On Thu, Jan 12, 2012 at 05:31:31PM +0100, Michael Ströder wrote:
> We're using self-compiled OpenLDAP 2.4.27 under RHEL 6.1 linked
> against OpenSSL 1.0.0 libs shipped with RHEL.
>
> Unfortunately we can't get StartTLS to work. It always fails:
>
> # /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap-srv01.rz.domain
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
> # /opt/xxxdir/bin/ldapsearch -x -ZZ ldap://ldap.domain
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
>
> But OpenSSL lists the (IMO correct) hostnames in the server's certificate:
>
> ---------------------------------- snip ----------------------------------
> Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE
> [..]
> X509v3 Subject Alternative Name:
>     email:[email protected],
>     DNS:ldap.domain,
>     DNS:ldap-srv01.rz.domain,
>     DNS:ldap-srv02.rz.domain
> ---------------------------------- snip ----------------------------------
>
> Is the hostname check confused by the email in the first
> subjectAltName sequence value?

Probably not. I have just set up a test case like that and it works.
All software is current versions on Debian Squeeze:

@(#) $OpenLDAP: slapd 2.4.23 (Jun 15 2011 13:31:57) $
        @incagijs:/home/thijs/debian/p-u/openldap-2.4.23/debian/build/servers/slapd
OpenSSL 0.9.8o 01 Jun 2010

I usually find that the problem is with the client-side setup, probably
not getting the right TLS_CACERT value (i.e. in your case maybe
/opt/xxxdir/bin/ldapsearch is reading /opt/xxxdir/etc/openldap/ldap.conf
rather than /etc/openldap/ldap.conf).

Andrew

--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                 +44 1628 782565    |
-----------------------------------------------------------------------
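The reply's point, that a leading `email:` entry in the subjectAltName does not disturb the DNS-name check, can be made concrete with a small matcher. The following is an added example and is not code from the thread or from OpenLDAP's libldap; it parses the SAN and Subject lines from the text form that `openssl x509 -text` prints and applies RFC 6125-style rules (dNSName entries first, other SAN types skipped, CN consulted only when no dNSName exists, wildcard only as the whole left-most label). The certificate text is constructed to mirror the quoted snippet, with a placeholder e-mail address; the DNS names are the ones from the thread.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the openssl text dump quoted in the thread.
# The e-mail address is a placeholder; the DNS names are the thread's own.
SAMPLE_CERT_TEXT = """\
        Subject: CN=ldap.domain,OU=xxx,O=xxx,C=DE
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:hostmaster@example.invalid, DNS:ldap.domain, DNS:ldap-srv01.rz.domain, DNS:ldap-srv02.rz.domain
"""

# Constructed certificate with no SAN extension at all: only the CN fallback applies.
CN_ONLY_CERT_TEXT = """\
        Subject: CN=*.rz.domain,O=xxx,C=DE
"""


def parse_san(cert_text: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs from the SAN extension as printed by
    `openssl x509 -text`; the values sit on the line(s) indented under the header."""
    lines = cert_text.splitlines()
    for idx, line in enumerate(lines):
        if line.strip() != "X509v3 Subject Alternative Name:":
            continue
        header_indent = len(line) - len(line.lstrip())
        values = []
        for cont in lines[idx + 1:]:
            if not cont.strip() or len(cont) - len(cont.lstrip()) <= header_indent:
                break  # next extension header, or end of the extension block
            values.append(cont.strip())
        entries = []
        for item in ", ".join(values).split(","):
            item = item.strip()
            if ":" in item:
                kind, _, value = item.partition(":")  # first colon only: keeps IPv6 values intact
                entries.append((kind.strip(), value.strip()))
        return entries
    return []


def parse_subject_cn(cert_text: str) -> Optional[str]:
    """CN attribute of the Subject line, or None if absent."""
    match = re.search(r"^\s*Subject:.*?\bCN=([^,/\n]+)", cert_text, re.MULTILINE)
    return match.group(1).strip() if match else None


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored, and a
    wildcard accepted only as the entire left-most label (never for a bare TLD)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if "." not in suffix:
        return False  # patterns like "*.domain" are refused
    first_label, _, rest = hostname.partition(".")
    return bool(first_label) and rest == suffix


def hostname_matches(cert_text: str, hostname: str) -> bool:
    """Decide whether `hostname` is a valid name for the certificate. dNSName SAN
    entries are authoritative when present; other SAN types (email, IP, URI) are
    skipped rather than causing a mismatch; the Subject CN is consulted only when
    the certificate carries no dNSName at all."""
    dns_names = [value for kind, value in parse_san(cert_text) if kind.upper() == "DNS"]
    if dns_names:
        return any(name_matches(name, hostname) for name in dns_names)
    common_name = parse_subject_cn(cert_text)
    return common_name is not None and name_matches(common_name, hostname)


if __name__ == "__main__":
    for host in ("ldap-srv01.rz.domain", "ldap.domain", "ldap-srv03.rz.domain"):
        verdict = "match" if hostname_matches(SAMPLE_CERT_TEXT, host) else "MISMATCH"
        print(f"{host}: {verdict}")
```

Both names used in the failing `ldapsearch` calls match under these rules, so the certificate's name list is not what the error is reporting; that leaves the client-side configuration the reply points at, in particular which ldap.conf the self-compiled binary actually reads and whether its TLS_CACERT value is the right one.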
