Your message dated Tue, 20 May 2014 15:46:50 -0700
with message-id
<camxh3qavq81smuxrn1auofpbvm79fhlp3hyka7hs73rxuot...@mail.gmail.com>
and subject line ldap.conf(5) mis-documents TLS_REQCERT
has caused the Debian Bug report #202635,
regarding ldap.conf(5) mis-documents TLS_REQCERT
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
202635: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=202635
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libldap2
Version: 2.1.22-1
Severity: normal
The ldap.conf(5) manpage documents the argument "demand" and "hard" as
being equivalent for TLS_REQCERT - but I observed different behaviour
at one point (broke with one and worked with the other, which I cannot
now duplicate), and looking at the code, they are clearly not the same
thing.
However, I do not understand how or why they are different, and it is
possible that the manpage is correct and the code is wrong.
There's also an undocumented "TLS" option, which may or may not be the
same thing as TLS_REQCERT.
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `' |
`- -><- |
pgpavRsvYJ1Ef.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Hi,
Looking at the sources like Torsten did, I think he misread it
slightly. (The relevant code is the same between 2.4.18 and now.)
Wherever LDAP_OPT_X_TLS_REQUIRE_CERT is considered, "demand" and
"hard" are treated identically.
For the case Torsten noted in ldap_int_open_connection, it's actually
looking at the LDAP_OPT_X_TLS option (ldo_tls_mode vs
ldo_tls_require_cert). That option is deprecated [1], undocumented [2]
(commented out in ldap_[sg]et_option(3)), and can't be controlled via
an ldap.conf(5) option any more [3]. Setting it to "hard" makes
opening a connection behave as if it were ldaps://, that is, it starts
TLS immediately without issuing STARTTLS, and any other value has no
effect.
[1] http://www.openldap.org/lists/openldap-software/200706/msg00159.html
[2]
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=b378944fc119c1d7778c73716b4ff639c14bf237
[3]
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=65bfb44e8eb10a2e3e7001b753b69c8fa24eead6
The -Z/-ZZ options of the client tools are implemented by separate
code in clients/tools/common.c.
AFAICT this does behave according to the documentation in every
version I've looked at, therefore closing the bug. Please do reopen if
you disagree with that conclusion.
thanks,
Ryan
--- End Message ---