Oh, thanks for clearing up the confusion. Then is there any way to prevent openldap from sending its server certificate as a client one when connecting to the meta target? I mean other than changing TLSVerifyClient on the remote host, as we don't have access to do this.

Regards,

Quoting Howard Chu <[email protected]>:

> [email protected] wrote:
>> Full_Name: Mohammad Nweider
>> Version: master
>> OS: Redhat Linux
>> URL: https://www.securiteam.io/contribs/openldap/mohammad-20160131-0001-fix-backmeta-idassertbind-tlsreqcert-never-bug.patch
>> Submission from: (NULL) (89.100.154.148)
>>
>>
>> Hello,
>>
>> We've found a small bug when trying to run openldap with the meta backend. What we were trying to achieve is to have our server listen on an ssl/tls port and to communicate with the meta targets over ssl/tls as well, but due to the fact that we're using a self-signed certificate and we don't have access to manage the meta targets, we wanted to skip the client certificate verification when connecting to the meta targets, so we tried adding idassert-bind tls_reqcert=never to our meta config for this purpose, but unfortunately it didn't work as expected.
>
> There is no bug here. The tls_reqcert setting controls whether the local node requires the remote target to provide a valid server certificate. It has nothing to do with client certificates at all.
>
>> Whenever openldap has a certificate/key either in TLSCertificateFile/TLSCertificateKeyFile or in idassert-bind tls_cert/tls_key settings, it completely ignores tls_reqcert in idassert-bind!
>
> Because the reqcert setting has nothing to do with this.
>
> Closing this ITS.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
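To make the distinction in Howard's reply concrete, here is an annotated slapd.conf back-meta fragment. It is an added illustration, not part of this thread or of the OpenLDAP project's documentation; the suffix, URI, bind DN, credentials and file paths are placeholders, and the only settings it relies on are the ones named in the thread (TLSCertificateFile, TLSCertificateKeyFile, idassert-bind with tls_reqcert, tls_cert and tls_key) plus the standard database/suffix/uri directives of slapd-meta(5).

```conf
# Global TLS settings for the listener side of this slapd.
# These are the server certificate this node presents to *its own* clients.
TLSCertificateFile    /etc/openldap/certs/proxy-server.crt   # placeholder path
TLSCertificateKeyFile /etc/openldap/certs/proxy-server.key   # placeholder path

database meta
suffix   "dc=example,dc=com"                                  # placeholder suffix

# One meta target reached over TLS.
uri      "ldaps://target.example.com/dc=example,dc=com"       # placeholder target

# idassert-bind: how this node authenticates to the target.
#
# tls_reqcert governs only what this node demands of the *target's server
# certificate* (never = do not require a valid one). Per the reply above it
# has no effect on which client certificate, if any, this node offers, so it
# does not address a target that has TLSVerifyClient set to require one.
#
# tls_cert / tls_key (optional) are the *client* certificate and key this node
# would present to the target; TLSVerifyClient on the target decides whether
# such a certificate is required and must validate there.
idassert-bind bindmethod=simple
    binddn="cn=proxy,dc=example,dc=com"                      # placeholder DN
    credentials="CHANGE_ME"                                  # placeholder
    tls_reqcert=never
    tls_cert=/etc/openldap/certs/proxy-client.crt            # placeholder path
    tls_key=/etc/openldap/certs/proxy-client.key             # placeholder path
```

The point of the layout is that the two halves of the TLS handshake are configured in two unrelated places: tls_reqcert relaxes this node's validation of the remote server certificate, while whether the remote accepts or rejects a client certificate is decided by the remote's own TLSVerifyClient policy, which the thread notes the reporter cannot change.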
