At the moment warnquota doesn't use TLS, though there is a mention of it in the warnquota.conf file. This patch adds an option called LDAP_TLS which accepts the usual options of never, allow, try or demand. If any of these are present ldap_start_tls_s is called with the appropriate option. The LDAP lookup then proceeds as before.
Anonymous
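As an added illustration of the option described above (not the submitted patch and not warnquota's own code), the following C shows how an LDAP_TLS keyword can be mapped to OpenLDAP's certificate-checking modes and applied before the connection is upgraded with ldap_start_tls_s. The names `ldap_tls_mode`, `parse_ldap_tls_line` and `warnquota_start_tls` are hypothetical, the `KEY = VALUE` line format is assumed from warnquota.conf's style, and the LDAP_OPT_X_TLS_* values are repeated locally so the parser compiles without libldap; build with `-DHAVE_LDAP_H -lldap` to use the real header and the StartTLS call.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constants match OpenLDAP's LDAP_OPT_X_TLS_* require-cert modes in <ldap.h>.
 * They are spelled out here so the parser builds without libldap installed;
 * compile with -DHAVE_LDAP_H -lldap to use the real header and the TLS call. */
#ifdef HAVE_LDAP_H
#include <ldap.h>
#else
#define LDAP_OPT_X_TLS_NEVER  0
#define LDAP_OPT_X_TLS_DEMAND 2
#define LDAP_OPT_X_TLS_ALLOW  3
#define LDAP_OPT_X_TLS_TRY    4
#endif

#define LDAP_TLS_UNSET   (-1)  /* option absent or empty: no StartTLS attempted */
#define LDAP_TLS_INVALID (-2)  /* unrecognised keyword: refuse to proceed */

/* Map an LDAP_TLS keyword (never/allow/try/demand, case-insensitive) to the
 * OpenLDAP require-cert mode it selects. Hypothetical helper. */
int ldap_tls_mode(const char *value)
{
    if (value == NULL || *value == '\0')
        return LDAP_TLS_UNSET;
    if (strcasecmp(value, "never") == 0)  return LDAP_OPT_X_TLS_NEVER;
    if (strcasecmp(value, "allow") == 0)  return LDAP_OPT_X_TLS_ALLOW;
    if (strcasecmp(value, "try") == 0)    return LDAP_OPT_X_TLS_TRY;
    if (strcasecmp(value, "demand") == 0) return LDAP_OPT_X_TLS_DEMAND;
    return LDAP_TLS_INVALID;
}

/* Parse one "LDAP_TLS = value" line in an assumed KEY = VALUE style, tolerating
 * surrounding whitespace and trailing # comments. Blank lines, comments and
 * other keys yield LDAP_TLS_UNSET. Hypothetical helper, not warnquota's parser. */
int parse_ldap_tls_line(const char *line)
{
    char key[64], val[64];
    const char *p = line;
    size_t n;

    while (isspace((unsigned char)*p)) p++;
    if (*p == '#' || *p == '\0')
        return LDAP_TLS_UNSET;
    n = strcspn(p, " \t=");
    if (n == 0 || n >= sizeof key) return LDAP_TLS_UNSET;
    memcpy(key, p, n); key[n] = '\0';
    if (strcmp(key, "LDAP_TLS") != 0) return LDAP_TLS_UNSET;
    p += n;
    while (isspace((unsigned char)*p)) p++;
    if (*p != '=') return LDAP_TLS_INVALID;   /* key present but malformed */
    p++;
    while (isspace((unsigned char)*p)) p++;
    n = strcspn(p, " \t\r\n#");
    if (n >= sizeof val) return LDAP_TLS_INVALID;
    memcpy(val, p, n); val[n] = '\0';
    return ldap_tls_mode(val);
}

#ifdef HAVE_LDAP_H
/* Apply the mode and upgrade the connection with StartTLS before bind/search.
 * Any failure is treated as fatal so the lookup never silently continues in
 * clear text once the administrator asked for TLS (this example's policy). */
int warnquota_start_tls(LDAP *ld, int mode)
{
    int rc;
    if (mode == LDAP_TLS_UNSET) return 0;
    if (mode == LDAP_TLS_INVALID) return -1;
    rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &mode);
    if (rc != LDAP_OPT_SUCCESS) return -1;
    rc = ldap_start_tls_s(ld, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "StartTLS failed: %s\n", ldap_err2string(rc));
        return -1;
    }
    return 0;
}
#endif

int main(void)
{
    /* Constructed sample config lines, not taken from a real warnquota.conf. */
    const char *lines[] = { "# LDAP settings", "LDAP_HOST = ldap.example.org",
                            "LDAP_TLS = demand", "LDAP_TLS = bogus" };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-32s -> mode %d\n", lines[i], parse_ldap_tls_line(lines[i]));
    return 0;
}
```

Only `demand` makes a missing or unverifiable server certificate fatal; `never` and `allow` still encrypt the session but give no protection against a spoofed directory server, so an administrator wanting the full benefit of the option should pick `demand` and point the client at the right CA certificate.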
The manpage says that if you specify URI in the warnquota.conf like ldaps://, then the connection will happen over TLS. So why do we need the option your patch adds? To be able to define how certificate validation should happen?
Hi Jan,
Thanks for looking at my patch. Using ldaps (port 636) was designed for LDAPv2 and SSLv2, and is deprecated in LDAPv3 (https://www.ietf.org/rfc/rfc2830.txt), to be replaced with StartTLS. There is a short discussion here: http://www.openldap.org/faq/data/cache/605.html
At the moment ldaps works as a fallback, but is getting harder to use; you now have to explicitly turn it on in CentOS's OpenLDAP.
Thanks,
Ian
Last edit: Ian Allison 2015-10-14
OK, I have added the patch to git. Thanks!