Found the following in a specification
The identity verification consists of:
1. Check the host name format in the LDAP configuration and classify it as either DNS or IP. If the host name has the DNS format then extract the host name and domain.
2. Extract the names from the x509 SUBJECT_ALT_NAME section of the incoming server certificate.
3. Iterate over the list acquired in step 2.
   3.1 If the current alt. name is of DNS type and the step 1 classification is DNS then compare both host names. If they are equal then flag successful verification and stop checking further.
   3.2 If the current alt. name is of DNS type and the step 1 classification is DNS then check for a '*.' prefix (wildcard). If so, do two sanity checks: a. the 2nd character of the alt. name is '.'; and b. the lengths match. After the sanity checks compare the domain parts and if they match then flag successful verification and stop checking further.
   3.3 If the current alt. name is of IP type and the step 1 classification is IP then compare both host IP addresses. If they are equal then flag successful verification and stop checking further.
4. If no x509 SUBJECT_ALT_NAME section is found then extract the CN.
   4.1 If the CN is equal to the LDAP configuration host name then flag successful verification; if not then
   4.2 Check for a '*.' prefix (wildcard). If so, do two sanity checks: a. the 2nd character of the alt. name is '.'; and b. the lengths match. After the sanity checks compare the domain parts and if they match then flag successful verification and stop checking further.
5. If all previous checks have failed then flag failed verification.
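The five steps above, written out as a small Python implementation. This is an added example, not code from the specification or from whatever product it describes. It assumes the caller has already parsed the certificate into a list of (type, value) alt. names (step 2), that "no SUBJECT_ALT_NAME section" is represented as None rather than an empty list, that "extract host name and domain" means splitting the configured name at its first dot, and that IP comparison is done on parsed addresses so that equivalent IPv6 spellings compare equal. Host names and constants in the demo are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumption: None means the certificate has no SUBJECT_ALT_NAME section at
# all; an empty list means the section exists but carries no usable names.
SANEntries = Optional[List[Tuple[str, str]]]


def classify_host(configured_host: str) -> Tuple[str, str]:
    """Step 1: classify the LDAP configuration host as 'IP' or 'DNS'.

    Returns (kind, domain). For DNS names the domain is everything after the
    first label (assumption about what 'extract host name and domain' means);
    for IP addresses the domain is the empty string.
    """
    try:
        ipaddress.ip_address(configured_host)
        return "IP", ""
    except ValueError:
        pass
    name = configured_host.lower().rstrip(".")
    _host, _sep, domain = name.partition(".")
    return "DNS", domain


def wildcard_matches(pattern: str, domain: str) -> bool:
    """Steps 3.2 / 4.2: '*.' prefix, the two sanity checks, then compare
    the domain parts."""
    pattern = pattern.lower().rstrip(".")
    if not domain:
        # Assumption: a bare configured host name (no domain part) cannot be
        # satisfied by any wildcard; the spec does not cover this case.
        return False
    if not pattern.startswith("*"):
        return False
    # Sanity check a: the second character must be '.'
    if len(pattern) < 2 or pattern[1] != ".":
        return False
    candidate = pattern[2:]
    # Sanity check b: the lengths must match
    if len(candidate) != len(domain):
        return False
    # Compare the domain parts
    return candidate == domain


def verify_identity(configured_host: str, san: SANEntries,
                    common_name: str) -> Tuple[bool, str]:
    """Run steps 1-5. Returns (verified, number of the step that decided)."""
    kind, domain = classify_host(configured_host)
    name = configured_host.lower().rstrip(".")
    if san is not None:
        for alt_type, alt_value in san:                      # step 3
            if alt_type == "DNS" and kind == "DNS":
                value = alt_value.lower().rstrip(".")
                if value == name:                            # 3.1
                    return True, "3.1"
                if wildcard_matches(value, domain):          # 3.2
                    return True, "3.2"
            elif alt_type == "IP" and kind == "IP":          # 3.3
                try:
                    if ipaddress.ip_address(alt_value) == \
                            ipaddress.ip_address(configured_host):
                        return True, "3.3"
                except ValueError:
                    continue  # malformed IP alt. name is simply not a match
    else:                                                    # step 4
        cn = common_name.lower().rstrip(".")
        if cn == name:                                       # 4.1
            return True, "4.1"
        if kind == "DNS" and wildcard_matches(cn, domain):   # 4.2
            return True, "4.2"
    return False, "5"                                        # step 5


if __name__ == "__main__":
    # Constructed demo inputs
    cases = [
        ("ldap.example.com", [("DNS", "ldap.example.com")], "ignored"),
        ("ldap.example.com", [("DNS", "*.example.com")], "ignored"),
        ("ldap.example.com", [("DNS", "*.sub.example.com")], "ignored"),
        ("10.0.0.5", [("IP", "10.0.0.5")], "ignored"),
        ("10.0.0.5", [("DNS", "10.0.0.5")], "ignored"),
        ("ldap.example.com", None, "*.example.com"),
        ("ldap.example.com", [], "ldap.example.com"),
    ]
    for host, san, cn in cases:
        print(host, san, cn, "->", verify_identity(host, san, cn))
```

Two behaviours of the quoted procedure are worth noticing when running the demo: the CN is consulted only when the certificate has no SUBJECT_ALT_NAME section at all (a present but empty section fails at step 5), and a DNS-type alt. name never matches an IP-classified configuration even when the strings are identical. The wildcard rule as quoted compares only the domain part, so a certificate for `*.com` would satisfy `ldap.com`; the example keeps that behaviour rather than adding the extra label checks most TLS libraries apply.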
See examples