Re: [exim] How do I specify LDAPS x509 options?

Inizio della pagina
Delete this message
Reply to this message
Autore: Ferenc Wagner
Data:  
To: exim-users
Oggetto: Re: [exim] How do I specify LDAPS x509 options?
Phil Pennock <exim-users@???> writes:

> On 2012-06-19 at 17:19 +0200, Ferenc Wagner wrote:
>
>> Our LDAP server requires SSL connections, so I use the ldaps:// schema
>> in the LDAP lookup URI. However, I also have to specify the CA
>> certificates and the certificate policy in my /etc/ldap/ldap.conf, like:
>>
>> TLS_CACERT    /etc/ssl/certs/ca-certificates.crt
>> TLS_REQCERT    demand

>>
>> However, I really don't like the configuration separated this way: what
>> if I needed different TLS_CACERT or TLS_REQCERT options in Exim than in
>> other places? Being unable to include these options in my Exim config
>> feels like a shortcoming. Specification chapter 9, section 17 (LDAP
>> authentication and control information) enumerates several options which
>> can be set, but the above two are not in that bunch. Is there a good
>> reason for this, were they omitted by mistake or do I overlook something?
>
> Those are tuning knobs for authentication and controls *within* an LDAP
> session; TLS control knobs are separate options, not part of the query.


Makes perfect sense, thanks!

> 14.6 Data lookups
> [...]
> ldap_ca_cert_dir     dir of CA certs to verify LDAP server's
> ldap_ca_cert_file    file of CA certs to verify LDAP server's
> ldap_cert_file       client cert file for LDAP
> ldap_cert_key        client key file for LDAP
> ldap_cipher_suite    TLS negotiation preference control
> ldap_default_servers used if no server in query
> ldap_require_cert    action to take without LDAP server cert
> ldap_start_tls       require TLS within LDAP
> ldap_version         set protocol version

>
> Added in Exim 4.75, we're currently at Exim 4.80.


Great, exactly what I need! Pity we're still runnig 4.72...

Aside, I'm usually fairly good at reading documentation, but I plainly
fell short in this case. May I suggest putting some pointer to these
options into 9.16 LDAP connection in the fine manual? It already
mentions ldap_default_servers several times; something like "for other
LDAP connection options (eg. TLS, version) see ldap_* in 14.6" would
suffice in my opinion.

Aside2, ldaps:/// tries to connect to port 389 if no port is specified
in ldap_default_servers (on Exim 4.72). Shouldn't it use 636 instead?
--
Thanks again,
Feri.