[Issue 10066] fsync -> fcntl(F_FULLFSYNC) on Apple platforms?

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10066

--- Comment #2 from christophersa...@pacbell.net ---
I did a bunch more reading, and the plot thickens a bit. It sounds like SQLite
added it long ago at Apple's request but then Apple decided to not use it
themselves, because there's such a heavy performance impact. (Source: Hipp's
comment here: https://bugzilla.mozilla.org/show_bug.cgi?id=431863) Further,
there's no way to turn it on in Apple-bundled SQLite
(https://bonsaidb.io/blog/acid-on-apple/). mdbx does have it on by default,
with an option to disable.

I think it's murky enough that we probably don't do it, following Apple's
actions rather than their docs? But I should instead be drawing on your much
greater database expertise. Is it indeed true what people say: that most drives
lie about fsync anyway, that this stuff doesn't matter that much, and that
people mostly just prefer the speed? Seems like a strange world where no one
actually gets the guarantees they talk about...

-- 
You are receiving this mail because:
You are on the CC list for the issue.

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065

--- Comment #22 from s...@teletech.com.au ---
(In reply to Howard Chu from comment #21)

> Use slapo-autoca to create your own CA cert to manage your client certs.

I wasn't aware you had your own CA infrastructure. Thanks for bringing it up.
It certainly deserves a mention in this context. I actually already have a
private CA which I could use for LDAP, but I wanted my clients to have public
CA certs on their front-facing ports. I could use private CA certs for the back
facing ports but I think it's easier to just have the proxy.

[Issue 10066] fsync -> fcntl(F_FULLFSYNC) on Apple platforms?

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10066

--- Comment #1 from Howard Chu  ---
Yeah, have seen this before but didn't bother with it. feel free to submit a
patch for this.

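
The fcntl(F_FULLFSYNC) change discussed in comments #1 and #2, as an added example that is not code from this ITS, from LMDB or from slapd: a sync helper in C that uses F_FULLFSYNC where the platform defines it, falls back to fsync(2) when the file system rejects it (the same fallback SQLite uses), and tells the caller which guarantee it actually got instead of hiding the downgrade. The enum, the function names and the temp-file demo are this example's own.

```c
#define _DEFAULT_SOURCE 1   /* glibc: keep mkstemp/fsync visible under -std=c* */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* What durable_sync() actually achieved, so a caller can log a downgrade. */
enum sync_level { SYNC_FAILED = -1, SYNC_FULL = 0, SYNC_FSYNC_ONLY = 1 };

/* Flush fd to stable storage.
 * On Apple platforms fsync(2) only hands dirty data to the drive, which may
 * keep it in its volatile write cache; fcntl(F_FULLFSYNC) additionally asks
 * the drive to flush that cache. F_FULLFSYNC is implemented only on some
 * file systems, so when it fails fall back to fsync(2) (as SQLite does) but
 * report the weaker guarantee. Where F_FULLFSYNC is undefined, fsync(2) is
 * expected to include the device cache flush (Linux does), so it counts as
 * SYNC_FULL. */
enum sync_level durable_sync(int fd)
{
#ifdef F_FULLFSYNC
    if (fcntl(fd, F_FULLFSYNC) == 0)
        return SYNC_FULL;
    return fsync(fd) == 0 ? SYNC_FSYNC_ONLY : SYNC_FAILED;
#else
    return fsync(fd) == 0 ? SYNC_FULL : SYNC_FAILED;
#endif
}

/* Write all of buf to fd, then make it durable. */
enum sync_level write_durable(int fd, const void *buf, size_t len)
{
    const char *p = buf;
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w < 0)
            return SYNC_FAILED;
        p += w;
        len -= (size_t)w;
    }
    return durable_sync(fd);
}

/* Demo: write one record to a temporary file durably and report the level. */
enum sync_level demo_durable_write(void)
{
    char path[] = "/tmp/durable_XXXXXX";             /* mkstemp template */
    int fd = mkstemp(path);
    if (fd < 0)
        return SYNC_FAILED;
    static const char rec[] = "txn 42 committed\n";  /* constructed sample */
    enum sync_level lvl = write_durable(fd, rec, sizeof rec - 1);
    close(fd);
    unlink(path);
    return lvl;
}

int main(void)
{
    enum sync_level lvl = demo_durable_write();
    printf("durable write: %s\n",
           lvl == SYNC_FULL ? "full (drive cache flushed)" :
           lvl == SYNC_FSYNC_ONLY ? "fsync only, F_FULLFSYNC unsupported here" :
           "failed");
    return lvl == SYNC_FAILED;
}
```

A caller that treats SYNC_FSYNC_ONLY as plain success without logging it re-creates the silent downgrade the thread is unhappy about; whether to log it, refuse it, or expose it as a knob (as mdbx does) is the policy choice a patch would have to make.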
[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065

--- Comment #21 from Howard Chu  ---
(In reply to sean from comment #20)
> (In reply to Ondřej Kuzník from comment #18)
> 
> > You choose what CAs are trusted to issue client certificates and this is
> > independent from the CAs you trust for server certs. Could that be the
> > trust anchor you're missing?
> 
> Yeah, I understand that - and I don't use the ca bundle for that very
> reason, just the single CA that I need to validate my clients, but it still
> isn't a very exclusive club. That CA is Let's Encrypt.

Use slapo-autoca to create your own CA cert to manage your client certs.

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065

--- Comment #20 from s...@teletech.com.au ---
(In reply to Ondřej Kuzník from comment #18)

> You choose what CAs are trusted to issue client certificates and this is
> independent from the CAs you trust for server certs. Could that be the
> trust anchor you're missing?

Yeah, I understand that - and I don't use the ca bundle for that very reason,
just the single CA that I need to validate my clients, but it still isn't a
very exclusive club. That CA is Let's Encrypt.

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065

--- Comment #19 from Ondřej Kuzník  ---
On Mon, Jun 12, 2023 at 10:52:56PM +, openldap-...@openldap.org wrote:
> If there was a simple qualification check that was applied to the authid
> immediately after it was created, and the connection closed immediately if it
> failed, I would happily do away with the proxy.
> 
> Something like
> 
> olcAuthzQualifyRegExp:  [ACCEPT|REJECT]
> 
> This seemed like a much bigger ask at the time. Now I'm not so sure.

If you can rework e.g. olcAuthzRegexp to give you this power, I've seen
other people calling for a similar feature. However no ideas yet on my
part how to achieve this.

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065

--- Comment #18 from Ondřej Kuzník  ---
On Mon, Jun 12, 2023 at 09:06:16PM +, openldap-...@openldap.org wrote:
>> Slightly off-topic but if you configure ldaps:// and *require* client
>> certs, the session won't get set up to the point of touching anything
>> LDAP related until the client's proved it holds a certificate you trust.
> 
> That's only true to a point. The client only needs to hold a certificate from
> a CA that I trust. The name on the certificate is validated with the ruleset.
> CAs issue many certificates, even to people with bad intentions.

You choose what CAs are trusted to issue client certificates and this is
independent from the CAs you trust for server certs. Could that be the
trust anchor you're missing?

> I suspect haproxy was looking at the size of the proxy-protocol packet when
> they decided not to give the full DN. The protocol packet really needs to fit
> in a single network packet. That might actually end up being a show stopper.

They probably were and that would be an implementation concern but I
think they only ask for the initial part to be in the first packet.

Implementation in slapd might have to be stricter on this point and I
would have highlighted it once it came to an implementation. Lloadd's
connection set up is more flexible and permits even this part of
connection establishment to be async.

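
The PROXY protocol v2 header discussed above, as an added example that is not code from this ITS, from haproxy or from slapd/lloadd: a strict reader in C that takes the 16-byte prelude, learns the remaining length from it, then parses the address block and the TLVs, including the PP2_TYPE_SSL TLV in which haproxy can carry its certificate verify result and the client cert's CN (sub-TLV PP2_SUBTYPE_SSL_CN, which is the CN-only value the thread mentions). Constant names follow haproxy's proxy-protocol.txt; the sample header (10.0.0.5:51234 to 10.0.0.1:636, CN alice.example.org) is constructed here, and the struct and function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* PROXY protocol v2 constants, named as in haproxy's proxy-protocol.txt. */
#define PP2_SIG              "\r\n\r\n\0\r\nQUIT\n"
#define PP2_SIG_LEN          12
#define PP2_HDR_LEN          16   /* signature + ver/cmd + fam/proto + len */
#define PP2_CMD_PROXY        0x01
#define PP2_AF_INET          0x10
#define PP2_AF_INET6         0x20
#define PP2_TYPE_SSL         0x20
#define PP2_SUBTYPE_SSL_CN   0x22
#define PP2_CLIENT_SSL       0x01
#define PP2_CLIENT_CERT_CONN 0x02

struct pp2_info {
    int family;                    /* 4, 6, or 0 for LOCAL (no client info) */
    unsigned char src[16], dst[16];
    uint16_t src_port, dst_port;
    int have_ssl, client_cert;     /* SSL TLV present; client sent a cert */
    uint32_t verify;               /* proxy's verify result, 0 == verified */
    char cn[256];                  /* PP2_SUBTYPE_SSL_CN, NUL-terminated */
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const unsigned char *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
/* Step 1: from the 16-byte prelude, return how many more bytes to read, or -1
 * if this is not a v2 header; the receiver then reads exactly that many. */
int pp2_prelude_len(const unsigned char *buf, size_t n)
{
    if (n < PP2_HDR_LEN || memcmp(buf, PP2_SIG, PP2_SIG_LEN) != 0) return -1;
    if ((buf[12] & 0xF0) != 0x20) return -1;   /* version nibble must be 2 */
    return rd16(buf + 14);
}

/* Step 2: parse a complete header: 0 on success, -1 if truncated or malformed
 * (the receiver should then close rather than trust partial address data). */
int pp2_parse(const unsigned char *buf, size_t n, struct pp2_info *out)
{
    memset(out, 0, sizeof *out);
    int rest = pp2_prelude_len(buf, n);
    if (rest < 0 || n < PP2_HDR_LEN + (size_t)rest) return -1;
    const unsigned char *p = buf + PP2_HDR_LEN, *end = p + rest;
    if ((buf[12] & 0x0F) != PP2_CMD_PROXY) return 0;   /* LOCAL: health check */
    int fam = buf[13] & 0xF0;
    size_t alen = fam == PP2_AF_INET ? 4 : fam == PP2_AF_INET6 ? 16 : 0;
    if (alen == 0) return -1;                  /* AF_UNIX/UNSPEC not handled here */
    out->family = alen == 4 ? 4 : 6;
    if ((size_t)(end - p) < 2 * alen + 4) return -1;
    memcpy(out->src, p, alen); memcpy(out->dst, p + alen, alen);
    out->src_port = rd16(p + 2 * alen); out->dst_port = rd16(p + 2 * alen + 2);
    p += 2 * alen + 4;
    while (end - p >= 3) {                     /* TLVs: type(1) len(2) value(len) */
        int type = p[0]; size_t len = rd16(p + 1); p += 3;
        if ((size_t)(end - p) < len) return -1;
        if (type == PP2_TYPE_SSL) {
            if (len < 5) return -1;            /* client(1) + verify(4) */
            out->have_ssl = 1; out->client_cert = (p[0] & PP2_CLIENT_CERT_CONN) != 0;
            out->verify = rd32(p + 1);
            const unsigned char *q = p + 5, *qend = p + len;
            while (qend - q >= 3) {            /* sub-TLVs use the same layout */
                int sub = q[0]; size_t sl = rd16(q + 1); q += 3;
                if ((size_t)(qend - q) < sl) return -1;
                if (sub == PP2_SUBTYPE_SSL_CN) {
                    if (sl >= sizeof out->cn) return -1;
                    memcpy(out->cn, q, sl); out->cn[sl] = '\0';
                }
                q += sl;
            }
            if (q != qend) return -1;
        }
        p += len;
    }
    return p == end ? 0 : -1;
}

/* Constructed sample (made-up values): TLS client 10.0.0.5:51234 reaching the proxy
 * on 10.0.0.1:636, verified client cert, CN "alice.example.org". Returns bytes written. */
size_t pp2_build_sample(unsigned char *buf, size_t cap)
{
    static const char cn[] = "alice.example.org";
    static const unsigned char addrs[] = { 10,0,0,5, 10,0,0,1, 0xC8,0x22, 0x02,0x7C };
    const size_t cnlen = sizeof cn - 1, ssl_len = 5 + 3 + cnlen;
    const size_t payload = sizeof addrs + 3 + ssl_len;   /* IPv4 block + SSL TLV */
    if (cap < PP2_HDR_LEN + payload) return 0;
    unsigned char *p = buf;
    memcpy(p, PP2_SIG, PP2_SIG_LEN); p += PP2_SIG_LEN;
    *p++ = 0x20 | PP2_CMD_PROXY;               /* version 2, command PROXY */
    *p++ = PP2_AF_INET | 0x01;                 /* IPv4, SOCK_STREAM */
    *p++ = (unsigned char)(payload >> 8); *p++ = (unsigned char)payload;
    memcpy(p, addrs, sizeof addrs); p += sizeof addrs;   /* addrs, ports 51234/636 */
    *p++ = PP2_TYPE_SSL; *p++ = (unsigned char)(ssl_len >> 8); *p++ = (unsigned char)ssl_len;
    *p++ = PP2_CLIENT_SSL | PP2_CLIENT_CERT_CONN;
    memset(p, 0, 4); p += 4;                   /* verify == 0: cert verified */
    *p++ = PP2_SUBTYPE_SSL_CN; *p++ = (unsigned char)(cnlen >> 8); *p++ = (unsigned char)cnlen;
    memcpy(p, cn, cnlen); p += cnlen;
    return (size_t)(p - buf);
}
```

Because the length sits in the prelude, a receiver reads 16 bytes and then exactly pp2_prelude_len() more; it does not depend on the whole header arriving in one segment, and a truncated or malformed header returns -1 so the connection can be dropped before any LDAP PDU is read. Note that verify and cn are whatever the proxy asserts: a slapd that acts on them is trusting the proxy's client-CA configuration, not doing its own certificate validation.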