
Re: Getting SSL/TSL to work

--On Sunday, March 13, 2005 11:47 PM +0000 Dick Davies <rasputnik@hellooperator.net> wrote:

> * Hallvard B Furuseth <h.b.furuseth@usit.uio.no> [0353 22:53]:
>> Dick Davies writes:
>>> * Hallvard B Furuseth <h.b.furuseth@usit.uio.no> [0349 18:49]:
>>>> Well, you can turn off client-side server certificate validation,
>>>> but...
>>>
>>> Incidentally, is there a way to disable server certificate checking in
>>> the OpenLDAP client libraries?
>>
>> See 'TLS_REQCERT <level>' in 'man ldap.conf',
>> or ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
>>    &(int with value LDAP_OPT_X_TLS_<NEVER, ALLOW or TRY>)).
>>
>>> We have some misconfigured ldap servers at work and had to resort to
>>> hacking the tls code from 2.1 into 2.2....
>>
>> The above options existed - undocumented - even in OpenLDAP 2.0.0.
>> Hm.  LDAP_OPT_X_TLS_REQUIRE_CERT is still undocumented.
>
> Yeah, a ldap_set_option(3) manpage is long overdue. I usually resort to
> trawling through ldap.h for likely-looking suspects :)
>
> Thanks for the tip, that should work great for most of my needs.

File an ITS with the text. ;)

http://www.openldap.org/its/

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
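The TLS_REQCERT levels Hallvard points at in the thread above, as an added example that is not code from this thread or from OpenLDAP: a small audit of an ldap.conf-style file that reports the effective level and whether it lets an invalid or missing server certificate through. The level semantics follow ldap.conf(5) and the constant names ldap.h; the sample config is constructed, and the rule that a later directive overrides an earlier one is an assumption.

```python
import re

# TLS_REQCERT level -> (ldap.h constant, missing cert accepted?, invalid cert accepted?)
LEVELS = {
    "never":  ("LDAP_OPT_X_TLS_NEVER",  True,  True),   # cert not even requested
    "allow":  ("LDAP_OPT_X_TLS_ALLOW",  True,  True),   # requested, errors ignored
    "try":    ("LDAP_OPT_X_TLS_TRY",    True,  False),  # missing ok, bad cert aborts
    "demand": ("LDAP_OPT_X_TLS_DEMAND", False, False),  # the default
    "hard":   ("LDAP_OPT_X_TLS_HARD",   False, False),  # same as demand
}

# Constructed sample ldap.conf; the commented-out directive must be ignored.
SAMPLE_CONF = """\
# TLS_REQCERT demand
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
TLS_REQCERT allow
"""

def effective_reqcert(conf_text):
    """Effective level: 'demand' when unset; comments stripped; case-insensitive.
    Assumption: a later TLS_REQCERT directive overrides an earlier one."""
    level = "demand"
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"TLS_REQCERT\s+(\S+)$", line, re.IGNORECASE)
        if m:
            level = m.group(1).lower()
    if level not in LEVELS:
        raise ValueError("unknown TLS_REQCERT level: %r" % level)
    return level

def audit(conf_text):
    """Return (level, ldap.h constant, findings); no findings means the
    client enforces server-certificate validation."""
    level = effective_reqcert(conf_text)
    const, missing_ok, invalid_ok = LEVELS[level]
    findings = []
    if invalid_ok:
        findings.append("TLS_REQCERT %s: an invalid or untrusted server "
                        "certificate is accepted, so a spoofed server goes unnoticed" % level)
    if missing_ok:
        findings.append("TLS_REQCERT %s: a server presenting no certificate "
                        "is accepted" % level)
    return level, const, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF)[2]:
        print(finding)
```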