mohammad(a)securiteam.io wrote:
> Full_Name: Mohammad Nweider
> Version: master
> OS: Redhat Linux
> URL:
> https://www.securiteam.io/contribs/openldap/mohammad-20160131-0001-fix-ba...
> Submission from: (NULL) (89.100.154.148)
>
> Hello,
>
> We've found a small bug when trying to run openldap with the meta backend.
> What we were trying to achieve is to have our server listen on an ssl/tls
> port and to communicate with the meta targets over ssl/tls as well, but due
> to the fact that we're using a self-signed certificate and we don't have
> access to manage the meta targets, we wanted to skip the client certificate
> verification when connecting to the meta targets. So we tried adding
> idassert-bind tls_reqcert=never to our meta config for this purpose, but
> unfortunately it didn't work as expected.
There is no bug here. The tls_reqcert setting controls whether the local node
requires the remote target to provide a valid server certificate. It has
nothing to do with client certificates at all.
> Whenever openldap has a certificate/key either in
> TLSCertificateFile/TLSCertificateKeyFile or in idassert-bind tls_cert/tls_key
> settings, it completely ignores tls_reqcert in idassert-bind!
Because the reqcert setting has nothing to do with this.
Closing this ITS.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
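For readers following this thread, the following slapd.conf fragment is an added example, not a configuration from the report or from the OpenLDAP project. It shows where the tls_reqcert option sits in a meta database and what it governs: the validation that slapd, acting as a TLS client toward the target, performs on the target's server certificate. Keyword names are taken from slapd-meta(5); the suffix, URI, DNs, credentials and file paths are placeholders.

```conf
# Added example (not from the ITS): one meta database proxying to a single
# target over ldaps. Host names, DNs, password and paths are placeholders.

database        meta
suffix          "dc=example,dc=com"

# The remote target, reached over TLS.
uri             "ldaps://target.example.com/dc=example,dc=com"

# tls_reqcert controls whether slapd requires the *target* to present a
# valid server certificate on this outbound connection. "never" switches
# that check off entirely; "demand" requires a chain that validates.
# It says nothing about any client certificate slapd itself presents,
# which is what tls_cert/tls_key are for.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="secret"
                mode=self
                tls_reqcert=never

# Safer way to handle a self-signed target certificate when the target
# cannot be changed: trust that exact certificate (or its issuing CA)
# explicitly and keep verification on, instead of disabling it.
# Uncomment this block and remove the one above to use it.
#idassert-bind   bindmethod=simple
#                binddn="cn=proxy,dc=example,dc=com"
#                credentials="secret"
#                mode=self
#                tls_cacert=/etc/openldap/certs/target-selfsigned.pem
#                tls_reqcert=demand
```

With tls_reqcert=never the proxy accepts any certificate the target presents, so an on-path attacker who can answer for target.example.com gets the proxy's bind credentials; pinning the self-signed certificate via tls_cacert removes that exposure without needing access to the target.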