If the CN must be the fully qualified domain name, then a specific CA could not issue two certificates with the same CN if the LDAP server needs to act as server and client at the same time.

How to issue two certificates to make the LDAP server act as server and client at the same time?

gtalk:[email protected]

On Fri, Jul 2, 2010 at 1:24 PM, Indexer <[email protected]> wrote:
> The CN should be the fully qualified domain name, aka if my server is
> ldap.domain.com, the CN must match ldap.domain.com, and you must connect
> to the server using ldap://ldap.domain.com. It is the cause of most TLS
> issues.
>
> On 02/07/2010, at 2:51 PM, owen nirvana wrote:
>
>> I created a new certificate and key, CN = Administrator; no more "verify
>> failed", but
>>
>> "ldap_start_tls : Can't Contact LDAP Server(-1)" is still reported, with
>> no additional info.
>>
>> On Fri, Jul 2, 2010 at 12:47 PM, owen nirvana <[email protected]> wrote:
>>
>>> Thanks.
>>>
>>> About "Your server's CN on the certificate must also match the hostname
>>> of the server."
>>>
>>> Does it mean the CN should be the username of the OS, like Administrator,
>>> or the LDAP server name, like "ldap.server"?
>>>
>>> On Fri, Jul 2, 2010 at 11:24 AM, Indexer <[email protected]> wrote:
>>>
>>>> On 02/07/2010, at 12:49 PM, owen nirvana wrote:
>>>>
>>>>> I set TLS options to use ldaps.
>>>>
>>>> When using TLS you don't need LDAPS; you want to set your systems to
>>>> ldap://ldap.server
>>>>
>>>>> question 1:
>>>>> port 389 is still open when I scan the LDAP server with nmap, but I
>>>>> could not connect to it with Apache Directory Studio v1.5.3.
>>>>>
>>>>> question 2:
>>>>> Nmap tells me "server still supports SSLv2", but I set TLSCipherSuite to
>>>>> HIGH:MEDIUM:-SSLv2
>>>>>
>>>>> question 3:
>>>>> I try to import some data with ldapmodify
>>>>>
>>>>> ldapmodify -a -H ldap://mydomain.org:636 -D "cn=admin,dc=mydomain,dc=org" -x -w whatever -f init.ldif
>>>>
>>>> Try adding the -Z flag to turn on encryption. Your server's CN on the
>>>> certificate must also match the hostname of the server.
>>>>
>>>>> The following is the error report:
>>>>>
>>>>> ldap_start_tls : Can't Contact LDAP Server(-1)
>>>>> addition info: error: 14000092: SSL Routine: SSL3_GET_CERTFICATE:
>>>>> certificate verify failed
>>>>>
>>>>> ldap_sasl_bind(Simple): Can't Contact LDAP Server(-1)
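The thread ends without a resolution, so here is an added example (not written by any of the participants) that reproduces the two points it turns on with throwaway certificates built by openssl: whether the name a client puts in its ldap:// URL is covered by the certificate (subjectAltName first, then CN, the order OpenSSL's X509_check_host uses), which is the check behind "certificate verify failed" when the CN is "Administrator" rather than the server's FQDN; and whether the certificate's extendedKeyUsage permits both the TLS server and TLS client roles. One certificate carrying both serverAuth and clientAuth can be used by slapd in both roles, so the CA does not need to issue a second certificate with the same CN. The script assumes openssl 1.1.1 or later (for -addext, -ext and -checkhost); ldap.domain.com and Administrator are the names from the thread, used here as constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the thread. Builds self-signed test certificates
# and checks (1) hostname coverage and (2) server/client extendedKeyUsage.
# Assumes openssl >= 1.1.1. Sample names are constructed, not real hosts.

WORK="${TMPDIR:-/tmp}/ldap-tls-check.$$"

# make_cert <basename> <subject CN> [<SAN DNS name>] [<EKU list>]
# Writes $WORK/<basename>.pem (self-signed, valid one day) and its key.
# Default EKU lists both purposes, so one cert serves slapd as server and client.
make_cert() {
    name=$1; cn=$2; san=$3; eku=${4:-serverAuth,clientAuth}
    mkdir -p "$WORK"
    if [ -n "$san" ]; then
        set -- -addext "subjectAltName=DNS:$san"
    else
        set --
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$cn" -addext "extendedKeyUsage=$eku" "$@" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# cert_matches_host <basename> <hostname>
# Exit 0 when <hostname> is covered by the certificate (SAN dNSName entries,
# falling back to CN only when there are none), i.e. what a client that
# connects to ldap://<hostname> with certificate verification will accept.
cert_matches_host() {
    openssl x509 -noout -in "$WORK/$1.pem" -checkhost "$2" 2>/dev/null \
        | grep -q 'does match'
}

# cert_has_eku <basename> <serverAuth|clientAuth>
# Exit 0 when the extendedKeyUsage extension lists that purpose.
cert_has_eku() {
    case $2 in
        serverAuth) want='TLS Web Server Authentication' ;;
        clientAuth) want='TLS Web Client Authentication' ;;
        *) echo "unknown purpose: $2" >&2; return 2 ;;
    esac
    openssl x509 -noout -in "$WORK/$1.pem" -ext extendedKeyUsage 2>/dev/null \
        | grep -q "$want"
}

# dual_role_ok <basename> <hostname>
# Exit 0 only when one certificate can serve slapd as TLS server for
# ldap://<hostname> clients and as TLS client (e.g. syncrepl to another server).
dual_role_ok() {
    cert_matches_host "$1" "$2" \
        && cert_has_eku "$1" serverAuth \
        && cert_has_eku "$1" clientAuth
}

# report <basename> <hostname>: one summary line per certificate.
report() {
    if cert_matches_host "$1" "$2"; then n=match; else n=MISMATCH; fi
    if cert_has_eku "$1" serverAuth; then s=yes; else s=no; fi
    if cert_has_eku "$1" clientAuth; then c=yes; else c=no; fi
    printf '%-6s ldap://%-16s name:%-9s serverAuth:%-4s clientAuth:%s\n' \
        "$1" "$2" "$n" "$s" "$c"
}

cleanup() { rm -rf "$WORK"; }

# Demo: the FQDN certificate, the "CN = Administrator" attempt from the
# thread, and a server-only certificate that cannot be reused as a client.
make_cert fqdn  ldap.domain.com ldap.domain.com
make_cert admin Administrator
make_cert srv   ldap.domain.com ldap.domain.com serverAuth
report fqdn  ldap.domain.com
report admin ldap.domain.com
report srv   ldap.domain.com
report fqdn  ldap             # a short name in the URL fails the same check
cleanup
```

Run it as `sh ldap-tls-check.sh`; only the `fqdn` line reports a name match with both purposes. The same name check is why Indexer's advice to connect with `ldap://ldap.domain.com` and `-Z` matters: the client compares the hostname in the URL, not the OS user name, against the certificate.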
