Re[2]: [Exim] Report on Exim 4.12 and Openldap 2.1.10

Author: Peter A. Savitch
Date:  
To: Tony Earnshaw
CC: exim-users
Subject: Re[2]: [Exim] Report on Exim 4.12 and Openldap 2.1.10
Long time, Tony,

Wednesday, January 08, 2003, 12:21:03 AM, you wrote:

[snip]

TE> For me the break point was Openldap 2.1.10 with BDB 4.1.24


TE> People (also Openldap.org) state 2.0.x as being "stable". But the
TE> Openldap designers and developers continually recommend upgrade to 2.1.x
TE> because of shortcomings in 2.0.x. The only "stable" version of 2.0.x is
TE> said to be 2.0.27, and development of the 2.0.x line is finished.


[snip]

As I was an original initiator of some OpenLDAP features (like
ldapi://, thanks to Philip for making them work), I have to warn you
about Exim <=> OpenLDAP-2.1.x:

1) LDAP TLS cert verification is incomplete in Exim. You have no
client-side options for setting up its certs, CA certs, etc. But the
LDAP library looks in the system-wide ldap.conf for the CA cert, and Exim
has absolutely no information about this kind of behaviour.
While the OpenLDAP-2.1 library defaults to hard cert verification, some
configurations would not be functional. I've made a private hack.

2) ldap_auth over ldaps:// could be broken, because it must re-bind
the existing connection. In my particular environment it was broken (a
lot of 'Unable to contact LDAP server' messages with 550).
But I didn't try 2.1.10 though.

3) About hard stress and 100% bus utilization: you have indexed your
LDAP storage carefully, didn't you? ;-)

4) I use ldapi:// for local and ldaps:// for remote (backup) LDAP
server access. That seems to me the best practice.

PS Happy N.Y. and Merry Xmas to you, Tony. Sorry for the late reply.

--
Best regards,
 Peter                            mailto:spam4octan@highway.ru
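Added example, not part of Peter's message and not Exim or OpenLDAP project code. Point 1 above is that Exim 4.12 has no LDAP TLS options of its own, so the CA certificate and the verification policy come entirely from the OpenLDAP client library's system-wide ldap.conf. The script below audits such a file for the two directives that decide whether an ldaps:// bind is verified at all (TLS_REQCERT, and TLS_CACERT/TLS_CACERTDIR as the CA source). The directive names are the real OpenLDAP ldap.conf ones; the sample file contents, hostnames and the CA file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original message).  Audits an OpenLDAP
# ldap.conf for the TLS directives the client library, and therefore an
# Exim without its own LDAP TLS options, relies on.

# ldap_conf_get FILE DIRECTIVE
# Prints the last value set for DIRECTIVE (names are case-insensitive,
# '#' starts a comment line); prints an empty line when it is absent.
ldap_conf_get() {
    awk -v key="$2" 'toupper($1) == key { v = $2 } END { print v }' "$1"
}

# audit_ldap_conf FILE
# Returns 0 when TLS_REQCERT keeps server cert verification on and a
# readable CA source is configured; returns 1 and prints why otherwise.
audit_ldap_conf() {
    conf=$1
    rc=0
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$conf" TLS_CACERTDIR)

    case "$reqcert" in
        ''|demand|hard)
            # "demand" is the library default, so unset is equivalent
            ;;
        *)
            echo "$conf: TLS_REQCERT=$reqcert disables or weakens server cert verification"
            rc=1 ;;
    esac

    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "$conf: no TLS_CACERT or TLS_CACERTDIR; with verification on, every ldaps:// bind will fail"
        rc=1
    elif [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "$conf: TLS_CACERT=$cacert is not readable"
        rc=1
    fi
    return $rc
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed stand-in for a CA certificate file; the audit only checks
# that the configured path is readable, not the contents.
CA_FILE=$workdir/ca.pem
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed placeholder' '-----END CERTIFICATE-----' > "$CA_FILE"

# Constructed sample: verification on and a CA configured.
GOOD_CONF=$workdir/ldap-good.conf
cat > "$GOOD_CONF" <<EOF
URI         ldaps://ldap-backup.example.test
TLS_CACERT  $CA_FILE
TLS_REQCERT demand
EOF

# Constructed sample: the "just make it work" edit that silently turns
# verification off, which the hard default in OpenLDAP 2.1 otherwise enforces.
BAD_CONF=$workdir/ldap-bad.conf
cat > "$BAD_CONF" <<'EOF'
URI         ldaps://ldap-backup.example.test
TLS_REQCERT never
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if audit_ldap_conf "$f"; then
        echo "$f: OK"
    else
        echo "$f: needs attention"
    fi
done
```

Run it against the real file (typically /etc/openldap/ldap.conf or /etc/ldap/ldap.conf, which is an assumption about the local layout) by calling audit_ldap_conf on that path instead of the constructed samples; a non-zero return is the cue that either Exim's LDAP lookups are running unverified or, as in point 1, that they will fail because no CA was ever configured for the library.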