
Re: openldap client cert validation



2016-08-06 20:03 GMT+03:00 Ryan Tandy <ryan@nardis.ca>:
> On Sat, Aug 06, 2016 at 07:14:37PM +0300, Matwey V. Kornilov wrote:
>>
>> After inspecting the source code I've just found that TLS_KEY and TLS_CERT
>> are ignored if located in /etc/openldap/ldap.conf.
>> Why is it not written explicitly in man ldap.conf(5)?
>
>
> It is.
>
>       TLS_CERT <filename>
>              Specifies the file that contains the client certificate.
>              This is a user-only option.
>
> [...]
>
>       TLS_KEY <filename>
>              Specifies the file that contains the private key that matches
>              the certificate stored in the TLS_CERT file. Currently, the
>              private key must not be protected with a password, so it is of
>              critical importance that the key file is protected carefully.
>              This is a user-only option.
>
> "User-only" is defined at the top of the page:
>
>         Some options are user-only.  Such options are ignored if present in
> the ldap.conf (or file specified by LDAPCONF).

However, I'll prepare a patch issuing a warning in
openldap_ldap_init_w_conf. Don't you mind?

-- 
With best regards,
Matwey V. Kornilov
http://blog.matwey.name
xmpp://0x2207@jabber.ru
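The man page text quoted above says that TLS_CERT and TLS_KEY are user-only and are silently ignored when they appear in the system-wide ldap.conf, and that the private key cannot be password protected. The following POSIX sh helpers, added here as an example and not code from the OpenLDAP project or from anyone in this thread, make both points checkable: one lists user-only options that were placed in a given config file (where libldap would ignore them), the other verifies that a referenced private key file is readable by its owner only. The sample config content and key file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not OpenLDAP code. Lint an ldap.conf-style file for the
# user-only options named in ldap.conf(5) (TLS_CERT, TLS_KEY), which libldap
# ignores in the system-wide file, and check the mode of the key file.

# Print each user-only option found in the file $1 as "KEYWORD value",
# one per line. Comment and blank lines are skipped; keyword matching is
# case-insensitive, as ldap.conf(5) keywords are.
find_user_only_opts() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        toupper($1) == "TLS_CERT" || toupper($1) == "TLS_KEY" { print toupper($1), $2 }
    ' "$1"
}

# Return 0 if file $1 grants no group/other permission bits, 1 otherwise.
# Columns 5-10 of ls -l are the group and other permission triplets.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Lint config file $1: print one diagnostic per finding on stdout.
# Returns 0 when nothing was found, 1 when at least one diagnostic was printed.
lint_ldap_conf() {
    out=$(find_user_only_opts "$1" | while read -r key val; do
        printf '%s: %s is user-only and ignored here; set it in ~/.ldaprc or $LDAPRC\n' "$1" "$key"
        if [ "$key" = "TLS_KEY" ] && [ -e "$val" ] && ! key_is_private "$val"; then
            printf '%s: private key is readable by group/other; chmod 600 it\n' "$val"
        fi
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed demonstration input (a throwaway directory, not real credentials).
demo_dir=$(mktemp -d)
printf 'not a real key\n' > "$demo_dir/key.pem"
chmod 644 "$demo_dir/key.pem"
printf 'BASE dc=example,dc=org\n# TLS_CERT /commented/out.pem\ntls_cert /tmp/client.pem\nTLS_KEY %s/key.pem\n' \
    "$demo_dir" > "$demo_dir/ldap.conf"

# Run the lint when executed directly; prints three diagnostics and exits 1.
case "$0" in
    *lint_ldap_conf*) lint_ldap_conf "$demo_dir/ldap.conf" ;;
esac
```

The lint only reports the two keywords the quoted man page calls user-only; any other user-only option in ldap.conf(5) can be added to the awk condition in the same way. Run it over /etc/openldap/ldap.conf after an upgrade or config merge to catch settings that were moved there and quietly stopped taking effect.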