Open onmp opened 6 days ago
Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014 See info in area-owners.md if you want to be subscribed.
I think this is misguided. There's an existing API for certificate validation (LdapSessionOptions.VerifyServerCertificates) that follows the established pattern used by other classes like SslStream or HttpClientHandler. The reason it's not implemented on non-Windows systems is the lack of a corresponding API in the native system LDAP library (*). The API proposed above would still suffer from the same underlying issue, which is the lack of certificate control at the lower-level system API.
(*) See https://github.com/dotnet/runtime/issues/60972 for details.
Per offline discussion with @buyaa-n, moving to future. Please close if there is a valid alternative.
@onmp could you elaborate more on how you imagine this SessionOption.CaCertificates would work, further to replacing LdapSessionOptions.VerifyServerCertificates on Linux?
This issue has been marked needs-author-action and may be missing some important information.
@onmp as a workaround, could you set the env variable LDAPTLS_CACERTDIR with the path where your CA certificates are located and run your client app?
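As an added example (not code from this issue or from dotnet/runtime), the client below combines the two points made in the thread: on Windows it validates the server certificate in process through the existing SslStream-style callback (the shipped property is spelled `LdapSessionOptions.VerifyServerCertificate`), and on Linux/macOS, where that setter is not supported, it hands the private CA to libldap through OpenLDAP's environment variables before the first `LdapConnection` is created. The host name, port, CA path and bind DN are hypothetical. It assumes that libldap reads `LDAPTLS_*` at library initialisation (the `LDAP`-prefixed forms of the `TLS_CACERT`, `TLS_CACERTDIR` and `TLS_REQCERT` keywords documented in ldap.conf(5)), and that the target runtime is .NET 7 or later for `X509Certificate2.MatchesHostname`.

```csharp
// Added example; not part of the issue or of System.DirectoryServices.Protocols itself.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class LdapTlsClient
{
    // Hypothetical values: adjust to the real directory and CA file.
    const string Host = "ldap.example.internal";
    const int Port = 636;
    const string PrivateCaPem = "/etc/myapp/corp-root-ca.pem";

    static void Main()
    {
        if (!OperatingSystem.IsWindows())
        {
            // Linux/macOS: LdapSessionOptions.VerifyServerCertificate throws
            // PlatformNotSupportedException, so trust is configured for libldap instead.
            // Assumption: libldap picks these up at initialisation, so they must be set
            // before the first LdapConnection is constructed in this process.
            //
            // LDAPTLS_CACERT (a single PEM bundle) works with both the OpenSSL and GnuTLS
            // builds of libldap. LDAPTLS_CACERTDIR, suggested above, needs OpenSSL-style
            // hashed file names (see `openssl rehash`) and is ignored by GnuTLS builds,
            // which is why the single-file form is used here.
            Environment.SetEnvironmentVariable("LDAPTLS_CACERT", PrivateCaPem);
            // Fail the handshake on any validation error instead of silently continuing.
            Environment.SetEnvironmentVariable("LDAPTLS_REQCERT", "demand");
        }

        using var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, Port));
        conn.SessionOptions.SecureSocketLayer = true;   // LDAPS on 636
        conn.SessionOptions.ProtocolVersion = 3;
        conn.AuthType = AuthType.Basic;
        conn.Credential = new NetworkCredential(
            "cn=svc-app,ou=service,dc=example,dc=internal", "<password from secret store>");

        if (OperatingSystem.IsWindows())
        {
            // Windows: validate in process, the same way an SslStream callback would.
            conn.SessionOptions.VerifyServerCertificate = ValidateAgainstPrivateCa;
        }

        // The TLS handshake happens on Bind; a rejected chain surfaces as LdapException.
        conn.Bind();
        Console.WriteLine($"Bound to {Host}:{Port} with a verified server certificate");
    }

    // Chain-builds the presented certificate against only the private CA, ignoring the
    // machine store, which mirrors what LDAPTLS_CACERT gives libldap on Linux/macOS.
    static bool ValidateAgainstPrivateCa(LdapConnection connection, X509Certificate certificate)
    {
        using var server = new X509Certificate2(certificate);
        using var root = new X509Certificate2(PrivateCaPem);   // loads a PEM/DER public cert

        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        // Assumption: the private CA publishes no CRL/OCSP endpoint reachable from here.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        bool chainOk = chain.Build(server);
        // X509Chain does not check the host name; without this a valid certificate
        // for any other host signed by the same CA would be accepted.
        bool nameOk = server.MatchesHostname(Host);

        if (!chainOk)
        {
            foreach (var status in chain.ChainStatus)
                Console.Error.WriteLine($"chain error: {status.Status} {status.StatusInformation}");
        }
        if (!nameOk)
            Console.Error.WriteLine($"certificate does not match host name {Host}");

        return chainOk && nameOk;
    }
}
```

The callback is the only place where the Windows path can pin to a private CA without touching the machine store; on the libldap path the equivalent control is the `LDAPTLS_REQCERT=demand` setting, since without it a CA file that fails to load does not necessarily abort the connection.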
Background and motivation
This is to provide a way for those who may not have the privilege to administer the system CA certificate store, or those who do not want to add entries to the system CA stores permanently, to be able to verify the server certificate. This also specifically addresses the fact that the LdapSessionOptions.VerifyServerCertificates property is not supported on Linux and macOS for .NET Core.
API Proposal