Re: Self-signed server cert within our corp = failure

["Sankhadip Sengupta" <sdsgupta@cs.utah.edu>]

I know what you mean.Its probably not a good idea for security to allow 
connections without verifying the end-host authenticity.

But here's the thing that there is no prompt right during the ssl 
handshake.But if you can do the ssl handshake before letting the ldap 
connection initiate and then obtain the certificate of the CA this should 
solve it.But otherwise if you don't or you don't know which CA the server 
uses then this is the only way to go about.

Thanks

----- Original Message ----- 
From: "Howard Chu" <hyc@symas.com>
To: "Sankhadip Sengupta" <sdsgupta@cs.utah.edu>
Cc: <openldap-technical@openldap.org>
Sent: Thursday, January 22, 2009 7:26 PM
Subject: Re: Self-signed server cert within our corp = failure


> Sankhadip Sengupta wrote:
> > Hi,
> >
> >      You need to find out where your ldap.conf file is and add an entry 
> > to that
>
> Half right.
> > TLSREQCERT allow
>
> That's a bad idea.
>
> Read the ldap.conf(5) manpage, and add the TLS_CACERT setting.
>
> > Quoting Quanah Gibson-Mount<quanah@zimbra.com>:
> >
> > > --On Thursday, January 22, 2009 2:20 PM -0500 Jeff Blaine
> > > <jblaine@kickflop.net>  wrote:
> > >
> > > > OpenLDAP 2.4.11 client
> > > >
> > > > How do I subvert this bogusness?  The cert is legit.
> > > Provide the CA.
> > >
> > > --Quanah
> > >
> > >
> > > --
> > >
> > > Quanah Gibson-Mount
> > > Principal Software Engineer
> > > Zimbra, Inc
> > > --------------------
> > > Zimbra ::  the leader in open source messaging and collaboration
>
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/