disable ldap hostname verification?
angelo at twilio.com
Wed May 10 15:25:34 EDT 2017
> If it's a POC, just turn off TLS.
> I don't know what SSSD or ldap_tls_reqcert is, but while I'm sure it's
> quite possible to wire in a different hostname verifier, I don't think
> there's anything wired up to make that possible and you would have to go
> digging into ldaptive's javadocs.
If you are familiar with LDAP and its clients (nslcd and sssd are the
historical Linux ones), there has always been a way to set up the client to
do a loose SSL handshake and accept whatever cert the server is offering
without running any hostname validation or cross-checking it with your client
bundle. I figured that Shibboleth had some LDAP property to bypass that or
just inject a specific ldaptive directive that would ignore hostname
validation inside the LDAP data connector.

For now I just turned off SSL/TLS and I'm just connecting to
ldap://server:389 instead of ldaps://
View this message in context: http://shibboleth.1660669.n2.nabble.com/disable-ldap-hostname-verification-tp7557657p7633078.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.