On Wed, 10 Aug 2011, sachin mishra wrote:
> 5. If step 3 fails, ldap_unbind (ld), start from step1 again except that
> LDAP_OPT_X_TLS_CACERTFILE will now have the next entry in the directory as
> input.
> Is there anything wrong in this? Is there any better approach for this?
In most widely used applications, you'd probably be better off NOT
handling TLS configuration, and just referring the user to appropriate
ldap.conf(5)-syntax files and/or environment variables. Users tend to have
personalized (and varying) security postures, and I'm a believer in the
classic "give them rope" philosophy.
Now, maybe you expose some sort of nice interface to the ldap.conf(5)
options, or perhaps you have an internal application and you really do
want to (partially?) hard code the TLS configuration. In that case, I'd
recommend you try using LDAP_OPT_X_TLS_CACERTDIR instead, and let the
crypto library handle building the whole CA structure and the
verification. This option is documented under ldap_set_option(3).
Obviously the method you write will (eventually) work, but it comes with
needless cost and complexity.
(Please also note that this could be combined: you could remove your CA
handling code, and still set a TLS_CACERTDIR in ldap.conf(5).)
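As an added example (not code from the thread): ldap.conf(5) requires a TLS_CACERTDIR / LDAP_OPT_X_TLS_CACERTDIR directory to be managed with c_rehash so the crypto library can find each CA by its subject hash, and a directory that was merely filled with PEM files silently verifies nothing. The POSIX shell functions below check that condition and build the directory the right way; they assume the openssl and ldapsearch command-line tools, and all paths are constructed.

```shell
#!/bin/sh
# Added example: validate and populate a hashed CA directory for use as
# LDAP_OPT_X_TLS_CACERTDIR / TLS_CACERTDIR. Assumes the openssl tool.

# Return 0 if every *.pem / *.crt in $1 is reachable via a <subject_hash>.N
# name (what OpenSSL's directory lookup actually opens), 1 otherwise.
cacertdir_is_hashed() {
    dir=$1
    status=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue                  # unmatched glob
        hash=$(openssl x509 -in "$cert" -noout -subject_hash) || return 1
        found=0
        for link in "$dir/$hash".[0-9]*; do
            [ -e "$link" ] && found=1 && break
        done
        if [ "$found" -eq 0 ]; then
            echo "unhashed CA certificate: $cert (expected $hash.N)" >&2
            status=1
        fi
    done
    return $status
}

# Copy a CA certificate into the directory, then let the crypto library's
# own tool create the hash names ("openssl rehash", OpenSSL >= 1.1.0).
cacertdir_add() {
    dir=$1; cert=$2
    mkdir -p "$dir"
    cp "$cert" "$dir"/
    openssl rehash "$dir" 2>/dev/null
}

# Client probe through the ldap.conf(5) environment variables (hypothetical
# usage, needs the OpenLDAP client tools): -ZZ makes ldapsearch fail hard if
# StartTLS or certificate verification does not succeed.
ldap_tls_probe() {
    LDAPTLS_CACERTDIR=$1 LDAPTLS_REQCERT=demand \
        ldapsearch -H "$2" -ZZ -x -s base -b '' namingContexts
}
```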