disable ldap hostname verification?

Ghilteras angelo at twilio.com
Wed May 10 15:25:34 EDT 2017

> If it's a POC, just turn off TLS.

> I don't know what SSSD or ldap_tls_reqcert is, but while I'm sure it's
> quite possible to wire in a different hostname verifier, I don't think
> there's anything wired up to make that possible and you would have to go
> digging into ldaptive's javadocs.

If you are familiar with LDAP and its clients (nslcd and sssd are the
historical Linux ones), there has always been a way to set up the client to
do a loose SSL handshake and accept whatever cert the server is offering
without running any hostname validation or cross-checking it with your client
bundle. I figured that Shibboleth had some LDAP property to bypass that or
just inject a specific ldaptive directive that would ignore hostname
validation inside the LDAP data connector.

For now I just turned off ssl/tls and I'm just connecting to
ldap://server:389 instead of ldaps:// 

View this message in context: http://shibboleth.1660669.n2.nabble.com/disable-ldap-hostname-verification-tp7557657p7633078.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
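The "loose handshake" client settings the post refers to, shown as an added example that is not part of the original message and not Shibboleth or ldaptive configuration: an sssd.conf domain section with the unverified setting next to the verified one. The server name, domain name and CA bundle path are placeholders (assumptions), not values from the thread.

```ini
# Added example (not from the original post): sssd.conf LDAP domain section.
# Server name, domain name and CA bundle path are placeholders (assumptions).

[domain/example]
id_provider   = ldap
auth_provider = ldap
ldap_uri      = ldaps://ldap.example.org:636

# WEAK (the "loose handshake" described in the post): libldap accepts
# whatever certificate the server presents, with no CA check and no
# hostname check. Traffic is still encrypted, but anyone who can sit on
# the path can present their own certificate and read the bind password.
#ldap_tls_reqcert = never

# VERIFIED: require a certificate that chains to a trusted CA and whose
# subject/SAN matches the host in ldap_uri. "demand" and "hard" both fail
# the connection on any mismatch; "hard" is sssd's default.
ldap_tls_reqcert = demand
ldap_tls_cacert  = /etc/ssl/certs/ca-bundle.crt

# If the server only listens on plain ldap://389, use StartTLS rather than
# sending the bind credentials in cleartext.
#ldap_uri              = ldap://ldap.example.org:389
#ldap_id_use_start_tls = true
```

The nslcd equivalents are `tls_reqcert never|demand` and `tls_cacertfile` in /etc/nslcd.conf, and for OpenLDAP tools `TLS_REQCERT` and `TLS_CACERT` in ldap.conf (or the `LDAPTLS_REQCERT` environment variable for a one-off ldapsearch). Before deciding to relax verification, check what actually fails: `openssl s_client -connect ldap.example.org:636 -verify_hostname ldap.example.org -CAfile /etc/ssl/certs/ca-bundle.crt` reports whether the problem is an untrusted issuer or a name mismatch, and fixing the certificate or adding the issuing CA to the bundle keeps the client verifying instead of turning it off. Falling back to plain ldap:// avoids the certificate error but sends the bind DN and password in the clear.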
