Re: [exim-dev] [Bug 1382] ldap_require_cert has no effect

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1382] ldap_require_cert has no effect
On Tue, Sep 10, 2013 at 09:28:27PM +0100, Phil Pennock wrote:

> ------- You are receiving this mail because: -------
> You are on the CC list for the bug.
>
> http://bugs.exim.org/show_bug.cgi?id=1382
>
> --- Comment #12 from Phil Pennock <pdp@???> 2013-09-10 21:28:27 ---
> The only LDAP implementation I've ever used is OpenLDAP; all my other knowledge
> comes from working with people reporting bugs during RC testing with other
> providers.
>
> My LDAP usage is fairly light and I don't currently use it in a mail-system, so
> I do not have the deep knowledge you're looking for, sorry.
>
> Hey Todd? Tag, you're it. ;) Thanks!

For what it is worth, Postfix does not support the "try" and "allow"
values of OpenLDAP's TLS_REQCERT. The administrator can choose
only between "never" and "demand".

The "try" and "allow" values simply make no sense from a security
perspective. Postfix sets the per-connection option to one of:

    LDAP_OPT_X_TLS_DEMAND : LDAP_OPT_X_TLS_NEVER

depending on an administrator-selected boolean option for the LDAP
table. These settings seem to work on a per-connection basis, or
at least we've not had any bug reports about it since Postfix 2.5
(approximately six years ago).

If the OP's configuration works with "never" rather than "allow",
he should use that. The "allow" setting is, I believe, pointless.

-- 
    Viktor.
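The policy Viktor describes, as an added example that is not Postfix, Exim or OpenLDAP code: an administrator's boolean is mapped to exactly one of the two per-connection values that make sense, and the OpenLDAP keywords "try" and "allow" are rejected outright rather than silently accepted. The numeric values are copied from OpenLDAP's ldap.h so the example builds without libldap; real code would include ldap.h and hand the chosen value to ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert) before starting TLS on that handle. The function names and the keyword-validation helper are this example's own, not anything the projects in the thread export.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Values as defined in OpenLDAP's <ldap.h> (copied here so this builds
 * stand-alone; a real client includes <ldap.h> instead). */
#define X_TLS_NEVER   0  /* never:  do not request or check a server cert  */
#define X_TLS_HARD    1  /* hard:   equivalent to demand                    */
#define X_TLS_DEMAND  2  /* demand: cert required and verified, else abort  */
#define X_TLS_ALLOW   3  /* allow:  missing or BAD cert still proceeds      */
#define X_TLS_TRY     4  /* try:    missing cert still proceeds             */

/* Postfix-style policy: the administrator gets a boolean, nothing in
 * between. Either the server certificate is demanded and verified, or
 * certificate checking is switched off entirely and the operator knows it. */
int reqcert_from_bool(int require_cert)
{
    return require_cert ? X_TLS_DEMAND : X_TLS_NEVER;
}

/* Hypothetical keyword validator for a config file that accepts OpenLDAP's
 * TLS_REQCERT vocabulary. Returns the per-connection value for "never",
 * "demand" and "hard", and -1 for anything else. "try" and "allow" are
 * refused on purpose: with "try" an unauthenticated peer that simply
 * presents no certificate is accepted, and with "allow" even a certificate
 * that fails verification is accepted, so neither setting protects against
 * an active attacker and both are better expressed as "never". */
int reqcert_from_keyword(const char *keyword)
{
    if (keyword == NULL)
        return -1;
    if (strcasecmp(keyword, "never") == 0)
        return X_TLS_NEVER;
    if (strcasecmp(keyword, "demand") == 0)
        return X_TLS_DEMAND;
    if (strcasecmp(keyword, "hard") == 0)
        return X_TLS_HARD;
    if (strcasecmp(keyword, "try") == 0 || strcasecmp(keyword, "allow") == 0) {
        fprintf(stderr, "tls_require_cert = %s is not supported: "
                "it accepts unverified servers; use \"never\" or \"demand\"\n",
                keyword);
        return -1;
    }
    fprintf(stderr, "unknown tls_require_cert value: %s\n", keyword);
    return -1;
}

int main(void)
{
    /* Constructed sample inputs, as they might appear in a config file. */
    const char *samples[] = { "demand", "never", "allow", "try", "bogus" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-7s -> %d\n", samples[i], reqcert_from_keyword(samples[i]));
    printf("boolean yes -> %d, no -> %d\n",
           reqcert_from_bool(1), reqcert_from_bool(0));
    return 0;
}
```

Note that the value is a property of the connection handle: with a client that opens a fresh `ld` per lookup, it must be set on every handle before TLS is negotiated, which is the per-connection behaviour the message above describes.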