diff docs/setup.rst @ 6330:7ce3897bacd0

auth: make ldap OPT_X_TLS_CACERTDIR configurable

A location was hardcoded. The location was wrong for many systems and prevented actual TLS from working. Also, it should not be necessary with modern Pythons. For some reason, instead of removing it, we now decide to expose it to the user. Choice FTW!
author Mads Kiilerich <madski@unity3d.com>
date Tue, 15 Nov 2016 22:53:41 +0100
parents d6942b2b421c
children 949c843bb535
--- a/docs/setup.rst	Tue Nov 15 22:53:41 2016 +0100
+++ b/docs/setup.rst	Tue Nov 15 22:53:41 2016 +0100
@@ -235,10 +235,8 @@
 Certificate Checks : optional
     How SSL certificates verification is handled -- this is only useful when
     `Enable LDAPS`_ is enabled.  Only DEMAND or HARD offer full SSL security
-    while the other options are susceptible to man-in-the-middle attacks.  SSL
-    certificates can be installed to /etc/openldap/cacerts so that the
-    DEMAND or HARD options can be used with self-signed certificates or
-    certificates that do not have traceable certificates of authority.
+    with mandatory certificate validation, while the other options are
+    susceptible to man-in-the-middle attacks.
 
     NEVER
         A serve certificate will never be requested or checked.
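Review bot: the rewritten "Certificate Checks" paragraph drops the only pointer telling readers where to put a CA for self-signed or private-CA servers, so someone choosing DEMAND or HARD is left without a way to make validation succeed; since that guidance now lives under the new `Custom CA Certificates`_ setting added further down in this patch, add a cross-reference here, e.g. "See `Custom CA Certificates`_ if the server certificate is self-signed or issued by a CA the system does not trust." While touching this block, "A serve certificate" in the NEVER entry (unchanged context) should read "A server certificate".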
@@ -260,6 +258,16 @@
     HARD
         The same as DEMAND.
 
+.. _Custom CA Certificates:
+
+Custom CA Certificates : optional
+    Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
+    Python 2.7.10 and later default to using the system certificate store, and
+    this should thus not be necessary when using certificates signed by a CA
+    trusted by the system.
+    It can be set to something like `/etc/openldap/cacerts` on older systems or
+    if using self-signed certificates.
+
 .. _Base DN:
 
 Base DN : required
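Review bot: the rationale "Python 2.7.10 and later default to using the system certificate store" misattributes the behaviour: OPT_X_TLS_CACERTDIR is handed straight to libldap/OpenSSL (the first sentence of the new entry itself says "Directory used by OpenSSL"), so the Python version has no bearing on where CAs are found; the default trust store is whatever the system's OpenSSL/OpenLDAP build is configured with. Suggest rewording along the lines of "OpenSSL normally finds CAs in the system certificate store, so this only needs to be set when the LDAP server uses a self-signed certificate or a CA the system does not trust." The entry should also state that the directory must contain CA files named by subject hash (as produced by c_rehash or `openssl rehash`), because OpenSSL's CA directory lookup ignores arbitrarily named files and an unhashed directory makes DEMAND/HARD fail in a way that is hard to diagnose, and should say what happens when the field is left empty (the option is presumably not set at all).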