Hi,

On Monday, 28. May 2012, Philip Guenther wrote:
> On Mon, 28 May 2012, Michael Ströder wrote:
> > Peter Marschall wrote:
> > > how do the openldap tools technically verify certificates with
> > > ldapi:// ?
> >
> > Which certs do you want to verify?
>
> I assume the answer is "the one the server returns when you do StartTLS on
> the ldapi:// connection".

Correct.

> If that's not a sufficient option, and verifying certs is required, then
> it appears the code will treat the socket path as the hostname to verify
> for. For OpenSSL, for example, that means it'll compare it against any
> DNS: subjectAltNames as well as against the last CN component of the cert
> subject.

That's not what the openldap tools do. My server certificates do not contain the ldapi socket path as hostnames, yet ldapsearch -LLL -x -H ldapi:/// -ZZ -s base -b "" works and I want to find out how it does this.

Best
Peter

--
Peter Marschall
[email protected]
