ldap/ssl failure: server name mismatch

IEM

Sep 4, 2018
I cannot connect my PMG to an LDAPS (ldap/ssl) server.

The LDAPS server uses a valid certificate (signed by Let's Encrypt), and I can use it just fine with e.g. `ldapsearch -x -H ldaps://ldap.example.com`.

However, with PMG the connection is terminated because of certificate errors.
The root cause is quite obviously that the `Server` field in the LDAP profile can only be an IP address. Both IPv4 and IPv6 seem to be allowed, so the text field is limited to the following characters:
Code:
[0-9a-fA-Z.:]
Now, my certificate is (as any good certificate) valid for the DNS name (e.g. `ldap.example.com`) but not for the associated IP (`192.168.1.2`).

However, PMG/LDAP seems to validate the subject name of the certificate against the IP address and fails.

My current workaround is to run a local LDAP proxy that speaks LDAP to PMG but communicates with the real server using LDAPS.


I don't really understand why I cannot add a domain name in the `server` field (I even tried on the command line).
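The "server name mismatch" described above comes from TLS hostname verification: the reference identity the client was configured with is matched against the certificate's subjectAltName entries, and an IP literal only ever matches an iPAddress entry, never a dNSName. The following is an added example (not code from the original post or from PMG) that reproduces that matching rule on constructed SAN lists, so the failing and passing cases can be checked offline:

```python
"""Why a cert for ldap.example.com fails when the client dials 192.168.1.2:
TLS hostname verification (RFC 6125 / RFC 2818) matches the reference
identity the client was configured with against the certificate's
subjectAltName entries, and an IP reference only matches an iPAddress
entry, never a dNSName. Added example with constructed SAN lists."""
import ipaddress


def _dns_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match; '*' is allowed only as the entire
    leftmost label and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def reference_matches_san(reference: str, san: list[tuple[str, str]]) -> bool:
    """reference: the host string the client was told to connect to
    (DNS name or IP literal). san: list of (type, value) pairs, type being
    'DNS' or 'IP' as a TLS library would report them."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    for entry_type, value in san:
        if ref_ip is not None:
            # IP reference: only an iPAddress SAN counts; a dNSName that
            # happens to look like an IP literal does not.
            if entry_type == "IP" and ipaddress.ip_address(value) == ref_ip:
                return True
        elif entry_type == "DNS" and _dns_matches(value, reference):
            return True
    return False


# Constructed SAN list like a typical public-CA certificate: DNS name only.
DNS_ONLY_SAN = [("DNS", "ldap.example.com")]
# Constructed SAN list for a cert that also carries an iPAddress entry, which
# is what an IP-only server field would need in order to verify.
DNS_AND_IP_SAN = [("DNS", "ldap.example.com"), ("IP", "192.168.1.2")]

if __name__ == "__main__":
    for ref, san in [("ldap.example.com", DNS_ONLY_SAN),
                     ("192.168.1.2", DNS_ONLY_SAN),
                     ("192.168.1.2", DNS_AND_IP_SAN)]:
        state = "ok" if reference_matches_san(ref, san) else "server name mismatch"
        print(f"{ref:18} {state}")
```

The second case is exactly the thread's situation: a DNS-only certificate dialed by IP cannot pass, regardless of how trusted the issuing CA is, so the fix is either a hostname in the server field or a certificate that also carries the IP as an iPAddress SAN.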
Same problem. Can't add my AD server, as only IP addresses are allowed. My Samba4 server is configured to refuse plain-text binds, so there's no way for PMG to accept the certificate.
 
BTW, another issue is that ldaps isn't being used at all because of a typo in /usr/share/perl5/PMG/LDAPCache.pm line 352:

$opts->{schema} should be $opts->{scheme}