
I'm trying to connect to LDAP over StartTLS but I'm stuck with an issue. I've followed this guide step by step: https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls, and LDAP is working OK, as is "ldapsearch -xZZ -h 172.25.80.144", on my Ubuntu Server 12.04.

However, on my Ubuntu Desktop 11.04 client I get this error:

ldapsearch -x -H 172.25.80.144 -ZZ 
ldap_start_tls: Connect error (-11)
                additional info: **TLS: hostname does not match CN in peer certificate**

Server /etc/ldap/ldap.conf

 BASE dc=prueba,dc=borja
 URI  ldap://prueba.borja
 SIZELIMIT 12
 TIMELIMIT 15
 DEREF     never
 TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Client /etc/ldap.conf

 ssl start_tls
 tls_checkpeer no

/etc/ldap/ldap.conf

 BASE dc=prueba,dc=borja
 URI  ldap://prueba.borja
 SIZELIMIT 12
 TIMELIMIT 15
 DEREF never
 TLS_REQCERT allow

Could anybody tell me how to fix this? I think the hostname is OK.

Thanks!

borjamf
    When you built your certificate (step 5) for that host, did you set the CN value to `172.25.80.144`? If not, then shouldn't you be using the actual **hostname** when connecting with ldapsearch? The CN value you used in step 5 was the actual FQDN of the server, right, and you have DNS set up properly? – Zoredache Nov 28 '12 at 22:07

2 Answers


Try

TLS_REQCERT never

in /etc/ldap/ldap.conf. This will prevent checking of the certificate. Note that it makes the connection even less secure.

/etc/ldap.conf should not affect ldapsearch(1)

Also try dropping the second -Z on the command line. That might be what's forcing the fail even though you have TLS_REQCERT allow.

ptman
  • "Note that it makes the connection even less secure." If you do not validate certificates, then there is no need for TLS at all. You will even accept self-signed certificates from the worst script kiddies of the entire universe. – stackprotector Jul 26 '22 at 11:18

A couple of things I noticed looking at this post.

First, you are running your LDAP server over standard LDAP and not LDAPS, i.e. ldaps://prueba.borja.

Second, based on your configuration there does not appear to be a certificate configured for the LDAP server to serve. All that is identified is the CA, which is used for trust when the server acts as a client in resolving a CA chain and/or sending the chain when the client requests it.

Finally, the error is from the client, indicating that the TLS certificate being served has a Common Name (CN) and/or Subject Alternative Name (SAN) that was not the name requested by the client. This requires the client connecting to the LDAP server to do something like this:

ldapsearch -x -H prueba.borja -ZZ

This requires the certificate to have a Common Name (CN) of prueba.borja or a Subject Alternative Name (SAN) of prueba.borja.

Also, just as a reminder, the certificate that the LDAP server serves must be signed by your certificate authority (CA) root and any intermediates you may have. If not, you will get additional errors. If you are using a company-generated certificate authority, your administrator should be able to generate one. If you are using a public certificate authority, contact your vendor for certificate generation. In either case, make sure you tell them the adjustments to the common name and/or subject alternative name so it matches the name you identified.

Once you have everything set up correctly, a proper TLS handshake will occur.

thxmike
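As an added illustration, not code from the question or either answer: the hostname check a TLS client performs before it accepts a peer certificate, written out in Python against two constructed certificate descriptions (in the dict shape Python's `ssl.getpeercert()` returns; no real certificate from this thread is used). It shows why `-H 172.25.80.144` fails against a certificate whose only name is CN=prueba.borja (the result of setting just the CN in step 5 of the guide), why `-H ldap://prueba.borja` succeeds, and what the certificate would need (an `IP Address` SAN entry) for the IP form to work. The host name and address come from the question; the wildcard SAN entry is an assumption added for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed certificate descriptions (not real certificates from the thread),
# in the dict shape Python's ssl.getpeercert() returns.
CERT_CN_ONLY = {
    # A certificate where only the CN was set, no subjectAltName extension.
    "subject": ((("countryName", "ES"),), (("commonName", "prueba.borja"),)),
}
CERT_WITH_SAN = {
    # Same CN, plus SAN entries that also name the server's IP address.
    # The wildcard entry is an assumption added for illustration.
    "subject": ((("commonName", "prueba.borja"),),),
    "subjectAltName": (
        ("DNS", "prueba.borja"),
        ("DNS", "*.prueba.borja"),
        ("IP Address", "172.25.80.144"),
    ),
}


def _dns_name_match(pattern, host):
    """RFC 6125 style comparison: case-insensitive, and a single '*' may stand
    in for the whole left-most label only (never for a partial label or two)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert):
    """Return (dns_sans, ip_sans, common_names) present in the cert dict."""
    dns, ips, cns = [], [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cns.append(value)
    return dns, ips, cns


def cert_matches_host(cert, host):
    """True if `host` (a DNS name or an IP literal) is a name the cert carries.

    Rule: if a subjectAltName extension is present, only its entries count and
    the CN is ignored; the CN is consulted only when there is no SAN at all.
    An IP literal is matched only by an 'IP Address' SAN entry, never by a CN,
    which is exactly why connecting by 172.25.80.144 fails against CERT_CN_ONLY.
    """
    dns, ips, cns = names_in_cert(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(x) == ip for x in ips)
    if dns or ips:  # SAN extension present: CN does not participate
        return any(_dns_name_match(p, host) for p in dns)
    return any(_dns_name_match(cn, host) for cn in cns)


def host_from_uri(uri):
    """Host part of an LDAP URI; a bare 'host[:port]' as given to -H in the
    question (no scheme) is treated as a host list, the way libldap does."""
    if "://" not in uri:
        uri = "ldap://" + uri
    return urlsplit(uri).hostname


def ldapsearch_uri_check(uri, cert):
    """Diagnose an `ldapsearch -H <uri> -ZZ` against the certificate the server
    would present: 'ok', or the libldap-style mismatch message."""
    if cert_matches_host(cert, host_from_uri(uri)):
        return "ok"
    return "TLS: hostname does not match CN in peer certificate"


if __name__ == "__main__":
    for uri in ("172.25.80.144", "ldap://prueba.borja", "ldap://ldap.prueba.borja"):
        print(f"{uri:28} CN-only cert: {ldapsearch_uri_check(uri, CERT_CN_ONLY)}")
        print(f"{uri:28} SAN cert:     {ldapsearch_uri_check(uri, CERT_WITH_SAN)}")
```

The practical reading: with the certificate the guide produces, the client has to be given the name in the CN (`-H ldap://prueba.borja`, resolvable via DNS or /etc/hosts); turning the check off with `TLS_REQCERT never` makes the mismatch disappear only by no longer authenticating the server.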