It seems there is no interest in this. That's disappointing but not
unexpected. Personally, I find it reckless that slapd would accept and
process packets from parties that would happily take a flame thrower to
your server if it got them any advantage.
I would strongly encourage the OpenLDAP team to properly validate PKI
client certificates and CLOSE THE CONNECTION if the client fails
authentication.
I have made one proposal about how to add this functionality but I'm
sure there are many ways to approach it.
In the meantime, I will continue using the proxy in front of slapd and
would strongly recommend anyone using client certs for authentication
without a dedicated CA to do the same.
In all other respects,
thanks for a great product.
Sean.