wferi at niif
Jun 20, 2012, 12:30 AM
Post #4 of 4
Phil Pennock <exim-users [at] spodhuis> writes:
> On 2012-06-19 at 17:19 +0200, Ferenc Wagner wrote:
>> Our LDAP server requires SSL connections, so I use the ldaps:// schema
>> in the LDAP lookup URI. However, I also have to specify the CA
>> certificates and the certificate policy in my /etc/ldap/ldap.conf, like:
>> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>> TLS_REQCERT demand
>> However, I really don't like the configuration separated this way: what
>> if I needed different TLS_CACERT or TLS_REQCERT options in Exim than in
>> other places? Being unable to include these options in my Exim config
>> feels like a shortcoming. Specification chapter 9, section 17 (LDAP
>> authentication and control information) enumerates several options which
>> can be set, but the above two are not in that bunch. Is there a good
>> reason for this, were they omitted by mistake or do I overlook something?
> Those are tuning knobs for authentication and controls *within* an LDAP
> session; TLS control knobs are separate options, not part of the query.
Makes perfect sense, thanks!
> 14.6 Data lookups
> ldap_ca_cert_dir dir of CA certs to verify LDAP server's
> ldap_ca_cert_file file of CA certs to verify LDAP server's
> ldap_cert_file client cert file for LDAP
> ldap_cert_key client key file for LDAP
> ldap_cipher_suite TLS negotiation preference control
> ldap_default_servers used if no server in query
> ldap_require_cert action to take without LDAP server cert
> ldap_start_tls require TLS within LDAP
> ldap_version set protocol version
> Added in Exim 4.75, we're currently at Exim 4.80.
Great, exactly what I need! Pity we're still runnig 4.72...
Aside, I'm usually fairly good at reading documentation, but I plainly
fell short in this case. May I suggest putting some pointer to these
options into 9.16 LDAP connection in the fine manual? It already
mentions ldap_default_servers several times; something like "for other
LDAP connection options (eg. TLS, version) see ldap_* in 14.6" would
suffice in my opinion.
Aside2, ldaps:/// tries to connect to port 389 if no port is specified
in ldap_default_servers (on Exim 4.72). Shouldn't it use 636 instead?
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/