Michael Ströder wrote:
=> StartTLS over LDAP is undefined and probably every API should simply refuse it altogether or accept any server cert. In both cases the underlying LDAPI channel is fully trusted anyway.
If the client really would like to implement an additional *security* check that a rogue attacker did not trick the client into connecting to another Unix domain socket (MITM service), checking the server's identity by matching "localhost" also does not make sense to me.
A rough idea: GeneralName can be a URI. So the LDAPI URI should be in the subjectAltName extension and checked by the client (if some name has to be checked at all). Anything else is nonsense.
Ciao, Michael.
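The subjectAltName URI check sketched above, written out as an added example (editor's code, not from the post, python-ldap or OpenLDAP). It works on the certificate dict format that the standard library's `ssl.SSLSocket.getpeercert()` returns, where subjectAltName entries appear as `('URI', '...')` tuples, and it assumes the OpenLDAP convention that the Unix socket path is percent-encoded into the host part of an `ldapi://` URL and that `ldapi:///` means the compiled-in default socket (the default path `/var/run/ldapi` used below is an assumption, set it to whatever your build uses). The sample certificate dict is constructed for the example.

```python
"""Match the LDAPI URI a client connected to against the URI entries of the
server certificate's subjectAltName (editor's example, not project code).

Rationale: with ldapi:// there is no hostname, so matching "localhost" proves
nothing. The only identity worth pinning is the socket path itself, and a
GeneralName of type URI can carry exactly that.
"""
import os
from urllib.parse import urlsplit, unquote

# Assumption: path of the default LDAPI socket that "ldapi:///" refers to.
DEFAULT_LDAPI_SOCKET = "/var/run/ldapi"


def ldapi_socket_path(uri):
    """Return the normalized Unix socket path named by an ldapi:// URI.

    Raises ValueError for anything that is not an ldapi URI, so callers can
    skip non-LDAPI SAN entries. The URL path component (the base DN in LDAP
    URLs) is ignored: it is not part of the server's identity.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "ldapi":
        raise ValueError("not an ldapi URI: %r" % (uri,))
    # OpenLDAP encodes the socket path into the host part, e.g.
    # ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/ -> /var/run/slapd/ldapi
    raw = unquote(parts.netloc)
    if raw == "":
        raw = DEFAULT_LDAPI_SOCKET
    if not raw.startswith("/"):
        raise ValueError("ldapi socket path must be absolute: %r" % (raw,))
    # Collapse "..", "." and duplicate slashes so that two spellings of the
    # same socket compare equal, while different sockets stay different.
    return os.path.normpath(raw)


def san_uris(peercert):
    """Extract the URI-type subjectAltName values from a getpeercert() dict."""
    return [value for (kind, value) in peercert.get("subjectAltName", ())
            if kind == "URI"]


def ldapi_uri_matches_cert(ldapi_uri, peercert):
    """True iff some SAN URI in the certificate names the same Unix socket
    that ldapi_uri names. Non-LDAPI SAN URIs (ldap://, https://, ...) are
    ignored rather than treated as a match."""
    wanted = ldapi_socket_path(ldapi_uri)
    for candidate in san_uris(peercert):
        try:
            if ldapi_socket_path(candidate) == wanted:
                return True
        except ValueError:
            continue
    return False


# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (
        ("DNS", "localhost"),
        ("URI", "ldap://ldap.example.com/"),
        ("URI", "ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/"),
    ),
}

if __name__ == "__main__":
    for uri in ("ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/",
                "ldapi://%2Ftmp%2Frogue.sock/",
                "ldapi:///"):
        print(uri, "->", ldapi_uri_matches_cert(uri, SAMPLE_PEERCERT))
```

Note that the DNS entry `localhost` in the sample plays no role in the decision, which is the point of the post: a rogue socket at another path would fail the check even if its certificate also said `localhost`, while the same socket spelled `ldapi://%2Fvar%2Frun%2Fslapd%2F..%2Fslapd%2Fldapi/` still matches after normalization.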