The CN should be the fully qualified domain name, i.e. if my server is ldap.domain.com, the CN must match ldap.domain.com, and you must connect to the server using ldap://ldap.domain.com. This is the cause of most TLS issues.
On 02/07/2010, at 2:51 PM, owen nirvana wrote:

> I created a new certificate and key, CN = Administrator; no more "verify failed", but
>
> "ldap_start_tls : Can't Contact LDAP Server(-1)" is still reported, with no additional info.
>
> On Fri, Jul 2, 2010 at 12:47 PM, owen nirvana wrote:
>
>> thanks
>>
>> about "Your server's CN on the certificate must also match the hostname of the server."
>>
>> does it mean the CN should be the username of the OS, like Administrator, or the ldap server name, like "ldap.server"?
>>
>> On Fri, Jul 2, 2010 at 11:24 AM, Indexer wrote:
>>
>>> On 02/07/2010, at 12:49 PM, owen nirvana wrote:
>>>
>>>> I set tls options to use ldaps.
>>>
>>> When using TLS you don't need LDAPS, you want to set your systems to ldap://ldap.server
>>>
>>>> question 1:
>>>> port 389 is open when I scan the LDAP Server with nmap, but I could not connect to it with Apache Directory Studio v1.5.3.
>>>>
>>>> question 2:
>>>> Nmap tells me "server still supports SSLv2", but I set TLSCipherSuite to HIGH:MEDIUM:-SSLv2
>>>>
>>>> question 3:
>>>> I try to import some data with ldapmodify
>>>>
>>>> ldapmodify -a -H ldap://mydomain.org:636 -D "cn=admin,dc=mydomain,dc=org" -x -w whatever -f init.ldif
>>>
>>> Try adding the -Z flag to turn on encryption. Your server's CN on the certificate must also match the hostname of the server.
>>>
>>>> the following is the error report:
>>>>
>>>> ldap_start_tls : Can't Contact LDAP Server(-1)
>>>> addition info: error: 14000092: SSL Routine: SSL3_GET_CERTFICATE: certificate verify failed
>>>>
>>>> ldap_sasl_bind(Simple): Can't Contact LDAP Server(-1)
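As an added illustration of the point made in the reply above (this is not code from the thread or from OpenLDAP): a small name-matching check that shows why a certificate with CN=Administrator can never satisfy a client connecting to ldap://ldap.domain.com. It goes slightly beyond the thread by also handling SAN dNSName entries and single-label wildcards, since modern clients ignore the CN once any SAN is present; all function names are my own.

```python
"""Does the host in an LDAP URL match the names in the server certificate?

The thread above boils down to: the name the client types after ldap://
must appear in the certificate (CN, or a SAN dNSName), or the StartTLS
handshake fails with "certificate verify failed".
"""
from typing import List, Optional
from urllib.parse import urlsplit


def url_host(ldap_url: str) -> str:
    """Return the host part of an ldap:// or ldaps:// URL, lower-cased, without port."""
    parts = urlsplit(ldap_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {ldap_url!r}")
    return parts.hostname.lower().rstrip(".")


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host.

    Comparison is case-insensitive; a '*' may replace only the left-most
    label, must cover exactly one label, and must leave at least two real
    labels behind (so '*.com' never matches).
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return (len(p_labels) == len(h_labels)
                and len(p_labels) >= 3
                and p_labels[1:] == h_labels[1:])
    return False


def cert_matches_url(ldap_url: str, common_name: str,
                     san_dns: Optional[List[str]] = None) -> bool:
    """True when the URL host is covered by the certificate.

    If the certificate carries any SAN dNSName, only those are consulted and
    the CN is ignored, which is how current TLS clients behave.
    """
    host = url_host(ldap_url)
    if san_dns:
        return any(name_matches(n, host) for n in san_dns)
    return name_matches(common_name, host)


if __name__ == "__main__":
    # constructed inputs mirroring the thread: CN=Administrator vs. the real hostname
    print(cert_matches_url("ldap://ldap.domain.com", "Administrator"))   # False
    print(cert_matches_url("ldap://ldap.domain.com", "ldap.domain.com")) # True
```

Connecting by IP address (ldap://192.0.2.10) fails the same check unless the certificate carries that address as a SAN iPAddress, which this helper does not model.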
