[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: insecure, convenient use of SSL

To: openldap-software@openldap.org
Subject: Re: insecure, convenient use of SSL
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Tue, 15 Apr 2008 18:07:26 +0200
Cc: kevin montuori <montuori@gmail.com>
Content-disposition: inline
In-reply-to: <m2od8b6ym8.fsf@rerun.local>
References: <42784f260804071743v5fc1468aw5035467df632879d@mail.gmail.com> <200804151455.16509.bgmilne@staff.telkomsa.net> <m2od8b6ym8.fsf@rerun.local>
User-agent: KMail/1.9.9

On Tuesday 15 April 2008 15:23:11 kevin montuori wrote:
> >>>>> "BM" == Buchan Milne <bgmilne@staff.telkomsa.net> writes:
>  >>
>  >> I'd like to set up LDAP command line tools to point to a server
>  >> -- say localhost -- that has a certificate with an arbitrary
>  >> name in it -- say `my-domain.com`.
>
>  BM> Either:
>
>  BM> 1)Add an entry to /etc/hosts so that the name on the certificate
>  BM> resolves to the correct IP address, and always use the name on
>  BM> any connection where you want certificate validation or
>
>  BM> 2)Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are
>  BM> using anything besides OpenLDAP software (nss_ldap,pam_ldap) be
>  BM> aware that their configuration is not identical ...
>
> or, if you can, use the subjectAltName certificate extension.  see the
> administrator's guide, 14.1.1.  works as expected and there's no funky
> client side configuration required.

This solution assumes that you can change the cert (and even if you can, 
whether the CA supports/allows the subject alternative name extension), which 
is not necessarily a good assumption to make.

Regards,
Buchan

References:
- Re: insecure, convenient use of SSL
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>
- Re: insecure, convenient use of SSL
  - From: kevin montuori <montuori@gmail.com>

Prev by Date: Confusion over MIT/Heimdal compatibility
Next by Date: Re: Not able to get GSSAPI in supportedSASLMechanisms list
Index(es):
- Chronological
- Thread