Mario Domgoergen wrote:
Hello,OpenLDAP changed their default setting for LDAP_OPT_X_TLS_REQUIRE_CERT from 0 to 2 in recent versions (haven't checked when). This breaks the expected effect of ldap_tls_check_peer. The function lak_connect() in lak.c only changes the default value of LDAP_OPT_X_TLS_REQUIRE_CERT if lak->conf->tls_check_peer is not 0. So when i set ldap_tls_check_peer to "no" (aka 0) in /etc/saslauthd.conf, LDAP_OPT_X_TLS_REQUIRE_CERT keeps its default value of 2 ("demand"). Attached patch solves this problem at least on debian lenny and squeeze.
This was changed in OpenLDAP May 4 2002, nearly a decade ago. Hard to call that a "recent" change.
Setting the value to 0 is almost always the wrong thing to do. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
