
Re: insecure, convenient use of SSL



>>>>> "BM" == Buchan Milne <bgmilne@staff.telkomsa.net> writes:

 >> I'd like to set up LDAP command line tools to point to a server
 >> -- say localhost -- that has a certificate with an arbitrary
 >> name in it -- say `my-domain.com`.

 BM> Either:

 BM> 1) Add an entry to /etc/hosts so that the name on the certificate
 BM> resolves to the correct IP address, and always use the name on
 BM> any connection where you want certificate validation or

 BM> 2) Add TLS_REQCERT allow to the OpenLDAP ldap.conf. If you are
 BM> using anything besides OpenLDAP software (nss_ldap, pam_ldap) be
 BM> aware that their configuration is not identical ...

or, if you can, use the subjectAltName certificate extension.  see the
administrator's guide, 14.1.1.  works as expected and there's no funky
client side configuration required. 


k.

-- 
kevin montuori
montuori@gmail.com
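As an added example (not from this thread, and not OpenLDAP's own code), the following Python sketch models how a TLS client decides whether a server certificate matches the host it connected to, and what the options above do to that decision: a CN-only certificate for `my-domain.com` fails against `localhost`, adding `localhost` to subjectAltName makes it pass, and `TLS_REQCERT allow` simply stops the mismatch from blocking the session. The certificates are constructed dicts rather than parsed X.509, and the TLS_REQCERT values follow the meanings in ldap.conf(5).

```python
# Constructed stand-ins for the two certificates discussed in the thread.
CERT_CN_ONLY = {"subject_cn": "my-domain.com", "san_dns": []}
CERT_WITH_SAN = {"subject_cn": "my-domain.com",
                 "san_dns": ["my-domain.com", "localhost"]}


def _name_match(pattern, host):
    """Compare one DNS name from the certificate with the connected host.
    Case-insensitive; a single leading '*.' label matches exactly one label
    (so '*.example.com' matches 'ldap.example.com' but not 'example.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        # Require at least two labels after the wildcard so '*.com' never
        # matches a bare second-level name.
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def cert_matches_host(cert, host):
    """RFC 6125 style check: when the certificate carries dNSName SANs, only
    those count; the subject CN is a fallback used only when SAN is absent."""
    if cert["san_dns"]:
        return any(_name_match(n, host) for n in cert["san_dns"])
    return _name_match(cert["subject_cn"], host)


def client_accepts(cert, host, tls_reqcert="demand"):
    """Would a client configured with TLS_REQCERT=<tls_reqcert> proceed with
    a session to <host> that presented <cert>?  (Semantics per ldap.conf(5).)"""
    if tls_reqcert == "never":
        return True            # no certificate requested at all
    if tls_reqcert == "allow":
        return True            # certificate requested, but a bad one is ignored
    # "try", "demand" and "hard": a presented-but-bad certificate ends the session
    return cert_matches_host(cert, host)


if __name__ == "__main__":
    # The scenario from the thread: connect to localhost, cert says my-domain.com.
    print("CN only, demand :", client_accepts(CERT_CN_ONLY, "localhost"))
    print("CN only, allow  :", client_accepts(CERT_CN_ONLY, "localhost", "allow"))
    print("with SAN, demand:", client_accepts(CERT_WITH_SAN, "localhost"))
```

Note that `allow` returns True for every certificate, which is why the subjectAltName route keeps validation intact while `allow` does not.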