Hi!
Invalid certificates are, well, invalid. The whole security model on certificates is based on certificates being valid. Before you try to mess with invalid certificates, please use valid certificates. Complain if other parties provide such certificates, please complain. (I'm tired of new software being shipped with expired certificates...)
Regards, Ulrich
Jared list-389@legroom.net wrote on 09.10.2013 at 00:41 in message
Hi, all. I'm having trouble figuring out how to allow SSL connections (using ldapsearch) to a single host with an invalid certificate. I know this can be done using TLS_REQCERT=allow (or never), but the same account also connects to multiple other hosts using certificate-based authentication, and the problem is that I can't get those two configurations to work together.
To illustrate, here's the current ~/.ldaprc file for this user:
    TLS_CERT /home/ldap/certs/admin.crt
    TLS_KEY /home/ldap/certs/admin.key
    TLS_REQCERT demand
    SASL_MECH external
That works fine for everything but this one new host. I'm not able to fix the SSL issue on this host, so for now I need to work around it. If I replace the above ~/.ldaprc with this:
    HOST server.domain.com
    PORT 636
    TLS_REQCERT allow
Then ldapsearch works fine for this new server, but, of course, SASL/cert auth fails for everything else.
So, how do I get these to work together, with that first configuration example set as the default for all hosts *except* server.domain.com?
Here's what I've tried so far:
- Appending the configuration for server.domain.com to the existing ~/.ldaprc file - it doesn't have an effect, like the global stuff is overriding the host-specific options
- Adding the server.domain.com config to /etc/openldap/ldap.conf, but ~/.ldaprc takes precedence over this, so again it has no effect.
- Creating a separate ~/.ldaprc-server file and exporting LDAPRC=.ldaprc-server - in this case, both ~/.ldaprc AND ~/.ldaprc-server are sourced (found using strace), so again my host-specific settings are ignored.
- Exporting both LDAPNOINIT=true and LDAPRC=.ldaprc-server, but that prevents either rc file from being sourced
- Exporting LDAPNOINIT=true and calling ldapsearch with: LDAPTLS_REQCERT=allow ldapsearch -H ldaps://server.domain.com ... - this also seems to have no effect, though
I'm sure I must be missing something simple, but I'm out of ideas at this point. Would appreciate any tips or pointers.
Thanks!
-- Jared
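As an added example (not from either poster, and not an OpenLDAP project script), here is one way to confine a relaxed TLS_REQCERT to a single host without touching the ~/.ldaprc that carries the client-certificate settings for every other server. It relies on the lookup order documented in ldap.conf(5): the system ldap.conf is read first, then the per-user files located through $HOME (ldaprc, .ldaprc), then ./ldaprc and $LDAPRC, and the LDAP* environment variables are applied last. ldap.conf has no per-host sections, so the approach is to give this one invocation its own scratch HOME containing only the host-specific rc file, run from that directory so no stray ./ldaprc is picked up, and clear the environment overrides. The host name, port, CA path and search arguments below are placeholders; the optional CA argument exists because, in line with Ulrich's point, trusting the host's real issuing CA with TLS_REQCERT demand is the fix to prefer over allow whenever the problem is merely an unknown issuer.

```shell
#!/bin/sh
# Added example, not from the thread. Runs ldapsearch against one host with a
# private client config so ~/.ldaprc stays untouched for all other hosts.
# Assumes libldap locates the per-user rc files via $HOME and applies LDAP*
# environment variables after the files, as described in ldap.conf(5).

# Build a scratch "home" that holds only the per-host rc file and print its path.
# $1 = host, $2 = port (default 636), $3 = optional CA bundle for that host.
make_isolated_ldaprc() {
    host=$1; port=${2:-636}; cacert=$3
    dir=$(mktemp -d) || return 1
    {
        printf 'URI ldaps://%s:%s\n' "$host" "$port"
        if [ -n "$cacert" ]; then
            # Preferred: trust the host's actual issuing CA and keep strict checking.
            printf 'TLS_CACERT %s\n' "$cacert"
            printf 'TLS_REQCERT demand\n'
        else
            # Fallback only: tolerate the bad certificate, and only for this host.
            printf 'TLS_REQCERT allow\n'
        fi
    } > "$dir/.ldaprc"
    printf '%s\n' "$dir"
}

# Run ldapsearch with the isolated config.
# $1 = host, $2 = port, $3 = CA bundle or "" for none; remaining args go to ldapsearch.
ldapsearch_isolated() {
    host=$1; port=$2; cacert=$3; shift 3
    dir=$(make_isolated_ldaprc "$host" "$port" "$cacert") || return 1
    (
        cd "$dir" || exit 1
        # Environment settings would override the rc file; drop the ones that matter here.
        unset LDAPNOINIT LDAPCONF LDAPRC LDAPTLS_REQCERT
        HOME=$dir ldapsearch "$@"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage (placeholder host, base and filter):
#   ldapsearch_isolated server.domain.com 636 "" -x -b dc=domain,dc=com '(uid=jared)'
#   ldapsearch_isolated server.domain.com 636 /etc/pki/server-ca.pem -x -b dc=domain,dc=com '(uid=jared)'
```

The system-wide /etc/openldap/ldap.conf is still read first, so anything set there (for example a global TLS_CACERT) remains in force unless the scratch .ldaprc overrides it; the scratch file only changes what it explicitly states. Because the scratch file never mentions TLS_CERT, TLS_KEY or SASL_MECH, the client certificate is not offered on this connection, which is the intent for a host that cannot do certificate authentication anyway.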