Sean Gallagher wrote:
> It seems there is no interest in this. That's disappointing but not unexpected. Personally, I find it reckless that slapd would accept and process packets from parties that would happily take a flame thrower to your server if it got them any advantage.
> I would strongly encourage the OpenLDAP team to properly validate PKI client certificates and CLOSE THE CONNECTION if the client fails authentication.

That feature is already available using TLSVerifyClient in the slapd config.

> I have made one proposal about how to add this functionality but I'm sure there are many ways to approach it.
> In the meantime, I will continue using the proxy in front of slapd and would strongly recommend anyone using client certs for authentication without a dedicated CA to do the same.

Pure nonsense.

> In all other respects,
> thanks for a great product.
> Sean.
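As an added illustration of the TLSVerifyClient behaviour referred to in the reply above (this fragment is not from the thread or from the OpenLDAP project; the file paths are assumptions), here is a slapd.conf excerpt showing the permissive setting next to the strict one. With `never` or `allow`, a client that presents no certificate, or one that does not chain to a trusted CA, can still proceed to the LDAP layer (and may then fall back to simple or anonymous binds). With `demand`, the TLS handshake itself fails for such a client, so slapd never processes LDAP operations from it.

```conf
# Trust anchors: only client certificates issued by this CA (or a chain
# ending in it) are accepted. Paths are assumptions for this example.
TLSCACertificateFile   /etc/ldap/ssl/client-ca.pem
TLSCertificateFile     /etc/ldap/ssl/slapd-cert.pem
TLSCertificateKeyFile  /etc/ldap/ssl/slapd-key.pem

# Weak: the server does not require a client certificate at all.
# A client with no certificate, or a bad one, still gets an LDAP session.
#TLSVerifyClient never

# Weak: certificate is requested, but a missing or invalid one is ignored.
#TLSVerifyClient allow

# Strict: the client MUST present a certificate that validates against
# TLSCACertificateFile; otherwise the TLS handshake fails and the
# connection is closed before any LDAP request is processed.
TLSVerifyClient demand
```

In the cn=config backend the same directives are `olcTLSCACertificateFile`, `olcTLSCertificateFile`, `olcTLSCertificateKeyFile` and `olcTLSVerifyClient`. A quick check after changing the setting is to connect with a client that has no certificate configured: with `demand` the connection should fail during the TLS handshake rather than reaching a bind.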