to cover the ldapi:// URI. Or maybe there's an easier way to override the "confidentiality required" for ldapi://?
You failed to read the essential part of my message, namely: "ldapwhoami -Y EXTERNAL -H ldapi://"
(For a normal ldap: connection I have no problems with the settings)
Have a look at the global option localSSF (or olcLocalSSF). Set this to the value that is required for your slapd, for example 256.
Regards, Dirk
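As an added example (not code from any of the posters), a small POSIX shell helper that writes the cn=config LDIF for Dirk's olcLocalSSF suggestion and pre-checks whether a given localSSF value satisfies an olcSecurity requirement before you apply it. The olcSecurity value, the value 256, and root access to cn=config over ldapi:// with SASL EXTERNAL are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes slapd uses cn=config and that
# the local ldapi:// socket is reachable with SASL EXTERNAL.
#
# The requirement behind "stronger confidentiality required" typically looks
# like this in cn=config (value assumed for illustration):
#   olcSecurity: ssf=256
# olcLocalSSF tells slapd what strength to assume for ldapi:// connections,
# which are protected by socket permissions rather than by TLS.

# Print the LDIF that sets olcLocalSSF to the given value.
localssf_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: $1
EOF
}

# Extract the overall minimum SSF ("ssf=N") from an olcSecurity value;
# prints 0 when no ssf= key is present.
required_ssf() {
  for kv in $1; do
    case "$kv" in
      ssf=*) echo "${kv#ssf=}"; return 0 ;;
    esac
  done
  echo 0
}

# Return 0 when a localSSF of $2 satisfies the olcSecurity value $1.
# localSSF counts toward ssf= and transport=, but not toward tls=, so a
# non-zero tls= requirement still blocks ldapi:// whatever localSSF is.
ldapi_ok() {
  req=$(required_ssf "$1")
  for kv in $1; do
    case "$kv" in
      tls=*) [ "${kv#tls=}" -eq 0 ] || return 1 ;;
    esac
  done
  [ "$2" -ge "$req" ]
}

# Apply and verify (only when invoked as "apply [ssf]" with slapd running).
if [ "${1:-}" = "apply" ]; then
  localssf_ldif "${2:-256}" | ldapmodify -Q -Y EXTERNAL -H ldapi://
  ldapwhoami -Y EXTERNAL -H ldapi://   # should now succeed
fi
```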
On 24. mars 2015 09:42, Ulrich Windl wrote:
You failed to read the essential part of my message, namely: "ldapwhoami -Y EXTERNAL -H ldapi://"
Whoops, sorry. No, I don't know what the "hostname" should be in this case. The (URI-escaped?) socket filename, maybe. You could check the code, and maybe submit a doc patch :-)
openldap-technical@openldap.org