Re: [Exim] LDAP over TLS failing to bind/lookup.

Author: Peter A. Savitch
Date:
To: Eric Renfro
Subject: Re: [Exim] LDAP over TLS failing to bind/lookup.
Hello Eric,

Tuesday, August 20, 2002, 2:03:27 PM, you wrote:

ER> I've tested this same auth against using ldapsearch using -ZZ to make sure it
ER> worked over TLS, and it succeeded.

ER> Also, the same thing worked, using ldap, versus ldaps. I just would prefer it
ER> over TLS for obvious security reasons.

I guess the certificate verification fails.
Which LDAP do you use? If it's OpenLDAP, try debugging (slapd -d -1).
Verification might fail if the server or client certificates are bad
or the TLS library finds an untrusted self-signed certificate in the chain (you
must specify the CA certificate).

Regarding OpenLDAP.
You can try to set TLSCACertificateFile in slapd.conf and TLS_CACERT
in /etc/ldap.conf. The OpenLDAP library uses the environment, which is
*INSECURE* in these circumstances. There is no complete workaround at
this time. A local user can set a variable to disable /etc/ldap.conf
processing, that is, to disable the CA you supplied.

See my post in openldap-software list:
http://www.openldap.org/lists/openldap-software/200208/msg00285.html

I suggest you use the ldapi:// URL scheme. The patch is available.

--
Best regards,
 Peter                            mailto:spam4octan@highway.ru
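As an added example (not from Peter's post or from the OpenLDAP project), a POSIX shell audit of an ldap.conf file for the CA directive discussed above, plus a check for the environment variables through which the library lets a local user override that file. It also inspects TLS_REQCERT, which the post does not mention; directive and variable names are as documented in ldap.conf(5), and the config paths and sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenLDAP client
# configuration (normally /etc/ldap.conf or /etc/openldap/ldap.conf) for the
# CA directives Peter mentions, and report the environment variables that
# let a local user bypass that file. Names are from ldap.conf(5).

# last_value FILE KEYWORD: print the last value given for KEYWORD
# (keywords are case-insensitive; '#' comment lines never match).
last_value() {
    awk -v key="$2" 'toupper($1) == key { v = $2 } END { print v }' "$1"
}

# audit_ldap_conf FILE: print one finding per line; exit 0 only when the
# file pins a CA and requires the server certificate to verify.
audit_ldap_conf() {
    rc=0
    cacert=$(last_value "$1" TLS_CACERT)
    cadir=$(last_value "$1" TLS_CACERTDIR)
    reqcert=$(last_value "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "no TLS_CACERT or TLS_CACERTDIR: no CA is pinned for the server chain"
        rc=1
    elif [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "TLS_CACERT $cacert is not readable: verification will fail"
        rc=1
    fi
    case "${reqcert:-demand}" in   # ldap.conf(5): the default is demand
        demand|hard) ;;
        never|allow|try)
            echo "TLS_REQCERT $reqcert tolerates missing or unverified certificates"
            rc=1 ;;
        *) echo "TLS_REQCERT $reqcert is not a recognised value"; rc=1 ;;
    esac
    return $rc
}

# check_ldap_env: the library consults these variables before reading
# ldap.conf, so a local user can redirect or disable the file entirely.
check_ldap_env() {
    rc=0
    for v in LDAPNOINIT LDAPCONF LDAPRC; do
        eval "val=\${$v-}"
        if [ -n "$val" ]; then
            echo "$v is set ($val): /etc/ldap.conf may be bypassed"
            rc=1
        fi
    done
    return $rc
}
```

Run `audit_ldap_conf /etc/ldap.conf; check_ldap_env` as the user that Exim lookups run as; a non-zero exit from either points at the failure mode described in the post.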