Re: Re[2]: [Exim] Report on Exim 4.12 and Openldap 2.1.10

Author: Tony Earnshaw
Date:  
To: Peter A. Savitch
Subject: Re: Re[2]: [Exim] Report on Exim 4.12 and Openldap 2.1.10
Wed, 2003-01-08 at 17:36, Peter A. Savitch wrote:

> Long time, Tony,


Long time tovaritsj.

> 1) LDAP TLS cert verification is incomplete in Exim. You have no
> client-side options for setting up its certs, CA certs, etc. But the
> LDAP library looks for the system-wide ldap.conf for the CA cert, and Exim
> has absolutely no information about this kind of behaviour.
> While the OpenLDAP-2.1 library defaults to hard cert verification, some
> configurations would not be functional. I've made a private hack.


True. But Exim is the client and only has to accept the LDAP server's
certificate. Which he apparently does through /etc/ldap.conf.

> 2) ldap_auth over ldaps:// could be broken, because it must re-bind
> the existing connection. In my particular environment it was broken (a
> lot of 'Unable to contact LDAP server' messages with 550).
> But I didn't try 2.1.10, though.


Yippee. One who backs me up. Actually, my whole post was about Exim
4.1.12 and Openldap 2.1.10, and how my troubles went away. However,
don't try Openldap 2.1.11; apparently it's broken.

> 3) About hard stress and 100% bus utilization: You have indexed Your
> LDAP storage carefully, didn't You ? ;-)


Yes. But one would have to appreciate my particular conditions to
understand *why* I should have 100% disk (not bus) utilization. I'm too
embarrassed to say why, but I can't get away from it. Just say that I'm
now 110% happy.

> 4) I use ldapi:// for local and ldaps:// for remote (backup) LDAP
> server access. That seems for me as the best practice.


Definitely.

> PS Happy N.Y. and Merry Xmas to You, Tony. Sorry for being late.


I'll take the "Happy N.Y. and Merry Xmas" on account, thanks. Same to
you in 2003/2004 :)

Best,

Tony

--

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:        tonni@???
www:        http://www.billy.demon.nl
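
The setup that points 1, 2 and 4 above describe, written out as an added
example (not configuration posted by either correspondent, and not part
of the Exim or OpenLDAP projects): the OpenLDAP client's own ldap.conf
carries the CA certificate that libldap, not Exim, uses to verify the
ldaps:// server, while the Exim router talks to the local server over
ldapi:// and the authenticator binds against the remote replica over
ldaps://. The CA bundle path, socket path, host name, the
ou=people,dc=example,dc=com tree and the transport name are all
assumptions. The point about Exim having no client-side TLS options
applies to the Exim 4.12 era discussed here; Exim 4.80 and later added
main options such as ldap_ca_cert_file and ldap_require_cert, so the
verification policy no longer has to live only in the library's file.

```conf
# /etc/ldap.conf -- OpenLDAP client defaults, read by libldap on Exim's
# behalf. Exim itself never sees these settings. (Assumed paths.)
TLS_CACERT  /etc/ssl/certs/ca-bundle.pem
# Keep verification strict. "never" makes a misconfigured CA path "work"
# but turns ldaps:// into unauthenticated encryption.
TLS_REQCERT demand

# exim.conf (main section) -- assumed bind identity for searches; the
# password should come from a root-only file, not be inlined like this.
ldap_default_servers =
LDAP_BASE = ou=people,dc=example,dc=com

# exim.conf (routers section) -- local delivery decided by a search over
# the Unix socket. Slashes in the socket path are URL-encoded as %2F;
# the local part is quoted for use inside an LDAP filter.
ldap_users:
  driver = accept
  condition = ${lookup ldap{ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/LDAP_BASE?uid?sub?(uid=${quote_ldap:$local_part})}{yes}{no}}
  transport = local_delivery

# exim.conf (authenticators section) -- SMTP AUTH PLAIN verified with a
# bind (ldapauth) against the remote replica over TLS. The DN component
# is quoted with quote_ldap_dn, the filter-style quoting would be wrong
# here. PLAIN is only advertised once the SMTP session itself is on TLS.
plain_ldap:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_advertise_condition = ${if def:tls_cipher}
  server_condition = ${lookup ldapauth{user="uid=${quote_ldap_dn:$auth2},LDAP_BASE" pass=${quote:$auth3} ldaps://ldap2.example.com/}{yes}{no}}
  server_set_id = $auth2
```

Two practical checks follow from the thread: if `ldapsearch -H
ldaps://ldap2.example.com/ -x` fails on certificate verification from the
same host, Exim's ldapauth will fail the same way and the fix belongs in
ldap.conf, not in exim.conf; and because ldapauth has to bind (and re-bind)
on the ldaps:// connection, keep the bind lookup on its own URL rather than
reusing a cached search connection if you see the "Unable to contact LDAP
server" symptom Peter reported.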