Oh, thanks for clearing up the confusion. Then is there any way to prevent openldap from sending its server certificate as a client one when connecting to the meta target? I mean other than changing TLSVerifyClient on the remote host, as we don't have access to do this.
Regards,
Quoting Howard Chu hyc@symas.com:
mohammad@securiteam.io wrote:
Full_Name: Mohammad Nweider
Version: master
OS: Redhat Linux
URL: https://www.securiteam.io/contribs/openldap/mohammad-20160131-0001-fix-backm...
Submission from: (NULL) (89.100.154.148)
Hello,
We've found a small bug when trying to run openldap with the meta backend. What we were trying to achieve is to have our server listen on an ssl/tls port and communicate with the meta targets over ssl/tls as well, but because we're using a self-signed certificate and don't have access to manage the meta targets, we wanted to skip the client certificate verification when connecting to the meta targets. So we tried adding idassert-bind tls_reqcert=never to our meta config for this purpose, but unfortunately it didn't work as expected.
There is no bug here. The tls_reqcert setting controls whether the local node requires the remote target to provide a valid server certificate. It has nothing to do with client certificates at all.
Whenever openldap has a certificate/key either in TLSCertificateFile/TLSCertificateKeyFile or in the idassert-bind tls_cert/tls_key settings, it completely ignores tls_reqcert in idassert-bind!
Because the reqcert setting has nothing to do with this.
Closing this ITS.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
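As an added illustration (not part of the thread and not taken from OpenLDAP's own documentation), the slapd.conf fragment below puts the setting the report tried next to a form that keeps verification of the target's server certificate switched on. The suffix, target hostname, bind DN, password and file paths are assumed placeholders.

```conf
# Added example, not from the thread. Hostnames, DNs, credentials and
# file paths below are assumed placeholders.
database        meta
suffix          "dc=example,dc=com"

# Target reached over TLS. On this connection the proxy is the client.
uri             "ldaps://target.example.com/dc=example,dc=com"

# What the report tried: tls_reqcert=never only tells the proxy not to
# verify the target's SERVER certificate. It does not control whether a
# client certificate is presented, and it leaves the proxy unable to tell
# the real target from an impersonated one.
#idassert-bind  bindmethod=simple
#               binddn="cn=proxy,dc=example,dc=com"
#               credentials="changeme"
#               mode=none
#               tls_reqcert=never

# Preferred: trust the target's self-signed certificate explicitly by
# listing it as a CA, and keep verification strict. tls_cert/tls_key are
# the idassert-bind options that would present a client certificate to
# the target; they are deliberately omitted here.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="changeme"
                mode=none
                tls_cacert=/etc/openldap/certs/target-cert.pem
                tls_reqcert=demand
```

Only the proxy's own configuration changes in the second form, so it fits the constraint in the report that the meta targets cannot be administered; the target's certificate just has to be copied into the file named by tls_cacert.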