
Re: insecure, convenient use of SSL



On Friday 11 April 2008 01:42:30 Jason Dusek wrote:
>  I'd like to set up LDAP command line tools to point to a server
>  -- say localhost -- that has a certificate with an arbitrary
>  name in it -- say `my-domain.com`.
>
>  I'm not entirely sure how to get my LDAP tools to do that, though
>  -- or if it's possible. By default, OpenLDAP is wound up pretty
>  tight.

Either:
1) Add an entry to /etc/hosts so that the name on the certificate resolves to
the correct IP address, and always use the name on any connection where you
want certificate validation
or
2) Add
TLS_REQCERT allow
to the OpenLDAP ldap.conf. If you are using anything besides OpenLDAP software
(nss_ldap, pam_ldap) be aware that their configuration is not identical ...


Regards,
Buchan
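
Added example, not part of the original message: a shell check that flags TLS_REQCERT lines in ldap.conf-style files which, like option 2 above, let a session continue despite a bad server certificate. The function names and the paths in the usage comment are assumptions for illustration; the level descriptions follow ldap.conf(5).

```shell
#!/bin/sh
# Added example: audit ldap.conf-style files for TLS_REQCERT levels weaker
# than the default "demand". Function names are illustrative.

# Describe what a TLS_REQCERT level tolerates, per ldap.conf(5).
reqcert_risk() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        never)       echo "no server certificate requested or checked" ;;
        allow)       echo "bad or missing certificate ignored" ;;
        try)         echo "missing certificate accepted, bad one rejected" ;;
        demand|hard) echo "ok" ;;
        *)           echo "unknown level" ;;
    esac
}

# Print "file:line:level:risk" for every TLS_REQCERT line weaker than demand.
# Returns 0 when nothing weak is found, 1 otherwise.
audit_reqcert() {
    status=0
    for conf in "$@"; do
        [ -r "$conf" ] || continue
        # Option names are case-insensitive. Commented-out lines never match
        # because their first field starts with '#'.
        hits=$(awk 'tolower($1) == "tls_reqcert" { print NR ":" $2 }' "$conf")
        for hit in $hits; do
            level=${hit#*:}
            risk=$(reqcert_risk "$level")
            if [ "$risk" != "ok" ]; then
                echo "$conf:${hit%%:*}:$level:$risk"
                status=1
            fi
        done
    done
    return $status
}

# Usage (file locations vary by distribution; these paths are assumptions):
#   sh audit_reqcert.sh /etc/openldap/ldap.conf "$HOME/.ldaprc"
if [ "$#" -gt 0 ]; then
    audit_reqcert "$@"
fi
```

The LDAPTLS_REQCERT environment variable can also set this option, so a clean file audit does not cover a level set in the environment.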