Re: (ITS#8364) [PATCH] back-meta idassert-bind tls_reqcert=never bug
Oh, thanks for clearing up the confusion. Then is there any way to
prevent openldap from sending its server certificate as a client one
when connecting to the meta target? I mean other than changing the
TLSVerifyClient on the remote host, as we don't have access to do this.
Regards,
Quoting Howard Chu <hyc@symas.com>:
> mohammad@securiteam.io wrote:
>> Full_Name: Mohammad Nweider
>> Version: master
>> OS: Redhat Linux
>> URL:
>> https://www.securiteam.io/contribs/openldap/mohammad-20160131-0001-fix-backmeta-idassertbind-tlsreqcert-never-bug.patch
>> Submission from: (NULL) (89.100.154.148)
>>
>>
>> Hello,
>>
>> We've found a small bug when trying to run openldap with the meta
>> backend. What we were trying to achieve is to have our server listen
>> on an ssl/tls port and to communicate with the meta targets over ssl/tls
>> as well, but due to the fact that we're using a self-signed certificate
>> and we don't have access to manage the meta targets, we wanted to skip
>> the client certificate verification when connecting to the meta targets,
>> so we tried adding idassert-bind tls_reqcert=never to our meta config
>> for this purpose, but unfortunately it didn't work as expected.
>
> There is no bug here. The tls_reqcert setting controls whether the
> local node requires the remote target to provide a valid server
> certificate. It has nothing to do with client certificates at all.
>
>> Whenever openldap has a certificate/key either in
>> TLSCertificateFile/TLSCertificateKeyFile or in idassert-bind
>> tls_cert/tls_key settings, it completely ignores tls_reqcert in
>> idassert-bind!
>
> Because the reqcert setting has nothing to do with this.
>
> Closing this ITS.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
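The distinction Howard draws above (tls_reqcert governs validation of the remote target's server certificate; the client certificate slapd presents is whatever tls_cert/tls_key or the global TLSCertificateFile/TLSCertificateKeyFile supply) is easiest to see side by side in a slapd-meta configuration. The fragment below is an added illustration, not part of the thread or of the OpenLDAP project; the target URI, DN, paths and credentials are constructed placeholders.

```conf
# Added example (not from the thread): two slapd-meta targets showing what
# each idassert-bind TLS option actually controls. All values are placeholders.

database        meta
suffix          "dc=example,dc=com"

# Target 1: the setting the reporter tried. tls_reqcert=never does NOT
# suppress the client certificate; it only stops slapd from checking the
# remote target's server certificate, so a forged target would be accepted.
uri             "ldaps://target1.example.com/ou=people,dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="PLACEHOLDER"
                mode=none
                tls_reqcert=never

# Target 2: the safer shape. Validate the target's server certificate against
# a CA bundle (tls_reqcert=demand), and make the client identity explicit via
# tls_cert/tls_key instead of inheriting the server's TLSCertificateFile.
uri             "ldaps://target2.example.com/ou=groups,dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="PLACEHOLDER"
                mode=none
                tls_reqcert=demand
                tls_cacert=/etc/openldap/certs/target-ca.pem
                tls_cert=/etc/openldap/certs/proxy-client.pem
                tls_key=/etc/openldap/certs/proxy-client.key
```

Whether the remote target rejects or ignores the presented client certificate is decided by that target's own TLSVerifyClient, as the reply notes; nothing in the local idassert-bind options changes that decision.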