[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap client cert validation

To: "Matwey V. Kornilov" <matwey.kornilov@gmail.com>, openldap-technical@openldap.org
Subject: Re: openldap client cert validation
From: "Matwey V. Kornilov" <matwey.kornilov@gmail.com>
Date: Sat, 6 Aug 2016 20:13:08 +0300
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=ECdpmEMv3qb0fZXKOj8FF4E9zeYcfxPaE2zRFfHA8e0=; b=B5kY/qK56sUZmJjI+wX+zPahSakM06TLYlb83y7rQ2MP3AXefgn8HgQ5TP+QdIcHli DSze8lA7G2ICXViWkFBOIO/PfpNgr6Nm+s3aMa/2jLOmmCrmvxCNVeE22MEY5JiCFM8J TGs3pbArbqM+gSxkLvw24fArofk96sHPkR9S7mgSzojv0oAajEPLMuA4QWDF01tx30mQ vZMls+2g+z0C74bBnrM07oByG57K1ngtBRD8Bye0ze60MpqGFW6txQdaHd2hIBp0Nzic 56bls9sbJb334BPqRzQNFeJ49fnvoPOErWmFo+IQii/gzSBQKxaUTm/ubA25md2Nm7jN 6OkA==
In-reply-to: <20160806170334.GA611@kiwi>
References: <CAJs94EaLpfd5gH-Qgtde9Z_rsC6MX9ON5m2M0ptUcCEGcxK9Hg@mail.gmail.com> <CAJs94EYodPWhscNhM35LM7ABOSmrLn7Pqit6ORangFX6eZqepQ@mail.gmail.com> <20160806170334.GA611@kiwi>

2016-08-06 20:03 GMT+03:00 Ryan Tandy <ryan@nardis.ca>:
> On Sat, Aug 06, 2016 at 07:14:37PM +0300, Matwey V. Kornilov wrote:
>>
>> After inspecting source code I've just found that TLS_KEY and TLS_CERT
>> are ignored if located in /etc/openldap/ldap.conf.
>> Why does it not written in man ldap.conf(5) explicitly?
>
>
> It is.
>
>       TLS_CERT <filename>
>              Specifies the file that contains the client certificate.  This
> is a user-only option.
>
> [...]
>
>       TLS_KEY <filename>
>              Specifies the file that contains the private key that matches
> the certificate stored in the TLS_CERT file. Currently, the private key must
> not be protected with a password, so it is of  critical  importance  that
>              the key file is protected carefully.  This is a user-only
> option.
>
> "User-only" is defined at the top of the page:
>
>         Some options are user-only.  Such options are ignored if present in
> the ldap.conf (or file specified by LDAPCONF).

However, I'll prepare a patch issuing a warning in
openldap_ldap_init_w_conf. Don't you mind?

-- 
With best regards,
Matwey V. Kornilov
http://blog.matwey.name
xmpp://0x2207@jabber.ru

References:
- openldap client cert validation
  - From: "Matwey V. Kornilov" <matwey.kornilov@gmail.com>
- Re: openldap client cert validation
  - From: "Matwey V. Kornilov" <matwey.kornilov@gmail.com>
- Re: openldap client cert validation
  - From: Ryan Tandy <ryan@nardis.ca>

Prev by Date: Re: openldap client cert validation
Next by Date: contextCSN attribute update on replication
Index(es):
- Chronological
- Thread