[exim] ldap_ca_cert_file for two distinct CA-Chains

Author: Olaf Hopp (SCC) via Exim-users
Date:
To: exim-users
Subject: [exim] ldap_ca_cert_file for two distinct CA-Chains
Dear Colleagues,
I have two different LDAP servers out of my control.
One of them moved to certs from Let's Encrypt, the other is still
using certs from our company CA.
In the past both of them used our company CA and I had the full chain
of the CA defined with the option "ldap_ca_cert_file = myCAchain.pem"
and I also set "ldap_require_cert = hard".

With the one LDAP server starting to use Let's Encrypt certs I ran into trouble.
Filling the file myCAchain.pem with the LE chain satisfies the one LDAP query
but breaks the other one.
So I filled ldap_ca_cert_file = myCAchain.pem
with *both* CA chains, and this seems to work.

My question is whether this is the intended way to resolve this issue.

The docs say:
This option indicates which file contains CA certificates for verifying a TLS certificate presented by an LDAP server

In the past I thought that this file could hold only *one* CA chain.

Regards, Olaf


--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Dipl.-Geophys. Olaf Hopp

Zirkel 2
Gebäude 20.21, Raum 316
76131 Karlsruhe

Telefon: +49 721 608-48009
E-Mail: Olaf.Hopp@???
Web: www.scc.kit.edu

Sitz der Körperschaft:
Kaiserstraße 12, 76131 Karlsruhe

KIT - Die Forschungsuniversität in der Helmholtz-Gemeinschaft
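The following is an added example; it is not part of Olaf's post and not Exim's own code. It reproduces the situation in the post with constructed test CAs: two independent CAs (stand-ins for the company CA and the Let's Encrypt chain), one LDAP server certificate issued by each, and a single PEM bundle holding both CA certificates. Verifying each server certificate with OpenSSL shows that a file holding only the company CA rejects the second server, while the concatenated bundle accepts both, because a PEM CA file is a list of trust anchors, not a single chain. The CA names, hostnames, the bundle path and the printed Exim snippet are assumptions for the demonstration; only the option names ldap_ca_cert_file and ldap_require_cert come from the post. The script requires the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the exim-users post or from Exim itself).
# Shows that one PEM file can carry several independent CA chains and that a
# verifier using it accepts a server certificate from either CA, while a file
# holding only one CA rejects the other server.  All names are constructed.
set -u

make_ca() {         # make_ca DIR NAME : self-signed test CA (constructed data)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

make_leaf() {       # make_leaf DIR NAME CA : server cert for NAME signed by CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" >/dev/null 2>&1
}

verify_leaf() {     # verify_leaf LEAF.pem CAFILE : prints "ok" or "fail"
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

exim_snippet() {    # exim_snippet BUNDLE : Exim main-section options (hypothetical path)
    printf 'ldap_ca_cert_file = %s\nldap_require_cert = hard\n' "$1"
}

run_demo() {        # build two CAs and two servers, print the verification matrix
    d=$(mktemp -d)
    make_ca "$d" company-ca           # stand-in for the in-house CA
    make_ca "$d" public-ca            # stand-in for the Let's Encrypt chain
    make_leaf "$d" ldap1.example company-ca
    make_leaf "$d" ldap2.example public-ca
    # The fix from the post: concatenate both CA chains into the one file that
    # ldap_ca_cert_file names.  Order does not matter; every certificate in the
    # file is an independent trust anchor.
    cat "$d/company-ca.pem" "$d/public-ca.pem" > "$d/ldap-ca-bundle.pem"
    # Columns: ldap1 vs company-only, ldap2 vs company-only,
    #          ldap1 vs bundle, ldap2 vs bundle
    printf '%s %s %s %s\n' \
        "$(verify_leaf "$d/ldap1.example.pem" "$d/company-ca.pem")" \
        "$(verify_leaf "$d/ldap2.example.pem" "$d/company-ca.pem")" \
        "$(verify_leaf "$d/ldap1.example.pem" "$d/ldap-ca-bundle.pem")" \
        "$(verify_leaf "$d/ldap2.example.pem" "$d/ldap-ca-bundle.pem")"
    rm -rf "$d"
}

run_demo                                    # prints: ok fail ok ok
exim_snippet /etc/exim/ldap-ca-bundle.pem   # options to point Exim at the bundle
```

With ldap_require_cert = hard the LDAP client library refuses the connection whenever the server certificate does not chain to one of the anchors in the file, which is exactly the failure seen when the file held only one chain. The same check can be run against a live server with `openssl s_client -connect host:636 -CAfile /path/to/bundle.pem` before changing the Exim configuration.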
