
I'm trying to configure a secure LDAP client using the certificates (RootCA, IntermediateCA, IssuingCA and Server certificate) and have created the truststore. openssl s_client works successfully, but when I run ldapsearch I get the error below:

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer certificate

ldap.conf:

SASL_NOCANON    on
#Configuration for LDAP
URI ldaps://ldapserver.abc.example.com/
BASE dc=ldapserver,dc=abc,dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

LDAP server FQDN: ldapserver.abc.example.com
Client FQDN: centos7.xyz.example.com

Do I need to create a new certificate for the client using the provided certificates, if yes how?

  • `openssl s_client` by default does not check cert hostname. Try `openssl s_client -connect myldapserver:636 -verify_hostname myldapserver -verify_return_error` – dave_thompson_085 Feb 17 '21 at 06:14
  • @dave_thompson_085, thank you for your reply. I got a 'Verify return code: 62 (Hostname mismatch)' error. I'm using a wildcard cert; could that be the reason? If yes, then how can I fix this? – Jos Feb 17 '21 at 20:48
  • OpenSSL accepts wildcard cert if it's correct and the wildcard matches the (single) leftmost component as specified in 2830 and 4513 -- and others including 6125. (Actually 4513 allows wildcard only in SAN not CN, but OpenSSL allows both. You _should_ be using SAN this decade.) – dave_thompson_085 Feb 18 '21 at 06:18
  • @dave_thompson_085, the wildcard cert has subject alternative name: DNS Name=*.ldapserver.abc.example.com. Is this the right format? If yes, then why does it still say Hostname mismatch: 'TLS: hostname (ldapserver.abc.example.com) does not match common name in certificate (Ldap Example).' – Jos Feb 18 '21 at 19:06
  • @dave_thompson_085, got it working when I added TLS_REQSAN allow in ldap.conf. – Jos Feb 19 '21 at 03:02
  • The wildcard *.ldapserver.abc.example.com does NOT match ldapserver.abc.example.com; it would only match something like xyz.ldapserver.abc.example.com. See the RFCs as I said and/or https://serverfault.com/questions/1047111/ https://unix.stackexchange.com/questions/217959/ https://serverfault.com/questions/447222/ . If you're stuck with this cert then yes you'll have to disable checking. – dave_thompson_085 Feb 19 '21 at 08:58
  • You should add the TLS_REQSAN comment as an answer. (It's okay to answer your own question.) – Andrew Schulman Feb 19 '21 at 13:51
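
The wildcard rule dave_thompson_085 describes above, worked through in code. This is an added example, not part of the question or of OpenLDAP; it implements the conservative RFC 6125 / RFC 4513 matching most TLS clients apply (a wildcard only as the whole leftmost label, matching exactly one label, and the CN ignored once DNS SANs are present) against the SAN and CN values quoted in the comments, and shows why ldapserver.abc.example.com fails while a one-label-deeper host passes. Note that TLS_REQSAN allow relaxes the client check rather than correcting the certificate; the durable fix is a server certificate whose SAN lists the FQDN the client actually connects to.

```python
from typing import List, Optional, Tuple


def dns_name_matches(presented: str, reference: str) -> bool:
    """True if a DNS-ID from the certificate matches the host the client dialled."""
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if "*" not in presented:
        return presented == reference
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    # The wildcard must be the entire leftmost label, and at least two
    # labels must follow it (no "*.com"-style names).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # A wildcard stands in for exactly one label, so the label counts must
    # agree: "*.ldapserver.abc.example.com" has 5 labels, the bare
    # "ldapserver.abc.example.com" only 4, hence the mismatch in the thread.
    if len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def check_hostname(host: str, san_dns: List[str], cn: Optional[str]) -> Tuple[bool, str]:
    """RFC 6125 rule: with DNS SANs present the CN is not consulted at all;
    the CN is only used as a fallback on a certificate without DNS SANs."""
    if san_dns:
        for name in san_dns:
            if dns_name_matches(name, host):
                return True, "matched SAN " + name
        return False, "no SAN in %s matches %s" % (san_dns, host)
    if cn is not None and dns_name_matches(cn, host):
        return True, "matched CN %s (no SAN present)" % cn
    return False, "CN %r does not match %s" % (cn, host)


# Values quoted in the thread (constructed certificate, not a real one).
CERT_SAN = ["*.ldapserver.abc.example.com"]
CERT_CN = "Ldap Example"

if __name__ == "__main__":
    for host in ("ldapserver.abc.example.com", "xyz.ldapserver.abc.example.com"):
        ok, why = check_hostname(host, CERT_SAN, CERT_CN)
        print("%s: %s (%s)" % (host, "OK" if ok else "MISMATCH", why))
```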

1 Answer


Adding the below property in ldap.conf resolved this error:

TLS_REQSAN allow