Re: birthday and maiden name are not in the standard schema

2019-12-20 Thread Erwann ABALEA
Hello, You have to first start by defining your new schema. Here's an example below for your 2 attributes, and an auxiliary object class (i.e. a class that can be added to any kind of entry, in addition to their existing object classes) allowing the use of these attributes. The birthday needs to

Re: organizationIdentifier ATTRIBUTE mapping

2017-01-24 Thread Erwann Abalea
2017-01-23 10:48 GMT+01:00 Francesco Sordi : > The attribute has been defined by ETSI here: > https://www.itu.int/rec/dologin.asp?lang=e&id=T-REC-X.520-201210-S!Cor3!PDF-E&type=items > This attribute wasn't defined by ETSI, but by the X.500 committee. ETSI uses it for eIDAS purposes. as I wro

Re: organizationIdentifier ATTRIBUTE mapping

2017-01-23 Thread Erwann Abalea
Hello, 2017-01-23 8:55 GMT+01:00 Michael Ströder : > Francesco Sordi wrote: > > Unfortunately ITU did not clarify if this attribute is part of a new > class (i.e. legal > > person) or if it is an attribute for the organization objectclass or > another one. > > I would like to find an existing

Re: Case Sensitive Binds

2015-02-27 Thread Erwann Abalea
Good evening, 2015-02-27 22:10 GMT+01:00 Bram Cymet : > Hi, > > I am using openldap 2.4.26. My system ignores case when doing binds: > > Feb 27 16:08:08 devauth slapd[2437]: conn=2723 op=1 BIND > dn="uid=bcy...@cbnco.com,ou=test_websales_users,dc=ls,dc=cbn" method=128 > Feb 27 16:08:08 devauth slapd[2

Re: POODLE SSLv3 downgrade attack

2014-10-19 Thread Erwann Abalea
2014-10-19 15:36 GMT+02:00 Howard Chu : > Joe Friedeggs wrote: > >> Pardon my ignorance on the subject, but I need to understand this: >> >> > You've probably all heard about this "new" attack several times by >> now. Just >> > to confirm what's already been stated - this attack only affects HTT

Re: CRL with OpenSSL

2014-04-14 Thread Erwann Abalea
Now you've got another problem. Why do you have 2 different CAs with the same private key? It's getting more off-topic, sorry. 2014-04-14 20:23 GMT+02:00 Emmanuel Dreyfus : > Erwann Abalea wrote: > > > It considers that the CRL found at "hash".r0 isn

Re: CRL with OpenSSL

2014-04-14 Thread Erwann Abalea
It considers that the CRL found at "hash".r0 isn't valid or sufficient to give a revocation status of your certificate. Could you post the subscriber certificate, its issuing CA cert, and the corresponding CRL somewhere? 2014-04-14 10:32 GMT+02:00 Emmanuel Dreyfus : > On Sun, Apr 13, 2014 at 12

Re: Stuck with SSL issue

2014-03-11 Thread Erwann Abalea
TLS trace: SSL3 alert read:fatal:unknown CA ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca. 531ecbee connection_read(11): TLS accept failure

Re: Critical GnuTLS bug ...

2014-03-04 Thread Erwann Abalea
While I disagreed with you on some PKI-related topics, I fully agree with you on that specific one. GnuTLS is bad. (back reading that new triple handshake TLS attack) 2014-03-04 20:40 GMT+01:00 Howard Chu : > http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux- > hundreds-of

Re: Subject Alternative Name in TLS - does this work?

2013-10-21 Thread Erwann Abalea
2013/10/21 Howard Chu > lejeczek wrote: > >> that was me, the way I tried to sign certificate were... >> incorrect >> >> apologies and great and many thanks to everybody >> >> I can now ldapsearch on both slapd.domain.local and >> slap.domain.external with -ZZZ, all good (only cannot >> confirm i

Re: Subject Alternative Name in TLS - does this work?

2013-10-17 Thread Erwann Abalea
It should work, but depends on the checks performed by the TLS+crypto toolkit. Using the CN to hold the hostname/IP is deprecated, and this field is now ignored by some libraries if the SAN extension is present. 2013/10/17 lejeczek > dear all > > I'm trying to set a seemingly simple setup > hav

Re: Questions about multiple identical values in a field

2013-05-03 Thread Erwann Abalea
2013/5/3 Nicolas Mora : > Thanks for your answers, > > Given the context, I would go for the postaladdress field if the entries are > in RW mode, but if I can't have empty fields, is there a non-ambiguous way > to determine the different parts of the field when I use $ as a separator. No. In the fo

Re: Questions about multiple identical values in a field

2013-05-03 Thread Erwann Abalea
2013/5/3 Quanah Gibson-Mount : > --On Friday, May 03, 2013 7:01 PM +0200 Erwann Abalea > wrote: > >> 2013/5/3 Quanah Gibson-Mount >>> --On Friday, May 03, 2013 6:24 PM +0200 Erwann Abalea >>> wrote: >>>> Can't you use the postalAddress attribut

Re: Questions about multiple identical values in a field

2013-05-03 Thread Erwann Abalea
2013/5/3 Quanah Gibson-Mount > --On Friday, May 03, 2013 6:24 PM +0200 Erwann Abalea > wrote: > > Can't you use the postalAddress attribute? >> With your examples, it should be something like: >> postalAddress: 123 1st av$Montreal$QC$GGG RT3$CA >> >> p

Re: Questions about multiple identical values in a field

2013-05-03 Thread Erwann Abalea
Hello, The countryCode can't have multiple values: attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' ) DESC 'RFC2256: ISO-3166 country 2-letter code' SUP name SINGLE-VALUE ) Can't you use the postalAddress attribute? With your examples, it should be something like: postalAddress

Re: ldapmodify: multiple additions

2013-03-13 Thread Erwann Abalea
Following RFC2849 (LDIF), it seems the multiple attributes on a single line isn't supported. mod-spec = ("add:" / "delete:" / "replace:") FILL AttributeDescription SEP *attrval-spec "-" SEP Attribute

Re: S/Mime configuration

2013-03-11 Thread Erwann Abalea
For values spanning several lines (like your certificate), prefix each line after the first with a space or tab character. This space or tab character will be stripped by whatever you feed your LDIF with. 2013/3/12 Jignesh Patel > userCertificate;binary:: > MIIDdzCCAuCgAwIBAgIIEVQGxMF17akwDQYJKoZIh

Re: S/Mime configuration

2013-03-11 Thread Erwann Abalea
":: > userCertificate;binary:: < > file://Users/jignesh/install/direct/tools/terretta.der > > On Mar 11, 2013, at 5:29 PM, Erwann Abalea wrote: > > userCertificate;binary:< file://path/to/terreta.der > > -- Erwann.

Re: S/Mime configuration

2013-03-11 Thread Erwann Abalea
Your certificate is fine, your LDIF file is incorrect. "userCertificate;binary: terreta.der" should be changed either into: userCertificate;binary:< file://path/to/terreta.der or userCertificate;binary:: base64 of your terreta.der file 2013/3/11 Jignesh Patel > I have a requirement to search C

Re: Import base64 info

2013-03-11 Thread Erwann Abalea
It looks like your cn value is ISO-8859-{1,15}. Convert it into UTF-8. All strings MUST be UTF-8 encoded. 2013/3/11 arantza serrano > Hello, > > I'm trying to import my LDIF where some attributes are in base64: > > /opt/openldap/bin/ldapadd -x -D "root_dn" -w pass_dn <<

Re: import Certificate to userCertificate

2013-02-07 Thread Erwann Abalea
e binary representation of the certificate that > you then decoded again in order to get the certificate details? > > -Jon C. Kidder > American Electric Power > Middleware Services > 614-716-4970 > > > *Erwann Abalea * > Sent by: openldap-technical-boun...@openlda

Re: import Certificate to userCertificate

2013-02-07 Thread Erwann Abalea
cate requires a binary encoded x.509 certificate. > > -Jon C. Kidder > American Electric Power > Middleware Services > 614-716-4970 > > > *Erwann Abalea * > Sent by: openldap-technical-boun...@openldap.org > > 02/07/2013 10:06 AM > To > jckid...@aep.com &g

Re: import Certificate to userCertificate

2013-02-07 Thread Erwann Abalea
I disagree here. Decoding the Base64 presented shows the start of a certificate. It looks like it's a v3 certificate, with a serialNumber equal to 0x4000d1bdcd0d49bf664c00ce8524, but the hashalg is something private (OID 1.3.6.1.4.1.3670.1.2), which is owned by Mr Pavlov Roman. We also have th

Re: import Certificate to userCertificate

2013-02-07 Thread Erwann Abalea
Hello, 1.3.6.1.4.1.1466.115.121.1.40 stands for "octet string". That is, something binary without any meaning. 1.3.6.1.4.1.1466.115.121.1.8 stands for "X.509 certificate", something with a structure that can (and will) be parsed by OpenLDAP so it can use it with standardized search filters. Yo

Re: OpenLDAP as an address book for MS Outlook

2012-12-12 Thread Erwann Abalea
You're not expanding it, you're altering it. The 'name' attribute type is defined by X.520, and used as is by RFC45xx(19?). There's no default sorting rule for this attribute. Changing its definition is not an expansion. The commonName attribute is an expansion of the name attribute (it is based o

Re: OpenLDAP as an address book for MS Outlook

2012-12-11 Thread Erwann Abalea
2012/12/11 Philip Guenther > On Tue, 11 Dec 2012, Victor Sudakov wrote: > [...] > > If I wanted to reproduce the Outlook's incorrect request, what > > ldapsearch command line should that be? > > Just leave out the explicit rule: > ldapsearch -E sss=cn '(cn=*)' cn > -E '!sss=cn' The reque

Re: OpenLDAP as an address book for MS Outlook

2012-12-07 Thread Erwann Abalea
2012/12/7 Victor Sudakov > Mark Coetser wrote: > > > > > > > the problem can be that Outlook uses SSSVLV controls on attributes > > > without ordering rules in OpenLDAP. Unfortunately, the 'name' > > > attribute has no ordering rules, so you can't sort results on > name > > >

Fwd: Difference between 2.4.30 and 2.3.43 in certificateMatch.

2012-12-03 Thread Erwann Abalea
-- Forwarded message -- From: Erwann Abalea Date: 2012/12/3 Subject: Re: Difference between 2.4.30 and 2.3.43 in certificateMatch. To: Mike Hulsman 2012/12/3 Mike Hulsman > > Quoting Erwann Abalea : > > 2012/12/3 Mike Hulsman >> >>

Re: Difference between 2.4.30 and 2.3.43 in certificateMatch.

2012-12-03 Thread Erwann Abalea
2012/12/3 Mike Hulsman > > Quoting Howard Chu : > >> >> [...] > No. Read RFC4523. >> > > After a lot of reading and testing I still cannot get it working. > > I read RFC4523 and am now doing an ldap search of (usercertificate:certificateExactMatch:=certificate_serial_number$certifica

Re: openldap 2.2.x

2012-11-02 Thread Erwann Abalea
You may try this instead: postalAddress:: TmllZGVyc8OkY2hzaXNjaGVzIExhbmRlc2FtdCBmw7xyIFZlcmJyYXVjaGVyc2No dXR6IHVuZCBMZWJlbnNtaXR0ZWxzaWNoZXJoZWl0LCBEZXplcm5hdCAyMywgUG9z dGZhY2ggMzk0OSwgMjYwMjkgT2xkZW5idXJn This is UTF-8 encoded (required by RFC4519+RFC4517). 2012/11/2 Pörschke, Gunnar : > W

Re: how to tell client to use ssf=256 instead of ssf=128

2012-10-08 Thread Erwann Abalea
Good evening, 2012/10/8 Tobias Hachmer : > I'm using openldap 2.4.28 on ubuntu server and configured TLS. > I want to allow write operations only when ssf=256 is used. (security > update_ssf=256) [...] > 1. Why is the client connecting with ssf=128? That's a result of ciphersuite negotiation. > 2. C

Re: Performance of MDB and BDB Please suggest?

2012-08-31 Thread Erwann Abalea
Hello, I'm no LDAP expert, so what follows may be stupid. I'm OK with this, but I'd prefer receiving pointers to make my mind clearer. Looking at your network capture, I see the search you're doing has its baseObject set to "msisdn=982868;dc=MSISDN,dc=C-NTDB". Is the semicolon intentional?

Re: delta-syncrepl stopped receiving changes

2012-08-15 Thread Erwann Abalea
I think that even in the cn=config case, a stop/start is necessary, because a database can't be deleted, and I doubt a backend change can be performed dynamically. Maybe even some manual LDIF editing is necessary, something evil ;) 2012/8/15 Gavin Henry : >>> Clearly I need to upgrade and see if thi

Re: View or filter based on ldaps://FQDN

2012-01-14 Thread Erwann Abalea
LDAP context is not bad, or a lack of anything. My opinion would be that the OP redefines his need. -- Erwann. On 14 Jan 2012 13:23, "Erwann Abalea" wrote: > > Can't SNI support be added? > > -- > Erwann. > > On 14 Jan 2012 13:08, "Howard Chu"

Re: View or filter based on ldaps://FQDN

2012-01-14 Thread Erwann Abalea
Can't SNI support be added? -- Erwann. On 14 Jan 2012 13:08, "Howard Chu" wrote: > > Ronie Gilberto Henrich wrote: >> >> Hello, >> >> I need to be able to restrict ldap ou's access based on the ldaps://FQDN used to query the ldap server. >> Let's say I have the following in my ldap server: >

Re: Customizing organizationalUnit

2011-08-06 Thread Erwann ABALEA
On 6 Aug 2011 16:30, "Michael Ströder" wrote: > > Erwann ABALEA wrote: > > > > On 6 Aug 2011 15:49, "Michael Ströder" wrote: > >> > >> harry.j...@arcor.de

Re: Customizing organizationalUnit

2011-08-06 Thread Erwann ABALEA
On 6 Aug 2011 15:49, "Michael Ströder" wrote: > > harry.j...@arcor.de wrote: > > The cleanest approach is to modify your OU entries: > > > > objectClass: top > > objectClass: organizationalUnit > > objectClass: extensibleObject > > > > Now, all attributes which are defined in any schema are al

Re: Ldap issue

2011-08-03 Thread Erwann ABALEA
On 3 Aug 2011 19:08, "renu abraham" wrote: > ldapsearch -x -H ldap://127.0.0.1:389/ -D "cn=manager,ou=system,o=example" -w secret Is that the real command? There's a mismatch between "o=example" here, and the declared "o=example.com" below. > suffix o=example.com > rootdn cn=manager,ou=syste

Re: SSL server certificate that has an intermediary certificate in the chain

2011-08-02 Thread Erwann ABALEA
2011/8/2 Howard Chu : > David Hawes wrote: [...] >> What is gained is that the server can be explicit about what client >> certificates it will accept. This is useful if you want to use a >> separate CA for client auth and do not want to accept certs from the CA >> that signed the server's cert. >

Re: SSL server certificate that has an intermediary certificate in the chain

2011-08-02 Thread Erwann ABALEA
2011/8/2 Howard Chu : > Erwann ABALEA wrote: >> >> 2011/8/1 Howard Chu: >>> >>> David Hawes wrote: >> >> [...] >>> >>> Think about why you would configure such a setup, and what it actually >>> means. When you have a certific

Re: SSL server certificate that has an intermediary certificate in the chain

2011-08-02 Thread Erwann ABALEA
2011/8/2 Howard Chu : > Erwann ABALEA wrote: >> 2011/8/1 Howard Chu: >> [...] >>> >>> If there were indeed anything to be gained by such a feature, it would >>> also >>> need to be implemented on clients. Look around - do any web browsers >>

Re: SSL server certificate that has an intermediary certificate in the chain

2011-08-01 Thread Erwann ABALEA
2011/8/1 Howard Chu : > David Hawes wrote: [...] > Think about why you would configure such a setup, and what it actually > means. When you have a certificate of your own, signed by a particular CA, > that obviously means that you must trust that CA. If you're going to accept > a cert from another

Re: SSL server certificate that has an intermediary certificate in the chain

2011-08-01 Thread Erwann ABALEA
2011/8/1 Howard Chu : [...] > If there were indeed anything to be gained by such a feature, it would also > need to be implemented on clients. Look around - do any web browsers allow > you to isolate CAs like this? Yes. You can basically isolate CAs into 3 categories (they can interleave): - CAs

Re: invalid syntax when teletexstring

2011-07-30 Thread Erwann ABALEA
2011/7/29 Howard Chu : > Erwann ABALEA wrote: >> If the support for JIS, Chinese, and Greek characters were to be >> included in the 1993 edition, and this edition has never been >> published, couldn't it be possible to ignore them? >> X.680 (1997 edition) also ref

Re: SSL server certificate that has an intermediary certificate in the chain

2011-07-30 Thread Erwann ABALEA
2011/7/30 Howard Chu : > Frank Swasey wrote: >> On 7/29/11 3:09 PM, Philip Guenther wrote: >>> On Fri, 29 Jul 2011, Francis Swasey wrote: I have tried placing both the server certificate and the intermediate certificate in the same file. OpenLDAP won't start if I put the intermediat

Re: invalid syntax when teletexstring

2011-07-29 Thread Erwann ABALEA
2011/7/29 Howard Chu : > Erwann ABALEA wrote: [...] >> I'm reading now libldap/t61.c. I just read the IETF draft, and the >> numerous tables... What a mess. X.680 has a reference to T.61 >> recommendation, which was deleted some years ago, and I'm not clever >>

Re: invalid syntax when teletexstring

2011-07-29 Thread Erwann ABALEA
2011/7/29 Howard Chu : > Howard Chu wrote: >> Erwann ABALEA wrote: >>> Do you have any document or pointer to understand the task of >>> converting to/from T.61, and incompatible character sets you talked >>> about? I Googled for this, but I'm not sure of

Re: invalid syntax when teletexstring

2011-07-28 Thread Erwann ABALEA
First, sorry for having placed this thread in private, that was unintentional (maybe I should reconsider using a "reply to all" by default). Group added. 2011/7/29 Howard Chu : > Erwann ABALEA wrote: [...] >> In fact, I know such a CA that was generated some months ago, w

Re: Installation openLDAP in Debian

2011-04-21 Thread Erwann ABALEA
2011/4/21 Jose Ildefonso Camargo Tolosa : > On Thu, Apr 21, 2011 at 1:02 PM, Erwann ABALEA wrote: >> 2011/4/21 Jose Ildefonso Camargo Tolosa : >> [...] >>>> Or use the ldapi:// URI, with "EXTERNAL" SASL mechanism, and correct ACL. >>> >>> Ok

Re: Installation openLDAP in Debian

2011-04-21 Thread Erwann ABALEA
2011/4/21 Jose Ildefonso Camargo Tolosa : [...] >> Or use the ldapi:// URI, with "EXTERNAL" SASL mechanism, and correct ACL. > > OK, can you elaborate? If you can do this, I feel that this is > almost a security problem (where you can bypass LDAP authentication by > using an external auth that w

Re: Installation openLDAP in Debian

2011-04-21 Thread Erwann ABALEA
2011/4/21 Jose Ildefonso Camargo Tolosa : > On Thu, Apr 21, 2011 at 11:47 AM, Olivier Guillard > wrote: >>> No, that is not the meaning of "add". >> >> In that case, how can you change >> olcRootPW: MySecretPassword > > If you forgot your rootdn pass, and have no other user that with write > privi

Re: userCertificate

2011-04-20 Thread Erwann ABALEA
OpenLDAP won't parse the certificate for you. Unless you define your own attributes, and populate them at certificate insertion with certificate fields, then no, you won't be able to just query your directory and retrieve certificate fields. On 20 Apr 2011 13:47, "Leonardo" wrote: > Hello,