[Fedora-directory-users] password history question
Mark McLoughlin
markmc at redhat.com
Tue Jan 10 08:20:39 UTC 2006
On Mon, 2006-01-09 at 20:56 +0100, Jo De Troy wrote:
> Hi Susan,
>
> yes it is. Below you can see my /etc/openldap/ldap.conf
> #
> HOST ldapserver
> BASE dc=example,dc=com
> TLS_REQCERT allow
> TLS_CACERT /etc/openldap/cacerts/cacert
>
> The openssl command Mark pointed to works fine. From that output I
> grabbed the CAcert and stored it the file I'm referencing in
> the /etc/openldap/ldap.conf
What's "ldapsearch -d 10" saying?
> I'm wondering if the certificate I created is correct. Should the cn
> in the certificate have the hostname as value? I guess it should or
> not?
In order for ldapsearch to verify the certificate, you need to contact
the ldap server with the same hostname which is specified in the
certificate. You can do that by making the subject of the cert
"ldapserver.foo.com" or (I think, but haven't tried) by setting the
subjectAltName extension to something like:
subjectAltName = DNS:ldapserver.foo.com,IP:135.208.5.2
In which case you could contact it with either the subject name or the
alternative subject names.
Cheers,
Mark.
More information about the Fedora-directory-users
mailing list