>>> Hallvard Breien Furuseth <[email protected]> wrote on 23.03.2015 at 13:53 in message <[email protected]>:
> On 23 March 2015 12:45, Ulrich Windl wrote:
>> Related question: If the command above fails with "stronger confidentiality
>> required", and adding "-ZZ" fails with "TLS: hostname does not match CN in
>> peer certificate", what should a proper certificate look like?
>
> Read the OpenLDAP Admin Guide, section 16 (TLS).
> In particular 16.1.1. Server Certificates.
Hi!

According to your proposal I read:
--
16.1.1. Server Certificates

The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the server's fully qualified domain name. Additional alias names and wildcards may be present in the subjectAltName certificate extension. More details on server certificate names are in RFC4513.
--
So this does not answer my question of how to cover the ldapi:// URI. Or maybe there's an easier way to override the "confidentiality required" for ldapi://?

You missed reading the essential part of my message, namely: "ldapwhoami -Y EXTERNAL -H ldapi://" (For a normal ldap: connection I have no problems with the settings.)

Regards,
Ulrich
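The following is an added example, not part of the thread and not text from either poster, showing the slapd cn=config interaction that produces "stronger confidentiality required" on an ldapi:// bind and one way to resolve it. It assumes the server's security requirement is set globally with olcSecurity and that olcLocalSSF is at its default; the value 128 is illustrative.

```ldif
# Added example (not from the thread): cn=config settings around
# "stronger confidentiality required" on ldapi://. Values are illustrative.

# A global requirement like this applies to every connection, including
# the local ldapi:// socket, and is checked before the SASL EXTERNAL bind:
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128

# ldapi:// carries no TLS, so slapd credits it with a fixed local SSF,
# olcLocalSSF (default 71). Since 71 < 128 the bind above is refused.
# Raising the local SSF to meet the requirement lets the ldapi:// bind
# through while keeping the requirement for network clients:
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
```

If ldapi:// is already refused by the requirement, apply the change over a connection that satisfies it (for example ldaps:// with an administrative bind) or, for a slapd.conf setup, use the equivalent `localSSF 128` directive and restart. The alternative is to lower the olcSecurity requirement to at most the local SSF. Raising olcLocalSSF is a statement that the Unix socket is trusted as much as a 128-bit TLS session, so the socket's filesystem permissions should reflect that.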
