Re: [nssldap] Using tls_cert/key without rootbinddn
- From: lambam80 <lambam80 [at] hotmail.com>
- To: nssldap [at] padl.com
- Subject: Re: [nssldap] Using tls_cert/key without rootbinddn
- Date: Wed, 20 May 2009 01:26:15 -0700 (PDT)
Iain was kind enough to reply offline. I'll put his comments here.
> Note that sending a client-cert with TLS does *not perform* an LDAP Bind.
> > Q1. Do we know what purpose it serves, then ? Why bother specifying
> client cert, and key, in the file /etc/ldap.conf ?
Requiring clients to offer a cert signed by a specific trusted CA would provide a means of
disallowing 'foreign' hosts from usefully being able to access an LDAPS server.
> > Aside: If I've understood correctly the password (bindpw secret) in the
> file /etc/ldap.conf is only supported in clear text :-(
That is correct.
> < and pointing me in the direction of SASL/EXTERNAL.
> > I also misunderstood ! Can you please elaborate on the use of
> SASL/EXTERNAL ? For example, what options
> did you use in /etc/ldap.conf to enable SASL/EXTERNAL?
Due to other constraints, SASL/EXTERNAL was not pursued.
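As an added example (not code from the thread, nss_ldap or PADL), a small Python checker that reads an nss_ldap-style /etc/ldap.conf and flags the two points Iain's answers raise: a client cert without a bind identity leaves lookups unbound, and a bindpw line is cleartext for anyone who can read the file. The sample configs are constructed; key names are the standard ldap.conf ones.

```python
"""Audit a constructed /etc/ldap.conf for the issues discussed above (example code)."""

# Constructed sample 1: client cert configured, no bind identity at all.
CONF_CERT_ONLY = """
# constructed sample, not a real host config
host ldap.example.internal
base dc=example,dc=internal
ssl on
tls_cacertfile /etc/ssl/certs/example-ca.pem
tls_checkpeer yes
tls_cert /etc/ssl/certs/host.pem
tls_key  /etc/ssl/private/host.key
"""

# Constructed sample 2: same, but with a cleartext bind password added.
CONF_WITH_BINDPW = CONF_CERT_ONLY + """
binddn cn=nss,ou=svc,dc=example,dc=internal
bindpw s3cr3t-constructed
"""

def parse_ldap_conf(text):
    """ldap.conf is 'key value' per line; first token is the key, '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(conf):
    """Return a list of findings (strings) for the parsed config."""
    findings = []
    has_client_cert = "tls_cert" in conf and "tls_key" in conf
    has_bind_identity = "bindpw" in conf or "rootbinddn" in conf
    if "bindpw" in conf:
        findings.append("bindpw is stored in cleartext; anyone who can read this file can bind as "
                        + conf.get("binddn", "<binddn unset>"))
    if has_client_cert and not has_bind_identity:
        # The TLS client cert authenticates the host to the server but performs no LDAP bind,
        # so directory lookups run unbound unless the server maps the cert via SASL/EXTERNAL.
        findings.append("tls_cert/tls_key set but no bind identity: lookups are unbound")
    if has_client_cert and conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is not validated")
    return findings
```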