Howard Chu wrote:
> It's pretty much unheard of for an LDAP server to trust TLS client certs issued by a CA different from the LDAP server's own CA. Since client certs are usually issued only to allow authentication, an LDAP server will only trust its own CA to issue identities to clients.
Not sure what you consider to be "pretty much unheard of". But I vaguely remember having already described this use case:
1. Assume *all* clients have to authenticate to the LDAP server to get properly authorized to even see data (no anon access).
2. Furthermore there is a config management system available at the site which already issues client certs for its own internal use (e.g. puppet with master and CA).
In this case you want to (re)use the config mgmt client certs to simply authenticate those particular LDAP clients, but you do not want the config mgmt CA to also be trusted to issue server certs, which ensures MITM protection for all other LDAP clients, which probably send bind requests with clear-text passwords.
=> OpenLDAP's configuration should make it possible to define different root CA chains for validating the local server cert and the accepted client certs.
Ciao, Michael.
P.S.: You might have guessed: I'm using this in Æ-DIR to avoid having to set server passwords for thousands of servers.
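The trust separation Michael describes can be checked on the command line with nothing but the openssl CLI. The script below is an added example, not part of the thread and not OpenLDAP configuration: it builds two independent, constructed root CAs (`ldap-ca`, standing in for the LDAP server's own CA, and `puppet-ca`, standing in for the config management CA), issues a server cert from the first and a host client cert from the second, and then shows that each leaf verifies only against the CA that issued it. In a deployment of the kind described above, the server's TLS listener would present the `ldap-ca`-issued chain while its client-certificate trust store would contain only `puppet-ca.pem`; all names, paths and the one-day validity are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): two independent CAs, one for the LDAP
# server cert and one for config-management client certs. All names and
# paths below are constructed for this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME CN: create a self-signed root CA key and cert (constructed, 1-day validity)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# issue NAME CA CN: create a key + CSR for NAME and sign it with CA
issue() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -days 1 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_against CA LEAF: exit 0 if LEAF chains to CA, non-zero otherwise
verify_against() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# setup: the two CAs and one leaf from each (constructed hostnames)
setup() {
    make_ca ldap-ca   "LDAP server CA (constructed)"
    make_ca puppet-ca "Config mgmt CA (constructed)"
    issue ldap-server ldap-ca   "ldap.example.test"
    issue host-client puppet-ca "host42.example.test"
}

# report CA LEAF: human-readable outcome of one verification
report() {
    if verify_against "$1" "$2"; then
        echo "$2 verifies against $1"
    else
        echo "$2 does NOT verify against $1"
    fi
}

setup
report ldap-ca   ldap-server   # expected: verifies (server trust store)
report puppet-ca host-client   # expected: verifies (client trust store)
report ldap-ca   host-client   # expected: does NOT verify
report puppet-ca ldap-server   # expected: does NOT verify
```

The last two lines are the point of the exercise: a client cert from the config management CA is useless for impersonating the server as long as only `ldap-ca.pem` is trusted for server certs, and a server cert never becomes a valid client identity under `puppet-ca.pem`.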