Sankhadip Sengupta wrote:
I know what you mean.Its probably not a good idea for security to allow connections without verifying the end-host authenticity.
But here's the thing that there is no prompt right during the ssl handshake.But if you can do the ssl handshake before letting the ldap connection initiate and then obtain the certificate of the CA this should solve it.But otherwise if you don't or you don't know which CA the server uses then this is the only way to go about.
None of that applies for this poster, since they clearly know that they have their own self-signed cert for their company.
Thanks
----- Original Message ----- From: "Howard Chu"hyc@symas.com To: "Sankhadip Sengupta"sdsgupta@cs.utah.edu Cc:openldap-technical@openldap.org Sent: Thursday, January 22, 2009 7:26 PM Subject: Re: Self-signed server cert within our corp = failure
Sankhadip Sengupta wrote:
Hi,
You need to find out where your ldap.conf file is and add an entryto that
Half right.
TLSREQCERT allow
That's a bad idea.
Read the ldap.conf(5) manpage, and add the TLS_CACERT setting.
Quoting Quanah Gibson-Mountquanah@zimbra.com:
--On Thursday, January 22, 2009 2:20 PM -0500 Jeff Blaine jblaine@kickflop.net wrote:
OpenLDAP 2.4.11 client
How do I subvert this bogusness? The cert is legit.
Provide the CA.
--Quanah