Full_Name: Quanah Gibson-Mount
Version: OpenLDAP 2.4
OS: 2.4.47
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.128.44)
Per the slapadd man page:
-S SID Server ID to use in generated entryCSN. Also used for contextCSN
if -w is set as well. Defaults to 0.
However, if this is run against an export that already has entryCSN values in
the entries, those values are not updated. This is problematic when wanting to
update a database from single provider (SID0) to MMR (SID1+).
I generally think that if the -S option is provided and is non-zero, all
entryCSN values that currently have a "0" serverID in the entryCSN field should
be updated to the specified -S value.
In the above case, it would be critical to additionally flag -w on the end user
part.
This helps to clean up data when doing migrations.
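As an added example (not slapadd's own code), the rewrite this report proposes, applied to an LDIF export: entryCSN values whose SID field is 0 take the given server ID, values already carrying another SID are left alone, and the contextCSN rewrite is gated on a flag standing in for -w. The function and sample names (rewrite_csn_sids, SAMPLE_LDIF) are this example's own.

```python
import re

# Added example, not slapadd's own code: a standalone rewrite of the SID field
# in entryCSN (and optionally contextCSN) values of an LDIF export, i.e. the
# behaviour the report asks slapadd -S to perform. Names such as
# rewrite_csn_sids and SAMPLE_LDIF are this example's own.

# OpenLDAP CSN layout: <UTC timestamp>#<count>#<sid>#<modifier>,
# e.g. 20190510205238.123456Z#000000#000#000000 (sid is three hex digits).
CSN_RE = re.compile(
    r"^(\d{14}\.\d{6}Z)#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)


def rewrite_csn(value, new_sid):
    """Return `value` with a zero SID replaced by `new_sid`; other SIDs untouched."""
    m = CSN_RE.match(value)
    if not m:
        raise ValueError("not a CSN: %r" % value)
    ts, count, sid, mod = m.groups()
    if int(sid, 16) != 0:
        return value  # already carries a real server ID, leave it alone
    return "%s#%s#%03x#%s" % (ts, count, new_sid, mod)


def rewrite_csn_sids(ldif_text, new_sid, rewrite_context=False):
    """Rewrite SID 0 in entryCSN values (and in contextCSN when rewrite_context
    is set, the counterpart of -w). Returns (new_ldif_text, values_changed).
    Assumes CSN values are written unfolded and unencoded, as slapcat does."""
    if not 0 < new_sid <= 0xFFF:
        raise ValueError("server ID must be 1..4095 for this rewrite")
    targets = {"entrycsn"}
    if rewrite_context:
        targets.add("contextcsn")
    out, changed = [], 0
    for line in ldif_text.splitlines():
        name, sep, val = line.partition(": ")
        if sep and name.lower() in targets:
            new = rewrite_csn(val.strip(), new_sid)
            if new != val.strip():
                changed += 1
            line = "%s: %s" % (name, new)
        out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed sample export: suffix entry with contextCSN, one entry still at
# SID 0, one already written by SID 1 (which must survive the rewrite).
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example
entryCSN: 20190510205238.123456Z#000000#000#000000
contextCSN: 20190510205238.123456Z#000000#000#000000

dn: uid=alice,dc=example,dc=com
objectClass: account
uid: alice
entryCSN: 20190510205300.000001Z#000000#000#000000

dn: uid=bob,dc=example,dc=com
objectClass: account
uid: bob
entryCSN: 20190510205301.000002Z#000000#001#000000
"""

if __name__ == "__main__":
    text, n = rewrite_csn_sids(SAMPLE_LDIF, 1, rewrite_context=True)
    print("%d CSN value(s) rewritten" % n)
    print(text)
```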
thank you, this case can be closed. appreciate all your help and clarification. thanks again
Thank you,
Darshankumar Mistry
darshankmistry(a)yahoo.com
On Friday, May 10, 2019, 1:53:16 PM PDT, Howard Chu <hyc(a)symas.com> wrote:
darshankmistry(a)yahoo.com wrote:
> thank you very much for quick response and openldap behavior configuration.
> how we can ignore to look server name in subject of certificate so I can use LDAP server ip address instead of host name?
> Also want to know if there is any open CVE which says it is vulnerabilities to use LDAP server ip address instead of name in ldap configuration.
Add the IP address in a subjectAlternativeName extension to your server certificate.
The behavior here is specified in RFC4513.
> Thank you,
> Darshankumar Mistry
> darshankmistry(a)yahoo.com
> On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount <quanah@symas.com> wrote:
>
> --On Friday, May 10, 2019 8:52 PM +0000 darshankmistry(a)yahoo.com wrote:
>
>> Full_Name: Darshankumar Mistry
>> Version:
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>>
>>
>> I would like to know why Open LDAP behavior was changed where we must
>> have to configure FQDN name mentioned in certificate in order to work LDAP
>> authentication... else TLS start failing.
>
> OpenLDAP has worked this way since I first started using it in 2002.  This
> behavior is nothing new.  And this is the correct behavior.
>
> This ITS will be closed.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
darshankmistry(a)yahoo.com wrote:
> thank you very much for quick response and openldap behavior configuration.
> how we can ignore to look server name in subject of certificate so I can use LDAP server ip address instead of host name?
> Also want to know if there is any open CVE which says it is vulnerabilities to use LDAP server ip address instead of name in ldap configuration.
Add the IP address in a subjectAlternativeName extension to your server certificate.
The behavior here is specified in RFC4513.
>
>
> Thank you,
> Darshankumar Mistry
> darshankmistry(a)yahoo.com
>
> On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount <quanah@symas.com> wrote:
>
> --On Friday, May 10, 2019 8:52 PM +0000 darshankmistry(a)yahoo.com wrote:
>
>> Full_Name: Darshankumar Mistry
>> Version:
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>>
>>
>> I would like to know why Open LDAP behavior was changed where we must
>> have to configure FQDN name mentioned in certificate in order to work LDAP
>> authentication... else TLS start failing.
>
> OpenLDAP has worked this way since I first started using it in 2002.  This
> behavior is nothing new.  And this is the correct behavior.
>
> This ITS will be closed.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
--On Friday, May 10, 2019 9:32 PM +0000 darshan mistry
<darshankmistry(a)yahoo.com> wrote:
> how we can ignore to look server name in subject of certificate so I can
> use LDAP server ip address instead of host name?
If you want to allow connecting over the IP address with TLS, then add it
as a subjectAltName value in the certificate, for example:
subjectAltName=IP:1.2.3.4
> Also want to know if there is any open CVE which says it is
> vulnerabilities to use LDAP server ip address instead of name in ldap
> configuration.
I'm not aware of any such CVE or why there would be one.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
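Both replies above (Howard's subjectAlternativeName suggestion and Quanah's `subjectAltName=IP:1.2.3.4`) come down to how a client derives the server's identity from the certificate. This added Python example, which is not libldap's code, applies a check modelled on RFC 4513 section 3.1.3 to constructed certificates in the layout `ssl.SSLSocket.getpeercert()` returns, and shows why an IP literal fails against a CN-only certificate and passes once an iPAddress SAN is present. The function and sample names are this example's own.

```python
import ipaddress

# Added example, not libldap's code: a simplified server-identity check
# modelled on RFC 4513 section 3.1.3. Certificates are given in the dict
# layout ssl.SSLSocket.getpeercert() returns, so the function can also be run
# against a live peer; the sample certificates below are constructed.


def _dns_match(pattern, host):
    """Case-insensitive dNSName compare; '*' only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        plabels, hlabels = pattern.split("."), host.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_server_identity(cert, reference):
    """Return (ok, reason) for a connection opened to `reference`, which is
    either the host name or the IP literal used in the LDAP URI."""
    try:
        ref_ip = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        ref_ip = None  # reference is a host name, not an IP literal
    sans = cert.get("subjectAltName", ())
    if sans:
        # subjectAltName present: it is the only source of identity.
        # IP literals are compared against iPAddress entries, names against
        # dNSName entries; a name is never matched against an iPAddress.
        for kind, value in sans:
            if ref_ip is not None and kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ref_ip:
                        return True, "matched iPAddress SAN %s" % value
                except ValueError:
                    continue
            elif ref_ip is None and kind == "DNS" and _dns_match(value, reference):
                return True, "matched dNSName SAN %s" % value
        return False, "no subjectAltName entry matches %s" % reference
    # No SAN at all: fall back to the subject CN, but only as a DNS name, so
    # an IP literal ends up with the error quoted in this ITS.
    cn = _common_name(cert)
    if cn is not None and ref_ip is None and _dns_match(cn, reference):
        return True, "matched subject CN %s" % cn
    return False, "hostname does not match CN in peer certificate"


# Constructed sample certificates (getpeercert() layout, not real X.509 data).
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.example.com"),),)}
CERT_DNS_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.ldap.example.com")),
}
# What the replies recommend: the IP literal added as an iPAddress SAN.
CERT_IP_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("IP Address", "1.2.3.4")),
}

if __name__ == "__main__":
    for cert, ref in ((CERT_CN_ONLY, "1.2.3.4"), (CERT_IP_SAN, "1.2.3.4")):
        print(ref, check_server_identity(cert, ref))
```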
thank you very much for quick response and openldap behavior configuration.
how we can ignore to look server name in subject of certificate so I can use LDAP server ip address instead of host name?
Also want to know if there is any open CVE which says it is vulnerabilities to use LDAP server ip address instead of name in ldap configuration.
Thank you,
Darshankumar Mistry
darshankmistry(a)yahoo.com
On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount <quanah@symas.com> wrote:
--On Friday, May 10, 2019 8:52 PM +0000 darshankmistry(a)yahoo.com wrote:
> Full_Name: Darshankumar Mistry
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>
>
> I would like to know why Open LDAP behavior was changed where we must
> have to configure FQDN name mentioned in certificate in order to work LDAP
> authentication... else TLS start failing.
OpenLDAP has worked this way since I first started using it in 2002.  This
behavior is nothing new.  And this is the correct behavior.
This ITS will be closed.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
--On Friday, May 10, 2019 8:52 PM +0000 darshankmistry(a)yahoo.com wrote:
> Full_Name: Darshankumar Mistry
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>
>
> I would like to know why Open LDAP behavior was changed where we must
> have to configure FQDN name mentioned in certificate in order to work LDAP
> authentication... else TLS start failing.
OpenLDAP has worked this way since I first started using it in 2002. This
behavior is nothing new. And this is the correct behavior.
This ITS will be closed.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Full_Name: Darshankumar Mistry
Version:
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
I would like to know why OpenLDAP behavior was changed so that we must
configure the FQDN name mentioned in the certificate in order for LDAP
authentication to work... else TLS start fails.
I am getting the below error, and I know that I am using the IP address of the LDAP server in
my configuration instead of the certificate subject name (FQDN of the LDAP server):
TLS: can't connect: TLS: hostname does not match CN in peer certificate
--On Wednesday, May 08, 2019 12:56 PM -0400 David Hawes <dhawes(a)vt.edu>
wrote:
>> Hi David,
>>
>> I believe this was fixed with ITS#8796 (part of the 2.4.46 release). Can
>> you confirm?
>
> Confirmed. ITS#8796 fixes #8708.
Hi David,
Thanks for the quick confirmation! I've closed ITS#8708 and noted that the
fix for ITS#8796 resolved it.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Full_Name: Quanah Gibson-Mount
Version: 2.4
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.128.44)
The majority of supported overlays use an objectClass of the format:
olcOVERLAYConfig
However, there are two overlays that do *not* follow this format, which is
confusing.
memberOf -> olcMemberOf
dynlist -> olcDynamicList
For 2.5, I would suggest we change these to be consistent with all the other
overlays and document this change in the Admin Guide section on upgrade notes
etc.
--On Tuesday, August 08, 2017 7:08 PM +0000 dhawes(a)gmail.com wrote:
> Full_Name: David Hawes
> Version: 2.4.45
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:468:c80:2103:0:523:da5e:da5e)
Hi David,
I believe this was fixed with ITS#8796 (part of the 2.4.46 release). Can
you confirm?
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>