Re: ldaprc with ldaps:// and ldap:// fallback
On 25/06/10 05:29 +0200, Emmanuel Dreyfus wrote:
> Dan White <email@example.com> wrote:
> > In this case, EXTERNAL should only be offered after successful TLS
> > negotiation, or over a unix domain socket.
> > If TLS negotiation fails, then a SASL bind won't work without selecting
> But ldap.conf(5) says "The server certificate is requested. If no
> certificate is provided, the session proceeds normally. ", which
> suggests that the TLS negotiation may succeed without a server
> certificate being sent. Is that wrong?
SASL EXTERNAL will only be offered if the server can identify you, or
derive an authentication identity, which it can never do if TLS does not
succeed - since it derives your identity from the contents of the client
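As an added example (not part of this thread, and not configuration posted by either participant), the ldaprc below shows the two settings the discussion turns on side by side. The ldap.conf(5) sentence quoted above describes TLS_REQCERT allow, which governs how the client checks the *server* certificate; the identity used by SASL EXTERNAL over TLS comes from the *client* certificate configured with TLS_CERT and TLS_KEY, which is a separate setting. Hostnames and file paths are assumptions.

```conf
# Added example, not from the thread. Hostnames and paths are assumed.
# ~/.ldaprc: try ldaps:// first, then fall back to plain ldap://
URI          ldaps://ldap.example.com ldap://ldap.example.com

# CA that issued the server certificate (assumed path)
TLS_CACERT   /etc/ssl/certs/example-ca.pem

# Server certificate verification. "allow" is the value whose ldap.conf(5)
# text is quoted in the thread: the session continues even if the server
# sends no certificate or a bad one. "demand" aborts the TLS handshake
# instead, so a session that reaches bind time has a verified server.
#TLS_REQCERT allow
TLS_REQCERT  demand

# Client certificate and key (assumed paths). This is what SASL EXTERNAL
# over TLS uses to derive the authentication identity; TLS_REQCERT says
# nothing about it.
TLS_CERT     /home/user/.ldap/client-cert.pem
TLS_KEY      /home/user/.ldap/client-key.pem

SASL_MECH    EXTERNAL
```

With this file, `ldapwhoami -H ldaps://ldap.example.com -Y EXTERNAL` authenticates with the client certificate over the ldaps:// connection. On the ldap:// fallback no TLS is negotiated unless StartTLS is requested, so the server has no client certificate to derive an identity from and EXTERNAL will not be offered; `ldapwhoami -H ldap://ldap.example.com -ZZ -Y EXTERNAL` forces StartTLS and fails the connection, rather than silently downgrading, if the TLS negotiation does not succeed.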