At 03:41 PM 2/15/2006, Quanah Gibson-Mount wrote:
>On Wednesday 15 February 2006 15:40, Jon Roberts wrote:
>> Quanah Gibson-Mount wrote:
>> > On Wednesday 15 February 2006 14:23, Ran Li wrote:
>> >> The funny thing is, TLS works fine from a remote host, but not on the
>> >> server itself. I tried changing localhost to the actual DNS name of the
>> >> server, but still I get the same error.
>> >> is the ldap server a ldap client? my understanding is it has to be a
>> >> ldap client in order to make ldapsearch over tls work.
>> >
>> > You have to use the name in your search that matches the name in the
>> > certificate for TLS to work.
>>
>> In JLDAP clients I can connect to a remote ldaps server by using the ip
>> address as hostname, even though I obviously did not use the ip as the
>> name in the certificate. Is that advice specific to ldapsearch,
>> StartTLS, or something else I might be confused about?
>
>I'm guessing that JLDAP translates the IP address to the FQDN.
Which is counter to both general and LDAP-specific TLS certificate
verification rules. One shouldn't trust DNS. Sounds like a JLDAP bug to me.

>ldapsearch -ZZZ -h 171.67.16.11 uid=quanah uid
>ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
>routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Assuming the certificate doesn't list the IP address 171.67.16.11 as an
alternative subject name (which ldapsearch(1) should check), correct.

Kurt
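The verification rule Kurt states above, as an added Python example that is not part of this thread nor of OpenLDAP's or JLDAP's code: a matcher that compares the name the client connected to against the certificate's identities, treating an IP literal as matchable only by an iPAddress subjectAltName and never consulting DNS. The certificate contents are constructed; 171.67.16.11 is the address from the thread.

```python
import ipaddress

# Constructed certificate identities (not parsed from any real certificate),
# in the shape an X.509 parser would hand back: subject CN plus SAN entries.
# CERT_NO_IP_SAN mirrors Kurt's assumption: only a DNS name, no iPAddress SAN.
CERT_NO_IP_SAN = {"subject_cn": "ldap.example.com",
                  "san_dns": ["ldap.example.com", "*.ldap.example.com"],
                  "san_ip": []}
CERT_WITH_IP_SAN = {"subject_cn": "ldap.example.com",
                    "san_dns": ["ldap.example.com"],
                    "san_ip": ["171.67.16.11"]}


def dns_name_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison. A '*' is accepted only as the whole
    leftmost label, matches exactly one label, and may not replace the entire
    registered domain (so '*.com' never matches)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_target(cert: dict, target: str) -> bool:
    """Return True if `target` (what the client typed after -h) is an identity
    the certificate asserts. An IP literal is compared only against iPAddress
    SANs, never translated to a name through DNS. A hostname is compared
    against dNSName SANs, falling back to the subject CN only when the cert
    carries no dNSName entry (the LDAP rule from RFC 4513, section 3.1.3)."""
    try:
        ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.get("san_ip", []))
    dns_names = cert.get("san_dns") or [cert["subject_cn"]]
    return any(dns_name_match(n, target) for n in dns_names)


if __name__ == "__main__":
    for label, cert in (("no iPAddress SAN", CERT_NO_IP_SAN),
                        ("iPAddress SAN", CERT_WITH_IP_SAN)):
        for target in ("ldap.example.com", "171.67.16.11", "localhost"):
            verdict = "ok" if cert_matches_target(cert, target) else "certificate verify failed"
            print(f"{label:17} -h {target:18} -> {verdict}")
```

Connecting with `-h 171.67.16.11` to the first certificate fails exactly as in the quoted ldapsearch run, while the same address succeeds once the certificate carries it as an iPAddress SAN.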
