On Tuesday 15 April 2008 15:23:11 kevin montuori wrote:
> >>>>> "BM" == Buchan Milne <[EMAIL PROTECTED]> writes:
>
>     >> I'd like to set up LDAP command line tools to point to a server
>     >> -- say localhost -- that has a certificate with an arbitrary
>     >> name in it -- say `my-domain.com`.
>
>     BM> Either:
>
>     BM> 1) Add an entry to /etc/hosts so that the name on the certificate
>     BM> resolves to the correct IP address, and always use the name on
>     BM> any connection where you want certificate validation or
>
>     BM> 2) Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are
>     BM> using anything besides OpenLDAP software (nss_ldap,pam_ldap) be
>     BM> aware that their configuration is not identical ...
>
> or, if you can, use the subjectAltName certificate extension. see the
> administrator's guide, 14.1.1. works as expected and there's no funky
> client side configuration required.
This solution assumes that you can change the cert (and even if you can, whether the CA supports/allows the subject alternative name extension), which is not necessarily a good assumption to make.

Regards,
Buchan
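The thread turns on one check: the client compares the host name it connected to against the names in the server certificate, and TLS_REQCERT decides what a mismatch costs. The following is an added Python illustration of that check, written for this page and not taken from OpenLDAP's libldap; the certificate dictionaries are constructed (in the shape Python's `ssl.getpeercert()` returns), the wildcard handling is a simplified RFC 6125-style rule, and `reqcert_outcome` encodes the TLS_REQCERT semantics documented in ldap.conf(5) (`demand`/`hard`/`try` abort on a bad certificate, `allow`/`never` proceed). It shows why connecting to `localhost` fails against a cert for `my-domain.com`, why the /etc/hosts trick works (you connect by the certified name), and why a subjectAltName entry removes the problem outright.

```python
"""Host-name-to-certificate matching as an LDAP client performs it.

Added example for this thread, not OpenLDAP code. Certificates below are
constructed; they mimic the dict shape returned by ssl.getpeercert().
"""
from typing import Tuple


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a host name.

    Simplified RFC 6125 rule: exact case-insensitive match, or a single
    leading '*' standing for exactly one left-most label (never the
    top-level or second-level label alone).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if hostname is named by the cert.

    When subjectAltName carries dNSName entries they are authoritative and
    the subject CN is ignored; only a SAN-less cert falls back to the CN.
    """
    san_dns = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if san_dns:
        return any(_name_match(n, hostname) for n in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _name_match(value, hostname):
                return True
    return False


def reqcert_outcome(policy: str, cert: dict, hostname: str) -> Tuple[bool, str]:
    """Apply a TLS_REQCERT policy to the name check.

    Returns (session_proceeds, explanation). Policy semantics follow
    ldap.conf(5): demand/hard/try terminate on a bad certificate,
    allow ignores it, never performs no check at all.
    """
    if policy == "never":
        return True, "TLS_REQCERT never: certificate not checked"
    if cert_matches_host(cert, hostname):
        return True, "certificate name matches"
    if policy in ("demand", "hard", "try"):
        return False, f"name mismatch: session terminated under TLS_REQCERT {policy}"
    if policy == "allow":
        return True, "name mismatch ignored under TLS_REQCERT allow"
    raise ValueError(f"unknown TLS_REQCERT value: {policy}")


# Constructed certificates: the situation from the thread (CN only) and the
# fix kevin suggested (subjectAltName also naming localhost).
CERT_CN_ONLY = {
    "subject": ((("commonName", "my-domain.com"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "my-domain.com"),),),
    "subjectAltName": (("DNS", "my-domain.com"), ("DNS", "localhost")),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        for host in ("localhost", "my-domain.com"):
            for policy in ("demand", "allow"):
                ok, why = reqcert_outcome(policy, cert, host)
                print(f"{label:8} host={host:14} TLS_REQCERT {policy:6} -> {ok!s:5} ({why})")
```

Running it prints the four combinations for each cert: with the CN-only cert, `localhost` is accepted only under `allow`, while `my-domain.com` (what the /etc/hosts entry lets you connect as) passes under `demand`; with the SAN cert both names pass under `demand`, which is the "no funky client side configuration" case. The `allow` row is the one a defender should be wary of: it keeps encryption but gives up server authentication for that client.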
