From c5640a92c4f19b4db1159a5d4335e614eee1e3eb Mon Sep 17 00:00:00 2001
From: Rich Megginson
Date: Wed, 18 Aug 2010 14:14:17 -0600
Subject: have to use LDAP_OPT_X_TLS_NEVER to defeat cert hostname checking
Even though the ldap.conf man page is not really clear about this, looking at the code in libraries/libldap/tls2.c:ldap_int_tls_start() if you don't specify LDAP_OPT_X_TLS_REQUIRE_CERT as LDAP_OPT_X_TLS_NEVER it will check the hostname
---
 ldap/servers/slapd/ldaputil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'ldap/servers/slapd')
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 837f23eb..8b8cf94c 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -579,7 +579,7 @@ slapi_ldap_init_ext(
 } else {
 /* verify certificate only */
 #if defined(USE_OPENLDAP)
- ssl_strength = LDAP_OPT_X_TLS_ALLOW;
+ ssl_strength = LDAP_OPT_X_TLS_NEVER;
 #else /* !USE_OPENLDAP */
 ssl_strength = LDAPSSL_AUTH_CERT;
 #endif /* !USE_OPENLDAP */
-- cgit
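Review bot: The context comment `/* verify certificate only */` no longer describes the OpenLDAP branch after this change: `LDAP_OPT_X_TLS_NEVER` is the `TLS_REQCERT never` setting, under which libldap neither requests nor checks any server certificate, so this branch now skips chain validation as well as the hostname check and the connection is effectively open to a man-in-the-middle server. The previous `LDAP_OPT_X_TLS_ALLOW` already let a bad certificate through, so the practical loss is the hostname check the commit set out to remove, but the `#else` branch still uses `LDAPSSL_AUTH_CERT`, leaving OpenLDAP and non-OpenLDAP builds with different security postures behind the same caller-facing "verify certificate" mode. I would rewrite the comment to state what each branch actually does, e.g. `/* OpenLDAP: NEVER disables both chain and hostname verification; non-OpenLDAP: verify the chain only */`, and consider logging a warning when this mode is selected so the weakened verification is visible to the administrator. The enclosing if/else and slapi_ldap_init_ext() extend outside this hunk.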