On Thu, 19 Mar 2009, alessio wrote:
In the ldap.conf man page I can read:
never The client will not request or check any server certificate.
This description in the manpage is incorrect (c.f ITS 4941). Setting
TLS_REQCERT actually just disables the client's check that the name from
the URI matches the cert's subjectAltName values or CN.
In this case the ldaps:// connection will be encrypted anyway?
It'll be encrypted, but with no protection from man-in-the-middle attacks,
or even detection of simple misconfigurations (CNAME pointing at wrong
"TLS_REQCERT allow" is only slightly better, doing the name check (so some
misconfigs will be caught) but still skipping the check for a known CA, so
it's still vulnerable to MitM attacks. If you're going to go to the
trouble to use TLS, why not distribute the certs and do it right?