[Date Prev][Date Next]
Re: How do tool verify certs with ldapi:// ?
On Mon, 28 May 2012, Michael Ströder wrote:
> Peter Marschall wrote:
> > how do the openldap tools technically verfify certificates with ldapi:// ?
> Which certs do you want to verify?
I assume the answer is "the one the server returns when you do StartTLS on
the ldapi:// connection".
It's pretty unusual to do that, of course. The normal solution for
authenticating the server in the ldapi case is to put the socket somewhere
that only the trusted user can write to, so you know that the socket you
connected to is trusted.
If that's not a sufficient option, and verifying certs is required, then
it appears the code will treat the socket path as the hostname to verify
for. For OpenSSL, for example, that means it'll compare it against any
DNS: subjectAltNames as well as against the last CN component of the cert
(A related question is what slapd will use as your authentication id for
SASL EXTERNAL if you do TLS with a client cert on an ldapi socket: will it
use the cert's subject or the "gidNumber=%d+uidNumber=%d,...etc" DN of the
ldapi connection. The former seems like the obvious choice, being the
"more recent" of the two in this case, and a quick look at the slapd code
would seem to confirm that...but I would test it before designing a system
to depend on it...)