c) DNS server is not set up I.e., the certificate could be issued
with a name like “netact.operator”, but we’d be using 10.2.3.7, and
DNS has not been setup in the operator internal network >
But what we feel is that there should be an option to be chosen by
user to either ignore or enable hostname checking.
If you're using ldaps://10.2.3.7 for connecting without DNS resolving
you could add a subjectAltName extension to your server cert containing
this particular IP address. That's basically just another GeneralName type.
You could also tweak your local /etc/hosts (preferrably with decent
config mgt.) to correctly map FQDN "netact.operator" to the IP address.
Already we know
that HTTP clients, for example, browsers provide such option to user
and it's up to the user that whether to continue communication to the
server or not, if hostname mismatch occurs.
Note that web browsers are driven interactively by users whereas LDAP
clients are most times systems without direct user interaction. In the
interactive case you simply delegate the informed trust decision to the
user which is a bad thing to do anyway. Therefore web browsers will also
limit this functionality in the not so far future.
Due to MIME processing deficiencies of the ITS your messages are
displayed base64-encoded and therefore hard to read: