
Re: insecure, convenient use of SSL



Jason Dusek wrote:
 I'd like to set up LDAP command line tools to point to a server
 -- say localhost -- that has a certificate with an arbitrary
 name in it -- say `my-domain.com`.

 I'm not entirely sure how to my LDAP tools to do that, though
 -- or if it's possible. By default, OpenLDAP is wound up pretty
 tight.

You shouldn't use SSL in such an insecure way. I'd recommend listening on localhost in the clear and listening on the external interface with SSL. There's no point in accessing ldaps://localhost except for testing.


slapd -h "ldap://127.0.0.1 ldaps://0.0.0.0"

This doesn't allow using StartTLS extended operation on the external interface though.

Or even better, use ldapsearch -H ldapi:// (preferably with SASL/EXTERNAL bind, -Y EXTERNAL) for local access if the client apps support it.

slapd -h "ldap://127.0.0.1 ldapi:// ldaps://0.0.0.0"

Ciao, Michael.
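As an added illustration (not part of Michael's reply or of OpenLDAP itself), a small POSIX shell check that applies the listener policy above to a slapd -h URL list: cleartext ldap:// is accepted only on loopback, while ldaps:// and ldapi:// are accepted on any interface. It assumes only slapd's space-separated listener URL syntax shown in the reply.

```shell
#!/bin/sh
# Constructed example: audit a slapd "-h" listener list.
# Policy: cleartext ldap:// must be bound to a loopback address;
# ldaps:// (TLS) and ldapi:// (Unix socket) may bind anywhere.
# Prints each offending URL to stderr and returns 1; returns 0 if compliant.
check_slapd_listeners() {
    urls="$1"
    rc=0
    for url in $urls; do
        case "$url" in
            ldapi://*|ldaps://*)
                # Unix socket or TLS-wrapped listener: acceptable on any interface
                ;;
            ldap://127.0.0.1|ldap://127.0.0.1:*|ldap://localhost|ldap://localhost:*|"ldap://[::1]"|"ldap://[::1]:"*)
                # Cleartext confined to loopback: acceptable
                ;;
            ldap://*)
                # Includes the bare "ldap:///", which binds every interface
                echo "cleartext listener on non-loopback interface: $url" >&2
                rc=1
                ;;
            *)
                echo "unrecognised listener URL: $url" >&2
                rc=1
                ;;
        esac
    done
    return $rc
}

# Usage: the two listener sets from the reply pass, an all-interfaces
# cleartext listener is rejected.
check_slapd_listeners "ldap://127.0.0.1 ldapi:// ldaps://0.0.0.0" && echo "OK: recommended listener set"
check_slapd_listeners "ldap:///" || echo "rejected: cleartext on all interfaces"
```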