I created two new certificates for different LDAP servers, one customer and one provider.
Running slapd -d 127 "ldaps://" in the CLI, they could verify each other, but I could not use ldapmodify to import data yet; the error info is the same.

gtalk:[email protected]

On Fri, Jul 2, 2010 at 2:37 PM, owen nirvana <[email protected]> wrote:
> If the CN must be the fully qualified domain name, then a specific CA could not
> issue two certificates with the same CN if the LDAP server needs to act as server
> and client simultaneously.
>
> How do I issue two certificates to make the LDAP server act as server and
> client simultaneously?
>
> gtalk:[email protected]
>
> On Fri, Jul 2, 2010 at 1:24 PM, Indexer <[email protected]> wrote:
>
>> The CN should be the fully qualified domain name, i.e. if my server is
>> ldap.domain.com, the CN must match ldap.domain.com, and you must connect
>> to the server using ldap://ldap.domain.com. It is the cause of most TLS
>> issues.
>>
>> On 02/07/2010, at 2:51 PM, owen nirvana wrote:
>>
>> > I created a new certificate and key, CN = Administrator. No more "verify
>> > failed", but
>> >
>> > "ldap_start_tls: Can't contact LDAP server (-1)" is still reported, with no
>> > additional info.
>> >
>> > gtalk:[email protected]
>> >
>> > On Fri, Jul 2, 2010 at 12:47 PM, owen nirvana <[email protected]> wrote:
>> >
>> >> Thanks.
>> >>
>> >> About "Your server's CN on the certificate must also match the hostname of
>> >> the server."
>> >>
>> >> Does it mean the CN should be the OS username, like Administrator, or the LDAP
>> >> server name, like "ldap.server"?
>> >>
>> >> gtalk:[email protected]
>> >>
>> >> On Fri, Jul 2, 2010 at 11:24 AM, Indexer <[email protected]> wrote:
>> >>
>> >>> On 02/07/2010, at 12:49 PM, owen nirvana wrote:
>> >>>
>> >>>> I set the TLS options to use ldaps.
>> >>>
>> >>> When using TLS you don't need LDAPS; you want to set your systems to
>> >>> ldap://ldap.server
>> >>>
>> >>>> Question 1:
>> >>>> Port 389 is still open when I scan the LDAP server with nmap, but I could
>> >>>> not connect to it with Apache Directory Studio v1.5.3.
>> >>>>
>> >>>> Question 2:
>> >>>> Nmap tells me "server still supports SSLv2", but I set TLSCipherSuite to
>> >>>> HIGH:MEDIUM:-SSLv2
>> >>>>
>> >>>> Question 3:
>> >>>> I try to import some data with ldapmodify:
>> >>>>
>> >>>> ldapmodify -a -H ldap://mydomain.org:636 -D "cn=admin,dc=mydomain,dc=org" -x
>> >>>> -w whatever -f init.ldif
>> >>>
>> >>> Try adding the -Z flag to turn on encryption. Your server's CN on the
>> >>> certificate must also match the hostname of the server.
>> >>>
>> >>>> The following is the error report:
>> >>>>
>> >>>> ldap_start_tls: Can't Contact LDAP Server(-1)
>> >>>> additional info: error: 14000092: SSL Routine: SSL3_GET_CERTFICATE:
>> >>>> certificate verify failed
>> >>>>
>> >>>> ldap_sasl_bind(Simple): Can't Contact LDAP Server(-1)
>> >>>>
>> >>>> gtalk:[email protected]
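An added, self-contained example (not code from the thread or from the OpenLDAP project) showing the certificate shape the replies above describe: a throwaway private CA and one server certificate whose CN and subjectAltName are the host name used in the LDAP URI, with extendedKeyUsage covering both serverAuth and clientAuth so a single certificate lets slapd act as TLS server and TLS client. The two checks at the bottom mirror what libldap does: chain validation against the CA file, and matching the URI host against the certificate. The host name ldap.mydomain.org, the CA name and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the list thread. Builds a private CA and a server
# certificate for LDAP_HOST, then checks chain and host-name matching the way
# an LDAP client does. Host name, CA name and file names are assumptions.
set -e

LDAP_HOST=${LDAP_HOST:-ldap.mydomain.org}
WORK=${WORK:-$(mktemp -d)}

make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Private CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
    -days 3650 -sha256 -out "$WORK/ca.crt"
}

# make_server_cert NAME: CN=NAME, SAN DNS:NAME, EKU serverAuth + clientAuth,
# so the same certificate serves slapd as server and as TLS client.
make_server_cert() {
  name=$1
  cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $name
[ext]
subjectAltName = DNS:$name
extendedKeyUsage = serverAuth, clientAuth
keyUsage = digitalSignature, keyEncipherment
EOF
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -config "$WORK/$name.cnf" \
    -out "$WORK/$name.csr"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/$name.cnf" -extensions ext \
    -out "$WORK/$name.crt" 2>/dev/null
}

# chain_ok NAME: the validation done against TLS_CACERT / TLSCACertificateFile
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# host_ok NAME HOST: does the certificate match the host part of the LDAP URI?
host_ok() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkhost "$2" | grep -q "does match"
}

# has_client_eku NAME: may the certificate also be presented as a client cert?
has_client_eku() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "TLS Web Client Authentication"
}

make_ca
make_server_cert "$LDAP_HOST"
chain_ok "$LDAP_HOST" && echo "chain OK for $LDAP_HOST"
host_ok "$LDAP_HOST" "$LDAP_HOST" && echo "name OK: certificate matches $LDAP_HOST"
host_ok "$LDAP_HOST" mydomain.org || echo "name FAIL: bare domain mydomain.org in the URI does not match"
make_server_cert Administrator
host_ok Administrator "$LDAP_HOST" || echo "name FAIL: CN=Administrator does not match $LDAP_HOST"
# slapd then points TLSCACertificateFile at $WORK/ca.crt, TLSCertificateFile at
# $WORK/$LDAP_HOST.crt and TLSCertificateKeyFile at $WORK/$LDAP_HOST.key, and
# clients use either StartTLS on 389:   ldapsearch -ZZ -H ldap://$LDAP_HOST ...
# or LDAPS on 636:                       ldapsearch -H ldaps://$LDAP_HOST ...
# (not -Z together with ldap://host:636, which is what the thread's command did).
```

Two points the demo makes concrete: the name checked is the host in the URI, so `-H ldap://mydomain.org` against a certificate for `ldap.mydomain.org` fails just as `CN=Administrator` does, and a CA has no trouble issuing one certificate that carries both `serverAuth` and `clientAuth`, so no second certificate with the same CN is needed. Separately, `TLSCipherSuite` only selects cipher suites; protocol versions are governed by `TLSProtocolMin` in slapd.conf(5), which is why an nmap scan can still report SSLv2 after `-SSLv2` is added to the cipher string.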
