Re: Idea for enabling LDAP SSL certificate checking
[John S. Skogtvedt]
> In other words, if the certificate Common Name is "ldap", one has to
> connect to the server using the hostname "ldap". I know that that
> worked in lenny at least, I'll be very surprised if it doesn't in
> squeeze (but at least in lenny ldapvi had a bug making it the only
> program not to accept the certificate).
I suspect something changed between Lenny and Squeeze, as certificate
checking seems to have become stricter.
> This said, one can make it possible to use both "ldap" and
> "ldap.intern". Use e.g. "ldap.intern" as the Common Name, and put
> "DNS:ldap" in the subjectAltName (google openssl subjectAltName for
> more information).
Sounds like a better idea, as it does not force us to change all
instances of ldap to ldap.intern. Testing it now.
Happy hacking,
--
Petter Reinholdtsen
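
An added example, not part of the original message: a throwaway self-signed certificate with Common Name "ldap.intern" and a subjectAltName, checked against each hostname with OpenSSL's own matcher. The file names, the helper functions and the use of `openssl req -addext` (OpenSSL 1.1.1 or later) are assumptions; the LDAP client libraries discussed in the thread may match names differently.

```shell
#!/bin/sh
# Constructed example: test certificate for a hypothetical LDAP server.
# Nothing here comes from the thread except the names "ldap" and "ldap.intern".

# make_cert DIR SAN: write DIR/key.pem and DIR/cert.pem with CN=ldap.intern
# and the given subjectAltName value.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.intern" \
        -addext "subjectAltName=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# host_matches CERT HOSTNAME: succeed if OpenSSL accepts HOSTNAME for CERT.
# "-checkhost" prints "does match" or "does NOT match".
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# report CERT HOSTNAME...: print one verdict per hostname.
report() {
    cert=$1; shift
    for h in "$@"; do
        if host_matches "$cert" "$h"; then
            echo "  $h: accepted"
        else
            echo "  $h: rejected"
        fi
    done
}

demo() {
    dir=$(mktemp -d)

    # Only the short name in subjectAltName. OpenSSL's checker ignores the
    # Common Name once any DNS subjectAltName entry is present.
    make_cert "$dir" "DNS:ldap"
    echo "CN=ldap.intern, SAN=DNS:ldap"
    report "$dir/cert.pem" ldap ldap.intern

    # Every name clients connect with listed in subjectAltName.
    make_cert "$dir" "DNS:ldap,DNS:ldap.intern"
    echo "CN=ldap.intern, SAN=DNS:ldap,DNS:ldap.intern"
    report "$dir/cert.pem" ldap ldap.intern other.intern

    rm -rf "$dir"
}

demo
```

Listing every hostname in subjectAltName avoids depending on whether a given client still falls back to the Common Name.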