List: pamldap
Subject: RE: [pamldap] Can pam_ldap use SSL without TLS with and openldap client?
From: spangla () nationwide ! com
Date: 2003-01-30 15:53:32
Howard,
Very cool - LDAP_OPT_X_TLS_NEVER instead of LDAP_OPT_X_TLS_REQUIRE_CERT.
That's exactly what I was looking for. Now it's official.
Thank you so much.
-Aaron
"Howard Chu" <hyc@highlandsun.com>
To: <spangla@nationwide.com>; <M.J.Hulsman01@rf.rabobank.nl>
cc: <mike.corcoran@wright.edu>, <owner-pamldap@padl.com>, <pamldap@padl.com>
Subject: RE: [pamldap] Can pam_ldap use SSL without TLS with and openldap client?
01/29/03 06:39 PM
The suggested patch was not appropriate; I've committed a modified patch for
this issue to the OpenLDAP CVS HEAD.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-pamldap@padl.com
> [mailto:owner-pamldap@padl.com]On Behalf Of spangla@nationwide.com
>
> The patch is ITS#2161. I had to use it since we have a cluster of
> eDirectory boxes and each node may (or may not) have a different hostname
> coded in the certificate. I tried turning certificate checking off.
> However even if certificate checking is off, the OpenLDAP developers insist
> that the hostname embedded in the certificate should be checked and
> mismatches should cause a connect failure. I disagree. If the client code
> turns off certificate checking, then why should it be forced to check the
> contents of the certificate?
>
> The patch makes the code work as documented and it allows for the option of
> OpenLDAP to connect to servers with malformed certificates when certificate
> checking is turned off. See below for the URL of the patch.
>
> -Aaron
>
> http://www.openldap.org/its/index.cgi/Incoming?id=2161
>
> "Hulsman, MJ (Mike)" <M.J.Hulsman01@rf.rabobank.nl>
> Sent by: owner-pamldap@padl.com
> To: "'spangla@nationwide.com'" <spangla@nationwide.com>; mike.corcoran@wright.edu
> cc: owner-pamldap@padl.com, pamldap@padl.com
> Subject: RE: [pamldap] Can pam_ldap use SSL without TLS with and openldap client?
> 01/17/03 03:15 AM
>
> > 6) If you have no control over your server certificates, there is a
> > one-line patch to OpenLDAP that allows disabling of hostname matches in
> > certificates. I can provide it. The OpenLDAP developers veto'ed the patch
> > though.
>
> I searched for that patch but could not find it.
> Can you please point me to the place where I can get it?
>
> ================================================
> The information contained in this message may be confidential
> and is intended to be exclusively for the addressee. Should you
> receive this message unintentionally, please do not use the contents
> herein and notify the sender immediately by return e-mail.
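The check the thread argues about, as an added illustration that is not part of the original messages or of OpenLDAP's own code: a simplified certificate-name-to-hostname matcher run over a constructed cluster like the eDirectory one described above, showing which nodes would fail with peer checking on, and that the `never` setting (LDAP_OPT_X_TLS_NEVER / `TLS_REQCERT never`) does not merely skip the hostname comparison but drops server-identity verification altogether. All hostnames and certificate names are constructed.

```python
"""Simplified hostname matching of the kind a TLS client performs after the
certificate chain check (constructed example, not OpenLDAP's implementation)."""


def name_matches_host(pattern: str, host: str) -> bool:
    """Match one certificate name (CN or DNS SAN) against a hostname.

    Only a single leftmost '*' label is honoured, it must be followed by at
    least two labels, and it never spans a dot, so '*.example.com' matches
    'ldap2.example.com' but not 'a.ldap2.example.com'.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or "*" in pattern[2:]:
        return False  # partial or multiple wildcards are rejected
    if len(plabels) < 3 or len(plabels) != len(hlabels):
        return False  # '*.com' style patterns and label-count mismatches fail
    return plabels[1:] == hlabels[1:]


def cert_matches_host(cert_names, host: str) -> bool:
    """True if any name in the certificate matches the host we dialled."""
    return any(name_matches_host(name, host) for name in cert_names)


def check_cluster(cert_names, nodes, require_cert: str = "demand") -> dict:
    """Verdict per cluster node for one certificate and one TLS_REQCERT mode.

    'demand' (the default) fails the connection on a name mismatch.
    'never' skips verification entirely: every node 'connects', but nothing
    has authenticated the peer, so a substituted server is not detected.
    """
    if require_cert == "never":
        return {n: "unverified: peer identity not checked" for n in nodes}
    return {
        n: "ok" if cert_matches_host(cert_names, n) else "hostname mismatch: connect fails"
        for n in nodes
    }


if __name__ == "__main__":
    # Constructed cluster: one certificate issued to a single node name.
    nodes = ["ldap1.example.com", "ldap2.example.com", "ldap3.example.com"]
    print(check_cluster(["ldap1.example.com"], nodes))
    # A certificate listing all nodes (or a wildcard) keeps checking enabled.
    print(check_cluster(["*.example.com"], nodes))
```

The second call shows the alternative to turning checking off: a certificate whose names cover every node passes with verification still enabled.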