
Re: How do tools verify certs with ldapi:// ?


On Monday, 28. May 2012, Michael Ströder wrote:
> I think the standards are what is relevant here. The arbitrary check for
> "localhost" does not make sense because "localhost" does not sufficiently
> specify the name of the server.

I fully concur that it is not correct to use "localhost" in certificates.

> The server is an end entity for the CA and the CA guarantees having checked
> the server's identity (or checked whether someone was authorized to request
> a cert for the server's name). So I wouldn't trust any CA which issues
> certs for "localhost".

My certificates contain neither "localhost" nor the path to the ldapi://
socket, yet both of the following commands work.
  ldapsearch -LLL  -x -H ldap://localhost/ -ZZ -s base -b ""
  ldapsearch -LLL  -x -H ldapi:/// -ZZ -s base -b ""

In my opinion, this can only have one of the following reasons:
* ldapsearch simply ignores the server certificate verification completely
* ldapsearch does some "clever trick" to be able to do certificate verification.

Any ideas (ideally with references to the code) which of these options
ldapsearch (and the other openldap tools) choose?


Peter Marschall