On Thu, Oct 31, 2013 at 01:04:56PM -0700, Todd Lyons wrote:
> Some very specific googling resulted in finding this OpenLDAP post:
> http://www.openldap.org/lists/openldap-technical/201202/msg00463.html
> ...which led to this post by Viktor on the Postfix mailing list:
> http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57688.html
>
> It seems Viktor had to slog through the same thing a few years back
> when OpenLDAP changed the behavior of the client libraries from 2.3 to
> 2.4.
That's funny, there I was dutifully keeping an eye on this thread
waiting to see whether you guys found a new subtlety I have to
worry about in the Postfix LDAP driver... :-) The Postfix patch
from 2009 is by now burned-in rather well, you should not find any
trouble using the same approach to set a per-connection TLS
verification level.
I'd forgotten the exact details, and no longer keep the OpenLDAP
sources on hand. This patch dates back to the time I hoarded
sources for a few dozen major.minor.micro versions of OpenLDAP from
2.0 to 2.4 and needed to RTFS multiple versions from time to time
to see when various API changes and bug fixes appeared.
While not all the API changes from 2.0 to 2.4 are an improvement
(deprecation of many simple interfaces in favour of more complex
low level functions was a mistake IMHO), overall the churn rate is
way down now, and OpenLDAP 2.4 is a reasonably mature interface.
--
Viktor.
P.S.
For what it's worth, I consider the "try" and "allow" levels to be
rather silly, Postfix only implements "none" or "demand" (TLS
authentication on or off). There really is no sensible middle
ground. Half-authenticated connections are just a waste of CPU
and pointless opportunities for various forms of failure.
The wise thing IMHO is to only not offer snake-oil security levels
to users. They have a hard enough time figuring out the security
settings that actually work.