[email protected] wrote:
> Full_Name: Mohammad Nweider
> Version: master
> OS: Redhat Linux
> URL: https://www.securiteam.io/contribs/openldap/mohammad-20160131-0001-fix-backmeta-idassertbind-tlsreqcert-never-bug.patch
> Submission from: (NULL) (89.100.154.148)
>
>
> Hello,
>
> We've found a small bug when trying to run openldap with the meta backend. What we
> were trying to achieve is to have our server listen on an ssl/tls port and to
> communicate with the meta targets over ssl/tls as well, but due to the fact that
> we're using a self-signed certificate and we don't have access to manage the
> meta targets, we wanted to skip the client certificate verification when
> connecting to the meta targets, so we tried adding idassert-bind
> tls_reqcert=never to our meta config for this purpose, but unfortunately it
> didn't work as expected.
There is no bug here. The tls_reqcert setting controls whether the local node requires the remote target to provide a valid server certificate. It has nothing to do with client certificates at all.

> Whenever openldap has a certificate/key either in
> TLSCertificateFile/TLSCertificateKeyFile or in idassert-bind tls_cert/tls_key
> settings, it completely ignores tls_reqcert in idassert-bind!

Because the reqcert setting has nothing to do with this.

Closing this ITS.

-- 
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
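The distinction drawn in the reply, as an added slapd.conf fragment that is not part of the ITS thread or of OpenLDAP's own documentation: a back-meta target reached over ldaps://, with the idassert-bind form the reporter tried (tls_reqcert=never, which stops slapd from requiring a valid certificate from the remote target) placed beside the form that keeps target verification on and instead trusts the target's self-signed certificate explicitly. Hostnames, DNs, file paths and the password are placeholders.

```conf
# Added example (not from the ITS thread): one back-meta target over ldaps://,
# annotated with what each idassert-bind tls_* option actually governs.
# Hostnames, DNs, paths and the password below are placeholders.

database        meta
suffix          "dc=example,dc=com"

uri             "ldaps://target.example.com/dc=example,dc=com"

# What the report asked for. tls_reqcert=never tells slapd NOT to require a
# valid certificate from the *target* (the remote server); it has no effect on
# any client certificate. The cost: the target's self-signed certificate is
# accepted, but so is any certificate an impostor presents on that connection.
#idassert-bind  bindmethod=simple
#               binddn="cn=proxy,dc=example,dc=com"
#               credentials="proxy-password-placeholder"
#               tls_reqcert=never

# Preferred: keep tls_reqcert=demand and trust the target's self-signed
# certificate explicitly by pointing tls_cacert at a copy of it. This needs no
# access to the target; the certificate is what it sends on every handshake.
# tls_cert/tls_key are the *client* certificate and key slapd presents to the
# target. They are a separate setting and do not replace the tls_reqcert check.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="proxy-password-placeholder"
                tls_reqcert=demand
                tls_cacert=/etc/openldap/certs/target-selfsigned.pem
                tls_cert=/etc/openldap/certs/proxy-client.pem
                tls_key=/etc/openldap/certs/proxy-client.key
```

The copy of the target's certificate for tls_cacert can be taken from the handshake itself (for example with `openssl s_client -connect target.example.com:636 -showcerts`) and checked out of band against the target's operators before it is trusted; after that, a changed or forged target certificate fails the bind instead of being silently accepted.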
