Re: ldaprc with ldaps:// and ldap:// fallback

Dan White <dwhite@olp.net> wrote:

> Try:
> In this case, EXTERNAL should only be offered after successful TLS
> negotiation, or over a unix domain socket.
> If TLS negotiation fails, then a SASL bind won't work without selecting
> another mechanism.

But ldap.conf(5) says "The server certificate is requested. If no
certificate is provided, the session proceeds normally.", which
suggests that the TLS negotiation may succeed without a server
certificate being sent. Is that wrong?

Emmanuel Dreyfus