* Hallvard B Furuseth <h.b.furuseth@usit.uio.no> [0353 22:53]:
Dick Davies writes:
> * Hallvard B Furuseth <h.b.furuseth@usit.uio.no> [0349 18:49]:
>> Well, you can turn off client-side server certificate validation,
>> but...
>
> Incidentally, is there a way to disable server certificate checking in
> the OpenLDAP client libraries?
See 'TLS_REQCERT <level>' in 'man ldap.conf', or ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &(int with value LDAP_OPT_X_TLS_<NEVER, ALLOW or TRY>)).
> We have some misconfigured ldap servers at work and had to resort to
> hacking the tls code from 2.1 into 2.2....
The above options existed - undocumented - even in OpenLDAP 2.0.0. Hm. LDAP_OPT_X_TLS_REQUIRE_CERT is still undocumented.
Yeah, a ldap_set_option(3) manpage is long overdue. I usually resort to trawling through ldap.h for likely looking suspects :)
Thanks for the tip, that should work great for most of my needs.
File an ITS with the text. ;)
http://www.openldap.org/its/
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
"These censorship operations against schools and libraries are stronger than ever in the present religio-political climate. They often focus on fantasy and sf books, which foster that deadly enemy to bigotry and blind faith, the imagination." -- Ursula K. Le Guin
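Because `TLS_REQCERT` can silently switch off server certificate checking for every client that reads a given `ldap.conf`, it is worth auditing for. The following is an added example, not code from this thread or from the OpenLDAP project: it reports the effective level in an `ldap.conf`-style text and what that level lets through, following the level descriptions in ldap.conf(5). It assumes that the last `TLS_REQCERT` line wins, that level names are matched case-insensitively, and that the `LDAPTLS_REQCERT` environment variable overrides the file; the function name and the sample file are constructed for illustration.

```python
# Added example: audit ldap.conf-style text for a weakened TLS_REQCERT level.

# Per-level behaviour as described in ldap.conf(5):
# (accepts a bad server certificate, accepts a missing server certificate)
LEVELS = {
    "never":  (True, True),
    "allow":  (True, True),
    "try":    (False, True),
    "demand": (False, False),
    "hard":   (False, False),
}
DEFAULT_LEVEL = "demand"  # library default when the option is not set

# Constructed sample configuration (not taken from any real host).
SAMPLE = """\
# constructed sample
URI ldaps://ldap.example.org
TLS_CACERT /etc/ssl/certs/ca.pem
tls_reqcert demand
TLS_REQCERT never
"""

def audit_reqcert(conf_text, env=None):
    """Return (level, source, findings) for one ldap.conf-style text.

    env is an optional dict standing in for the process environment.
    """
    level, source = DEFAULT_LEVEL, "default"
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "TLS_REQCERT":
            # Assumption: a later occurrence overrides an earlier one.
            level, source = parts[1].strip().lower(), f"line {lineno}"
    if env and env.get("LDAPTLS_REQCERT"):
        level, source = env["LDAPTLS_REQCERT"].lower(), "LDAPTLS_REQCERT"
    if level not in LEVELS:
        return level, source, [f"unknown level {level!r}"]
    bad, missing = LEVELS[level]
    findings = []
    if bad:
        findings.append("invalid server certificate is accepted")
    if missing:
        findings.append("missing server certificate is accepted")
    return level, source, findings
```

An empty findings list means the client keeps the `demand`/`hard` behaviour; the same mapping applies to the `LDAP_OPT_X_TLS_*` values passed to `ldap_set_option()` in application code.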