Hi! Invalid certificates are, well, invalid. The whole security model on certificates is based on certificates being valid. Before you try to mess with invalid certificates, please use valid certificates. If other parties provide such certificates, please complain. (I'm tired of new software being shipped with expired certificates...)
Regards,
Ulrich

>>> Jared <[email protected]> wrote on 09.10.2013 at 00:41 in message <[email protected]>:
> Hi, all. I'm having trouble figuring out how to allow SSL connections
> (using ldapsearch) to a single host with an invalid certificate. I know
> this can be done using TLS_REQCERT=allow (or never), but the same
> account also connects to multiple other hosts using certificate-based
> authentication, and the problem is that I can get those two
> configurations to work together.
>
> To illustrate, here's the current ~/.ldaprc file for this user:
>
> TLS_CERT /home/ldap/certs/admin.crt
> TLS_KEY /home/ldap/certs/admin.key
> TLS_REQCERT demand
> SASL_MECH external
>
> That works fine for everything but this one new host. I'm not able to
> fix the SSL issue on this host, so for now I need to work around it.
> If I replace the above ~/.ldaprc with this:
>
> HOST server.domain.com
> PORT 636
> TLS_REQCERT allow
>
> Then ldapsearch works fine for this new server, but, of course,
> SASL/cert auth fails for everything else.
>
> So, how do I get these to work together, with that first configuration
> example set as the default for all hosts *except* server.domain.com?
>
> Here's what I've tried so far:
>
> * Appending the configuration for server.domain.com to the existing
> ~/.ldaprc file - it doesn't have an effect, like the global stuff is
> overriding the host-specific options
>
> * Adding the server.domain.com config to /etc/openldap/ldap.conf, but
> ~/.ldaprc takes precedence over this, so again it has no effect.
>
> * Creating a separate ~/.ldaprc-server file and exporting
> LDAPRC=.ldaprc-server - in this case, both ~/.ldaprc AND
> ~/.ldaprc-server are sourced (found using strace), so again my
> host-specific settings are ignored.
>
> * exporting both LDAPNOINIT=true and LDAPRC=.ldaprc-server, but that
> prevents either rc file from being sourced
>
> * exporting LDAPNOINIT=true and calling ldapsearch with:
> LDAPTLS_REQCERT=allow ldapsearch -H ldaps://server.domain.com ... - this
> also seems to have no effect, though
>
> I'm sure I must be missing something simple, but I'm out of ideas at
> this point. Would appreciate any tips or pointers.
>
> Thanks!
>
> --
> Jared
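The precedence Jared ran into (both files sourced, the later one overriding) is the documented ldap.conf(5) read order; the script below, added here and not part of the thread, computes the TLS_REQCERT value that order yields and fails when it comes out as allow, never or try, so a weakened per-host setting cannot quietly become the account's default. The file paths it is called with are assumptions; LDAPNOINIT is not modelled, since it disables all of these sources at once.

```shell
# Added example, not part of the thread: resolve the TLS_REQCERT value that
# libldap ends up with, following the read order in ldap.conf(5): system file,
# then the user's ~/.ldaprc, then the file named by $LDAPRC, then the
# LDAPTLS_REQCERT environment variable. Later sources override earlier ones,
# and within one file the last occurrence of a keyword wins.

# Print the last TLS_REQCERT value in a file. ldap.conf keywords are
# case-insensitive and '#' starts a comment. Silent if the file is unreadable.
last_reqcert_in() {
    [ -r "$1" ] || return 0
    awk '$1 !~ /^#/ && toupper($1) == "TLS_REQCERT" { v = $2 }
         END { if (v != "") print v }' "$1"
}

# Usage: effective_reqcert SYSTEM_CONF USER_RC LDAPRC_FILE ENV_VALUE
# Sets REQCERT_VALUE and REQCERT_SOURCE; "demand" is libldap's default.
effective_reqcert() {
    REQCERT_VALUE=demand; REQCERT_SOURCE="built-in default"
    for f in "$1" "$2" "$3"; do
        [ -n "$f" ] || continue
        v=$(last_reqcert_in "$f")
        if [ -n "$v" ]; then REQCERT_VALUE=$v; REQCERT_SOURCE=$f; fi
    done
    if [ -n "$4" ]; then
        REQCERT_VALUE=$4; REQCERT_SOURCE="LDAPTLS_REQCERT environment"
    fi
}

# Return 1 when the effective value weakens or disables verification of the
# server certificate, so a wrapper can refuse to run ldapsearch that way.
check_reqcert() {
    effective_reqcert "$@"
    case $(printf '%s' "$REQCERT_VALUE" | tr 'A-Z' 'a-z') in
        never|allow|try)
            echo "WEAK: TLS_REQCERT=$REQCERT_VALUE (set by $REQCERT_SOURCE)"
            return 1 ;;
        *)  echo "OK: TLS_REQCERT=$REQCERT_VALUE (set by $REQCERT_SOURCE)"
            return 0 ;;
    esac
}

# Constructed sample files modelled on the two ~/.ldaprc variants above.
make_samples() {
    d=$(mktemp -d)
    printf 'TLS_CERT /home/ldap/certs/admin.crt\nTLS_KEY /home/ldap/certs/admin.key\n' > "$d/ldaprc"
    printf 'TLS_REQCERT demand\nSASL_MECH external\n' >> "$d/ldaprc"
    printf '# per-host file named via LDAPRC\nHOST server.domain.com\nPORT 636\ntls_reqcert allow\n' > "$d/ldaprc-server"
    echo "$d"
}
```

Call `check_reqcert /etc/openldap/ldap.conf "$HOME/.ldaprc" "$HOME/$LDAPRC" "$LDAPTLS_REQCERT"` from a wrapper before ldapsearch to see which file actually set the value in effect.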
