On Mon, 28 May 2012, Michael Ströder wrote:
> Peter Marschall wrote:
>> how do the openldap tools technically verify certificates with ldapi:// ?
> Which certs do you want to verify?
I assume the answer is "the one the server returns when you do StartTLS on the ldapi:// connection".
It's pretty unusual to do that, of course. The normal solution for authenticating the server in the ldapi case is to put the socket somewhere that only the trusted user can write to, so you know that the socket you connected to is trusted.
If that's not a sufficient option, and verifying certs is required, then it appears the code will treat the socket path as the hostname to verify for. For OpenSSL, for example, that means it'll compare it against any DNS: subjectAltNames as well as against the last CN component of the cert subject.
(A related question is what slapd will use as your authentication id for SASL EXTERNAL if you do TLS with a client cert on an ldapi socket: will it use the cert's subject or the "gidNumber=%d+uidNumber=%d,...etc" DN of the ldapi connection. The former seems like the obvious choice, being the "more recent" of the two in this case, and a quick look at the slapd code would seem to confirm that...but I would test it before designing a system to depend on it...)
Philip Guenther
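The following is an added example, not code from the thread or from OpenLDAP itself. It checks the precondition behind the "normal solution" Philip describes (a socket directory only the trusted user can write to) and shows how a socket path is percent-encoded into an ldapi:// URL. It assumes GNU stat on Linux; the path /var/run/slapd/ldapi and the trusted uid in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP itself.
# Checks the precondition behind "put the socket somewhere that only the
# trusted user can write to": the directory that will hold the ldapi socket
# must be owned by the trusted uid and carry no group/other write bit,
# otherwise another local user could plant a socket there before slapd starts.
# Assumes GNU stat (Linux). The socket path in the usage comment is an assumption.

# ldapi_dir_trusted DIR [TRUSTED_UID]
# Exit 0 if DIR is a directory owned by TRUSTED_UID (default 0, root) whose
# group and other write bits are clear; exit 1 otherwise.
ldapi_dir_trusted() {
    dir=$1
    trusted_uid=${2:-0}
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    [ "$owner" = "$trusted_uid" ] || return 1
    # Symbolic mode, e.g. drwxr-xr-x: char 6 is group write, char 9 is other write.
    sym=$(stat -c '%A' "$dir") || return 1
    case $(printf '%s' "$sym" | cut -c6) in w) return 1 ;; esac
    case $(printf '%s' "$sym" | cut -c9) in w) return 1 ;; esac
    return 0
}

# ldapi_url SOCKET_PATH
# Prints the ldapi:// URL for a socket path. The slashes are percent-encoded
# because the socket path occupies the host field of the URL.
ldapi_url() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's,/,%2F,g')"
}

# Usage (socket path is an assumption; adjust to your slapd configuration):
#   if ldapi_dir_trusted /var/run/slapd 0; then
#       ldapsearch -H "$(ldapi_url /var/run/slapd/ldapi)" -Y EXTERNAL -b '' -s base
#   fi
```

A sticky, world-writable directory such as /tmp fails the check on purpose: the sticky bit only stops other users from removing an existing socket, it does not stop them from creating one at that path before slapd does.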