Phil Pennock <[email protected]> writes:

> On 2012-06-19 at 17:19 +0200, Ferenc Wagner wrote:
>
>> Our LDAP server requires SSL connections, so I use the ldaps:// schema
>> in the LDAP lookup URI. However, I also have to specify the CA
>> certificates and the certificate policy in my /etc/ldap/ldap.conf, like:
>>
>> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>> TLS_REQCERT demand
>>
>> However, I really don't like the configuration separated this way: what
>> if I needed different TLS_CACERT or TLS_REQCERT options in Exim than in
>> other places? Being unable to include these options in my Exim config
>> feels like a shortcoming. Specification chapter 9, section 17 (LDAP
>> authentication and control information) enumerates several options which
>> can be set, but the above two are not in that bunch. Is there a good
>> reason for this, were they omitted by mistake or do I overlook something?
>
> Those are tuning knobs for authentication and controls *within* an LDAP
> session; TLS control knobs are separate options, not part of the query.
Makes perfect sense, thanks!

> 14.6 Data lookups
> [...]
> ldap_ca_cert_dir      dir of CA certs to verify LDAP server's
> ldap_ca_cert_file     file of CA certs to verify LDAP server's
> ldap_cert_file        client cert file for LDAP
> ldap_cert_key         client key file for LDAP
> ldap_cipher_suite     TLS negotiation preference control
> ldap_default_servers  used if no server in query
> ldap_require_cert     action to take without LDAP server cert
> ldap_start_tls        require TLS within LDAP
> ldap_version          set protocol version
>
> Added in Exim 4.75, we're currently at Exim 4.80.

Great, exactly what I need! Pity we're still running 4.72...

Aside, I'm usually fairly good at reading documentation, but I plainly
fell short in this case. May I suggest putting some pointer to these
options into 9.16 LDAP connection in the fine manual? It already mentions
ldap_default_servers several times; something like "for other LDAP
connection options (e.g. TLS, version) see ldap_* in 14.6" would suffice
in my opinion.

Aside2, ldaps:/// tries to connect to port 389 if no port is specified in
ldap_default_servers (on Exim 4.72). Shouldn't it use 636 instead?

--
Thanks again,
Feri.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
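As an added illustration (not part of the thread above, and not Exim's own documentation) of how the ldap_* main options Phil lists replace the TLS_CACERT/TLS_REQCERT lines from /etc/ldap/ldap.conf, here is a fragment of an Exim main configuration section. It needs Exim 4.75 or later, as Phil notes. The hostname, base DN and certificate path are placeholders; the "<;" list-separator prefix is assumed standard Exim list syntax, used here so the host:port colon is not read as a list separator; and the ldap_cipher_suite value is an assumed OpenSSL-style string, shown commented out because its syntax depends on the LDAP library Exim was built against.

```text
# Added example: Exim main configuration section (Exim >= 4.75).
# Hostname, base DN and paths below are placeholders, not values from the thread.

# Server used when a lookup URI gives no host. With the ldaps:// scheme the
# port is given explicitly (636) rather than trusting the default, which is
# the point of Feri's second aside. "<;" switches the list separator to ";"
# (assumed Exim list syntax) so "host:636" is parsed as host and port.
ldap_default_servers = <; ldap.example.com:636

# TLS settings that previously had to live in /etc/ldap/ldap.conf:
#   TLS_CACERT  -> ldap_ca_cert_file
#   TLS_REQCERT -> ldap_require_cert (hard / demand / allow / try / never)
# "demand" makes Exim refuse the session if the server certificate is
# missing or does not verify against the CA bundle.
ldap_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
ldap_require_cert = demand

# Optional: restrict the negotiated cipher suite (assumed OpenSSL-style
# string; the accepted syntax depends on the LDAP library in use).
# ldap_cipher_suite = HIGH:!aNULL:!MD5

# ldap_start_tls is for STARTTLS on a plain ldap:// session; it is not
# needed when the URI scheme is already ldaps://.
ldap_version = 3

# A lookup with an empty host part, so ldap_default_servers (and the TLS
# options above) apply. ${quote_ldap:...} escapes filter metacharacters in
# the local part so user-supplied input cannot alter the filter.
# ${lookup ldap{ldaps:///ou=people,dc=example,dc=com?mail?sub?(uid=${quote_ldap:$local_part})}}
```

With this in place, the system-wide /etc/ldap/ldap.conf no longer dictates Exim's certificate policy, so Exim can demand verification even where other clients on the host are configured more loosely.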
