ldap tls question
Ken Hornstein
kenh at cmf.nrl.navy.mil
Thu Apr 16 13:51:12 EDT 2026
>In the matter of security there is the unanswered second part of the
>question. How to verify the server certificate even when using ldaps? I see
>no option to specify a CA certificate or to demand server certificate
>verification.
FWIW, I personally wouldn't say ldaps is "much more secure" than start_tls,
but fine, it's not something I care to argue about. But my memory is that
at least with OpenLDAP there is a configuration file where you can specify
all of these things. Also since OpenLDAP links against a separate TLS
library you could put server CA certificates in the "usual place" where
the TLS library implementation looks for those things. We use a non-public
PKI infrastructure for our LDAP server and we put those server certificates
in the appropriate place for the operating system and it Just Works.
--Ken
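The configuration file Ken is recalling is the OpenLDAP client file ldap.conf (system-wide under /etc/openldap or /etc/ldap, or per-user as ~/.ldaprc), whose TLS_CACERT / TLS_CACERTDIR options name the CA bundle and whose TLS_REQCERT option controls whether a bad or missing server certificate aborts the session. The following is an added example, not code from the original thread or from the OpenLDAP project: it writes a deliberately weak ldap.conf beside a hardened one and runs a small audit function over both. The host name, base DN and CA bundle path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): a hardened OpenLDAP client
# ldap.conf that demands server-certificate verification, a deliberately weak
# one for contrast, and an audit function that tells them apart.
# ldap.example.com, dc=example,dc=com and the CA bundle path are assumptions.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak client config: no CA source named, and TLS_REQCERT never means the
# client accepts any certificate (or none) the server presents.
cat > "$WORK/ldap.conf.weak" <<'EOF'
URI         ldaps://ldap.example.com
BASE        dc=example,dc=com
TLS_REQCERT never
EOF

# Hardened client config: point at the private PKI's CA bundle and demand a
# valid chain. "demand" (also the OpenLDAP default) aborts on any failure;
# "hard" behaves the same. The same settings apply to ldaps:// and to
# StartTLS (ldapsearch -ZZ), since both end up in the same TLS handshake.
cat > "$WORK/ldap.conf.hard" <<'EOF'
URI         ldaps://ldap.example.com
BASE        dc=example,dc=com
TLS_CACERT  /etc/ssl/certs/internal-ldap-ca.pem
TLS_REQCERT demand
EOF

# check_ldap_conf FILE
# Returns 0 when FILE both names a CA source (TLS_CACERT or TLS_CACERTDIR)
# and sets TLS_REQCERT to demand or hard; returns 1 otherwise.
check_ldap_conf() {
    conf=$1
    ca_ok=1
    req_ok=1
    while read -r key value _; do
        case $key in
            TLS_CACERT|TLS_CACERTDIR) [ -n "$value" ] && ca_ok=0 ;;
            TLS_REQCERT)
                case $value in
                    demand|hard) req_ok=0 ;;
                esac ;;
        esac
    done < "$conf"
    [ "$ca_ok" -eq 0 ] && [ "$req_ok" -eq 0 ]
}

# Audit both constructed files.
for variant in weak hard; do
    if check_ldap_conf "$WORK/ldap.conf.$variant"; then
        echo "$variant: server certificate verification enforced"
    else
        echo "$variant: server certificate NOT verified"
    fi
done
```

Two caveats from ldap.conf(5) worth keeping in mind: TLS_REQCERT values other than demand or hard (never, allow, try) all let a connection proceed with an unverifiable server certificate, so only the first two give the guarantee the questioner is after; and TLS_CACERTDIR is honoured only by OpenSSL-linked builds, so on a GnuTLS build use TLS_CACERT with a single bundle file. To confirm the client really rejects an untrusted server, run ldapsearch -ZZ (or against an ldaps:// URI) against a host whose CA is not in the bundle and expect it to fail with a TLS error.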
More information about the Kerberos mailing list