
List:       nssldap
Subject:    [nssldap] SSL hostname checking
From:       Antti Tikkanen <antti.tikkanen@hut.fi>
Date:       2002-07-31 9:57:05

I have been puzzled for a while now, since I have not been able to get
nss_ldap with SSL (not TLS) working with some OpenLDAP library versions.

Specifically, OpenLDAP 2.0.11 works just fine. I had a problem with
LDAP_OPT_X_TLS_REQUIRE_CERT which it didn't seem to recognize, but
otherwise things worked fine.

However, when I tried OpenLDAP 2.0.23, things seemed to fail. I got an
LDAP_SERVER_DOWN error, which I traced down to an LDAP_CONNECTION_ERROR
from tls.c. This was because it was comparing (as I understand) the value
from the server's certificate to the value from the /etc/ldap.conf "host"
parameter. I was using the server's IP address in the conf file, so things
did not work. After I replaced the IP address with the server's hostname,
everything was OK.

I had set tls_checkpeer to 'no'. Is this supposed to happen? Anyways, if
someone else is having the same problem, this is the cause.

Regards,
Antti


-- 

Antti.Tikkanen@hut.fi
Helsinki University of Technology
Computing Centre

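The check the post describes (the name in the server certificate compared against the "host" value from ldap.conf) can be illustrated with a small standalone matcher. This is an added example, not code from nss_ldap or OpenLDAP's tls.c; the certificate contents, hostnames and the address 192.0.2.10 are constructed, and the matching rules (case-insensitive dNSName comparison, a single leftmost wildcard label, IP literals only satisfied by an iPAddress subjectAltName) are standard TLS name-checking practice, not a claim about what OpenLDAP 2.0.23 implemented.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for the identity fields of a server certificate (constructed)."""
    common_name: str
    dns_names: list = field(default_factory=list)      # subjectAltName dNSName entries
    ip_addresses: list = field(default_factory=list)   # subjectAltName iPAddress entries


def _dns_match(pattern, host):
    # Case-insensitive; a trailing dot is ignored; a leftmost "*" label matches exactly one label.
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_peer_name(cert, configured_host):
    """Return (ok, reason) for the ldap.conf "host" value checked against the certificate."""
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN; a hostname in the CN can never
        # equal an address, which is exactly why "host <IP>" fails in the post above.
        if any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses):
            return True, "iPAddress SAN matches"
        return False, "configured host is an IP literal but the certificate names only hostnames"
    names = cert.dns_names or [cert.common_name]   # SAN dNSNames take precedence over the CN
    for name in names:
        if _dns_match(name, configured_host):
            return True, f"matched {name}"
    return False, f"{configured_host} not among {names}"


# Constructed certificate for a hypothetical LDAP server; not from the original post.
SERVER_CERT = Cert(common_name="ldap.example.org")

if __name__ == "__main__":
    for host in ("192.0.2.10", "ldap.example.org", "LDAP.EXAMPLE.ORG."):
        print(host, check_peer_name(SERVER_CERT, host))
```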
