On Fri, 18 Oct 2013 14:30:35 +0100, lejeczek <[email protected]> wrote:

> On 10/18/2013 11:59 AM, Christian Kratzer wrote:
>> Hi,
>>
>> On Fri, 18 Oct 2013, lejeczek wrote:
>> <snipp/>
>>> hi Christian
>>>
>>> my case is, well, it should be a lot simpler: one box with
>>>
>>> slapd.local.domain
>>> slap.public.external
>>>
>>> and this one host I would like to be able to search
>>> through on/via both hostnames/IPs with TLS,
>>> so I issue myself and sign a certificate; the CA issuer is
>>> CA.local.domain
>>>
>>> Subject: .......... CN=slapd.local.domain/email.........
>>> and
>>> X509v3 Subject Alternative Name:
>>>     DNS:slap.public.external, IP Address:ex.te.rn.al
>>>
>>> ldapsearch -h slap.public.external -D cn=manager,dc=local,dc=domain ....
>>> result:
>>> TLS: hostname (slap.public.external) does not match common name in certificate (slapd.local.domain).
>>> TLS: can't connect: TLS error -8157:Certificate extension not found..
>>> ldap_start_tls: Connect error (-11)
>>>         additional info: TLS error -8157:Certificate extension not found.
>>>
>>> whereas:
>>> ldapsearch -h slap.local.domain -D cn=manager,dc=local,dc=domain
>>> works fine.
>>> Could it be the tools from openldap-clients, a bug?
>>> Apache's ldap toolkit for Eclipse seems to work and
>>> connects to slap.public.external
>>
>> this should work. It does in two separate setups that I
>> maintain.
>>
>> Which version is your openldap client ?
> the whole toolkit is Red Hat's 2.4.23-31.el6.x86_64 on RHEL 6.4
>
>> Have you configured the CA certificate for trust ? I have
>> the following in my /usr/local/etc/openldap/ldap.conf to
>> configure the CA certificate:
>
> for ldapsearch I use args in line for the command; I also
> debug it and see that the wanted certificate is pulled in
>
>> [ck@ldaptest1]$ cat ~ldap/ldap.conf
>> BASE dc=example,dc=org
>> URI ldap://ldaptest1.cksoft.de
>> TLS_CACERT /usr/local/etc/openldap/certs/cksoftware-gmbh-ca-2011-2031.cert
>>
>> TLS_REQCERT demand
>>
>>> btw, being a novice with openssl, is there a way to print
>>> extensions, thus the SAN, of a certificate?
>>> I can print and see it on the request.
>>
>> use the following to dump the certificate:
>>
>> openssl s_client -text -in CERT.pem
> and there is no such thing for s_client in the toolkit version as
> above,
> I normally view a certificate with:
>
> openssl x509 -issuer -subject -enddate -noout -text -in CERT.pem -- and I cannot see subjectAltNames
>
> how could it be, given the above is the right way to get all
> relevant info of a certificate, that the request has
> subjectAltNames but the actual certificate misses it?

You are requesting just a reduced set of data; openssl x509 -text -noout -in CERT.pem will present all relevant data.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
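The inspection question in the thread (the request carries a SAN, the issued certificate does not, and the client then falls back to matching the CN) as an added shell example; this is not code from the thread. It shows that `openssl x509 -req` does not carry a CSR's requested extensions into the certificate unless they are supplied at signing time, and uses `openssl verify -verify_hostname` to reproduce the client-side check. It assumes OpenSSL 1.1.1 or later on the PATH; the CA name, key sizes and the 192.0.2.10 address are constructed, the hostnames are the thread's placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA and a CSR that requests
# a SAN, signed twice: plainly, and with the SAN supplied at signing time.
# Hostnames are the thread's placeholders; CA name and IP are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"

cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
subjectAltName = DNS:slapd.local.domain, DNS:slap.public.external, IP:192.0.2.10
EOF

# Throwaway CA, then a CSR whose "Requested Extensions" carry the SAN.
openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=CA.local.domain" -keyout ca.key -out ca.pem 2>/dev/null
openssl req -new -config req.cnf -reqexts server_ext -newkey rsa:2048 -nodes \
    -subj "/CN=slapd.local.domain" -keyout server.key -out server.csr 2>/dev/null

# Signing 1: plain "openssl x509 -req" does not carry CSR extensions over.
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out nosan.pem 2>/dev/null
# Signing 2: the SAN is supplied via -extfile/-extensions at signing time.
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile req.cnf -extensions server_ext -out san.pem 2>/dev/null

# san_of x509|req FILE: print the SAN line of a cert or CSR, "" if absent.
san_of() {
    openssl "$1" -noout -text -in "$2" |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
# hostname_ok CERT NAME: the client-side check; the CN is consulted only
# when the certificate has no SAN, which is why the local name still works.
hostname_ok() {
    openssl verify -CAfile ca.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
}

echo "CSR SAN  : $(san_of req server.csr)"
echo "nosan.pem: $(san_of x509 nosan.pem)"
echo "san.pem  : $(san_of x509 san.pem)"
for c in nosan.pem san.pem; do for h in slapd.local.domain slap.public.external; do
    hostname_ok "$c" "$h" && echo "$c for $h: ok" || echo "$c for $h: MISMATCH"
done; done
```

With a real certificate, `openssl x509 -noout -text -in CERT.pem | grep -A1 'Subject Alternative Name'` is the same check applied to the file the server actually serves.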
