
Re: Allow invalid certificates for a single host



Hi!

Invalid certificates are, well, invalid. The whole security model on
certificates is based on certificates being valid. Before you try to mess with
invalid certificates, please use valid certificates. Complain if other parties
provide such certificates, please complain. (I'm tired of new software being
shipped with expired certificates...)

Regards,
Ulrich

>>> Jared <list-389@legroom.net> wrote on 09.10.2013 at 00:41 in message
<52548A21.6070708@legroom.net>:
> Hi, all.  I'm having trouble figuring out how to allow SSL connections
> (using ldapsearch) to a single host with an invalid certificate.  I know
> this can be done using TLS_REQCERT=allow (or never), but the same
> account also connects to multiple other hosts using certificate-based
> authentication, and the problem is that I can get those two
> configurations to work together.
> 
> To illustrate, here's the current ~/.ldaprc file for this user:
> 
> TLS_CERT /home/ldap/certs/admin.crt
> TLS_KEY /home/ldap/certs/admin.key
> TLS_REQCERT demand
> SASL_MECH external
> 
> That works fine for everything but this one new host.  I'm not able to
> fix the SSL issue on this host, so for now I need to work around it.
> If I replace the above ~/.ldaprc with this:
> 
> HOST server.domain.com
> PORT 636
> TLS_REQCERT allow
> 
> Then ldapsearch works fine for this new server, but, of course,
> SASL/cert auth fails for everything else.
> 
> So, how do I get these to work together, with that first configuration
> example set as the default for all hosts *except* server.domain.com?
> 
> Here's what I've tried so far:
> 
> * Appending the configuration for server.domain.com to the existing
> ~/.ldaprc file - it doesn't have an effect, like the global stuff is
> overriding the host-specific options
> 
> * Adding the server.domain.com config to /etc/openldap/ldap.conf, but
> ~/.ldaprc takes precedence over this, so again it has no effect.
> 
> * Creating a separate ~/.ldaprc-server file and exporting
> LDAPRC=.ldaprc-server - in this case, both ~/.ldaprc AND
> ~/.ldaprc-server are sourced (found using strace), so again my
> host-specific settings are ignored.
> 
> * exporting both LDAPNOINIT=true and LDAPRC=.ldaprc-server, but that
> prevents either rc file from being sourced
> 
> * exporting LDAPNOINIT=true and calling ldapsearch with:
> LDAPTLS_REQCERT=allow ldapsearch -H ldaps://server.domain.com ... - this
> also seems to have no effect, though
> 
> I'm sure I must be missing something simple, but I'm out of ideas at
> this point.  Would appreciate any tips or pointers.
> 
> Thanks!
> 
> -- 
> Jared