How do tool verify certs with ldapi:// ?

2012-05-28 Thread Peter Marschall
Hi,

how do the openldap tools technically verify certificates with ldapi:// ? With ldapi, you don't have a hostname or IP address, so how do the openldap tools do it? I tried to browse the code but got lost somewhere on the way. Any hints to the code or a short step-by-step explanation will

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Michael Ströder
Peter Marschall wrote:
> how do the openldap tools technically verify certificates with ldapi:// ?

Which certs do you want to verify?

> With ldapi, you don't have a hostname or IP address, so how do the openldap
> tools do it?

Are you talking about SASL/EXTERNAL? There are no certs involved at

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Peter Marschall
Hi,

On Monday, 28. May 2012, Michael Ströder wrote:
> > how do the openldap tools technically verify certificates with ldapi://
> > ?
> Which certs do you want to verify?
>
> > With ldapi, you don't have a hostname or IP address, so how do the
> > openldap tools do it?
>
> Are you talking about

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Philip Guenther
On Mon, 28 May 2012, Michael Ströder wrote:
> Peter Marschall wrote:
> > how do the openldap tools technically verify certificates with ldapi:// ?
>
> Which certs do you want to verify?

I assume the answer is "the one the server returns when you do StartTLS on the ldapi:// connection". It's pr

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Peter Marschall
Hi,

On Monday, 28. May 2012, Philip Guenther wrote:
> On Mon, 28 May 2012, Michael Ströder wrote:
> > Peter Marschall wrote:
> > > how do the openldap tools technically verify certificates with
> > > ldapi:// ?
> >
> > Which certs do you want to verify?
>
> I assume the answer is "the one the s

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Michael Ströder
Peter Marschall wrote:
> On Monday, 28. May 2012, Philip Guenther wrote:
>> On Mon, 28 May 2012, Michael Ströder wrote:
>>> Peter Marschall wrote:
>>>> how do the openldap tools technically verify certificates with ldapi:// ?
>>>
>>> Which certs do you want to verify?
>>
>> I assume the answe

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Philip Guenther
On Mon, 28 May 2012, Peter Marschall wrote:
> On Monday, 28. May 2012, Philip Guenther wrote:
...
> > If that's not a sufficient option, and verifying certs is required,
> > then it appears the code will treat the socket path as the hostname to
> > verify for. For OpenSSL, for example, that mean

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Peter Marschall
Hi Michael,

On Monday, 28. May 2012, Michael Ströder wrote:
> Peter Marschall wrote:
> > On Monday, 28. May 2012, Philip Guenther wrote:
> >> On Mon, 28 May 2012, Michael Ströder wrote:
> >>> Peter Marschall wrote:
> >>>> how do the openldap tools technically verify certificates with
> >>>> ldapi

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Michael Ströder
Peter Marschall wrote:
> On Monday, 28. May 2012, Michael Ströder wrote:
>> Peter Marschall wrote:
>>> On Monday, 28. May 2012, Philip Guenther wrote:
>>>> On Mon, 28 May 2012, Michael Ströder wrote:
>>>>> Peter Marschall wrote:
>>>>>> how do the openldap tools technically verify certificates with

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Michael Ströder
Michael Ströder wrote:
> => StartTLS over LDAP is undefined and probably every API should simply refuse
> it at all or accept any server cert. In both cases the underlying LDAPI
> channel is fully trusted anyway.
>
> If the client really would like to implement an additional *security* check
> tha

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Michael Ströder
Michael Ströder wrote:
> => StartTLS over LDAP is undefined
                     ^^
Hmmpf. An "I" was missing here. So it means: StartTLS over LDAPI is undefined.

Ciao, Michael.

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Peter Marschall
Hi,

On Monday, 28. May 2012, Michael Ströder wrote:
> I think the standards are what is relevant here. The arbitrary check for
> "localhost" does not make sense because "localhost" does not sufficiently
> specify the name of the server.

I fully concur that it is not correct to use "localhost"

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Philip Guenther
On Mon, 28 May 2012, Philip Guenther wrote:
> If no path is specified (e.g., "ldapi://") then the checking code is
> passed a hostname of "localhost".

...which then remaps that to the local hostname (if available) for the actual check.

Huh. So for any URI that doesn't specify a host component,

Re: How do tool verify certs with ldapi:// ?

2012-05-28 Thread Peter Marschall
Hi,

On Monday, 28. May 2012, Philip Guenther wrote:
> ...which then remaps that to the local hostname (if available) for the
> actual check.
>
> Huh. So for any URI that doesn't specify a host component, be it
> "ldapi://" or "ldap://" or "ldaps://", the OpenLDAP tools will connect to
> the def