[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: LDAP proxy with features

> Note that in OL 2.3 you can have a complete variety of TLS policies,
> i.e. the proxy can: use an "ldaps://" URI; enforce the use of StartTLS
> on a plain "ldap://"; URI, or propagate StartTLS if used by the original
> client: see the "tls" directive in slapd-ldap(5).  I've tested all of
> them with current HEAD code, and it seems to work as expected, even with
> rewrite/remap in the middle.

As a side note, I have been unable to enforce client cert verification
between the proxy and the remote server.  Everything works fine if
TLSVerifyClient is not set in slapd.conf(5), thus resulting in "never",
the default.  Note that client/server works fine with TLSVerifyClient in
the server's slapd.conf(5) and TLS_REQCERT in the client's ldap.conf(5)
respectively set to "demand", but if a (supposedly) well-configured
proxy is put in between, and the remote server has TLSVerifyClient set
to "demand", the proxy's certificate evaluation fails at the remote
server's side.  I haven't yet determined where and why it fails; stay


Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it