
#42 warnquota StartTLS support

None
closed-accepted
Jan Kara
5
2015-12-16
2015-10-09
Ian Allison
No

At the moment warnquota doesn't use TLS, though there is a mention of it in the warnquota.conf file. This patch adds an option called LDAP_TLS which accepts the usual options of never, allow, try or demand. If any of these are present ldap_start_tls_s is called with the appropriate option. The LDAP lookup then proceeds as before.
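As an added illustration (this is not the patch attached to the ticket, and the function and struct names are hypothetical), the following C program shows how an LDAP_TLS keyword of never, allow, try or demand can be mapped onto OpenLDAP's LDAP_OPT_X_TLS_REQUIRE_CERT levels and used to issue ldap_start_tls_s() before the lookup. It assumes OpenLDAP's libldap; build with -DHAVE_LDAP -lldap to compile the libldap part, otherwise only the configuration parsing is built. Failure of StartTLS is treated as fatal rather than falling back to plaintext; that choice is the example's own, the ticket does not state what the patch does in that case.

```c
/* Added example, not the warnquota patch from this ticket. Maps the
 * LDAP_TLS keyword onto OpenLDAP's certificate-requirement levels and
 * issues StartTLS. Build with -DHAVE_LDAP -lldap for the libldap calls. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_LDAP
#include <ldap.h>
#endif

/* Local copies of OpenLDAP's LDAP_OPT_X_TLS_* require-cert values so the
 * parsing logic compiles and can be exercised without ldap.h installed. */
enum reqcert_level {
    REQCERT_NEVER  = 0,  /* no server certificate requested or checked        */
    REQCERT_DEMAND = 2,  /* missing or bad certificate aborts the session     */
    REQCERT_ALLOW  = 3,  /* missing or bad certificate is tolerated           */
    REQCERT_TRY    = 4   /* missing tolerated, bad certificate aborts         */
};

struct tls_policy {          /* hypothetical name */
    int start_tls;           /* 1: call ldap_start_tls_s() before searching */
    int reqcert;             /* value passed to LDAP_OPT_X_TLS_REQUIRE_CERT  */
    int verified;            /* 1: only a valid server certificate can pass */
};

/* Case-insensitive keyword comparison (avoids relying on strcasecmp). */
static int keyword_eq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Parse the LDAP_TLS value from warnquota.conf. An absent or empty value
 * keeps the old plaintext behaviour; an unknown keyword is rejected (-1)
 * rather than silently downgraded to a weaker level. */
int parse_ldap_tls(const char *value, struct tls_policy *out)
{
    static const struct { const char *name; int level; int verified; } tab[] = {
        { "never",  REQCERT_NEVER,  0 },
        { "allow",  REQCERT_ALLOW,  0 },
        { "try",    REQCERT_TRY,    0 },
        { "demand", REQCERT_DEMAND, 1 },
    };
    size_t i;

    out->start_tls = 0;
    out->reqcert = REQCERT_DEMAND;
    out->verified = 0;
    if (value == NULL || *value == '\0')
        return 0;                           /* option not set: no StartTLS */
    for (i = 0; i < sizeof(tab) / sizeof(tab[0]); i++) {
        if (keyword_eq(value, tab[i].name)) {
            out->start_tls = 1;
            out->reqcert = tab[i].level;
            out->verified = tab[i].verified;
            return 0;
        }
    }
    return -1;
}

#ifdef HAVE_LDAP
/* Apply the policy to a handle from ldap_initialize(), before the bind and
 * search. Returns 0 on success, -1 on error. */
int warnquota_start_tls(LDAP *ld, const struct tls_policy *pol)
{
    int newctx = 0;   /* 0 = client context, per OpenLDAP's ldap_set_option(3) */
    int rc;

    if (!pol->start_tls)
        return 0;
    if (ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &pol->reqcert)
        != LDAP_OPT_SUCCESS) {
        fprintf(stderr, "warnquota: cannot set TLS certificate policy\n");
        return -1;
    }
    /* Request a fresh TLS context so the per-handle setting above is used
     * (OpenLDAP convention; assumed here). */
    ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &newctx);
    rc = ldap_start_tls_s(ld, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        /* Fail closed: do not continue the lookup over plaintext. */
        fprintf(stderr, "warnquota: StartTLS failed: %s\n", ldap_err2string(rc));
        return -1;
    }
    return 0;
}
#endif

int main(void)
{
    /* Constructed sample values, as they might appear in warnquota.conf. */
    const char *samples[] = { "demand", "Try", "allow", "never", "", "bogus" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct tls_policy p;
        int rc = parse_ldap_tls(samples[i], &p);
        printf("LDAP_TLS=%-6s -> rc=%d start_tls=%d reqcert=%d verified=%d\n",
               samples[i], rc, p.start_tls, p.reqcert, p.verified);
    }
    return 0;
}
```

Only demand leaves the server certificate fully checked; never, allow and try all accept an unverifiable server, so a reviewer would expect demand to be the documented default in warnquota.conf.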

1 Attachments

Discussion

  • Jan Kara

    Jan Kara - 2015-10-12

    The manpage says that if you specify URI in the warnquota.conf like ldaps://, then the connection will happen over TLS. So why do we need the option your patch adds? To be able to define how certificate validation should happen?

    • Ian Allison

      Ian Allison - 2015-10-12

      Hi Jan,

      Thanks for looking at my patch. ldaps (port 636) was designed for LDAPv2 and SSLv2, and is deprecated in LDAPv3 (https://www.ietf.org/rfc/rfc2830.txt), to be replaced with StartTLS. There is a short discussion here: http://www.openldap.org/faq/data/cache/605.html.

      At the moment ldaps works as a fallback, but is getting harder to use; you now have to explicitly turn it on in CentOS's OpenLDAP.

      Thanks,
      Ian


      Last edit: Ian Allison 2015-10-14
  • Jan Kara

    Jan Kara - 2015-12-16
    • status: open --> closed-accepted
    • assigned_to: Jan Kara
    • Group: -->
  • Jan Kara

    Jan Kara - 2015-12-16

    OK, I have added the patch to git. Thanks!
