On Thu, 19 Mar 2015, Bin Lu wrote:
Every time I connect to an ldaps URL, it generates a fatal error due
to "unknown CA". Is it possible to disable this check?
[...]
In connecting the LDAP server with LDAPs or (start)TLS, what is the
default behavior of the server certificate validation? How can I disable
the default behavior?
You're not giving a lot to go on here, but I assume you're talking about a
client/libldap perspective. libldap's configuration file is documented in
the ldap.conf(5) man page. I'll call particular attention to one option
for TLS_REQCERT from the man page:
demand | hard
These keywords are equivalent. The server certificate is requested.
If no certificate is provided, or a bad certificate is provided, the
session is immediately terminated. This is the default setting.
So, per the ldap.conf(5) man page, you can reconfigure the CAs and/or
change this behavior with appropriate ldap.conf directives.
As a final note, if you're in the libldap context, ldap_set_option(3)
describes the OpenLDAP-specific TLS options to control this behavior
programmatically (i.e. via API, rather than via the ldap.conf configuration
file).
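As an added illustration (not part of the thread): an ldap.conf fragment contrasting the directive that makes the "unknown CA" error go away by switching off validation with the directive that actually fixes the trust problem, namely pointing libldap at the CA that issued the server certificate. The file paths are placeholders.

```conf
# /etc/ldap/ldap.conf (system-wide) or ~/.ldaprc (per user); placeholder paths.

# --- Weak: silences the error by no longer validating the server certificate.
# With "never" the client accepts any certificate, so a man-in-the-middle can
# terminate the TLS session and read or alter LDAP traffic (including binds).
# TLS_REQCERT never

# --- Corrected: keep the default "demand" behaviour and supply the CA instead.
# TLS_CACERT points at the PEM bundle that includes the CA which signed the
# LDAP server's certificate (use TLS_CACERTDIR for a hashed directory instead).
TLS_CACERT   /etc/ssl/certs/example-internal-ca.pem
# "demand" (the default) rejects a missing or bad server certificate; listing it
# explicitly keeps the setting from being silently weakened elsewhere.
TLS_REQCERT  demand
```

The same directive can be overridden per process with the LDAPTLS_REQCERT environment variable, so a review of client hosts should check both the file and the environment of the LDAP-using services.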