
Re: Idea for enabling LDAP SSL certificate checking



[John S. Skogtvedt]
> In other words, if the certificate Common Name is "ldap", one has to
> connect to the server using the hostname "ldap". I know that that
> worked in lenny at least, I'll be very surprised if it doesn't in
> squeeze (but at least in lenny ldapvi had a bug making it the only
> program not to accept the certificate).

I suspect something changed between Lenny and Squeeze, as certificate
checking seems to have become stricter.

> This said, one can make it possible to use both "ldap" and
> "ldap.intern". Use e.g. "ldap.intern" as the Common Name, and put
> "DNS:ldap" in the subjectAltName (google openssl subjectAltName for
> more information).

Sounds like a better idea, as it does not force us to change all
instances of ldap to ldap.intern.  Testing it now.

Happy hacking,
-- 
Petter Reinholdtsen
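
The subjectAltName approach quoted above, as an added example that is not part of the original thread: it builds two throwaway self-signed certificates with CN "ldap.intern" and checks which hostnames OpenSSL's own host check accepts. It assumes OpenSSL 1.1.1 or newer (for `-addext`); the file names and function names are constructed. OpenSSL's check ignores the Common Name once the subjectAltName holds DNS entries, so the second certificate lists both names there.

```shell
#!/bin/sh
# Added example: test certificates for the names "ldap" and "ldap.intern".
# Requires OpenSSL >= 1.1.1. All file names below are constructed.

# make_cert <certfile> <subjectAltName value>
# Self-signed, one-day certificate with CN=ldap.intern; key is written to <certfile>.key
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" \
        -subj "/CN=ldap.intern" -addext "subjectAltName=$2" 2>/dev/null
}

# name_matches <certfile> <hostname>
# Succeeds only if OpenSSL considers the certificate valid for <hostname>.
# -checkhost prints "does match" or "does NOT match"; grep tells them apart.
name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Demo: compare a SAN holding only the short name with a SAN holding both names.
tmp=$(mktemp -d)
make_cert "$tmp/short.pem" "DNS:ldap"
make_cert "$tmp/both.pem"  "DNS:ldap,DNS:ldap.intern"
for cert in short both; do
    for host in ldap ldap.intern; do
        if name_matches "$tmp/$cert.pem" "$host"; then
            result=accepted
        else
            result=rejected
        fi
        echo "$cert.pem  $host: $result"
    done
done
rm -rf "$tmp"
```
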

