
Re: [nssldap] Using tls_cert/key without rootbinddn

Iain was kind enough to reply offline. I'll put his comments here.

> Note that sending a client-cert with TLS does *not perform* an LDAP Bind.

> > Q1. Do we know what purpose it serves, then ? Why bother specifying
> client cert, and key, in the file /etc/ldap.conf ?  

Requiring clients to offer a cert signed by a specific trusted CA
would provide a means of disallowing 'foreign' hosts from usefully
being able to access an LDAPS server.

> > Aside: If I've understood correctly the password (bindpw secret) in the
> file /etc/ldap.conf is only supported in clear text :-( 

That is correct.

> > and pointing me in the direction of SASL/EXTERNAL.
> > I also misunderstood ! Can you please elaborate on the use of
> SASL/EXTERNAL ? For example, what options
> did you use in /etc/ldap.conf to enable SASL/EXTERNAL? 

Due to other constraints, SASL/EXTERNAL was not pursued.
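The thread boils down to three configuration facts: tls_cert/tls_key only gate the TLS handshake and perform no LDAP bind, bindpw is stored in clear text, and SASL/EXTERNAL is what turns the client certificate into an LDAP identity. The following is an added example, not code from the original post or from the nss_ldap project: a small audit of an ldap.conf-style file that reports those conditions, with a weak sample beside a hardened one. The option names (binddn, bindpw, rootbinddn, tls_cert, tls_key, sasl_mech) and both sample files are assumptions constructed for illustration, and the /etc/ldap.secret remark reflects nss_ldap's handling of rootbinddn rather than anything stated in the thread.

```python
"""Audit an nss_ldap-style /etc/ldap.conf for the issues raised in the thread.

Added example, not part of the original post. Option names follow the
nss_ldap / nss-pam-ldapd conventions as an assumption; both sample files
below are constructed and do not describe a real deployment.
"""

# Constructed weak sample: client cert configured, but authentication still
# relies on a simple bind whose password sits in clear text.
WEAK_LDAP_CONF = """\
# constructed sample, not a real deployment
uri ldaps://ldap.example.org/
base dc=example,dc=org
ssl on
tls_cacertfile /etc/ssl/certs/ca.crt
tls_cert /etc/ssl/certs/host.crt
tls_key  /etc/ssl/private/host.key
binddn cn=nss,ou=svc,dc=example,dc=org
bindpw s3cret-in-clear
"""

# Constructed hardened sample: same client cert, identity established via
# SASL/EXTERNAL, so no clear-text password is needed at all.
HARDENED_LDAP_CONF = """\
# constructed sample, not a real deployment
uri ldaps://ldap.example.org/
base dc=example,dc=org
ssl on
tls_cacertfile /etc/ssl/certs/ca.crt
tls_cert /etc/ssl/certs/host.crt
tls_key  /etc/ssl/private/host.key
sasl_mech EXTERNAL
"""


def parse_ldap_conf(text):
    """Return {option: value}, option names lower-cased, last occurrence wins.

    Handles blank lines, '#' comments and any run of whitespace between
    the option name and its value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit(conf):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []

    if "bindpw" in conf:
        findings.append(
            "bindpw: simple-bind secret is stored in clear text in ldap.conf")

    if "rootbinddn" in conf:
        # nss_ldap reads the root bind password from /etc/ldap.secret,
        # which is also clear text.
        findings.append(
            "rootbinddn: root bind password is read in clear text from /etc/ldap.secret")

    has_client_cert = "tls_cert" in conf and "tls_key" in conf
    sasl_external = conf.get("sasl_mech", "").upper() == "EXTERNAL"

    if has_client_cert and not sasl_external:
        # The point from the thread: presenting a client cert during the TLS
        # handshake does not perform an LDAP bind. Without SASL/EXTERNAL the
        # cert only restricts which hosts can complete the handshake.
        findings.append(
            "tls_cert/tls_key: client cert only gates the TLS handshake; "
            "without sasl_mech EXTERNAL it performs no LDAP bind")

    if has_client_cert and sasl_external and "bindpw" in conf:
        findings.append(
            "bindpw is redundant once SASL/EXTERNAL maps the client cert to an identity")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(f"[{name}]")
        for finding in audit(parse_ldap_conf(text)) or ["no findings"]:
            print("  -", finding)
```

Run it as a script to see the two samples side by side, or point parse_ldap_conf at the contents of a real ldap.conf. Note that the audit says nothing about whether the LDAP server actually maps the certificate's subject DN to a directory identity under SASL/EXTERNAL; that is server-side configuration the thread does not cover.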