
Re: ldapi security level?

At 10:16 PM 7/5/2004, Tony Earnshaw wrote:
>man, 05.07.2004 kl. 21.12 skrev Kurt D. Zeilenga:
>
>> So, maybe, some don't consider ldapi:// to be "more secure"
>> than TLS with a "strong" TLS cipher.  I find myself using
>> TLS (with strong ciphers) over ldapi://.  I don't find
>> that all that strange.
>
>Not often I'm taken aback, but ... How on earth do you do this?

ldapsearch -H ldapi:/// -ZZ ...

>With
>2.2.x on 2 different rigs (ldap.conf has 'uri
>ldapi://%2fusr%2flocal%2fvar%2fslapd%2fldapi/'), I get:
>
>1134 [root:billy.demon.nl] /etc/postfix/maps # ldapsearch -ZZ -x
>'uid=tonni'
>ldap_start_tls: Connect error (-11)
>        additional info: TLS: hostname does not match CN in peer
>certificate

This error has little to do with the use of ldapi://, just
your run-of-the-mill certificate verification failure.

>More important, perhaps: Why would you want to?

To ease my paranoia... or simply to take advantage of
TLS services such as mutual or server-only certificate-based
authentication.

Kurt
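
The two commands discussed in this thread, put into a small helper script. This is an added example, not something posted by Kurt or Tony: it percent-encodes a slapd socket path into the ldapi:// form Tony's ldap.conf uses, then issues the ldapsearch call Kurt describes, with -ZZ so the search fails rather than silently falling back to cleartext if StartTLS cannot be negotiated. The socket path is an assumption; the filter is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a percent-encoded
# ldapi:// URI for a slapd socket path and run ldapsearch over it with
# StartTLS enforced (-ZZ). The socket path below is an assumption.

# ldapi:// carries the socket path in the authority part of the URI, so every
# "/" in the path must be percent-encoded as %2f (the form the thread shows).
ldapi_uri() {
    printf 'ldapi://%s/\n' "$(printf '%s' "$1" | sed 's|/|%2f|g')"
}

# Compose the command line: -H selects the URI, -ZZ requires StartTLS to
# succeed (no cleartext fallback), -x is a simple bind.
ldapsearch_cmd() {
    printf 'ldapsearch -H %s -ZZ -x %s\n' "$(ldapi_uri "$1")" "$2"
}

# Run the search if ldapsearch is installed; otherwise just print the command.
run_example() {
    sock="${1:-/usr/local/var/slapd/ldapi}"   # assumed socket path
    filter="${2:-uid=tonni}"                  # filter taken from the thread
    if command -v ldapsearch >/dev/null 2>&1; then
        ldapsearch -H "$(ldapi_uri "$sock")" -ZZ -x "$filter"
    else
        ldapsearch_cmd "$sock" "$filter"
    fi
}
```

Kurt's shorter form, `ldapsearch -H ldapi:/// -ZZ`, leaves the path empty so the library's compiled-in default socket is used; the helper above only matters when the socket lives somewhere else. If -ZZ reports a certificate verification error, as in Tony's output, the fix is on the certificate or the client's TLS verification settings, not in the choice of ldapi:// as the transport.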