[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8364) [PATCH] back-meta idassert-bind tls_reqcert=never bug

mohammad@securiteam.io wrote:
> Full_Name: Mohammad Nweider
> Version: master
> OS: Redhat Linux
> URL: https://www.securiteam.io/contribs/openldap/mohammad-20160131-0001-fix-backmeta-idassertbind-tlsreqcert-never-bug.patch
> Submission from: (NULL) (
> Hello,
> We've found a small bug when trying to run openldap with meta backend, what we
> were trying to achieve is to have our server listens on ssl/tls port and to
> communicate with the meta targets over ssl/tls as well, but due to the fact that
> we're using a self-signed certificate and we don't have access to manage the
> meta targets, we wanted to skip the client certificate verification when
> connecting to the meta targets, so we tried adding idassert-bind
> tls_reqcert=never to our meta config for this purpose, but unfortunately it
> didn't work as expected.

There is no bug here. The tls_reqcert setting controls whether the local node 
requires the remote target to provide a valid server certificate. It has 
nothing to do with client certificates at all.

> Whenever openldap has a certificate/key either in
> TLSCertificateFile/TLSCertificateKeyFile or in idassert-bind tls_cert/tls_key
> settings, it completely ignores tls_reqcert in idassert-bd%d!

Because the reqcert setting has nothing to do with this.

Closing this ITS.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/