How to securely connect to multiple different LDAPS servers (Debian)
Posted by Pickle on Server Fault
Published on 2013-07-03T16:33:32Z
Indexed on 2013/07/03 17:07 UTC
I'm trying to connect to multiple different LDAPS servers. A lot of the documentation I've seen recommends setting TLS_REQCERT never, but that strikes me as horribly insecure to not verify the certificate. So I've set that to demand.
All the documentation I've seen says I need to update ldap.conf with a TLS_CACERT directive pointing to a .pem file. I've got that .pem file set up with the certificate from LDAP Server #1, and ldaps connections are happening fine.
I've now got to communicate securely with another LDAP server in another branch of my organization, that uses a different certificate. I've seen no documentation on how to do this, except 1 page that says I can simply put multiple (not chained) certificates in the same .pem file. I've done this and everything is working hunky-dory.
However, when I told a colleague what I did, he sounded like the sky was falling - putting 2 non-chained certificates into one .pem file is apparently the worst thing since ... ever.
Is there a more acceptable way to do this? Or is this the only accepted way?
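An added check, not from the post or from OpenLDAP, for a TLS_CACERT bundle built the way the question describes: concatenated stand-alone CA certificates are the ordinary format for a trust bundle, so the thing worth verifying is that every block is an intact CERTIFICATE and that nothing else (a private key, a truncated copy-paste) ended up in the trust store. The sample bundle is constructed here from synthetic DER stubs, not real certificates; the `_pem` helper and `lint_ca_bundle` are names chosen for this example.

```python
import base64
import re

# Matches one PEM-armoured block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_declared_length(der):
    """Total byte length the outer DER SEQUENCE header claims, or None
    if the blob does not even start with the SEQUENCE tag (0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def lint_ca_bundle(pem_text):
    """Inventory a TLS_CACERT-style bundle: count well-formed certificate
    blocks and report anything that should not sit in a trust store."""
    report = {"certificates": 0, "problems": []}
    for idx, m in enumerate(PEM_BLOCK.finditer(pem_text), start=1):
        label, body = m.group(1), m.group(2)
        if label != "CERTIFICATE":
            # A private key (or anything else) has no business in a CA bundle.
            report["problems"].append(f"block {idx}: unexpected type {label!r}")
            continue
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            report["problems"].append(f"block {idx}: body is not valid base64")
            continue
        expected = der_declared_length(der)
        if expected is None:
            report["problems"].append(f"block {idx}: not a DER SEQUENCE")
        elif expected != len(der):
            # Typical concatenation damage: lines dropped while copying a file.
            report["problems"].append(
                f"block {idx}: DER declares {expected} bytes, got {len(der)}")
        else:
            report["certificates"] += 1
    return report


def _pem(label, der):
    """Wrap raw bytes in PEM armour (used only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed sample: two stand-alone "CA certificates" (synthetic DER stubs
# with a consistent SEQUENCE header), one truncated block, one stray key.
SAMPLE_BUNDLE = (
    _pem("CERTIFICATE", bytes([0x30, 0x03, 0x02, 0x01, 0x01]))    # intact
    + _pem("CERTIFICATE", bytes([0x30, 0x03, 0x02, 0x01, 0x02]))  # intact
    + _pem("CERTIFICATE", bytes([0x30, 0x0A, 0x02, 0x01]))        # truncated
    + _pem("RSA PRIVATE KEY", bytes([0x30, 0x03, 0x02, 0x01, 0x00]))
)

if __name__ == "__main__":
    print(lint_ca_bundle(SAMPLE_BUNDLE))
```

Run it against the file named by TLS_CACERT in ldap.conf to confirm the bundle holds exactly the CA certificates you meant to trust and nothing else.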
© Server Fault or respective owner