[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem in authentication when multiple CA certificates are present

On Wed, 10 Aug 2011, sachin mishra wrote:

5. If step 3 fails, ldap_unbind (ld), start from step1 again except that LDAP_OPT_X_TLS_CACERTFILE will now have the next entry in the directory as input.

Is there anything wrong in this? Is there any better approach for this?

In most widely used applications, you'd probably be better off NOT handling TLS configuration, and just referring the user to appropriate ldap.conf(5)-syntax files and/or environment variables. Users tend to have personalized (and varying) security postures, and I'm a believer in the classic "give them rope" philosophy.

Now, maybe you expose some sort of nice interface to the ldap.conf(5) options, or perhaps you have an internal application and you really do want to (partially?) hard code the TLS configuration. In that case, I'd recommend you try using LDAP_OPT_X_TLS_CACERTDIR instead, and let the crypto library handle building the whole CA structure and the verification. This option is documented under ldap_set_option(3).

Obviously the method you write will (eventually) work, but it comes with needless cost and complexity.

(Please also note that this could be combined: you could remove your CA handling code, and still set a TLS_CACERTDIR in ldap.conf(5).)