sudhir.singam@nokia.com wrote:
Full_Name: Singam Sudhir Reddy
Version: master branch
OS: fedora
URL: ftp://ftp.openldap.org/incoming/sudhirsingam-180506.patch
Submission from: (NULL) (61.1.232.154)
The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by NOKIA. NOKIA has not assigned rights and/or interest in this work to any party. I, SINGAM SUDHIR REDDY, am authorized by NOKIA, my employer, to release this work under the following terms.
NOKIA hereby places the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.
Description:
This is a minor enhancement to introduce a new LDAP option "LDAP_OPT_X_TLS_DEMAND_EXCL_HOSTNAME_CHECK" to ignore hostname checking by the client in TLS communication mode. This is very similar to the "LDAP_OPT_X_TLS_DEMAND" LDAP option except that HOSTNAME checking is ignored.
This option can be set by the client either by using the LDAP API "ldap_set_option" or globally in the configuration file /etc/openldap/ldap.conf, as below.
TLS_REQCERT demand_excl_hostname_check
Purpose:
Generally operators use the same set of certificates for different services (from different hosts) which support TLS communication. When such certificates are used, this option gives openldap-based services the facility to ignore hostname checking at the client side.
No. If you're using a single set of certificates for multiple hosts you should be using a wildcard cert. Closing this ITS.
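Added example, not part of the thread and not OpenLDAP code: the name check that a wildcard or multi-name certificate has to pass, showing how one certificate can cover several hosts while hostname checking stays enabled. The function names, the matching rules chosen (wildcard only as the whole left-most label, one label deep) and the example.com / example.net names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: subjectAltName dNSName entries of one shared cert. */
static const char *const shared_cert_sans[] = { "*.example.com", "ldap.example.net" };

/* DNS names compare case-insensitively. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 if certificate name `pattern` covers `host`, else 0.
 * Assumed policy: "*" is honoured only as the entire left-most label and
 * stands for exactly one label; IP addresses are not handled here. */
int san_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);

    if (plen == 0 || hlen == 0)
        return 0;
    if (strchr(pattern, '*') == NULL)              /* plain name: exact match */
        return plen == hlen && eq_nocase(pattern, host, plen);

    /* Reject "l*.example.com", "*" alone, and any second wildcard. */
    if (plen < 3 || pattern[0] != '*' || pattern[1] != '.' ||
        strchr(pattern + 1, '*') != NULL)
        return 0;
    if (strchr(pattern + 2, '.') == NULL)          /* reject "*.com" */
        return 0;

    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)                /* host needs a first label */
        return 0;
    size_t suffix = strlen(dot);                   /* ".example.com" */
    return suffix == plen - 1 && eq_nocase(pattern + 1, dot, suffix);
}

/* Return 1 if any of the n certificate names covers `host`. */
int cert_covers_host(const char *const *sans, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (san_matches(sans[i], host))
            return 1;
    return 0;
}
```

With the constructed name list above, ldap1.example.com and ldap.example.net are accepted, while example.com, a.b.example.com and ldap.example.org are rejected, so the shared certificate works for the intended hosts and still fails for any other name.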