Full_Name: Quanah Gibson-Mount
Version: 2.4.30
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.108.184.39)


From the manual page:

      olcTLSVerifyClient: <level>
              Specifies what checks to perform on client certificates in an
              incoming TLS session, if any. The <level> can be specified as
              one of the following keywords:

              never  This is the default. slapd will not ask the client for a
                     certificate.

              allow  The client certificate is requested. If no certificate
                     is provided, the session proceeds normally. If a bad
                     certificate is provided, it will be ignored and the
                     session proceeds normally.

              try    The client certificate is requested. If no certificate
                     is provided, the session proceeds normally. If a bad
                     certificate is provided, the session is immediately
                     terminated.

              demand | hard | true
                     These keywords are all equivalent, for compatibility
                     reasons. The client certificate is requested. If no
                     certificate is provided, or a bad certificate is
                     provided, the session is immediately terminated.

                     Note that a valid client certificate is required in order
                     to use the SASL EXTERNAL authentication mechanism with a
                     TLS session. As such, a non-default olcTLSVerifyClient
                     setting must be chosen to enable SASL EXTERNAL
                     authentication.


However, the code has:

static slap_verbmasks vfykeys[] = {
        { BER_BVC("never"),     LDAP_OPT_X_TLS_NEVER },
        { BER_BVC("demand"),    LDAP_OPT_X_TLS_DEMAND },
        { BER_BVC("try"),       LDAP_OPT_X_TLS_TRY },
        { BER_BVC("hard"),      LDAP_OPT_X_TLS_HARD },
        { BER_BVNULL, 0 }
};


Which means:

a) allow is missing
b) true is missing
c) demand and hard set different flags.  Not sure if that means any difference
functionality-wise, but according to the manual page, demand/true/hard are
supposed to be the same behavior.
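The following is an added example, not part of the report or of OpenLDAP's own code: it models the olcTLSVerifyClient policy as the manual page describes it (keyword mapping, session outcome per certificate state, and the SASL EXTERNAL precondition) and, beside it, the keyword set that the quoted vfykeys[] table accepts, so the two can be compared. The level and outcome constants are local to the example, not the LDAP_OPT_X_TLS_* values from <ldap.h>.

```c
/* Added example: olcTLSVerifyClient semantics per the manual page, contrasted
 * with the keyword table quoted from the report. Constants are local to this
 * example and are not the LDAP_OPT_X_TLS_* values defined by OpenLDAP. */
#include <string.h>

enum vfy_level { VFY_UNKNOWN = -1, VFY_NEVER, VFY_ALLOW, VFY_TRY, VFY_DEMAND };
enum outcome { SESSION_PROCEEDS, SESSION_PROCEEDS_CERT_IGNORED, SESSION_TERMINATED };

/* Keyword mapping as the manual page documents it: demand, hard and true
 * are synonyms, and allow is a distinct level. */
enum vfy_level parse_verify_level(const char *kw)
{
    if (strcmp(kw, "never") == 0) return VFY_NEVER;
    if (strcmp(kw, "allow") == 0) return VFY_ALLOW;
    if (strcmp(kw, "try") == 0) return VFY_TRY;
    if (strcmp(kw, "demand") == 0 || strcmp(kw, "hard") == 0 ||
        strcmp(kw, "true") == 0)
        return VFY_DEMAND;
    return VFY_UNKNOWN;
}

/* Keywords the vfykeys[] table quoted in the report actually lists. */
int reported_table_accepts(const char *kw)
{
    static const char *keys[] = { "never", "demand", "try", "hard" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (strcmp(kw, keys[i]) == 0) return 1;
    return 0;
}

/* Session outcome for a level and the client's certificate state. */
enum outcome verify_outcome(enum vfy_level lvl, int cert_presented, int cert_valid)
{
    if (lvl == VFY_NEVER) return SESSION_PROCEEDS;   /* never requested */
    if (!cert_presented)                             /* client sent nothing */
        return lvl == VFY_DEMAND ? SESSION_TERMINATED : SESSION_PROCEEDS;
    if (cert_valid) return SESSION_PROCEEDS;
    /* bad certificate: only "allow" ignores it */
    return lvl == VFY_ALLOW ? SESSION_PROCEEDS_CERT_IGNORED : SESSION_TERMINATED;
}

/* SASL EXTERNAL needs a validated client certificate, which "never" rules out. */
int sasl_external_possible(enum vfy_level lvl)
{
    return lvl != VFY_NEVER && lvl != VFY_UNKNOWN;
}
```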

