[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How do tool verify certs with ldapi:// ?

On Mon, 28 May 2012, Michael Ströder wrote:
> Peter Marschall wrote:
> > how do the openldap tools technically verfify certificates with ldapi:// ?
> Which certs do you want to verify?

I assume the answer is "the one the server returns when you do StartTLS on 
the ldapi:// connection".

It's pretty unusual to do that, of course.  The normal solution for 
authenticating the server in the ldapi case is to put the socket somewhere 
that only the trusted user can write to, so you know that the socket you 
connected to is trusted.

If that's not a sufficient option, and verifying certs is required, then 
it appears the code will treat the socket path as the hostname to verify 
for.  For OpenSSL, for example, that means it'll compare it against any 
DNS: subjectAltNames as well as against the last CN component of the cert 

(A related question is what slapd will use as your authentication id for 
SASL EXTERNAL if you do TLS with a client cert on an ldapi socket: will it 
use the cert's subject or the "gidNumber=%d+uidNumber=%d,...etc" DN of the 
ldapi connection.  The former seems like the obvious choice, being the 
"more recent" of the two in this case, and a quick look at the slapd code 
would seem to confirm that...but I would test it before designing a system 
to depend on it...)

Philip Guenther