
Problem with TLVVerifyClient ? (ITS#2226)



Full_Name: Philip Inglesant
Version: 2.0.23
OS: FreeBSD 4.4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (195.157.3.115)


http://www.openldap.org/doc/admin21/tls.html says that there are four possible
values for the TLSVerifyClient directive: never | allow | try | demand. However,
a quick look at the source ../servers/slapd/config.c shows that it is parsing
the argument to this directive by 
        i = atoi(cargv[1]);
        rc = ldap_pvt_tls_set_option( NULL,
                                      LDAP_OPT_X_TLS_REQUIRE_CERT,
                                      &i );
etc.

Either I am misunderstanding the code or the documentation is out of step with
the source. I have tried putting "demand" and various other values and the LDAP
server happily allows a client to bind to it without supplying a client
certificate. If I put "TLSVerifyClient 1", on the other hand, the bind fails
without a client certificate.
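The behaviour reported above, reproduced as an added example that is not part of the report or of slapd: atoi() on a keyword such as "demand" yields 0, which is the "never" level, so the directive silently becomes the most permissive setting. The numeric level constants below are my assumption of OpenLDAP's LDAP_OPT_X_TLS_* values, and the keyword-table parser is a constructed alternative, not the project's code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Assumed to mirror the LDAP_OPT_X_TLS_* levels in OpenLDAP's ldap.h;
 * only "never" maps to 0, which is what atoi() returns for any word. */
enum { TLS_NEVER = 0, TLS_HARD = 1, TLS_DEMAND = 2, TLS_ALLOW = 3, TLS_TRY = 4 };

/* What the report describes: atoi("demand") == 0 == never, no error. */
int parse_verify_client_atoi(const char *arg)
{
    return atoi(arg);
}

/* Constructed alternative: look the keyword up in a table and reject
 * anything unknown (-1) instead of collapsing it to 0. A bare number is
 * still accepted, but only if the whole argument is digits and in range. */
int parse_verify_client_keyword(const char *arg)
{
    static const struct { const char *name; int level; } tbl[] = {
        { "never",  TLS_NEVER  }, { "allow",  TLS_ALLOW  },
        { "try",    TLS_TRY    }, { "demand", TLS_DEMAND },
        { "hard",   TLS_HARD   },
    };
    size_t i;
    char *end;
    long v;

    for (i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strcasecmp(arg, tbl[i].name) == 0)
            return tbl[i].level;

    v = strtol(arg, &end, 10);
    if (*arg == '\0' || *end != '\0' || v < TLS_NEVER || v > TLS_TRY)
        return -1;  /* unknown value: the config load should fail here */
    return (int)v;
}

int main(void)
{
    const char *words[] = { "demand", "never", "1", "bogus" };
    size_t i;
    for (i = 0; i < sizeof words / sizeof words[0]; i++)
        printf("%-7s atoi=%d keyword=%d\n", words[i],
               parse_verify_client_atoi(words[i]),
               parse_verify_client_keyword(words[i]));
    return 0;
}
```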