Re: [Exim] ldap lookups with starttls

Author: Douglas Gray Stephens
Date:  
To: Philip Hazel
CC: exim-users
Subject: Re: [Exim] ldap lookups with starttls
At 09:48 on 8-January-2002, Philip Hazel wrote:
> On Tue, 8 Jan 2002, Douglas Gray Stephens wrote:
>
> > I suspect that most people are calling LDAP from Exim to look up
> > details, but few are using it for authentication, so startssl may be
> > a nice to have option for a minority of users.
>
> I am not entirely sure how this differs from support for "ldaps" (which
> Exim 4 already has). In Exim 4 you can write
>
> ${if ldapauth{ldapquery}{yes string}{no string}}
>
> and the query can use "ldap" or "ldaps" as required.
>
> Basically, I want to know if it's worth my while understanding the
> posted patch's code for explicit startssl support, or whether "ldaps"
> can do all that is needed for Exim usage.


So given that exim does not keep the LDAP session open, there is
no way to decide when to switch from "sniffable" ldap to starttls
("unsniffable").

In this case I agree that the current ldaps should be sufficient.

Does (or should) exim check the credentials for the encrypted session
(so, in the Perl Net::LDAP module terms:

    How to verify the server's certificate, either 'none' (the server may
    provide a certificate but it will not be checked - this may mean you
    are connected to the wrong server), 'optional' (verify if the
    server offers a certificate), or 'require' (the server must provide a
    certificate, and it must be valid.) If you set verify to optional or
    require, you must also set either cafile or capath. The most secure
    option is 'require'.
)?

Douglas.

--

================================
Douglas GRAY STEPHENS
Global Infrastructure (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND

Phone  +44 1223 325295
Mobile +44 773 0051628
Fax    +44 1223 311830
Email DGrayStephens@???
================================
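The two ways of getting an encrypted LDAP session that the thread compares (ldaps:// versus plain ldap:// followed by STARTTLS), together with the Net::LDAP verify option Douglas quotes, as an added example that is not part of the original post or of Exim. It uses the public Net::LDAP API only; the host name, CA file path and DN layout are placeholders, and the "authenticate" step is a plain simple bind standing in for what Exim's ldapauth condition does.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list post): authenticate a user
# against an LDAP server over TLS with Net::LDAP, comparing the two ways
# of getting an encrypted session (ldaps:// versus ldap:// + STARTTLS).
# Both use verify => 'require' plus a CA file, which is the setting the
# Net::LDAP documentation quoted in the post calls the most secure option.
use strict;
use warnings;
use Net::LDAP;

# Assumed values: replace with your own server, CA bundle and DN layout.
my $host    = 'ldap.example.com';              # hypothetical server
my $cafile  = '/etc/ssl/certs/example-ca.pem'; # hypothetical CA bundle
my $base_dn = 'ou=people,dc=example,dc=com';   # hypothetical base DN

# Options shared by both connection styles. 'require' makes Net::LDAP
# refuse the session unless the server presents a certificate that
# chains to $cafile; 'none' would silently accept any server, which is
# the "connected to the wrong server" case the documentation warns about.
my %tls_opts = (
    verify => 'require',
    cafile => $cafile,
);

# Style 1: ldaps:// - TLS is negotiated before any LDAP traffic is sent.
sub connect_ldaps {
    my $ldap = Net::LDAP->new("ldaps://$host", %tls_opts)
        or die "ldaps connect to $host failed: $@";
    return $ldap;
}

# Style 2: plain ldap:// followed by STARTTLS. Nothing sensitive may be
# sent before start_tls() succeeds, so its result is checked before any
# bind is attempted on the connection.
sub connect_starttls {
    my $ldap = Net::LDAP->new("ldap://$host")
        or die "ldap connect to $host failed: $@";
    my $mesg = $ldap->start_tls(%tls_opts);
    die "STARTTLS failed: " . $mesg->error if $mesg->code;
    return $ldap;
}

# Simple bind as the user: the credentials only ever cross the wire
# inside the TLS session established above.
sub authenticate {
    my ($ldap, $uid, $password) = @_;
    my $mesg = $ldap->bind("uid=$uid,$base_dn", password => $password);
    return $mesg->code == 0;   # LDAP result code 0 means success
}

my ($uid, $password) = @ARGV;
die "usage: $0 <uid> <password>\n" unless defined $password;

for my $style (['ldaps', \&connect_ldaps], ['starttls', \&connect_starttls]) {
    my ($name, $connect) = @$style;
    my $ldap = $connect->();
    my $ok   = authenticate($ldap, $uid, $password);
    printf "%-8s bind for %s: %s\n", $name, $uid, $ok ? 'OK' : 'FAILED';
    $ldap->unbind;
}
```

Run as `perl ldap-tls-check.pl someuser 'password'` against a server whose certificate chains to the CA file; with verify => 'require' both connection styles fail closed (die before binding) when the certificate does not validate, which is the behaviour to expect from any mail server doing LDAP authentication, whether via ldaps or STARTTLS.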