Mailing List Archive: exim: users

How do I specify LDAPS x509 options?


wferi at niif

Jun 19, 2012, 8:19 AM

Post #1 of 4 (239 views)
How do I specify LDAPS x509 options?

Hi,

Our LDAP server requires SSL connections, so I use the ldaps:// schema
in the LDAP lookup URI. However, I also have to specify the CA
certificates and the certificate policy in my /etc/ldap/ldap.conf, like:

TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand

However, I really don't like the configuration separated this way: what
if I needed different TLS_CACERT or TLS_REQCERT options in Exim than in
other places? Being unable to include these options in my Exim config
feels like a shortcoming. Specification chapter 9, section 17 (LDAP
authentication and control information) enumerates several options which
can be set, but the above two are not in that bunch. Is there a good
reason for this, were they omitted by mistake or do I overlook something?
--
Thanks,
Feri.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


wbh at conducive

Jun 19, 2012, 9:36 AM

Post #2 of 4 (237 views)
Re: How do I specify LDAPS x509 options?

Ferenc Wagner wrote:
> Hi,
>

> reason for this, were they omitted by mistake or do I overlook something?

Given that Exim can be told in as fine a granularity as can be imagined
*where* to seek all manner of certs to match, I suspect you are looking
at the simplest general case, and not at the many other available options.

Often it is as simple as specifying a different...

/path-to/[bespoke cert collection]

... with part of the '/path/to' a something-or-other-dependent
substitution variable... IP number, UID, hostname, ToD, moon-phase,
colour of socks, cleanliness of undershorts ... whatever suits your need.

Bill
--
韓家標



exim-users at spodhuis

Jun 19, 2012, 11:53 PM

Post #3 of 4 (233 views)
Re: How do I specify LDAPS x509 options?

On 2012-06-19 at 17:19 +0200, Ferenc Wagner wrote:
> Our LDAP server requires SSL connections, so I use the ldaps:// schema
> in the LDAP lookup URI. However, I also have to specify the CA
> certificates and the certificate policy in my /etc/ldap/ldap.conf, like:
>
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
> TLS_REQCERT demand
>
> However, I really don't like the configuration separated this way: what
> if I needed different TLS_CACERT or TLS_REQCERT options in Exim than in
> other places? Being unable to include these options in my Exim config
> feels like a shortcoming. Specification chapter 9, section 17 (LDAP
> authentication and control information) enumerates several options which
> can be set, but the above two are not in that bunch. Is there a good
> reason for this, were they omitted by mistake or do I overlook something?

Those are tuning knobs for authentication and controls *within* an LDAP
session; TLS control knobs are separate options, not part of the query.

----------------------------8< cut here >8------------------------------
14.6 Data lookups
[...]
ldap_ca_cert_dir dir of CA certs to verify LDAP server's
ldap_ca_cert_file file of CA certs to verify LDAP server's
ldap_cert_file client cert file for LDAP
ldap_cert_key client key file for LDAP
ldap_cipher_suite TLS negotiation preference control
ldap_default_servers used if no server in query
ldap_require_cert action to take without LDAP server cert
ldap_start_tls require TLS within LDAP
ldap_version set protocol version
----------------------------8< cut here >8------------------------------

Each of those also has full documentation.

Added in Exim 4.75, we're currently at Exim 4.80.

-Phil

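The ldap_* main-section options Phil lists, written out the way a deployment would set them, as an added example that is not part of this thread or of the Exim documentation: the host name, CA bundle path, base DN, domain and router are constructed placeholders, and the options need Exim 4.75 or later as stated above.

```exim
# Added example (not from the thread or the Exim docs).  All host names,
# paths and DNs below are constructed placeholders.
#
# Main section: these options must come before the first "begin" line.
#
# Before: TLS policy for LDAP lived only in /etc/ldap/ldap.conf
#   TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
#   TLS_REQCERT demand
# and Exim's own configuration said nothing about how lookups were secured.
#
# After (Exim 4.75+): the same policy expressed in Exim itself, so the MTA
# carries its own trust store and verification policy.

# A double colon separates host from port because a single colon is the
# list separator.  Pin 636 explicitly rather than relying on a default.
ldap_default_servers = ldap.example.org::636

# Trust only the CA that issued the directory server's certificate,
# not the whole system bundle.
ldap_ca_cert_file = /etc/exim4/ldap-ca.pem

# "demand": the server must present a certificate that verifies against
# ldap_ca_cert_file, or the lookup fails instead of proceeding unverified.
ldap_require_cert = demand
ldap_version = 3

# Optional client certificate, if the directory requires mutual TLS.
# ldap_cert_file = /etc/exim4/exim-ldap-client.pem
# ldap_cert_key  = /etc/exim4/exim-ldap-client.key

# ldap_start_tls is for STARTTLS on a plain ldap:// URI; the lookup below
# uses ldaps:// from the first byte, so it stays unset.

begin routers

# ldaps:/// with an empty host part uses ldap_default_servers, so the TLS
# settings above apply.  quote_ldap escapes filter metacharacters in the
# local part before it reaches the search filter.  local_delivery is a
# placeholder transport name.
ldap_users:
  driver = accept
  domains = example.org
  condition = ${lookup ldap{ldaps:///ou=people,dc=example,dc=org?mail?sub?(uid=${quote_ldap:$local_part})}{yes}{no}}
  transport = local_delivery
```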


wferi at niif

Jun 20, 2012, 12:30 AM

Post #4 of 4 (228 views)
Re: How do I specify LDAPS x509 options?

Phil Pennock <exim-users [at] spodhuis> writes:

> On 2012-06-19 at 17:19 +0200, Ferenc Wagner wrote:
>
>> Our LDAP server requires SSL connections, so I use the ldaps:// schema
>> in the LDAP lookup URI. However, I also have to specify the CA
>> certificates and the certificate policy in my /etc/ldap/ldap.conf, like:
>>
>> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>> TLS_REQCERT demand
>>
>> However, I really don't like the configuration separated this way: what
>> if I needed different TLS_CACERT or TLS_REQCERT options in Exim than in
>> other places? Being unable to include these options in my Exim config
>> feels like a shortcoming. Specification chapter 9, section 17 (LDAP
>> authentication and control information) enumerates several options which
>> can be set, but the above two are not in that bunch. Is there a good
>> reason for this, were they omitted by mistake or do I overlook something?
>
> Those are tuning knobs for authentication and controls *within* an LDAP
> session; TLS control knobs are separate options, not part of the query.

Makes perfect sense, thanks!

> 14.6 Data lookups
> [...]
> ldap_ca_cert_dir dir of CA certs to verify LDAP server's
> ldap_ca_cert_file file of CA certs to verify LDAP server's
> ldap_cert_file client cert file for LDAP
> ldap_cert_key client key file for LDAP
> ldap_cipher_suite TLS negotiation preference control
> ldap_default_servers used if no server in query
> ldap_require_cert action to take without LDAP server cert
> ldap_start_tls require TLS within LDAP
> ldap_version set protocol version
>
> Added in Exim 4.75, we're currently at Exim 4.80.

Great, exactly what I need! Pity we're still running 4.72...

Aside, I'm usually fairly good at reading documentation, but I plainly
fell short in this case. May I suggest putting some pointer to these
options into 9.16 LDAP connection in the fine manual? It already
mentions ldap_default_servers several times; something like "for other
LDAP connection options (eg. TLS, version) see ldap_* in 14.6" would
suffice in my opinion.

Aside2, ldaps:/// tries to connect to port 389 if no port is specified
in ldap_default_servers (on Exim 4.72). Shouldn't it use 636 instead?
--
Thanks again,
Feri.
