RE: default behavior of server certificate validation
- To: Bin Lu <blu@paloaltonetworks.com>
- Subject: RE: default behavior of server certificate validation
- From: Aaron Richton <richton@nbcs.rutgers.edu>
- Date: Thu, 19 Mar 2015 08:51:41 -0400 (EDT)
- Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- In-reply-to: <841A051D8BD4144AA7B5AC63D97F9F051799CCFA@sjccmbxpw01p.paloaltonetworks.local>
- References: <841A051D8BD4144AA7B5AC63D97F9F051799CCCA@sjccmbxpw01p.paloaltonetworks.local> <841A051D8BD4144AA7B5AC63D97F9F051799CCFA@sjccmbxpw01p.paloaltonetworks.local>
- User-agent: Alpine 2.02 (SOC 1266 2009-07-14)
On Thu, 19 Mar 2015, Bin Lu wrote:
> Every time I connect to an ldaps URL, it generates a fatal error due
> to "unknown CA". Is it possible to disable this check?
[...]
> In connecting to the LDAP server with LDAPS or (start)TLS, what is the
> default behavior of the server certificate validation? How can I disable
> the default behavior?
You're not giving a lot to go on here, but I assume you're talking about a
client/libldap perspective. libldap's configuration file is documented in
the ldap.conf(5) man page. I'll call particular attention to one option
for TLS_REQCERT from the man page:
    demand | hard
        These keywords are equivalent. The server certificate is
        requested. If no certificate is provided, or a bad certificate
        is provided, the session is immediately terminated. This is the
        default setting.
So, per the ldap.conf(5) man page, you can reconfigure the CAs and/or
change this behavior with appropriate ldap.conf directives.
As a final note, if you're in the libldap context, ldap_set_option(3)
describes the OpenLDAP-specific TLS options to control this behavior
programmatically (i.e. via the API, rather than via the ldap.conf configuration
file).
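As an added illustration (not part of the original thread, and not an OpenLDAP-supplied file), the ldap.conf fragment below shows the setting the question is effectively asking for next to the configuration that actually resolves an "unknown CA" failure. The hostname, base DN and certificate paths are assumptions; the directive names and TLS_REQCERT keywords are those documented in ldap.conf(5).

```conf
# Constructed example ldap.conf for a libldap client. Hostname, base DN
# and file paths are placeholders, not values from the original post.

# --- The "disable the check" answer, and why it is the wrong fix ---
# TLS_REQCERT never   libldap still negotiates TLS but neither requests nor
#                     verifies the server certificate, so anyone on the path
#                     can impersonate the directory and collect bind credentials.
# TLS_REQCERT allow   requests the certificate but ignores a bad one; same
#                     outcome as "never" against an active attacker.
#
# TLS_REQCERT never

# --- Fix the cause of "unknown CA" instead: point libldap at the CA that
#     issued the server certificate, and keep the strict default explicit ---
URI             ldaps://ldap.example.com
BASE            dc=example,dc=com

# PEM bundle containing the issuing CA chain of the server certificate.
# Use either a single file or a c_rehash-style directory, not both.
TLS_CACERT      /etc/ssl/certs/example-corp-ca.pem
#TLS_CACERTDIR  /etc/openldap/cacerts

# "demand" (equivalently "hard") is already the default; stating it keeps a
# later per-user ~/.ldaprc or environment override from silently downgrading it.
TLS_REQCERT     demand
```

The same directives can be supplied per process as environment variables with an LDAP prefix (LDAPTLS_CACERT, LDAPTLS_REQCERT), which is convenient for checking a fix with ldapsearch before touching the system-wide file; in C, the equivalent knobs are the LDAP_OPT_X_TLS_REQUIRE_CERT and LDAP_OPT_X_TLS_CACERTFILE options of ldap_set_option(3). In every case the check to make is whether the CA bundle actually contains the issuer of the certificate the server presents; once it does, the default "demand" policy passes and nothing needs to be disabled.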