Brian Reichert wrote:
> On Wed, Feb 26, 2020 at 02:18:53PM +0000, Müller Lioh wrote:
>> Hi all,
>>
>> I am trying to do a ldapsearch against our Active Directory LDAPS like:
>>
>> ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W
>> -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub
>> '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)'
>>
>> The domain controllers have certificates generated with CNs like this:
>>
>> subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01,
>>
>> and a SAN defined as ldap.mydomain.ch.
>>
>> Yet, I got an error like:
>>
>> TLS: hostname (ldap.mydomain.ch) does not match common name in
>> certificate (DC01).
>>
>> An interesting fact is that if the CN is set to the fqdn like
>> dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with
>> ldap.mydomain.ch as SAN).
>
> I may be misreading this, but this sounds like a TLS issue.
Wrong. The above error message comes from libldap.

> If you're using 'dc01.mydomain.ch' in your LDAP URI, then your
> client is successfully validating the certificate.
>
> When you use 'ldap.mydomain.ch' in your LDAP URI, your client clearly
> says that the certificate from whatever server 'ldap.mydomain.ch'
> points to, does not have 'ldap.mydomain.ch' in its SAN.
>
> This is a TLS negotiation issue; you haven't gotten as far as using
> LDAP yet.

Definitely sounds like the SAN is not set correctly in the cert, but this is definitely libldap complaining, the TLS library doesn't do this hostname check.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
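An added example, not part of this thread or of libldap: a stand-alone Python function that performs the kind of hostname check discussed above (SAN dNSName entries first, subject CN afterwards) against constructed certificate names, so an operator can see which name the client actually compared. The certificate names and the `CertNames` container are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Names extracted from a server certificate (constructed for this example)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match; a leading '*' may match one whole label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False  # only '*.example.ch'-style wildcards in the leftmost label
    return p_labels[1:] == h_labels[1:]


def check_hostname(names: CertNames, hostname: str) -> Optional[str]:
    """Return None when the certificate covers hostname, else a diagnostic string.

    SAN dNSName entries are checked first; the subject CN is consulted only
    afterwards, so a bare CN such as 'DC01' never satisfies a client that
    connected as 'ldap.mydomain.ch'.
    """
    if any(_name_matches(san, hostname) for san in names.san_dns):
        return None
    if _name_matches(names.common_name, hostname):
        return None
    return (f"TLS: hostname ({hostname}) does not match common name in "
            f"certificate ({names.common_name}); SAN dNSName entries: "
            f"{names.san_dns or 'none'}")


# Constructed certificate names mirroring the two situations in the thread.
DC_CERT_BAD = CertNames(common_name="DC01", san_dns=[])  # SAN not actually set
DC_CERT_GOOD = CertNames(common_name="dc01.mydomain.ch",
                         san_dns=["ldap.mydomain.ch", "dc01.mydomain.ch"])

if __name__ == "__main__":
    for cert in (DC_CERT_BAD, DC_CERT_GOOD):
        print(check_hostname(cert, "ldap.mydomain.ch") or "hostname OK")
```

The diagnostic lists the SAN entries the check saw, which is the first thing to compare against what the domain controller's certificate template was supposed to emit.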
