[patch] Setting ldap_tls_check_peer has no effect with recent openldap versions

Howard Chu hyc at highlandsun.com
Fri Nov 11 13:58:09 EST 2011


Mario Domgoergen wrote:
> Hello,
>
> OpenLDAP changed their default setting for LDAP_OPT_X_TLS_REQUIRE_CERT
> from 0 to 2 in recent versions (haven't checked when). This breaks the
> expected effect of ldap_tls_check_peer. The function lak_connect() in
> lak.c only changes the default value of LDAP_OPT_X_TLS_REQUIRE_CERT if
> lak->conf->tls_check_peer is not 0. So when i set ldap_tls_check_peer to
> "no" (aka 0) in /etc/saslauthd.conf, LDAP_OPT_X_TLS_REQUIRE_CERT keeps
> its default value of 2 ("demand"). Attached patch solves this problem
> at least on debian lenny and squeeze.

This was changed in OpenLDAP May 4 2002, nearly a decade ago. Hard to call 
that a "recent" change.

Setting the value to 0 is almost always the wrong thing to do.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


More information about the Cyrus-sasl mailing list