--On Friday, May 17, 2019 3:50 PM +0000 jpayanides(a)prosodie.com wrote:
> Full_Name: JPh Ayanides
> Version: 2.4.47
> OS: Linux Debian
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (195.46.216.78)
>
>
> Hello, I cannot get the following configuration to work.
> Instead, openldap crashes.
>
> I have 2 openldap servers in master-slave: the slave is installed on a
> machine named rada, and the master is installed on another machine named
> simby. The ppolicy is activated on rada and simby, and I use chain and
> updateref in order to sync failures in ppolicy coming from rada back to
> simby. When I test that feature by trying a bind with a wrong
> password, openldap on the slave crashes. I failed to understand why,
> even with gdb.
Ensure you have debugging symbols installed, and provide a full backtrace
of all threads from gdb.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Full_Name: JPh Ayanides
Version: 2.4.47
OS: Linux Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (195.46.216.78)
Hello, I cannot get the following configuration to work. Instead,
openldap crashes.
I have 2 openldap servers in master-slave: the slave is installed on a machine
named rada, and the master is installed on another machine named simby. The
ppolicy is activated on rada and simby, and I use chain and updateref in order
to sync failures in ppolicy coming from rada back to simby. When I test that
feature by trying a bind with a wrong password, openldap on the slave
crashes. I failed to understand why, even with gdb.
Here is the configuration of rada:
---------------------------
allow bind_v2
sizelimit size.hard=10000
sizelimit size.soft=500
# Schema and objectClass definitions
include /appli/openldap/etc/openldap/schema/core.schema
include /appli/openldap/etc/openldap/schema/cosine.schema
include /appli/openldap/etc/openldap/schema/nis.schema
include /appli/openldap/etc/openldap/schema/inetorgperson.schema
include /appli/openldap/etc/openldap/schema/ppolicy.schema
pidfile /appli/openldap-preprod/var/run/slapd.pid
argsfile /appli/openldap-preprod/var/run/slapd.args
loglevel -1
conn_max_pending 250
idletimeout 600
timelimit time.soft=60
timelimit time.hard=60
modulepath /appli/openldap/libexec/openldap
moduleload back_bdb
moduleload ppolicy
moduleload back_ldap
moduleload pw-sha2
password-hash {SSHA512}
TLSVerifyClient never
TLSCertificateKeyFile /appli/openldap-preprod/etc/private/auth.gdr.key
TLSCertificateFile /appli/openldap-preprod/etc/certs/auth.gdr.crt
TLSCACertificatePath /appli/openldap-preprod/etc/ca/
overlay chain
chain-uri ldaps://simby.example:637
chain-idassert-bind bindmethod="simple"
binddn="uid=mirrormode,dc=example"
credentials="secret"
mode="self"
tls_reqcert=allow
chain-tls none
chain-return-error TRUE
database bdb
suffix "dc=example"
rootdn "cn=admin,dc=example"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXX
dbconfig set_cachesize 0 128000000 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
directory "/appli/openldap-preprod/var/openldap-data"
index objectClass,entryCSN,entryUUID eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay ppolicy
ppolicy_default "cn=pwdDefault,ou=policies,dc=example"
ppolicy_hash_cleartext
ppolicy_use_lockout
ppolicy_forward_updates
lastmod on
syncrepl rid=002
provider=ldap://simby.example:390
binddn="uid=mirrormode,dc=example"
credentials=secret
bindmethod=simple
searchbase="dc=example"
schemachecking=off
type=refreshAndPersist
retry="60 +"
tls_cacert="/appli/openldap-preprod/etc/ca/CADSI.pem"
tls_reqcert=allow
starttls=yes
updateref ldaps://simby.example:637
access to attrs=userPassword
by dn="cn=admin,dc=example" write
by dn="cn=acadmin,dc=example" write
by dn="uid=mirrormode,dc=example" read
by dn="uid=rsasecureid,dc=example" auth
by anonymous auth
by dn="uid=test,ou=People,dc=example" none
by * none
access to attrs=shadowLastChange
by dn="cn=admin,dc=example" write
by dn="uid=mirrormode,dc=example" read
by dn="uid=test,ou=People,dc=example" none
by * read
access to dn="uid=test,ou=People,dc=example"
by dn="cn=admin,dc=example" write
by * read
database monitor
access to * by * read
-----------------------------
and here is the configuration file on the master:
----------------------------
allow bind_v2
sizelimit size.hard=10000
sizelimit size.soft=500
include /appli/openldap/etc/openldap/schema/core.schema
include /appli/openldap/etc/openldap/schema/cosine.schema
include /appli/openldap/etc/openldap/schema/nis.schema
include /appli/openldap/etc/openldap/schema/inetorgperson.schema
include /appli/openldap/etc/openldap/schema/ppolicy.schema
pidfile /appli/openldap-preprod/var/run/slapd.pid
argsfile /appli/openldap-preprod/var/run/slapd.args
loglevel -1
modulepath /appli/openldap/libexec/openldap
moduleload back_bdb
moduleload syncprov
moduleload ppolicy
moduleload pw-sha2
password-hash {SSHA512}
TLSCertificateKeyFile /appli/openldap-preprod/etc/private/simby.example.key
TLSCertificateFile /appli/openldap-preprod/etc/certs/simby.example.pem
TLSCACertificatePath /appli/openldap-preprod/etc/ca
TLSverifyClient never
database bdb
suffix "dc=example"
rootdn "cn=admin,dc=example"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXX
directory "/appli/openldap-preprod/var/openldap-data"
index objectclass,entryCSN,entryUUID eq
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
overlay ppolicy
ppolicy_default "cn=pwdDefault,ou=policies,dc=example"
ppolicy_use_lockout
ppolicy_hash_cleartext
lastmod on
access to attrs=userPassword
by dn="cn=admin,dc=example" write
by dn="uid=mirrormode,dc=example" read
by dn="cn=acadmin,dc=example" write
by dn="cn=rsasecureid,dc=example" auth
by anonymous auth
by dn="uid=test,ou=People,dc=example" none
by dn="cn=iam,dc=example" write
by * none
access to attrs=shadowLastChange
by dn="cn=admin,dc=example" write
by dn="uid=mirrormode,dc=example" read
by dn="cn=acadmin,dc=example" write
by dn="uid=test,ou=People,dc=example" none
by dn="cn=iam,dc=example" write
by * read
access to dn="uid=test,ou=People,dc=example"
by dn="cn=admin,dc=example" write
by * read
access to *
by dn="uid=test,ou=People,dc=example" none
by dn="uid=mirrormode,dc=example" read
by dn="cn=admin,dc=example" write
by dn="cn=acadmin,dc=example" write
by dn="cn=iam,dc=example" write
by * read
access to dn="ou=People,dc=example"
by dn="cn=acadmin,dc=example" write
by * read
database monitor
access to * by * read
---------------------------
In the log of the slave, I get at the end:
May 17 16:37:12 rada slapd[546]: ==> bdb_bind: dn:
uid=user1,ou=People,dc=example
May 17 16:37:12 rada slapd[546]: bdb_dn2entry("uid=user1,ou=people,dc=example")
May 17 16:37:12 rada slapd[546]: => access_allowed: result not in cache
(userPassword)
May 17 16:37:12 rada slapd[546]: => access_allowed: auth access to
"uid=user1,ou=People,dc=example" "userPassword" requested
May 17 16:37:12 rada slapd[546]: => acl_get: [1] attr userPassword
May 17 16:37:12 rada slapd[546]: => acl_mask: access to entry
"uid=user1,ou=People,dc=example", attr "userPassword" requested
May 17 16:37:12 rada slapd[546]: => acl_mask: to value by "", (=0)
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: cn=admin,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: cn=acadmin,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: uid=mirrormode,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: uid=rsasecureid,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat:
ou=capge002,ou=application,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: anonymous
May 17 16:37:12 rada slapd[546]: <= acl_mask: [6] applying auth(=xd) (stop)
May 17 16:37:12 rada slapd[546]: <= acl_mask: [6] mask: auth(=xd)
May 17 16:37:12 rada slapd[546]: => slap_access_allowed: auth access granted by
auth(=xd)
May 17 16:37:12 rada slapd[546]: => access_allowed: auth access granted by
auth(=xd)
May 17 16:37:12 rada slapd[546]: send_ldap_result: conn=1000 op=0 p=3
May 17 16:37:12 rada slapd[546]: send_ldap_result: err=49 matched="" text=""
May 17 16:37:12 rada slapd[546]: => bdb_entry_get: ndn:
"uid=user1,ou=people,dc=example"
May 17 16:37:12 rada slapd[546]: => bdb_entry_get: oc: "(null)", at: "(null)"
May 17 16:37:12 rada slapd[546]: bdb_dn2entry("uid=user1,ou=people,dc=example")
May 17 16:37:12 rada slapd[546]: => bdb_entry_get: found entry:
"uid=user1,ou=people,dc=example"
May 17 16:37:12 rada slapd[546]: bdb_entry_get: rc=0
May 17 16:37:12 rada slapd[546]: bdb_dn2entry("uid=user1,ou=people,dc=example")
May 17 16:37:12 rada slapd[546]: send_ldap_result: conn=1000 op=0 p=3
May 17 16:37:12 rada slapd[546]: send_ldap_result: err=10 matched="" text=""
May 17 16:37:12 rada slapd[546]: send_ldap_result:
referral="ldaps://simby.example:637/uid=user1,ou=People,dc=example"
May 17 16:37:12 rada slapd[546]: >>> dnPrettyNormal:
<uid=user1,ou=People,dc=example>
May 17 16:37:12 rada slapd[546]: <<< dnPrettyNormal:
<uid=user1,ou=People,dc=example>, <uid=user1,ou=people,dc=example>
May 17 16:37:12 rada slapd[546]: conn=1000 op=0 ldap_chain_op:
ref="ldaps://simby.example:637/uid=user1,ou=People,dc=example" ->
"ldaps://simby.example:637"
May 17 16:37:12 rada slapd[546]: conn=1000 op=0 ldap_chain_op:
ref="ldaps://simby.example:637/uid=user1,ou=People,dc=example":
URI="ldaps://simby.example:637" found in cache
May 17 16:37:12 rada slapd[546]: =>ldap_back_getconn: conn=1000 op=0:
lc=0x838b4a8 inserted refcnt=1 rc=0
May 17 16:37:12 rada slapd[546]: daemon: activity on 1 descriptor
May 17 16:37:12 rada slapd[546]: daemon: activity on:
May 17 16:37:12 rada slapd[546]:
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=7 active_threads=1
tvp=zero
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=8 active_threads=1
tvp=zero
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=9 active_threads=1
tvp=zero
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=10 active_threads=1
tvp=zero
and then the slave crashes with a code 0177
In the log of the master, I get:
May 17 16:37:12 simby slapd[18544]: => slap_access_allowed: auth access granted
by auth(=xd)
May 17 16:37:12 simby slapd[18544]: => access_allowed: auth access granted by
auth(=xd)
May 17 16:37:12 simby slapd[18544]: conn=1001 op=0 BIND
dn="uid=mirrormode,dc=example" mech=SIMPLE ssf=0
May 17 16:37:12 simby slapd[18544]: do_bind: v3 bind:
"uid=mirrormode,dc=example" to "uid=mirrormode,dc=example"
May 17 16:37:12 simby slapd[18544]: send_ldap_result: conn=1001 op=0 p=3
May 17 16:37:12 simby slapd[18544]: send_ldap_result: err=0 matched="" text=""
May 17 16:37:12 simby slapd[18544]: => bdb_entry_get: ndn:
"uid=mirrormode,dc=example"
May 17 16:37:12 simby slapd[18544]: => bdb_entry_get: oc: "(null)", at:
"(null)"
May 17 16:37:12 simby slapd[18544]: bdb_dn2entry("uid=mirrormode,dc=example")
May 17 16:37:12 simby slapd[18544]: => bdb_entry_get: found entry:
"uid=mirrormode,dc=example"
May 17 16:37:12 simby slapd[18544]: bdb_entry_get: rc=0
May 17 16:37:12 simby slapd[18544]: send_ldap_response: msgid=1 tag=97 err=0
May 17 16:37:12 simby slapd[18544]: conn=1001 op=0 RESULT tag=97 err=0 text=
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=7 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=8 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=9 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=10 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: activity on 3 descriptors
May 17 16:37:12 simby slapd[18544]: daemon: activity on:
May 17 16:37:12 simby slapd[18544]: 12r
May 17 16:37:12 simby slapd[18544]: 15r
May 17 16:37:12 simby slapd[18544]:
May 17 16:37:12 simby slapd[18544]: daemon: read active on 12
May 17 16:37:12 simby slapd[18544]: connection_get(12)
May 17 16:37:12 simby slapd[18544]: connection_get(12): got connid=1000
May 17 16:37:12 simby slapd[18544]: connection_read(12): checking for input on
id=1000
May 17 16:37:12 simby slapd[18544]: ber_get_next on fd 12 failed errno=0
(Success)
May 17 16:37:12 simby slapd[18544]: connection_read(12): input error=-2 id=1000,
closing.
May 17 16:37:12 simby slapd[18544]: connection_closing: readying conn=1000 sd=12
for close
May 17 16:37:12 simby slapd[18544]: connection_close: conn=1000 sd=12
May 17 16:37:12 simby slapd[18544]: daemon: removing 12
May 17 16:37:12 simby slapd[18544]: conn=1000 fd=12 closed (connection lost)
May 17 16:37:12 simby slapd[18544]: daemon: read active on 15
May 17 16:37:12 simby slapd[18544]: connection_get(15)
May 17 16:37:12 simby slapd[18544]: connection_get(15): got connid=1001
May 17 16:37:12 simby slapd[18544]: connection_read(15): checking for input on
id=1001
May 17 16:37:12 simby slapd[18544]: ber_get_next on fd 15 failed errno=0
(Success)
May 17 16:37:12 simby slapd[18544]: connection_read(15): input error=-2 id=1001,
closing.
May 17 16:37:12 simby slapd[18544]: connection_closing: readying conn=1001 sd=15
for close
May 17 16:37:12 simby slapd[18544]: connection_close: conn=1001 sd=15
May 17 16:37:12 simby slapd[18544]: daemon: removing 15
May 17 16:37:12 simby slapd[18544]: conn=1001 fd=15 closed (connection lost)
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=7 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=8 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=9 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=10 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: activity on 1 descriptor
May 17 16:37:12 simby slapd[18544]: daemon: activity on:
May 17 16:37:12 simby slapd[18544]:
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=7 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=8 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=9 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=10 active_threads=0
tvp=NULL
-----------------------------
I am not sure I am using the right configuration, but anyway, openldap should not
crash.
On Mon, May 13, 2019 at 03:32:19PM +0000, ondra(a)mistotebe.net wrote:
> Yes, it looks like the main SockBuf closing is run twice, once in
> ldap_free_connection and once directly in ldap_ld_free. I think we don't
> enforce that SockBuf implementations set sb_fd != AC_SOCKET_INVALID, so
> not sure yet if we can gate calling sb_close on that or something else.
>
> I'll see if there's a way to make this work better.
There's a proposed patch at
https://github.com/mistotebe/openldap/tree/its8755
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
--On Wednesday, April 17, 2019 11:19 AM +0000 ondra(a)openldap.org wrote:
> Full_Name: Ondrej Kuznik
> Version: re24/master
> OS: Linux
> URL: https://github.com/mistotebe/openldap/tree/its9008
> Submission from: (NULL) (82.10.24.68)
>
>
> Modules that link against libraries not already present in slapd will
> only try to look in the rpaths encoded in the module, not in slapd. And
> there is no point encoding $(moduledir) there, since we never install
> anything of substance there. All the while the libraries we need probably
> live in $(libdir).
>
> The linked patch fixes this and makes it possible for $(moduledir) (the
> path modules will be installed into) to be set at configure time.
This patch depends on a custom version of libtool that is not available to
others and can cause significant build breakage when building under a
packaging system. More work needed, either removing libtool from the build
process for OpenLDAP, or modifications to this work to allow it to work
properly with a non-custom version of libtool.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
On Thu, Oct 12, 2017 at 10:01:35PM +0000, info(a)christianknueppel.de wrote:
> I am currently developing C software which uses OpenLDAP with TLS
> authentication. My software is working fine, but when I test it with valgrind, I
> always get an invalid file descriptor when closing the connection.
>
> Here is the stacktrace from valgrind:
> [...]
> --> In function ldap_close_handle I call ldap_unbind_ext_s(ld, NULL, NULL).
>
> The connection is built with ldap_initialize(&ld, config.ldap_url) and
> ldap_start_tls_s(ld, NULL, NULL). Options set with ldap_set_option() are
> LDAP_OPT_X_TLS_REQUIRE_CERT to 2 (LDAP_OPT_X_TLS_DEMAND) and
> LDAP_OPT_X_TLS_CACERTFILE set to all SSL CA certificates
> (/etc/ssl/certs/ca-certificates.crt). I run the ldap_unbind_ext_s command (for
> test purposes) shortly after the start_tls command is finished.
> When I use ldap_sasl_interactive_bind_s with DIGEST-MD5 instead of
> ldap_start_tls_s, the warning doesn't appear. When I use both, TLS and SASL, the
> warning also appears.
>
> My computer is running Ubuntu 16.04.3 LTS (uname: 4.4.0-97-generic x86_64) with
> libldap-2.4-2 (2.4.42+dfsg-2ubuntu3.2) and libgnutls30 (3.4.10-4ubuntu1.4). I
> also tested it with the newest Ubuntu Artful Aardvark and the newest openldap
> (2.4.45+dfsg-1ubuntu1) and gnutls (3.5.8-6ubuntu3) releases, but it didn't have any
> effect in my case.
>
> I also tried to compile openldap against openssl to see if it might be a
> gnutls bug, but the invalid file descriptor occurs again. The lower valgrind
> stacktrace is done with openldap 2.4.45 and openssl 1.0.2g on the newest Artful
> Aardvark 17.10.
> [...]
Yes, it looks like the main SockBuf closing is run twice, once in
ldap_free_connection and once directly in ldap_ld_free. I think we don't
enforce that SockBuf implementations set sb_fd != AC_SOCKET_INVALID, so
not sure yet if we can gate calling sb_close on that or something else.
I'll see if there's a way to make this work better.
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
On Wed, May 08, 2019 at 01:31:48PM +0000, ondra(a)mistotebe.net wrote:
> On Mon, Jan 22, 2018 at 11:57:38PM +0000, ondra(a)mistotebe.net wrote:
>> On Mon, Jan 22, 2018 at 09:59:21PM +0000, quanah(a)openldap.org wrote:
>>> After doing conversion, the resulting cn=config database has *two* ldap backends
>>> defined:
>>>
>>> dn: olcDatabase={-1}frontend,cn=config
>>> dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
>>> dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf
>>
>> This is the catchall database used to handle referrals that are not
>> handled by any other database you configure by hand. It collects all the
>> chain-* settings that appear before the first chain-uri.
>>
>>> dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf
>>>
>>> The first instance ({0}ldap,...) isn't even valid. If you remove the entire
>>> chain configuration from this database, and then attempt to import it, you get
>>> the following:
>>
>> Yeah that is a problem.
>
> Turns out the problem is different yet. When the overlay is started up
> after adding its entry, it generates a default backend internally. On
> adding the above backend it now thinks it has a default one already (even
> though there is no entry for it yet) and rejects it.
There is now a patch here that exploits the above to know if the common
backend has been added from slapd.conf/explicitly or implicitly like in
the original report.
https://github.com/mistotebe/openldap/tree/its8799
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
--On Thursday, July 27, 2017 1:04 AM +0000 papachoco(a)gmail.com wrote:
> I am getting the error below while compiling openldap 2.4.45 on the
> latest macOS sierra (10.12.6). I am only setting two configuration options
>
> configure-options =
> --disable-slapd
> --disable-slurpd
>
> Undefined symbols for architecture x86_64:
> "_ERR_remove_thread_state", referenced from:
> _tlso_destroy in libldap.a(tls_o.o)
Hello,
What version of OpenSSL were you linking against?
Thanks!
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Full_Name: Quanah Gibson-Mount
Version: OpenLDAP 2.4
OS: 2.4.47
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.128.44)
Per the slapadd man page:
-S SID Server ID to use in generated entryCSN. Also used for contextCSN
if -w is set as well. Defaults to 0.
However, if this is run against an export that already has entryCSN values in
the entries, those values are not updated. This is problematic when wanting to
update a database from single provider (SID0) to MMR (SID1+).
I generally think that if the -S option is provided and is non-zero, all
entryCSN values that currently have a "0" serverID in the entryCSN field should
be updated to the specified -S value.
In the above case, it would be critical to additionally flag -w on the end user
part.
This helps to clean up data when doing migrations.
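The rewrite proposed above, done offline on the LDIF export before it is loaded, as an added example that is not slapadd's code or any OpenLDAP patch. It relies on the documented CSN layout (`timestamp#count#sid#mod`, with the serverID as three hex digits) and assumes the export never folds or base64-encodes CSN values, which slapcat does not do for these short ASCII attributes. The sample LDIF is constructed; the `with_context` flag plays the role the report gives to `-w`.

```python
import re
from typing import Iterable, List

# CSN layout used by OpenLDAP entryCSN/contextCSN values:
#   <timestamp>#<count>#<sid>#<mod>
#   20190517163712.123456Z#000000#000#000000
# timestamp: 14 digits, '.', 6 digits, 'Z'; count and mod: 6 hex digits;
# sid: 3 hex digits, the serverID (0 on a single provider, 1+ in MMR).
CSN_RE = re.compile(
    r"^(?P<ts>\d{14}\.\d{6}Z)#(?P<count>[0-9a-fA-F]{6})#"
    r"(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$"
)

# Attribute lines that may be rewritten. Base64 ("::") and folded values
# are not handled: assumption that the export keeps CSNs on one plain line.
ATTR_RE = re.compile(r"^(?P<attr>entryCSN|contextCSN):\s*(?P<val>\S+)\s*$", re.I)


def rewrite_csn(csn: str, new_sid: int) -> str:
    """Return csn with its serverID field set to new_sid, but only when the
    existing serverID is 0; a CSN that already carries a non-zero SID was
    written by another provider and must be left alone."""
    if not 1 <= new_sid <= 0xFFF:
        raise ValueError("new_sid must be a non-zero 12-bit serverID")
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"not a valid CSN: {csn!r}")
    if int(m.group("sid"), 16) != 0:
        return csn
    return f"{m.group('ts')}#{m.group('count')}#{new_sid:03x}#{m.group('mod')}"


def rewrite_ldif(lines: Iterable[str], new_sid: int, with_context: bool = False) -> List[str]:
    """Apply rewrite_csn to every entryCSN line of an LDIF export, and to
    contextCSN lines too when with_context is set (the -w analogue).
    Every other line passes through unchanged."""
    out: List[str] = []
    for line in lines:
        m = ATTR_RE.match(line)
        if m is None:
            out.append(line)
            continue
        attr = m.group("attr")
        if attr.lower() == "contextcsn" and not with_context:
            out.append(line)
            continue
        out.append(f"{attr}: {rewrite_csn(m.group('val'), new_sid)}")
    return out


# Constructed sample export: the first entry is still stamped by SID 0, the
# second was already written by serverID 1 and must not be touched.
SAMPLE_LDIF = """\
dn: dc=example
objectClass: dcObject
dc: example
entryCSN: 20190517163712.123456Z#000000#000#000000
contextCSN: 20190517163712.123456Z#000000#000#000000

dn: uid=user1,ou=People,dc=example
objectClass: inetOrgPerson
uid: user1
entryCSN: 20190601120000.000000Z#000000#001#000000
"""


def demo() -> List[str]:
    """Rewrite the sample for a new serverID of 2, contextCSN included."""
    return rewrite_ldif(SAMPLE_LDIF.splitlines(), new_sid=2, with_context=True)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it over a `slapcat` output, then load the result with `slapadd` on the new provider; the script refuses a serverID of 0, matching the "non-zero" condition in the proposal, and never downgrades a CSN that already names another server.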
Thank you, this case can be closed. Appreciate all your help and clarification. Thanks again.
Thank you,
Darshankumar Mistry
darshankmistry(a)yahoo.com

On Friday, May 10, 2019, 1:53:16 PM PDT, Howard Chu <hyc(a)symas.com> wrote:

darshankmistry(a)yahoo.com wrote:
> Thank you very much for the quick response and the openldap behavior configuration.
> How can we ignore the server name in the subject of the certificate, so I can
> use the LDAP server IP address instead of the host name?
> Also want to know if there is any open CVE which says it is a vulnerability
> to use the LDAP server IP address instead of the name in the ldap configuration.
Add the IP address in a subjectAlternativeName extension to your server certificate.
The behavior here is specified in RFC4513.
>
> Thank you,
> Darshankumar Mistry
> darshankmistry(a)yahoo.com
>
> On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount <quanah@symas.com> wrote:
>
> --On Friday, May 10, 2019 8:52 PM +0000 darshankmistry(a)yahoo.com wrote:
>
>> Full_Name: Darshankumar Mistry
>> Version:
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>>
>>
>> I would like to know why OpenLDAP behavior was changed so that we must
>> configure the FQDN mentioned in the certificate in order for LDAP
>> authentication to work... otherwise TLS start fails.
>
> OpenLDAP has worked this way since I first started using it in 2002. This
> behavior is nothing new. And this is the correct behavior.
>
> This ITS will be closed.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
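The identity check Howard refers to, as an added example that is not libldap's own code (the real comparison lives in the library's TLS back-ends). It is a simplified model of the RFC 4513 section 3.1.3 rules as I read them: an IP reference identity can only be satisfied by an iPAddress subjectAltName entry, a hostname is compared against dNSName entries (case-insensitively, with `*` honoured only as the whole left-most label), and the subject CN is consulted only when the certificate carries no dNSName entry. The certificate contents below are constructed: `simby.example` from the report above and the documentation address `192.0.2.10`; they show why a client that connects by IP fails against a certificate whose only name is the FQDN, and passes once an iPAddress SAN is added.

```python
import ipaddress
from typing import List, Optional, Tuple

# A SAN entry is (type, value), with type "dNSName" or "iPAddress",
# as it would be read out of the server certificate.
SanList = List[Tuple[str, str]]


def dns_name_matches(pattern: str, host: str) -> bool:
    """dNSName comparison: case-insensitive; a '*' wildcard is accepted only
    as the complete left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels = p.split(".")
    h_labels = h.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard elsewhere, or mixed into a label: reject
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def server_identity_matches(reference: str, san: SanList, subject_cn: Optional[str]) -> bool:
    """Decide whether the identity the client connected with (a hostname or
    an IP literal, optionally in [] for IPv6) is one the certificate asserts.
    - IP literal: only an iPAddress SAN can match it; the subject CN is not
      consulted for IP addresses in this model.
    - hostname: dNSName SANs are authoritative when present; the subject CN
      is used only when the certificate carries no dNSName SAN."""
    try:
        ref_ip = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        for kind, value in san:
            if kind != "iPAddress":
                continue
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True
            except ValueError:
                continue  # malformed SAN value: cannot match anything
        return False
    dns_names = [v for k, v in san if k == "dNSName"]
    if dns_names:
        return any(dns_name_matches(n, reference) for n in dns_names)
    return subject_cn is not None and dns_name_matches(subject_cn, reference)


# Constructed certificate contents for the server "simby.example":
# before the fix only a dNSName is present; after it, an iPAddress as well.
SUBJECT_CN = "simby.example"
CERT_BEFORE: SanList = [("dNSName", "simby.example")]
CERT_AFTER: SanList = [("dNSName", "simby.example"), ("iPAddress", "192.0.2.10")]


def demo() -> dict:
    """Outcome of connecting by FQDN and by IP against both certificates."""
    return {
        "fqdn/before": server_identity_matches("simby.example", CERT_BEFORE, SUBJECT_CN),
        "ip/before": server_identity_matches("192.0.2.10", CERT_BEFORE, SUBJECT_CN),
        "fqdn/after": server_identity_matches("simby.example", CERT_AFTER, SUBJECT_CN),
        "ip/after": server_identity_matches("192.0.2.10", CERT_AFTER, SUBJECT_CN),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'NO MATCH'}")
```

With OpenSSL the "after" certificate is produced by adding `subjectAltName = DNS:simby.example, IP:192.0.2.10` (constructed values) to the extensions used when the server certificate is issued; the client then keeps `TLS_REQCERT demand` and still verifies the name, which is the point of the RFC 4513 rule rather than something to switch off.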
> =3D3D"font-family:verdana, helvetica, sans-serif;font-size:13px;">&=
lt;div><div>t=3D<br></div><div dir=3D"ltr">> hank you very much=
for quick response and openldap behavior configuration.&=3D<br></div><=
div dir=3D"ltr">> nbsp;</div><div><br></div><=
div>how we can ignore to look server name in sub=3D<br></div><div dir=3D=
"ltr">> ject of certificate so I can use LDAP server ip address instead =
of host nam=3D<br></div><div dir=3D"ltr">> e?&nbsp;</div><d=
iv><br></div><div>Also want to know if there is any op=
en CV=3D<br></div><div dir=3D"ltr">> E which says it is vulnerabilities =
to use LDAP server ip address instead of=3D<br></div><div dir=3D"ltr">>&=
nbsp; name in ldap configuration.&nbsp;</div><div><br>=
;</div><div><br></div><div>=3D<br></div><div =
dir=3D"ltr">> <br></div><div class=3D3D"ydpf9876065signat=
ure"><div><span class=3D3D"ydpf98760=3D<br></div><div dir=3D"lt=
r">> 65yui_3_7_2_102_1375813203128_121" style=3D3D"font-family:arial, sa=
ns-serif;c=3D<br></div><div dir=3D"ltr">> olor:rgb(80, 0, 80);">Thank=
you,</span><br class=3D3D"ydpf9876065yui_3_7_2_10=3D<br></div><di=
v dir=3D"ltr">> 2_1375813203128_122" style=3D3D"font-family:arial, sans-=
serif;color:rgb(80, 0=3D<br></div><div dir=3D"ltr">> , 80);"><span=
class=3D3D"ydpf9876065yui_3_7_2_102_1375813203128_123" style=3D3D=3D<br></=
div><div dir=3D"ltr">> "font-family:arial, sans-serif;color:rgb(80, 0, 8=
0);">Darshankumar Mistry</=3D<br></div><div dir=3D"ltr">> span>=
<br class=3D3D"ydpf9876065yui_3_7_2_102_1375813203128_124" style=3D3D"fo=
nt=3D<br></div><div dir=3D"ltr">> -family:arial, sans-serif;color:rgb(80=
, 0, 80);"><a href=3D3D"mailto:darshank=3D<br></div><div dir=3D"ltr">=
> <a href=3D"mailto:mistry@yahoo.com" rel=3D"nofollow" target=3D"_blank"=
>mistry(a)yahoo.com</a>" class=3D3D"ydpf9876065yui_3_7_2_102_1375813203128_12=
5" styl=3D<br></div><div dir=3D"ltr">> e=3D3D"color:rgb(17, 85, 204);fon=
t-family:arial, sans-serif;" rel=3D3D"nofollow=3D<br></div><div dir=3D"ltr"=
>> " target=3D3D"_blank"><a href=3D"mailto:darshankmistry@yahoo.com" =
rel=3D"nofollow" target=3D"_blank">darshankmistry(a)yahoo.com</a></a>&l=
t;br></div></div></div><br></div><div dir=3D"ltr">>=
<div><br></div><div>&l=
t;br></div><br></div><div dir=3D"ltr">> &nb=
sp; =3D20<br></div><div dir=3D"ltr">> </d=
iv><div id=3D3D"ydpb3d55fc2yahoo_quoted_7562650282" class=3D3D"ydpb3=
=3D<br></div><div dir=3D"ltr">> d55fc2yahoo_quoted"><br></div><div di=
r=3D"ltr">> <div style=3D3D=
"font-family:'Helvetica Neue', Helvetica, Arial, s=3D<br></div><div dir=3D"=
ltr">> ans-serif;font-size:13px;color:#26282a;"><br></div><div dir=3D=
"ltr">> =3D20<br>=
</div><div dir=3D"ltr">> =
<div><br></div><div dir=3D"ltr">> &nb=
sp; On Friday, May 10, 2019, 12:=
58:38 PM PDT, Quanah Gibson=3D<br></div><div dir=3D"ltr">> -Mount &l=
t;<a href=3D"mailto:quanah@symas.com" rel=3D"nofollow" target=3D"_blank">qu=
anah(a)symas.com</a>&gt; wrote:<br></div><div dir=3D"ltr">> &nbs=
p; </div><br></div><div di=
r=3D"ltr">> <=
div><br></div><br></div><div dir=3D"ltr">> &=
nbsp; <div><br></div>=
<br></div><div dir=3D"ltr">> &n=
bsp; <div>--On Friday, May 10, 2019 8:52 PM +0000 <a href=
=3D3D"mai=3D<br></div><div dir=3D"ltr">> lto:<a href=3D"mailto:darshankm=
istry(a)yahoo.com" rel=3D"nofollow" target=3D"_blank">darshankmistry(a)yahoo.co=
m</a>" rel=3D3D"nofollow" target=3D3D"_blank">darshankmi=3D<br></div><di=
v dir=3D"ltr">> <a href=3D"mailto:stry@yahoo.com" rel=3D"nofollow" targe=
t=3D"_blank">stry(a)yahoo.com</a></a> wrote:<br><br>&gt=
; Full_Name: Darshankumar Mistry<br>&gt=3D<br></div><div dir=3D"l=
tr">> ; Version:<br>&gt; OS:<br>&gt; URL: <a href=
=3D3D"<a href=3D"ftp://ftp.openldap.org/incom=3D" rel=3D"nofollow" target=
=3D"_blank">ftp://ftp.openldap.org/incom=3D</a><br></div><div dir=3D"ltr">&=
gt; ing/" rel=3D3D"nofollow" target=3D3D"_blank"><a href=3D"ftp://ftp.op=
enldap.org/incoming/" rel=3D"nofollow" target=3D"_blank">ftp://ftp.openldap=
.org/incoming/</a></=3D<br></div><div dir=3D"ltr">> a><br>&a=
mp;gt; Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)<b=
=3D<br></div><div dir=3D"ltr">> r>&gt;<br>&gt;<br>=
;&gt; I would like to know why Open LDAP behavior was chan=3D<br></div>=
<div dir=3D"ltr">> ged where we must<br>&gt; have to configure=
FQDN name mentioned in certific=3D<br></div><div dir=3D"ltr">> ate in o=
rder to work LDAP<br>&gt; authentication... else TLS start failin=
g.=3D<br></div><div dir=3D"ltr">> <br><br>OpenLDAP has worke=
d this way since I first started using it in 2002=3D<br></div><div dir=3D"l=
tr">> .&nbsp; This <br>behavior is nothing new.&nbsp; And =
this is the correct beh=3D<br></div><div dir=3D"ltr">> avior.<br>&=
lt;br>This ITS will be closed.<br><br>--Quanah<br><=
br><br>--<br><br=3D<br></div><div dir=3D"ltr">>> Qu=
anah Gibson-Mount<br>Product Architect<br>Symas Corporation<=
br>Packaged,=3D<br></div><div dir=3D"ltr">> certified, and supp=
orted LDAP solutions powered by OpenLDAP:<br>&lt;<a hre=3D<br>=
</div><div dir=3D"ltr">> f=3D3D"<a href=3D"http://www.symas.com" rel=3D"=
nofollow" target=3D"_blank">http://www.symas.com</a>" rel=3D3D"nofollow" ta=
rget=3D3D"_blank"><a href=3D"http://www.sy=3D" rel=3D"nofollow" target=
=3D"_blank">http://www.sy=3D</a><br></div><div dir=3D"ltr">> mas.com<=
/a>&gt;<br><br></div><br></div><div dir=3D"ltr">&g=
t; </div><br></div><div dir=
=3D"ltr">> </div></body></htm=
l><br></div><div dir=3D"ltr">> ------=3D_Part_545863_1662769086.15575=
20342175--<br></div><div dir=3D"ltr">> <br></div><div dir=3D"ltr">> <=
br></div><div dir=3D"ltr">> <br></div><div dir=3D"ltr">> <br></div><d=
iv dir=3D"ltr"><br></div><div dir=3D"ltr"><br></div><div dir=3D"ltr">-- <br=
></div><div dir=3D"ltr"> -- Howard Chu<br></div><div dir=3D"ltr">&nbs=
p; CTO, Symas Corp. <a href=3D"http://ww=w.symas.com" rel=3D"nofollow" target=3D"_blank">http://www.symas.com</a><br=
></div><div dir=3D"ltr"> Director, Highland Sun <a href=
=3D"http://highlandsun.com/hyc/" rel=3D"nofollow" target=3D"_blank">http://=
highlandsun.com/hyc/</a><br></div><div dir=3D"ltr"> Chief Architect, =
OpenLDAP <a href=3D"http://www.openldap.org/project/" rel=3D"nofollow=
" target=3D"_blank">http://www.openldap.org/project/</a><br></div></div>
</div>
</div></body></html>
------=_Part_582781_95096894.1557523728570--
darshankmistry(a)yahoo.com wrote:
>
> Thank you very much for the quick response and the openldap behavior configuration.
>
> How can we ignore the server name in the subject of the certificate, so I can use the LDAP server IP address instead of the host name?
> Also, I want to know if there is any open CVE which says it is a vulnerability to use the LDAP server IP address instead of the name in the ldap configuration.
Add the IP address in a subjectAlternativeName extension to your server certificate.

The behavior here is specified in RFC 4513.
>
>
> Thank you,
> Darshankumar Mistry
> darshankmistry(a)yahoo.com
>
>
> On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount <quanah@symas.com> wrote:
>
> --On Friday, May 10, 2019 8:52 PM +0000 darshankmistry(a)yahoo.com wrote:
>
>> Full_Name: Darshankumar Mistry
>> Version:
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>>
>>
>> I would like to know why the OpenLDAP behavior was changed so that we
>> must configure the FQDN mentioned in the certificate in order for LDAP
>> authentication to work... else TLS starts failing.
>
> OpenLDAP has worked this way since I first started using it in 2002. This
> behavior is nothing new. And this is the correct behavior.
>
> This ITS will be closed.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
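The server identity check that this thread turns on, written out as an added example (it is not OpenLDAP code and not from anyone in the thread). It follows the RFC 4513 section 3.1.3 comparison rules: the reference identity is the host exactly as the client configured it, an IP reference is compared in binary against iPAddress subjectAltName entries only, a DNS reference is compared case-insensitively against dNSName entries with a wildcard allowed only in the leftmost label, and the CN of the subject is consulted only as a deprecated fallback when the certificate carries no dNSName entry at all (that precedence rule, the `ServerCert` stand-in for a parsed certificate, and the constructed certificates are assumptions of this example). The constructed `CERT_NAME_ONLY` case is the situation in the thread: a certificate with only a DNS name fails when the client is configured with an IP address, and `CERT_WITH_IP_SAN` is the fix Howard describes.

```python
"""RFC 4513 section 3.1.3 style server identity check (added example, not
OpenLDAP's implementation).  Shows why a client configured with an IP
address needs an iPAddress subjectAltName on the server certificate."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """Stand-in for the identity fields of a parsed X.509 certificate
    (an assumption of this example; a real client reads them from the cert)."""
    common_name: Optional[str]
    dns_names: List[str] = field(default_factory=list)     # dNSName SAN entries
    ip_addresses: List[str] = field(default_factory=list)  # iPAddress SAN entries, textual


def _dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive DNS name comparison.  A '*' is accepted only as the
    entire leftmost label and matches exactly one label (RFC 4513 wildcard rule)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    n_labels = name.lower().rstrip(".").split(".")
    if len(p_labels) != len(n_labels):
        return False
    if p_labels[0] == "*":
        # A bare '*' with nothing to the right never matches.
        return len(p_labels) >= 2 and p_labels[1:] == n_labels[1:] and n_labels[0] != ""
    return p_labels == n_labels


def _as_ip(reference: str):
    """Return an ip_address object if the reference is an IP literal, else None."""
    try:
        return ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        return None


def identity_matches(cert: ServerCert, reference: str) -> bool:
    """reference is the host (DNS name or IP literal) from the client's LDAP URI,
    exactly as configured; it must never be replaced by a reverse-lookup result."""
    ref_ip = _as_ip(reference)
    if ref_ip is not None:
        # IP reference: binary comparison against iPAddress SAN entries only.
        # Neither a dNSName entry nor the CN can satisfy an IP reference here.
        return any(ipaddress.ip_address(ip).packed == ref_ip.packed
                   for ip in cert.ip_addresses)
    if cert.dns_names:
        # dNSName entries are present and authoritative; the CN is not consulted.
        return any(_dns_match(d, reference) for d in cert.dns_names)
    # No dNSName SAN at all: deprecated fallback to the subject CN.
    return cert.common_name is not None and _dns_match(cert.common_name, reference)


# Constructed certificates for the example (not real certificates).
CERT_NAME_ONLY = ServerCert(common_name="ldap.example.com",
                            dns_names=["ldap.example.com"])
CERT_WITH_IP_SAN = ServerCert(common_name="ldap.example.com",
                              dns_names=["ldap.example.com"],
                              ip_addresses=["192.0.2.10", "2001:db8::10"])
CERT_WILDCARD = ServerCert(common_name="*.example.com",
                           dns_names=["*.example.com"])
CERT_CN_ONLY = ServerCert(common_name="ldap.example.com")


if __name__ == "__main__":
    # The thread's failure, then the fix: same IP, with and without an IP SAN.
    print("name-only cert, client uses IP :", identity_matches(CERT_NAME_ONLY, "192.0.2.10"))
    print("cert with IP SAN, client uses IP:", identity_matches(CERT_WITH_IP_SAN, "192.0.2.10"))
```

The check is deliberately strict in one direction: putting the IP address in the CN does not help, because an IP reference is only ever compared with iPAddress entries, which is why the fix is an IP subjectAltName rather than a different CN.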