TLS: hostname does not match CN in peer certificate

Try

TLS_REQCERT never

in /etc/ldap/ldap.conf. This will prevent checking of the certificate. Note that it makes the connection even less secure.

/etc/ldap.conf should not affect ldapsearch(1)

Also try dropping the second -Z on the command line. That might be what's forcing the fail even though you have TLS_REQCERT allow.


A couple of things I noticed looking at this post.

First, you are running your LDAP server over standard LDAP and not LDAPS, i.e. ldaps://prueba.borja

Second, based on your configuration there does not appear to be a certificate configured for the LDAP server to serve. All that is identified is the CA, which is used for trusts when the server acts as a client in resolving a CA chain and/or sending the chain when the client requests it.

Finally, the error is from the client indicating that the TLS certificate being served has a Common Name (CN) and/or Subject Alternate Name (SAN) that was not requested by the client. This requires the client connecting to the LDAP server to do something like this:

ldapsearch -x -H prueba.borja -ZZ

This requires the certificate to have a Common Name (CN) of prueba.borja or a Subject Alternate Name (SAN) of prueba.borja.

Also, just as a reminder, the certificate that the LDAP server serves must be signed by your certificate authority (CA) root and any intermediates you may have. If not, you will get additional errors. If you are using a company-generated certificate authority, your administrator should be able to generate one. If you are using a public domain certificate authority, contact your vendor for certificate generation. In either case, make sure you tell them the adjustments to the common name and/or subject alternate name to the name you identified.

Once you have everything set up correctly, a proper TLS handshake will occur successfully.
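To make the two answers above concrete, here is an added illustration (not OpenLDAP's code, and not posted by either answerer) of what the client actually checks: the host named in the -H URI is compared against the certificate's SAN DNS entries, falling back to the CN only when no DNS SAN is present, and the result is then filtered through the TLS_REQCERT policy from ldap.conf(5), which is why TLS_REQCERT never makes the error disappear without fixing anything. It assumes certificates in the dictionary shape Python's ssl getpeercert() returns, and the three sample certificates are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample certificates (not real data), in the dictionary shape
# returned by ssl.SSLSocket.getpeercert().
CERT_CN_ONLY: Dict = {
    "subject": ((("commonName", "ldap.example.test"),),),
}
CERT_WITH_SAN: Dict = {
    "subject": ((("commonName", "prueba.borja"),),),
    "subjectAltName": (("DNS", "prueba.borja"), ("DNS", "*.ldap.borja")),
}
CERT_CN_OK_SAN_WRONG: Dict = {
    "subject": ((("commonName", "prueba.borja"),),),
    "subjectAltName": (("DNS", "other.borja"),),
}


def host_from_uri(uri: str) -> str:
    """Host component of an LDAP URI such as ldap://prueba.borja or
    ldaps://prueba.borja:636, i.e. the name the client will verify."""
    host = urlsplit(uri).hostname
    if not host:
        raise ValueError(f"no host in URI: {uri!r}")
    return host


def _san_dns_names(cert: Dict) -> List[str]:
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_name(cert: Dict) -> Optional[str]:
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison. A single '*' is accepted only as
    the whole leftmost label and matches exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return "*" not in pattern and p == h


def hostname_matches(cert: Dict, requested_host: str) -> Tuple[bool, str]:
    """Is the host the client asked for covered by the certificate?
    DNS SAN entries are authoritative; the CN is consulted only when the
    certificate carries no DNS SANs."""
    sans = _san_dns_names(cert)
    if sans:
        for name in sans:
            if _name_matches(name, requested_host):
                return True, f"matched SAN DNS:{name}"
        return False, f"{requested_host} matches none of SAN {sans}"
    cn = _common_name(cert)
    if cn is not None and _name_matches(cn, requested_host):
        return True, f"matched CN={cn} (certificate has no SAN)"
    return False, f"hostname does not match CN={cn!r} in peer certificate"


def connection_allowed(tls_reqcert: str, cert_present: bool, cert_ok: bool) -> bool:
    """Apply the TLS_REQCERT policy documented in ldap.conf(5) to the outcome
    of certificate verification (chain and hostname checks together)."""
    policy = tls_reqcert.lower()
    if policy in ("never", "allow"):
        return True                            # never: not checked; allow: failures ignored
    if policy == "try":
        return (not cert_present) or cert_ok   # missing cert tolerated, bad cert fatal
    if policy in ("demand", "hard"):
        return cert_present and cert_ok        # the default: any failure ends the session
    raise ValueError(f"unknown TLS_REQCERT value: {tls_reqcert!r}")


if __name__ == "__main__":
    host = host_from_uri("ldap://prueba.borja")
    for label, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        ok, why = hostname_matches(cert, host)
        for policy in ("never", "demand"):
            verdict = "connect" if connection_allowed(policy, True, ok) else "abort"
            print(f"{label:9} TLS_REQCERT {policy:6} -> {verdict} ({why})")
```

Running the block shows the CN-only certificate failing for prueba.borja under the default demand policy and being waved through under never, which is the trade-off the first answer warns about: the name mismatch is still there, the client has simply stopped looking. The SAN-precedence case (CERT_CN_OK_SAN_WRONG) is the one that surprises people who only fix the CN on a certificate that already carries a SAN.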