[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-11-14 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 Quanah Gibson-Mount changed: Status: RESOLVED → VERIFIED

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-11-14 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 Quanah Gibson-Mount changed: Target Milestone: 2.7.0 → ---; Status: removed UNCONFIRMED

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-14 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #25 from Quanah Gibson-Mount --- (In reply to sean from comment #24) > How? I'm not on any mailing list. https://lists.openldap.org as noted on the front page of the https://www.openldap.org website under Support -> Mailing lists. --

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-14 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #24 from s...@teletech.com.au --- (In reply to Ondřej Kuzník from comment #23) > Why do you need the same certificate for someone's inbound traffic and > the one they use to identify themselves to OpenLDAP (client > certificate)? Not som

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-14 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #23 from Ondřej Kuzník --- On Tue, Jun 13, 2023 at 10:08:28PM +, openldap-...@openldap.org wrote: >> Use slapo-autoca to create your own CA cert to manage your client certs. > > I wasn't aware you had your own CA infrastructure. Tha

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #22 from s...@teletech.com.au --- (In reply to Howard Chu from comment #21) > Use slapo-autoca to create your own CA cert to manage your client certs. I wasn't aware you had your own CA infrastructure. Thanks for bringing it up. It cert

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #21 from Howard Chu --- (In reply to sean from comment #20) > (In reply to Ondřej Kuzník from comment #18) > > > You choose what CAs are trusted to issue client certificates and this is > > independent from the CAs you trust for server

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #20 from s...@teletech.com.au --- (In reply to Ondřej Kuzník from comment #18) > You choose what CAs are trusted to issue client certificates and this is > independent from the CAs you trust for server certs. Could that be the > trust an

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #19 from Ondřej Kuzník --- On Mon, Jun 12, 2023 at 10:52:56PM +, openldap-...@openldap.org wrote: > If there was a simple qualification check that was applied to the authid > immediately after it was created, and the connection close

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #18 from Ondřej Kuzník --- On Mon, Jun 12, 2023 at 09:06:16PM +, openldap-...@openldap.org wrote: >> Slightly off-topic but if you configure ldaps:// and *require* client >> certs, the session won't get set up to the point of touchin

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-12 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #17 from s...@teletech.com.au --- This is looking much more complex than what I first envisioned. When I first lodged this report I thought it was the ssf that governed the EXTERNAL mechanism and that getting it to work would be as simple

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-12 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #16 from s...@teletech.com.au --- (In reply to Ondřej Kuzník from comment #15) > On Mon, Jun 12, 2023 at 01:15:21PM +, openldap-...@openldap.org wrote: > Slightly off-topic but if you configure ldaps:// and *require* client > certs,

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-12 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 Quanah Gibson-Mount changed: Keywords: removed needs_review; Target Milestone: removed ---

Re: [Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-12 Thread Howard Chu
openldap-...@openldap.org wrote: > https://bugs.openldap.org/show_bug.cgi?id=10065 > > --- Comment #6 from Quanah Gibson-Mount --- > Ok, I was incorrect about SASL/EXTERNAL although I swear I was told at one > point it doesn't require cyrus-sasl (which IMHO would be rather nice). > > Generally,

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-12 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #15 from Ondřej Kuzník --- On Mon, Jun 12, 2023 at 01:15:21PM +, openldap-...@openldap.org wrote: >> You can always make this the first ACL in the list (in your analogy, >> putting a security guard/gate that checks people even get ac

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-12 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #14 from s...@teletech.com.au --- (In reply to Ondřej Kuzník from comment #13) > On Mon, Jun 12, 2023 at 12:33:49PM +, openldap-...@openldap.org wrote: > You can always make this the first ACL in the list (in your analogy, > putting

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-12 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #13 from Ondřej Kuzník --- On Mon, Jun 12, 2023 at 12:33:49PM +, openldap-...@openldap.org wrote: >> Wait a minute, so are you using the DN or identity of the sockname? > > All the sockets have the same DN because they all come from

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-12 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #12 from s...@teletech.com.au --- (In reply to Ondřej Kuzník from comment #11) > On Mon, Jun 12, 2023 at 11:00:29AM +, openldap-...@openldap.org wrote: > Wait a minute, so are you using the DN or identity of the sockname? All the so

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-12 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #11 from Ondřej Kuzník --- On Mon, Jun 12, 2023 at 11:00:29AM +, openldap-...@openldap.org wrote: > Secondly, my comments were based on the OpenLDAP clients. I have observed that > if you specify a mechanism with the -Y switch, they

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-12 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #10 from s...@teletech.com.au --- > I think you're overcomplicating things. Trying to have clients that > ignore the rootDSE isn't going to land well when it's possible to do > things according to the protocol. Firstly, this post was wri

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-12 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #9 from Ondřej Kuzník --- On Mon, Jun 12, 2023 at 01:01:25AM +, openldap-...@openldap.org wrote: > I have really only spoken about what slapd puts into its > "supportedSASLMechanisms" attribute. If the client is preconfigured to use

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-11 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #8 from s...@teletech.com.au --- (In reply to sean from comment #7) > it would be hard to completely remove it. Thinking more about this. I see in RFC4513 Section 4: "Upon initial establishment of the LDAP session, the session has an anonym

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-11 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #7 from s...@teletech.com.au --- (In reply to Quanah Gibson-Mount from comment #6) > I was told at one > point it doesn't require cyrus-sasl (which IMHO would be rather nice). I have really only spoken about what slapd puts into its "su

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-11 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #6 from Quanah Gibson-Mount --- Ok, I was incorrect about SASL/EXTERNAL although I swear I was told at one point it doesn't require cyrus-sasl (which IMHO would be rather nice). Generally, the gist here is that it would be useful for th

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-10 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #5 from s...@teletech.com.au --- (In reply to Howard Chu from comment #4) > > The LDAP clients would expect the "PLAIN" and "EXTERNAL" mechanisms to be > > available after authenticating with TLS to the LDAP proxy. > > LDAP clients do n

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-10 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #4 from Howard Chu --- > The LDAP clients would expect the "PLAIN" and "EXTERNAL" mechanisms to be > available after authenticating with TLS to the LDAP proxy. LDAP clients do not use SASL/PLAIN. See RFC4513 section 5.2.1.

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-09 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #3 from s...@teletech.com.au --- (In reply to Quanah Gibson-Mount from comment #1) > Pretty much everything in this report is incorrect and is not how things > function. I suggest reading the slapd.conf(5) man page in better detail. Thi

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-09 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #2 from s...@teletech.com.au --- ** Motivation ** slapd employs a very fine-grained access permission model with many permission categories that can be applied down to the attribute level. This is complex code that presents a very large

[Issue 10065] slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"

2023-06-09 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=10065 --- Comment #1 from Quanah Gibson-Mount --- Pretty much everything in this report is incorrect and is not how things function. I suggest reading the slapd.conf(5) man page in better detail. I would note that the EXTERNAL SASL mechanism has nothing