Hi, all. I'm having trouble figuring out how to allow SSL connections (using ldapsearch) to a single host with an invalid certificate. I know this can be done using TLS_REQCERT=allow (or never), but the same account also connects to multiple other hosts using certificate-based authentication, and the problem is that I can't get those two configurations to work together.
To illustrate, here's the current ~/.ldaprc file for this user:
    TLS_CERT /home/ldap/certs/admin.crt
    TLS_KEY /home/ldap/certs/admin.key
    TLS_REQCERT demand
    SASL_MECH external
That works fine for everything but this one new host. I'm not able to fix the SSL issue on this host, so for now I need to work around it. If I replace the above ~/.ldaprc with this:
    HOST server.domain.com
    PORT 636
    TLS_REQCERT allow
Then ldapsearch works fine for this new server, but, of course, SASL/cert auth fails for everything else.
So, how do I get these to work together, with that first configuration example set as the default for all hosts *except* server.domain.com?
Here's what I've tried so far:
* Appending the configuration for server.domain.com to the existing ~/.ldaprc file - it doesn't have an effect, like the global stuff is overriding the host-specific options
* Adding the server.domain.com config to /etc/openldap/ldap.conf, but ~/.ldaprc takes precedence over this, so again it has no effect.
* Creating a separate ~/.ldaprc-server file and exporting LDAPRC=.ldaprc-server - in this case, both ~/.ldaprc AND ~/.ldaprc-server are sourced (found using strace), so again my host-specific settings are ignored.
* Exporting both LDAPNOINIT=true and LDAPRC=.ldaprc-server, but that prevents either rc file from being sourced
* Exporting LDAPNOINIT=true and calling ldapsearch with: LDAPTLS_REQCERT=allow ldapsearch -H ldaps://server.domain.com ... - this also seems to have no effect, though
I'm sure I must be missing something simple, but I'm out of ideas at this point. Would appreciate any tips or pointers.
Thanks!