Re: insecure, convenient use of SSL
Jason Dusek wrote:
> I'd like to set up LDAP command line tools to point to a server
> -- say localhost -- that has a certificate with an arbitrary
> name in it -- say `my-domain.com`.
> I'm not entirely sure how to my LDAP tools to do that, though
> -- or if it's possible. By default, OpenLDAP is wound up pretty
You shouldn't use SSL in such an insecure way. I'd recommend listening on
localhost in clear and listening on the external interface with SSL. There's
no point in accessing ldaps://localhost except for testing.
slapd -h "ldap://127.0.0.1 ldaps://0.0.0.0"
This doesn't allow using StartTLS extended operation on the external
Or even better use ldapsearch -H ldapi:// (preferably with
SASL/EXTERNAL bind -Y EXTERNAL) for local access if the client apps
slapd -h "ldap://127.0.0.1 ldapi:// ldaps://0.0.0.0"
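
The listener layout recommended above can be checked mechanically. The following is an added example, not part of the original message or of OpenLDAP: a shell function (the name audit_slapd_listeners is hypothetical) that takes the URL list passed to slapd -h and flags any cleartext ldap:// listener that is not bound to loopback.

```shell
#!/bin/sh
# Added example: audit the URL list given to "slapd -h".
# Prints one line per listener and returns 1 if any cleartext ldap://
# listener is reachable on a non-loopback address (an empty host, as in
# "ldap:///", means all interfaces).
# The body runs in a subshell so "set -f" and the variables stay local.
audit_slapd_listeners() (
    set -f                          # no pathname expansion on URLs like [::1]
    rc=0
    for url in $1; do
        scheme=${url%%://*}
        rest=${url#*://}
        rest=${rest%%/*}            # drop any trailing path
        case $rest in
            \[*\]*) host=${rest%%\]*}; host=${host#\[} ;;   # [v6addr]:port
            *)      host=${rest%%:*} ;;                      # host:port
        esac
        case $scheme in
            ldapi) echo "OK    $url (Unix domain socket, local only)" ;;
            ldaps) echo "OK    $url (TLS)" ;;
            ldap)
                case $host in
                    127.*|localhost|::1)
                        echo "OK    $url (cleartext, loopback only)" ;;
                    *)
                        echo "WARN  $url (cleartext on non-loopback address)"
                        rc=1 ;;
                esac ;;
            *)
                echo "WARN  $url (unrecognised scheme)"
                rc=1 ;;
        esac
    done
    exit "$rc"
)

# The listener string from the message above; all three entries pass.
audit_slapd_listeners "ldap://127.0.0.1 ldapi:// ldaps://0.0.0.0"
```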