Re: [exim] How do I specify LDAPS x509 options?

Pàgina inicial
Delete this message
Reply to this message
Autor: Phil Pennock
Data:  
A: Ferenc Wagner
CC: exim-users
Assumpte: Re: [exim] How do I specify LDAPS x509 options?
On 2012-06-19 at 17:19 +0200, Ferenc Wagner wrote:
> Our LDAP server requires SSL connections, so I use the ldaps:// schema
> in the LDAP lookup URI. However, I also have to specify the CA
> certificates and the certificate policy in my /etc/ldap/ldap.conf, like:
>
> TLS_CACERT    /etc/ssl/certs/ca-certificates.crt
> TLS_REQCERT    demand

>
> However, I really don't like the configuration separated this way: what
> if I needed different TLS_CACERT or TLS_REQCERT options in Exim than in
> other places? Being unable to include these options in my Exim config
> feels like a shortcoming. Specification chapter 9, section 17 (LDAP
> authentication and control information) enumerates several options which
> can be set, but the above two are not in that bunch. Is there a good
> reason for this, were they omitted by mistake or do I overlook something?


Those are tuning knobs for authentication and controls *within* an LDAP
session; TLS control knobs are separate options, not part of the query.

----------------------------8< cut here >8------------------------------
14.6 Data lookups
[...]
ldap_ca_cert_dir     dir of CA certs to verify LDAP server's
ldap_ca_cert_file    file of CA certs to verify LDAP server's
ldap_cert_file       client cert file for LDAP
ldap_cert_key        client key file for LDAP
ldap_cipher_suite    TLS negotiation preference control
ldap_default_servers used if no server in query
ldap_require_cert    action to take without LDAP server cert
ldap_start_tls       require TLS within LDAP
ldap_version         set protocol version
----------------------------8< cut here >8------------------------------


Each of those also has full documentation.

Added in Exim 4.75, we're currently at Exim 4.80.

-Phil