
Allow invalid certificates for a single host
Hi, all.  I'm having trouble figuring out how to allow SSL connections
(using ldapsearch) to a single host with an invalid certificate.  I know
this can be done using TLS_REQCERT=allow (or never), but the same
account also connects to multiple other hosts using certificate-based
authentication, and the problem is that I can get those two
configurations to work together.

To illustrate, here's the current ~/.ldaprc file for this user:

TLS_CERT /home/ldap/certs/admin.crt
TLS_KEY /home/ldap/certs/admin.key
TLS_REQCERT demand
SASL_MECH external

That works fine for everything but this one new host.  I'm not able to
fix the SSL issue on this host, so for now I need to work around it.
If I replace the above ~/.ldaprc with this:

HOST server.domain.com
PORT 636
TLS_REQCERT allow

Then ldapsearch works fine for this new server, but, of course,
SASL/cert auth fails for everything else.

So, how do I get these to work together, with that first configuration
example set as the default for all hosts *except* server.domain.com?

Here's what I've tried so far:

* Appending the configuration for server.domain.com to the existing
~/.ldaprc file - it doesn't have an effect, like the global stuff is
overriding the host-specific options

* Adding the server.domain.com config to /etc/openldap/ldap.conf, but
~/.ldaprc takes precedence over this, so again it has no effect.

* Creating a separate ~/.ldaprc-server file and exporting
LDAPRC=.ldaprc-server - in this case, both ~/.ldaprc AND
~/.ldaprc-server are sourced (found using strace), so again my
host-specific settings are ignored.

* exporting both LDAPNOINIT=true and LDAPRC=.ldaprc-server, but that
prevents either rc file from being sourced

* exporting LDAPNOINIT=true and calling ldapsearch with:
LDAPTLS_REQCERT=allow ldapsearch -H ldaps://server.domain.com ... - this
also seems to have no effect, though

I'm sure I must be missing something simple, but I'm out of ideas at
this point.  Would appreciate any tips or pointers.

Thanks!

-- 
Jared