
[multiple URIs + ERESET] or [2.0.27 and CA certs]
Hello all,

openldap version: 2.0.27

I was going to use pam_ldap/ldapsearch's SSL functionality
until I discovered that (at least) ldapsearch doesn't seem
to bother to verify certs (my self-signed cert goes by
unnoticed) with and w/o TLS_CACERT.  So, I figured I'd just
set up stunnel (to which I can explicitly supply and name my
self-signing CA cert) to proxy the connection, so all LDAP
applications just use local, non-SSL interfaces.  This is
even better, in a sense, since the LDAP clients don't need
to worry about SSL and certs and such...

Unfortunately, openldap and stunnel aren't playing too
nicely when multiple URIs are specified in ldap.conf and one
along the chain is unavailable; openldap only recovers from
stunnel closing the connection (when *it* realizes that the
LDAP server is down) sometimes, depending on how quickly it
closes it.  This results in randomly successful and
unsuccessful usages when (one of) the first LDAP server(s)
in the URI list is down.

Anyone know if there's a pre-fab solution to this?  Am I
missing some obvious things here?

Thanks,

-cg
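For readers following the setup described in this post, here is a stunnel client configuration of the kind it refers to, written as an added illustration rather than taken from the post or from the OpenLDAP/stunnel projects. It assumes stunnel 4-style service sections, two backend LDAP servers at the constructed names ldap1.example.org and ldap2.example.org, and a CA file at /etc/stunnel/ca.pem; the security-relevant point is that stunnel only checks the server certificate when `verify` and `CAfile` are set, since its default is no verification.

```ini
; Global options (assumed paths; adjust to the local install)
client = yes
foreground = no
pid = /var/run/stunnel-ldap.pid

; Without the two lines below stunnel's default is verify = 0,
; i.e. it accepts any server certificate, which gives the same
; unverified behaviour the post describes for ldapsearch.
; verify = 2 requires the server cert to chain to a CA in CAfile.
CAfile = /etc/stunnel/ca.pem
verify = 2

; One local plaintext listener per backend, so ldap.conf can list
; URI ldap://127.0.0.1:1389 ldap://127.0.0.1:1390
; and fail over between them.
[ldap1]
accept  = 127.0.0.1:1389
connect = ldap1.example.org:636

[ldap2]
accept  = 127.0.0.1:1390
connect = ldap2.example.org:636

; Note: stunnel accepts the local TCP connection before it tries the
; backend, so when ldap1 is down the client sees the connection
; opened and then closed rather than refused. That is the race the
; post describes; the client's reaction depends on how quickly
; stunnel closes the socket.
```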