Sean Gallagher wrote:
> It seems there is no interest in this. That's disappointing but not
> unexpected. Personally, I find it reckless that slapd would accept and
> process packets from parties that would happily take a flame thrower to
> your server if it got them any advantage.
>
> I would strongly encourage the OpenLDAP team to properly validate PKI client
> certificates and CLOSE THE CONNECTION if the client fails authentication.

That feature is already available using TLSVerifyClient in the slapd config.

> I have made one proposal about how to add this functionality but I'm sure
> there are many ways to approach it.
>
> In the meantime, I will continue using the proxy in front of slapd and would
> strongly recommend anyone using client certs for authentication without a
> dedicated CA to do the same.

Pure nonsense.

> In all other respects,
>
> thanks for a great product.
>
> Sean.
>
> --

-- 
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
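The TLSVerifyClient directive Howard refers to, shown here as an added slapd.conf example rather than configuration posted by anyone in this thread. The certificate and key paths are placeholders; the setting values and their behaviour are as documented in slapd.conf(5).

```conf
# Server-side TLS material. TLSCACertificateFile is the trust anchor that
# client certificates are chain-validated against: only clients holding a
# certificate issued under this CA can pass the check below.
TLSCACertificateFile   /etc/openldap/certs/ca.pem       # placeholder path
TLSCertificateFile     /etc/openldap/certs/slapd.pem    # placeholder path
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key    # placeholder path

# Weak (and the default if the directive is omitted): slapd never even asks
# the client for a certificate, so any TLS peer is accepted and its requests
# are processed.
#TLSVerifyClient never

# Intermediate settings that do NOT enforce client authentication:
#   allow  - certificate requested; missing or bad certificate is ignored
#   try    - certificate requested; missing certificate is tolerated,
#            bad certificate terminates the session
#TLSVerifyClient try

# Enforcing setting: the client certificate is requested and, if it is
# missing or fails validation against TLSCACertificateFile, the TLS
# session is terminated immediately, i.e. the connection is closed before
# any LDAP operation is processed. "hard" and "true" are accepted synonyms.
TLSVerifyClient demand
```

The same setting lives in cn=config as olcTLSVerifyClient. Note that `demand` only decides whether the TLS handshake completes: a certificate that chains to the configured CA file is accepted regardless of who it names, so the CA in TLSCACertificateFile is the boundary of who can connect at all. Mapping an accepted certificate's subject to an LDAP identity is a separate step (SASL EXTERNAL with authz-regexp) and is not changed by this directive.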