Hello,
You have to first start by defining your new schema. Here's an example
below for your 2 attributes, and an auxiliary object class (i.e. a class
that can be added to any kind of entry, in addition to their existing
object classes) allowing the use of these attributes. The birthday needs to
2017-01-23 10:48 GMT+01:00 Francesco Sordi :
> The attribute has been defined by ETSI here:
> https://www.itu.int/rec/dologin.asp?lang=e&id=T-REC-X.
> 520-201210-S!Cor3!PDF-E&type=items
>
This attribute wasn't defined by ETSI, but by the X.500 committee. ETSI
uses it for eIDAS purposes.
as I wro
Hello,
2017-01-23 8:55 GMT+01:00 Michael Ströder :
> Francesco Sordi wrote:
> > Unfortunately ITU did not clarify if this attribute is part of a new
> class (i.e. legal
> > person) or if it is an attribute for the organization objectclass or
> another one.
> > I would like to find an existing
Good evening,
2015-02-27 22:10 GMT+01:00 Bram Cymet :
> Hi,
>
> I am using openldap 2.4.26. My system ignores case when doing binds:
>
> Feb 27 16:08:08 devauth slapd[2437]: conn=2723 op=1 BIND
> dn="uid=bcy...@cbnco.com,ou=test_websales_users,dc=ls,dc=cbn" method=128
> Feb 27 16:08:08 devauth slapd[2
2014-10-19 15:36 GMT+02:00 Howard Chu :
> Joe Friedeggs wrote:
>
>> Pardon my ignorance on the subject, but I need to understand this:
>>
>> > You've probably all heard about this "new" attack several times by
>> now. Just
>> > to confirm what's already been stated - this attack only affects HTT
Now you've got another problem. Why do you have 2 different CAs with the
same private key?
It's getting more off-topic, sorry.
2014-04-14 20:23 GMT+02:00 Emmanuel Dreyfus :
> Erwann Abalea wrote:
>
> > It considers that the CRL found at "hash".r0 isn
It considers that the CRL found at "hash".r0 isn't valid or sufficient to
give a revocation status of your certificate.
Could you post the subscriber certificate, its issuing CA cert, and the
corresponding CRL somewhere?
2014-04-14 10:32 GMT+02:00 Emmanuel Dreyfus :
> On Sun, Apr 13, 2014 at 12
TLS trace: SSL3 alert read:fatal:unknown CA
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca.
531ecbee connection_read(11): TLS accept failure
While I disagreed with you on some PKI-related topics, I fully agree with
you on that specific one.
GnuTLS is bad.
(back reading that new triple handshake TLS attack)
2014-03-04 20:40 GMT+01:00 Howard Chu :
> http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-
> hundreds-of
2013/10/21 Howard Chu
> lejeczek wrote:
>
>> that was me, the way I tried to sign the certificate was...
>> incorrect
>>
>> apologies and great and many thanks to everybody
>>
>> I can now ldapsearch on both slapd.domain.local and
>> slap.domain.external with -ZZZ, all good (only cannot
>> confirm i
It should work, but depends on the checks performed by the TLS+crypto
toolkit.
Using the CN to hold the hostname/IP is deprecated, and this field is now
ignored by some libraries if the SAN extension is present.
2013/10/17 lejeczek
> dear all
>
> I'm trying to set a seemingly simple setup
> hav
2013/5/3 Nicolas Mora :
> Thank for your answers,
>
> Given the context, I would go for the postaladdress field if the entries are
> in RW mode, but if I can't have empty fields, is there a non ambiguous way
> to determine the different parts of the field when I use $ as a separator.
No.
In the fo
2013/5/3 Quanah Gibson-Mount :
> --On Friday, May 03, 2013 7:01 PM +0200 Erwann Abalea
> wrote:
>
>> 2013/5/3 Quanah Gibson-Mount
>>> --On Friday, May 03, 2013 6:24 PM +0200 Erwann Abalea
>>> wrote:
>>>> Can't you use the postalAddress attribut
2013/5/3 Quanah Gibson-Mount
> --On Friday, May 03, 2013 6:24 PM +0200 Erwann Abalea
> wrote:
>
> Can't you use the postalAddress attribute?
>> With your examples, it should be something like:
>> postalAddress: 123 1st av$Montreal$QC$GGG RT3$CA
>>
>> p
Hello,
The countryCode can't have multiple values:
attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' )
        DESC 'RFC2256: ISO-3166 country 2-letter code'
        SUP name SINGLE-VALUE )
Can't you use the postalAddress attribute?
With your examples, it should be something like:
postalAddress
Following RFC2849 (LDIF), it seems multiple attributes on a single line
aren't supported.
    mod-spec = ("add:" / "delete:" / "replace:")
               FILL AttributeDescription SEP
               *attrval-spec
               "-" SEP
Attribute
For values spanning several lines (like your certificate), prefix each line
after the first with a space or tab character. This space or tab character
will be stripped by whatever you feed your LDIF to.
2013/3/12 Jignesh Patel
> userCertificate;binary::
> MIIDdzCCAuCgAwIBAgIIEVQGxMF17akwDQYJKoZIh
"::
> userCertificate;binary:: <
> file://Users/jignesh/install/direct/tools/terretta.der
>
> On Mar 11, 2013, at 5:29 PM, Erwann Abalea wrote:
>
> userCertificate;binary:< file://path/to/terreta.der
>
>
--
Erwann.
Your certificate is fine, your LDIF file is incorrect.
"userCertificate;binary: terreta.der" should be changed either into:
userCertificate;binary:< file://path/to/terreta.der
or
userCertificate;binary:: base64 of your terreta.der file
2013/3/11 Jignesh Patel
> I have a requirement to search C
It looks like your cn value is ISO-8859-{1,15}.
Convert it into UTF8. All strings MUST be UTF8 encoded.
2013/3/11 arantza serrano
> Hello,
>
> I’m trying to import my LDIF where some attributes are in base64:
>
> /opt/openldap/bin/ldapadd -x -D "root_dn" -w pass_dn <<
e binary representation of the certificate that
> you then decoded again in order to get the certificate details?
>
> -Jon C. Kidder
> American Electric Power
> Middleware Services
> 614-716-4970
>
>
> *Erwann Abalea *
> Sent by: openldap-technical-boun...@openlda
cate requires a binary encoded x.509 certificate.
>
> -Jon C. Kidder
> American Electric Power
> Middleware Services
> 614-716-4970
>
>
> *Erwann Abalea *
> Sent by: openldap-technical-boun...@openldap.org
>
> 02/07/2013 10:06 AM
> To
> jckid...@aep.com
I disagree here.
Decoding the Base64 presented shows the start of a certificate. It looks
like it's a v3 certificate, with a serialNumber equal to
0x4000d1bdcd0d49bf664c00ce8524, but the hashalg is something private
(OID 1.3.6.1.4.1.3670.1.2), which is owned by Mr Pavlov Roman. We also have
th
Hello,
1.3.6.1.4.1.1466.115.121.1.40 stands for "octet string". That is, something
binary without any meaning.
1.3.6.1.4.1.1466.115.121.1.8 stands for "X.509 certificate", something with
a structure that can (and will) be parsed by OpenLDAP so it can use it with
standardized search filters.
Yo
You're not expanding it, you're altering it.
The 'name' attribute type is defined by X.520, and used as is by
RFC45xx(19?). There's no default sorting rule for this attribute.
Changing its definition is not an expansion.
The commonName attribute is an expansion of the name attribute (it is based
o
2012/12/11 Philip Guenther
> On Tue, 11 Dec 2012, Victor Sudakov wrote:
> [...]
> > If I wanted to reproduce the Outlook's incorrect request, what
> > ldapsearch command line should that be?
>
> Just leave out the explicit rule:
> ldapsearch -E sss=cn '(cn=*)' cn
>
-E '!sss=cn'
The reque
2012/12/7 Victor Sudakov
> Mark Coetser wrote:
> > > >
> > > the problem can be that Outlook use SSSVLV controls on attributes
> > > without ordering rules in OpenLDAP. Unfortunately, the 'name'
> > > attribute has no ordering rules, so you can't sort results on
> name
> > >
-- Forwarded message --
From: Erwann Abalea
Date: 2012/12/3
Subject: Re: Difference between 2.4.30 and 2.3.43 in certificateMatch.
To: Mike Hulsman
2012/12/3 Mike Hulsman
>
> Quoting Erwann Abalea :
>
> 2012/12/3 Mike Hulsman
>>
>>
2012/12/3 Mike Hulsman
>
> Quoting Howard Chu :
>
>>
>> [...]
> No. Read RFC4523.
>>
>
> After a lot of reading and testing I still cannot get it working.
>
> I read RFC4523 and am now doing an ldap search of (usercertificate:
> certificateExactMatch:=certificate_serial_number$
> certifica
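Added example, not code from the thread or from OpenLDAP, for the two steps the messages above need: reading the version, serial number and signature algorithm OID out of a DER certificate (what the "I disagree here" reply did by hand on the posted Base64), and building the certificateExactMatch assertion in the serialNumber$issuerDN string form Mike uses in this thread (RFC 4523's normative encoding of the assertion is the GSER form; the `$`-separated form is the one the thread works with). The certificate parsed here is constructed inline with a tiny DER encoder: issuer and subject names, dates, key and signature bits are assumed placeholder values, not a real signed certificate; only the serial number is the one decoded in the earlier message.

```python
# Added example, not code from the thread or from OpenLDAP: a minimal DER
# walker that reads version, serialNumber, signature algorithm OID and issuer
# from an X.509 certificate and builds the certificateExactMatch assertion in
# the "serialNumber$issuerDN" form used above. The certificate it parses is
# constructed here with a tiny DER encoder: names, dates, key and signature
# bits are dummies (assumed values, not a real signed certificate); only the
# serial number is the one decoded from the Base64 in the earlier message.

SHA256_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
RSA = "1.2.840.113549.1.1.1"           # rsaEncryption
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
              "2.5.4.10": "O", "2.5.4.11": "OU"}   # RFC 4514 short names


# --- tiny DER encoder, only used to construct the sample certificate ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content


def der_int(n):
    # one spare bit keeps the top bit clear so the INTEGER stays positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def der_name(rdns):
    """rdns: [(oid, value)] in ASN.1 order, most general RDN first."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, der_oid(oid) + tlv(0x0C, val.encode("utf-8"))))
        for oid, val in rdns))


def build_sample_cert(serial):
    alg = tlv(0x30, der_oid(SHA256_RSA) + tlv(0x05, b""))
    issuer = der_name([("2.5.4.6", "FR"), ("2.5.4.10", "Example"), ("2.5.4.3", "Example CA")])
    subject = der_name([("2.5.4.6", "FR"), ("2.5.4.3", "ldap.example.com")])
    validity = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, b"150101000000Z"))
    spki = tlv(0x30, tlv(0x30, der_oid(RSA) + tlv(0x05, b"")) + tlv(0x03, b"\x00" * 33))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(serial) + alg + issuer + validity + subject + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))   # Certificate ::= SEQUENCE


# --- DER decoder ---
def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:                    # long form: low 7 bits give the length of the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]   # fine for 0.x / 1.x / 2.x with x < 40
    n = 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def name_to_rfc4514(name_content):
    """Name -> DN string; values holding RFC 4514 special characters are not escaped here."""
    rdns = []
    for _tag, rdn in children(name_content):          # RDN = SET OF AttributeTypeAndValue
        parts = []
        for _t, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            oid = decode_oid(oid)
            parts.append(f"{ATTR_NAMES.get(oid, oid)}={val.decode('utf-8')}")
        rdns.append("+".join(parts))
    return ",".join(reversed(rdns))                   # RFC 4514: most specific RDN first


def certificate_fields(der):
    _, cert, _ = read_tlv(der)
    fields = children(children(cert)[0][1])           # tbsCertificate
    version = 1                                       # v1 certificates omit the field
    if fields[0][0] == 0xA0:                          # [0] EXPLICIT Version
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    return {
        "version": version,
        "serial": int.from_bytes(fields[0][1], "big", signed=True),
        "sig_alg": decode_oid(children(fields[1][1])[0][1]),
        "issuer": name_to_rfc4514(fields[2][1]),
    }


def certificate_exact_match_filter(der, attr="userCertificate"):
    """Filter selecting exactly this certificate: serialNumber (decimal) '$' issuer DN."""
    f = certificate_fields(der)
    return f"({attr}:certificateExactMatch:={f['serial']}${f['issuer']})"
```

`certificate_fields(build_sample_cert(0x4000d1bdcd0d49bf664c00ce8524))` gives version 3, the serial from the earlier message, `1.2.840.113549.1.1.11` as the signature algorithm (the constructed sample uses a standard OID where the posted certificate had a private one) and `CN=Example CA,O=Example,C=FR` as issuer; the filter string feeds `ldapsearch` as-is. The serial goes in decimal and the issuer is emitted most-specific-RDN-first, which is what the LDAP DN string needs; a real issuer containing commas, plus signs or quotes in a value would still need RFC 4514 escaping, which this minimal walker leaves out.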
You may try this instead:
postalAddress:: TmllZGVyc8OkY2hzaXNjaGVzIExhbmRlc2FtdCBmw7xyIFZlcmJyYXVjaGVyc2No
dXR6IHVuZCBMZWJlbnNtaXR0ZWxzaWNoZXJoZWl0LCBEZXplcm5hdCAyMywgUG9z
dGZhY2ggMzk0OSwgMjYwMjkgT2xkZW5idXJn
This is UTF-8 encoded (required by RFC4519+RFC4517).
2012/11/2 Pörschke, Gunnar :
> W
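Added example, not code from the thread or from OpenLDAP, covering the LDIF points made in the replies above: the postalAddress value with `$` separators, continuation lines prefixed with a space, the `:<` file form for `userCertificate;binary`, and the UTF-8 requirement that this message and the "Convert it into UTF8" reply state. It encodes values by the RFC 2849 SAFE-STRING rule (plain `attr: v` only when the value is 7-bit and does not start with a space, colon or `<`; `attr:: base64` otherwise), folds and unfolds long lines, decodes the base64 posted just above, and splits postalAddress lines per RFC 4517. `POSTED_B64` is the value from this message with its folded lines joined; every other sample value is constructed for illustration.

```python
import base64
import re

# Added example, not code from the thread or from OpenLDAP: encode and decode
# LDIF attribute values by the RFC 2849 rules the replies above point at
# (plain "attr: v" only for SAFE-STRINGs, "attr:: b64" otherwise, "attr:< url"
# to pull a binary value such as a DER certificate from a file, continuation
# lines starting with one space), plus RFC 4517 postalAddress line handling.
# POSTED_B64 is the base64 value from the message above with its folded lines
# joined; every other sample value here is constructed for illustration.

# RFC 2849 SAFE-STRING: 7-bit, no NUL/CR/LF anywhere, and not starting with
# SPACE, ':' or '<'. Values ending in SPACE should be base64-encoded as well.
_SAFE_CHAR = set(range(0x01, 0x80)) - {0x0A, 0x0D}
_SAFE_INIT = _SAFE_CHAR - {0x20, 0x3A, 0x3C}


def is_safe_string(value):
    if not value:
        return True
    return (value[0] in _SAFE_INIT and all(b in _SAFE_CHAR for b in value)
            and value[-1] != 0x20)


def fold(line, width=76):
    """Fold one logical line; each continuation line starts with a single SPACE."""
    if len(line) <= width:
        return line
    head, rest, step = line[:width], line[width:], width - 1
    return "\n".join([head] + [" " + rest[i:i + step] for i in range(0, len(rest), step)])


def ldif_attrval(attr, value=None, file_url=None):
    """Render one attrval-spec for an attribute description such as 'userCertificate;binary'."""
    if file_url is not None:
        return fold(f"{attr}:< {file_url}")
    raw = value if isinstance(value, bytes) else str(value).encode("utf-8")
    if is_safe_string(raw):
        return fold(f"{attr}: {raw.decode('ascii')}")
    return fold(f"{attr}:: {base64.b64encode(raw).decode('ascii')}")


def unfold(text):
    """Join continuation lines (leading SPACE) back into logical lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attrval(logical):
    """Return (attr, value, kind): kind is 'plain', 'base64' or 'url'; value is bytes or the URL."""
    m = re.match(r"^([A-Za-z0-9.;-]+)(::|:<|:) *(.*)$", logical)
    if not m:
        raise ValueError(f"not an attrval-spec: {logical!r}")
    attr, sep, rest = m.groups()
    if sep == "::":
        return attr, base64.b64decode(rest, validate=True), "base64"
    if sep == ":<":
        return attr, rest, "url"
    return attr, rest.encode("ascii"), "plain"


def split_postal_address(value):
    """RFC 4517 postalAddress: lines separated by '$'; a literal '$' or '\\' inside a
    line is written as \\24 or \\5C."""
    return [re.sub(r"\\(24|5C)", lambda m: "$" if m.group(1) == "24" else "\\", part)
            for part in value.split("$")]


POSTED_B64 = (
    "TmllZGVyc8OkY2hzaXNjaGVzIExhbmRlc2FtdCBmw7xyIFZlcmJyYXVjaGVyc2No"
    "dXR6IHVuZCBMZWJlbnNtaXR0ZWxzaWNoZXJoZWl0LCBEZXplcm5hdCAyMywgUG9z"
    "dGZhY2ggMzk0OSwgMjYwMjkgT2xkZW5idXJn"
)


def decode_posted_postal_address():
    """The posted value decoded: DirectoryString is UTF-8 (RFC 4517), never Latin-1."""
    _attr, raw, _kind = parse_attrval("postalAddress:: " + POSTED_B64)
    return raw.decode("utf-8")


def roundtrip(attr, value):
    """Encode, fold, unfold and decode a value; returns the decoded bytes."""
    logical = unfold(ldif_attrval(attr, value))[0]
    return parse_attrval(logical)[1]
```

`ldif_attrval("postalAddress", decode_posted_postal_address())` reproduces the three-line `postalAddress::` entry above, except that its second and third lines start with the space RFC 2849 requires (as displayed above they lack it, and `ldapadd` would reject the value); `ldif_attrval("cn", "Ströder")` switches to `cn::` because of the non-ASCII byte, and `ldif_attrval("userCertificate;binary", file_url="file:///path/to/terreta.der")` gives the `:<` form from the earlier reply. `split_postal_address` only resolves the `\24`/`\5C` escapes RFC 4517 defines; it cannot tell an empty component from a missing one, which is the limit Nicolas ran into.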
Good evening,
2012/10/8 Tobias Hachmer :
> I'm using openldap 2.4.28 on ubuntu server and configured TLS.
> I want to allow write operations only when ssf=256 is used. (security
> update_ssf=256)
[...]
> 1. Why is the client connecting with ssf=128?
That's a result of ciphersuite negotiation.
> 2. C
Hello,
I'm no LDAP expert, so what follows may be stupid. I'm OK with this,
but I'd prefer receiving pointers to make my mind clearer.
Looking at your network capture, I see the search you're doing has its
baseObject set to "msisdn=982868;dc=MSISDN,dc=C-NTDB". Is the
semicolon intentional?
I think that even in the cn=config case, a stop/start is necessary,
because database can't be deleted, and I doubt a backend change can be
performed dynamically.
Maybe even some manual LDIF editing is necessary, something evil ;)
2012/8/15 Gavin Henry :
>>> Clearly I need to upgrade and see if thi
LDAP context is not bad, or a lack of anything.
My opinion would be that the OP redefines his need.
--
Erwann.
On 14 Jan 2012 13:23, "Erwann Abalea" wrote:
>
> Can't SNI support be added?
>
> --
> Erwann.
>
> On 14 Jan 2012 13:08, "Howard Chu"
Can't SNI support be added?
--
Erwann.
On 14 Jan 2012 13:08, "Howard Chu" wrote:
>
> Ronie Gilberto Henrich wrote:
>>
>> Hello,
>>
>> I need to be able to restrict ldap ou's access based on the ldaps://FQDN
used to query the ldap server.
>> Let say I have the following in my ldap server:
>
On 6 Aug 2011 16:30, "Michael Ströder" wrote:
>
> Erwann ABALEA wrote:
> >
> > On 6 Aug 2011 15:49, "Michael Ströder" wrote:
> >>
> >> harry.j...@arcor.de
On 6 Aug 2011 15:49, "Michael Ströder" wrote:
>
> harry.j...@arcor.de wrote:
> > The cleanest approach is to modify your OU entries:
> >
> > objectClass: top
> > objectClass: organizationalUnit
> > objectClass: extensibleObject
> >
> > Now, all attributes which are defined in any schema are al
On 3 Aug 2011 19:08, "renu abraham" wrote:
> ldapsearch -x -H ldap://127.0.0.1:389/ -D "cn=manager,ou=system,o=example"
-w secret
Is that the real command? There's a mismatch between "o=example" here, and
the declared "o=example.com" below.
> suffix o=example.com
> rootdn cn=manager,ou=syste
2011/8/2 Howard Chu :
> David Hawes wrote:
[...]
>> What is gained is that the server can be explicit about what client
>> certificates it will accept. This is useful if you want to use a
>> separate CA for client auth and do not want to accept certs from the CA
>> that signed the server's cert.
>
2011/8/2 Howard Chu :
> Erwann ABALEA wrote:
>>
>> 2011/8/1 Howard Chu:
>>>
>>> David Hawes wrote:
>>
>> [...]
>>>
>>> Think about why you would configure such a setup, and what it actually
>>> means. When you have a certific
2011/8/2 Howard Chu :
> Erwann ABALEA wrote:
>> 2011/8/1 Howard Chu:
>> [...]
>>>
>>> If there were indeed anything to be gained by such a feature, it would
>>> also
>>> need to be implemented on clients. Look around - do any web browsers
>>
2011/8/1 Howard Chu :
> David Hawes wrote:
[...]
> Think about why you would configure such a setup, and what it actually
> means. When you have a certificate of your own, signed by a particular CA,
> that obviously means that you must trust that CA. If you're going to accept
> a cert from another
2011/8/1 Howard Chu :
[...]
> If there were indeed anything to be gained by such a feature, it would also
> need to be implemented on clients. Look around - do any web browsers allow
> you to isolate CAs like this?
Yes. You can basically isolate CAs into 3 categories (they can interleave):
- CAs
2011/7/29 Howard Chu :
> Erwann ABALEA wrote:
>> If the support for JIS, Chinese, and Greek characters were to be
>> included in the 1993 edition, and this edition has never been
>> published, couldn't it be possible to ignore them?
>> X.680 (1997 edition) also ref
2011/7/30 Howard Chu :
> Frank Swasey wrote:
>> On 7/29/11 3:09 PM, Philip Guenther wrote:
>>> On Fri, 29 Jul 2011, Francis Swasey wrote:
I have tried placing both the server certificate and the intermediate
certificate in the same file. OpenLDAP won't start if I put the
intermediat
2011/7/29 Howard Chu :
> Erwann ABALEA wrote:
[...]
>> I'm reading now libldap/t61.c. I just read the IETF draft, and the
>> numerous tables... What a mess. X.680 has a reference to T.61
>> recommendation, which was deleted some years ago, and I'm not clever
>>
2011/7/29 Howard Chu :
> Howard Chu wrote:
>> Erwann ABALEA wrote:
>>> Do you have any document or pointer to understand the task of
>>> converting to/from T.61, and incompatible character sets you talked
>>> about? I Googled for this, but I'm not sure of
First, sorry for having placed this thread in private, that was
unintentional (maybe I should reconsider using a "reply to all" by
default). Group added.
2011/7/29 Howard Chu :
> Erwann ABALEA wrote:
[...]
>> In fact, I know such a CA that was generated some months ago, w
2011/4/21 Jose Ildefonso Camargo Tolosa :
> On Thu, Apr 21, 2011 at 1:02 PM, Erwann ABALEA wrote:
>> 2011/4/21 Jose Ildefonso Camargo Tolosa :
>> [...]
>>>> Or use the ldapi:// URI, with "EXTERNAL" SASL mechanism, and correct ACL.
>>>
>>> Ok
2011/4/21 Jose Ildefonso Camargo Tolosa :
[...]
>> Or use the ldapi:// URI, with "EXTERNAL" SASL mechanism, and correct ACL.
>
> Ok can you elaborate? if you can do this, I feel that this is
> almost a security problem (where you can bypass LDAP authentication by
> using an external auth that w
2011/4/21 Jose Ildefonso Camargo Tolosa :
> On Thu, Apr 21, 2011 at 11:47 AM, Olivier Guillard
> wrote:
>>> No, that is not the meaning of "add".
>>
>> In that case, how can you change
>> olcRootPW: MySecretPassword
>
> If you forgot your rootdn pass, and have no other user that with write
> privi
OpenLDAP won't parse the certificate for you. Unless you define your own
attributes, and populate them at certificate insertion with certificates
fields, then no, you won't be able to just request your directory and
retrieve certificate fields.
On 20 Apr 2011 13:47, "Leonardo" wrote:
> Hello,