On Thu, 19 Mar 2015, Bin Lu wrote:
Every time I connect to an ldaps url, it generates a fatal error due to "unknown CA". Is it possible to disable this check? [...] In connecting the LDAP server with LDAPs or (start)TLS, what is the default behavior of the server certificate validation? How can I disable the default behavior?
You're not giving a lot to go on here, but I assume you're talking about a client/libldap perspective. libldap's configuration file is documented in the ldap.conf(5) man page. I'll call particular attention to one option for TLS_REQCERT from the man page:
demand | hard    These keywords are equivalent. The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. This is the default setting.
So, per the ldap.conf(5) man page, you can reconfigure the CAs and/or change this behavior with appropriate ldap.conf directives.
As a final note, if you're in the libldap context, ldap_set_option(3) describes the OpenLDAP-specific TLS options to control this behavior programmatically (i.e. via API, rather than via the ldap.conf configuration file).
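The reply points at TLS_REQCERT in ldap.conf(5) and its default of demand/hard. The script below is an added example, not code from the thread or from the OpenLDAP project: it parses an ldap.conf-style file and reports whether libldap's server-certificate checking has been weakened. The two embedded configurations are constructed samples; the directive semantics follow ldap.conf(5) (TLS_REQCERT accepts never, allow, try, demand and hard, keywords are case-insensitive, and the default is demand), and the warning about a missing TLS_CACERT/TLS_CACERTDIR is the situation that produces the "unknown CA" error the original poster saw.

```python
"""Audit an ldap.conf for the strength of libldap server-certificate checking.

Added example (not from the thread). Directive meanings are taken from
ldap.conf(5); the sample configurations below are constructed for the demo.
"""

# What each TLS_REQCERT level means, per ldap.conf(5).
REQCERT_LEVELS = {
    "never": "server certificate is never requested or checked",
    "allow": "certificate requested; a missing or bad one is ignored",
    "try": "certificate requested; missing is ignored, a bad one ends the session",
    "demand": "certificate required and must verify (the default)",
    "hard": "equivalent to demand",
}
STRONG_LEVELS = {"demand", "hard"}
DEFAULT_REQCERT = "demand"  # ldap.conf(5): demand/hard is the default setting


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} for ldap.conf-style text.

    Blank lines and '#' comments are skipped, keywords are case-insensitive
    (stored upper-case), and a later occurrence of a directive overrides an
    earlier one, as libldap reads the file top to bottom.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a keyword with no value is not a usable directive
        settings[parts[0].upper()] = parts[1].strip()
    return settings


def effective_reqcert(settings):
    """TLS_REQCERT in effect, falling back to the documented default."""
    return settings.get("TLS_REQCERT", DEFAULT_REQCERT).lower()


def audit(settings):
    """Return a list of findings; an empty list means certificate checking is intact."""
    findings = []
    level = effective_reqcert(settings)
    if level not in REQCERT_LEVELS:
        findings.append(f"TLS_REQCERT has unrecognised value '{level}'")
    elif level not in STRONG_LEVELS:
        findings.append(
            f"TLS_REQCERT {level}: {REQCERT_LEVELS[level]}; "
            "the server's identity is not enforced"
        )
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append(
            "no TLS_CACERT/TLS_CACERTDIR: the issuing CA must be in the library's "
            "default trust store, otherwise demand/hard fails with an unknown-CA error"
        )
    return findings


# Constructed sample: the "make the error go away" configuration.
WEAK_CONF = """\
# ldap.conf (constructed sample, weak)
URI ldaps://ldap.example.test
TLS_REQCERT never
"""

# Constructed sample: keep the default check and tell libldap which CA to trust.
HARDENED_CONF = """\
# ldap.conf (constructed sample, hardened)
URI ldaps://ldap.example.test
TLS_CACERT /etc/ssl/certs/internal-ca.pem
TLS_REQCERT demand
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        settings = parse_ldap_conf(conf)
        print(f"[{name}] TLS_REQCERT in effect: {effective_reqcert(settings)}")
        for finding in audit(settings) or ["no findings"]:
            print(f"    - {finding}")
```

Run it against a real /etc/ldap/ldap.conf (or /etc/openldap/ldap.conf) by passing the file's contents to parse_ldap_conf; the same check can be pointed at ~/.ldaprc, which libldap also reads. Note that the LDAPTLS_REQCERT environment variable can override the file, so an audit of the file alone is a lower bound on what a process actually uses.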