On 2012-06-19 at 17:19 +0200, Ferenc Wagner wrote:
> Our LDAP server requires SSL connections, so I use the ldaps:// schema
> in the LDAP lookup URI. However, I also have to specify the CA
> certificates and the certificate policy in my /etc/ldap/ldap.conf, like:
>
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
> TLS_REQCERT demand
>
> However, I really don't like the configuration separated this way: what
> if I needed different TLS_CACERT or TLS_REQCERT options in Exim than in
> other places? Being unable to include these options in my Exim config
> feels like a shortcoming. Specification chapter 9, section 17 (LDAP
> authentication and control information) enumerates several options which
> can be set, but the above two are not in that bunch. Is there a good
> reason for this, were they omitted by mistake or do I overlook something?
Those are tuning knobs for authentication and controls *within* an LDAP
session; TLS control knobs are separate options, not part of the query.
----------------------------8< cut here >8------------------------------
14.6 Data lookups
[...]
ldap_ca_cert_dir dir of CA certs to verify LDAP server's
ldap_ca_cert_file file of CA certs to verify LDAP server's
ldap_cert_file client cert file for LDAP
ldap_cert_key client key file for LDAP
ldap_cipher_suite TLS negotiation preference control
ldap_default_servers used if no server in query
ldap_require_cert action to take without LDAP server cert
ldap_start_tls require TLS within LDAP
ldap_version set protocol version
----------------------------8< cut here >8------------------------------
Each of those also has full documentation.
Added in Exim 4.75, we're currently at Exim 4.80.
-Phil
