[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: default behavior of server certificate validation

On Thu, 19 Mar 2015, Bin Lu wrote:

Every time when connect to an ldaps url, it generates a fatal error due to ?unknown CA?. Is it possible to disable this check? [...] In connecting the LDAP server with LDAPs or (start)TLS, what is the default behavior of the server certificate validation? How can I disable the default behavior?

You're not giving a lot to go on here, but I assume you're talking about a client/libldap perspective. libldap's configuration file is documented in the ldap.conf(5) man page. I'll call particular attention to one option for TLS_REQCERT from the man page:

              demand | hard
                     These keywords are equivalent. The server certifi-
                     cate  is requested. If no certificate is provided,
                     or a bad certificate is provided, the  session  is
                     immediately  terminated.  This is the default set-

So, per the ldap.conf(5) man page, you can reconfigure the CAs and/or change this behavior with appropriate ldap.conf directives.

As a final note, if you're in the libldap context, ldap_set_option(3) describes the OpenLDAP specific TLS options to control this behavior programatically (i.e. via API, rather than via ldap.conf configuration file).