On Mon, 28 May 2012, Peter Marschall wrote:
On Monday, 28. May 2012, Philip Guenther wrote:
...
If that's not a sufficient option, and verifying certs is required, then it appears the code will treat the socket path as the hostname to verify for. For OpenSSL, for example, that means it'll compare it against any DNS: subjectAltNames as well as against the last CN component of the cert subject.
That's not what the openldap tools do.
I'm glad I said "it appears", as appearances can be (and were) deceiving. :-)
Checking with a debugger, I see that my description was correct for the case where a path was specified in the URI, a la ldapi://%2fvar%2frun%2fldapi.
If no path is specified (e.g., "ldapi://") then the checking code is passed a hostname of "localhost".
Philip Guenther
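The two cases Philip describes (socket path in the URI versus bare "ldapi://") decide which name the certificate check is given. The following is an added illustration written for this page, not code from the thread or from OpenLDAP's libldap: it derives the verification name from an ldapi URI the way the thread describes, then applies the OpenSSL-style comparison from the earlier message (DNS: subjectAltNames and the last CN of the subject) to constructed certificate data. Function names, the exact-match-only comparison and the sample SAN/CN values are assumptions for the example.

```python
"""Model of which name the TLS hostname check receives for ldapi:// URIs,
as described in the thread, plus the OpenSSL-style name comparison.

Illustrative code for this page; it is not OpenLDAP's implementation.
Matching is exact and case-insensitive; wildcard names are not handled.
"""
from typing import Sequence
from urllib.parse import unquote, urlsplit


def ldapi_verify_name(uri: str) -> str:
    """Return the name the thread says is handed to hostname verification.

    ldapi://%2fvar%2frun%2fldapi -> '/var/run/ldapi' (the decoded socket path)
    ldapi://                     -> 'localhost'       (no path in the URI)
    """
    parts = urlsplit(uri)
    if parts.scheme != "ldapi":
        raise ValueError("not an ldapi URI: %r" % uri)
    # The socket path is percent-encoded into the authority part of the URI.
    path = unquote(parts.netloc)
    return path if path else "localhost"


def cert_matches(verify_name: str,
                 san_dns: Sequence[str],
                 subject_cn: Sequence[str]) -> bool:
    """Compare the name against any DNS: subjectAltName and against the
    last CN component of the subject, as the earlier message describes.

    Simplification (assumption for this example): exact, case-insensitive
    comparison only; real OpenSSL matching also handles wildcards and, in
    newer versions, skips the CN entirely when DNS SANs are present.
    """
    name = verify_name.lower()
    if any(name == dns.lower() for dns in san_dns):
        return True
    if subject_cn and name == subject_cn[-1].lower():
        return True
    return False


def check_ldapi(uri: str,
                san_dns: Sequence[str],
                subject_cn: Sequence[str]) -> bool:
    """Would this ldapi URI pass hostname verification against this cert?"""
    return cert_matches(ldapi_verify_name(uri), san_dns, subject_cn)


if __name__ == "__main__":
    # Constructed certificate data: a typical server cert that also lists
    # "localhost" in its SANs.
    san = ["ldap.example.org", "localhost"]
    cn = ["ldap.example.org"]
    for uri in ("ldapi://", "ldapi://%2fvar%2frun%2fldapi"):
        print("%-32s verify as %-16r -> %s"
              % (uri, ldapi_verify_name(uri), check_ldapi(uri, san, cn)))
```

With a certificate that carries "localhost" among its DNS SANs, the bare "ldapi://" form passes while the path form is checked against the literal string "/var/run/ldapi", which no ordinary server certificate contains.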