add STARTTLS/certificate check to ldap machine resolvers

[jh23453]

Hello,

now we have added certificate checks to the user resolver - should we have the same
for the ldap machine resolver in privacyidea/lib/machines/ldap.py? I think yes :-)

[cornelinux]

Yes, we do!
So you are the guy who is using the machine resoler? ;-)
Tell me more about it. If you have any idea on improving it in regards to groups etc. Please take a look at #285

[jh23453]

Cornelius Kölbel <notifications@github.com> writes:

Yes, we do! So you are *the* *guy* who is using the machine resoler? ;-)

:-) Not really - I added the resolver when playing with yubikey-luks-enroll. But since my laptop is quite stable concerning usage of the yubikey it doesn't matter, if there is a machine resolver or not. For Host-Based-Access-Control I use FreeIPA. I had some older/test user resolvers which I deleted now, and I tought about deleting the machine resolver too - but noticed no TLS options there. And since I move to IPv6 I can't really identify a connection with an IPv4 machine resolver. I'm unsure how useful that might be - I could live without it :-)

Tell me more about it. If you have any idea on improving it in regards to groups etc. Please take a look at #285

I'll have a look, but I use FreeIPA for that locally. Jochen

[cornelinux]

take a look at the ldap user resolver and #639

[fredreichbier]

Looking into this, it seems like the LDAP machine resolver currently does not respect the No anonymous referral chasing option. Analogously to #658, the LDAP machine resolver always disables anonymous referral chasing. But that's an easy fix. :)

[cornelinux]

Closed by c5c91c4