https://bugs.openldap.org/show_bug.cgi?id=7089
Ondřej Kuzník <ondra(a)mistotebe.net> changed:

What     | Removed | Added
---------|---------|-----------------------------------------------
See Also |         | https://bugs.openldap.org/show_bug.cgi?id=9813
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9810
Issue ID: 9810
Summary: slapacl peername
Product: OpenLDAP
Version: 2.4.59
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ratness(a)gmail.com
Target Milestone: ---
Found in 2.4.59 on a $WORK system, replicated in 2.6.1:

[root@centos-s-1vcpu-1gb-ams3-01 ~]# rpm -qf /opt/symas/sbin/slapacl
symas-openldap-servers-2.6.1-2.el7.x86_64

This is a box where I don't even have slapd running, but that's okay because my
point is visible without it:

[root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F /etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername.ip=127.0.0.1 entry/read
usage: slapacl [-v] [-d debuglevel] [-f configfile] [-F configdir] [-o <name>[=<value>]]
        [-U authcID | -D authcDN] [-X authzID | -o authzDN=<DN>]
        -b DN [-u] [attr[/access][:value]] [...]
When I ask for `-o peername.ip=127.0.0.1` the `slapacl` command bails out with
usage, indicating a parse failure.
If I then run `slapacl` with `-o peername=ip=127.0.0.1`, I get:
[root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F /etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername=ip=127.0.0.1 entry/read
invalid config directory /etc/openldap/slapd.d, error 2
slapacl: bad configuration directory!

(which I would expect here since I have no server running)
Demo on 2.4.59 at work:

$ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D uid=replicator,ou=logins,dc=example -b 'mail=me(a)example.com,o=com,dc=mozilla' -o peername=ip=127.0.0.1 entry/read
authcDN: "uid=replicator,ou=logins,dc=example"
read access to entry: ALLOWED

$ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D uid=replicator,ou=logins,dc=example -b 'mail=me(a)example.com,o=com,dc=mozilla' -o peername=ip=127.0.0.2 entry/read
authcDN: "uid=replicator,ou=logins,dc=example"
read access to entry: DENIED
slapacl(8) mentions peername, but also points us at slapd.access(5), which lists
peername[.<peernamestyle>].
It's possible I'm dense and this isn't a bug, but minimally the repeated equals
sign is really awkward to my eye. I'd suggest at least an example in
slapacl(8) so it's easier to figure out.
https://bugs.openldap.org/show_bug.cgi?id=9807
Issue ID: 9807
Summary: Cannot enable {ARGON2} passwd scheme support
Product: OpenLDAP
Version: unspecified
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: build
Assignee: bugs(a)openldap.org
Reporter: gregory.widmer(a)gwidmer.fr
Target Milestone: ---
Created attachment 881
--> https://bugs.openldap.org/attachment.cgi?id=881&action=edit
Trace of every executed command.
I want to build OpenLDAP with argon2 support. Unfortunately, it doesn't work
and I don't understand why. It seems to be a build issue.
Here is how to reproduce the issue:
I'm using a fresh install of Debian 11.
The following packages were installed for this:
- libargon2-dev
- libltdl-dev
- git
- build-essential
I am using the master branch of the git repository:
https://git.openldap.org/openldap/openldap/-/commit/e8813b12b6188d5ba5f174f…
I'm using root, and the repo is under /root/openldap.
My objective is to:
- Run slapd with {ARGON2} support
- Set {ARGON2} as password-hash
- Use slappasswd to create a password for LDAP admin in slapd.conf
I ran the following commands:
- apt install libltdl-dev libargon2-dev git build-essential -y
- ./configure --with-argon2=libargon2 --enable-modules --enable-argon2=yes
- make depend
- make
- make check
- make install
I then created a systemd service for slapd, reloaded daemons with systemctl
then started the service.
I got the following error :
@(#) $OpenLDAP: slapd 2.X (Mar 12 2022 15:31:06) $
        root@ldap:/root/openldap/servers/slapd
/usr/local/etc/openldap/slapd.conf: line 65: <password-hash> scheme not available ({ARGON2})
/usr/local/etc/openldap/slapd.conf: line 65: <password-hash> no valid hashes found
slapd stopped.
connections_destroy: nothing to destroy.
I don't understand how to build openldap with argon2. I did not find anything.
You will find a global trace file for every command used with the program.
https://bugs.openldap.org/show_bug.cgi?id=9805
Issue ID: 9805
Summary: member attributes managed by autogroup are lost when user attributes are adjusted
Product: OpenLDAP
Version: 2.4.59
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: contrib
Assignee: bugs(a)openldap.org
Reporter: michael.bobzin(a)baloise.ch
Target Milestone: ---
Hello OpenLDAP Team,
we use nested groups in our OpenLDAP directory.
User X is a member of group A.
Group A is a member of group B.
User X is therefore also a member of group B.
To be able to find out all groups of user X with only one LDAP query
we use the dynlist overlay together with the autogroup overlay.
Group B is a dynamic group whose member attributes are set with autogroup,
to allow a search for members.
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch" "(member=cn=userx,ou=users,dc=basler,dc=ch)" dn
Result:
cn=groupA,ou=groups,dc=basler,dc=ch
cn=groupB,ou=groups,dc=basler,dc=ch
----- Group A ----------------------------------------------------------
dn: cn=groupA,ou=groups,dc=basler,dc=ch
cn: groupA
objectClass: top
objectClass: groupOfNames
member: cn=userX,ou=users,dc=basler,dc=ch
----- Group B ----------------------------------------------------------
dn: cn=groupB,ou=groups,dc=basler,dc=ch
cn: groupB
objectClass: top
objectClass: groupOfURLs
memberURL: ldap:///ou=groups,dc=basler,dc=ch?member?one?(cn=groupA)
# managed by autogroup
member: cn=userX,ou=users,dc=basler,dc=ch
-----------------------------------------------------------------------
This works until any attribute in the userX object is changed.
The member attribute for userX created dynamically by autogroup is then deleted
from groupB, although userX is still a member of groupA and therefore still
matches the search in the memberURL attribute of groupB.
The expected behaviour would be that the member attribute in groupB remains
unchanged.
----------- configuration --------------------------
OpenLDAP 2.4.59 from https://www.ltb-project.org/download.html
--------------- slapd.conf -------------------------
...
moduleload dynlist
moduleload autogroup.so
...
include /usr/local/openldap/etc/openldap/local-schema/dyngroup.schema
...
overlay dynlist
dynlist-attrset groupOfURLs memberURL
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
https://bugs.openldap.org/show_bug.cgi?id=9497
Issue ID: 9497
Summary: back-ldif: test022-ppolicy failure
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: backends
Assignee: bugs(a)openldap.org
Reporter: hamano(a)osstech.co.jp
Target Milestone: ---
The test022-ppolicy with back-ldif fails for two issues.
1. too short pwdMaxAge
~~~
$ ./run -b ldif test022-ppolicy
(snip)
Testing password expiration
Waiting seconds for password to expire...
sleep: missing operand
Try 'sleep --help' for more information.
Password expiration test failed
~~~
The script runs a test for lockout and then a test for password expiration.
It will fail if the password has already expired (pwdMaxAge: 30) by the time it
starts the password expiration test.
This is a timing issue and not directly caused by back-ldif.
However, in my environment the issue is reproduced only with back-ldif.
The test passed in my environment after extending pwdMaxAge by 5 seconds, but
there may be a better way.
2. duplicate ldap control response
~~~
Reconfiguring policy to remove grace logins...
Clearing forced reset...
expr: syntax error: unexpected argument '15'
Testing password expiration
Waiting seconds for password to expire...
sleep: missing operand
Try 'sleep --help' for more information.
~~~
This is a back-ldif issue.
back-ldif returns a duplicate LDAP control response.
https://bugs.openldap.org/show_bug.cgi?id=5840
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What   | Removed  | Added
-------|----------|---------
Status | RESOLVED | VERIFIED
https://bugs.openldap.org/show_bug.cgi?id=5840
Howard Chu <hyc(a)openldap.org> changed:
What       | Removed     | Added
-----------|-------------|----------
Status     | UNCONFIRMED | RESOLVED
Resolution | ---         | DUPLICATE
--- Comment #12 from Howard Chu <hyc(a)openldap.org> ---
(In reply to Ondřej Kuzník from comment #11)
> Is this resolved with ITS#8958?
Yes
*** This issue has been marked as a duplicate of issue 8958 ***
https://bugs.openldap.org/show_bug.cgi?id=8958
Howard Chu <hyc(a)openldap.org> changed:
What | Removed | Added
-----|---------|--------------------
CC   |         | ralf(a)openldap.org
--- Comment #42 from Howard Chu <hyc(a)openldap.org> ---
*** Issue 5840 has been marked as a duplicate of this issue. ***
https://bugs.openldap.org/show_bug.cgi?id=5840
--- Comment #11 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
Is this resolved with ITS#8958?
https://bugs.openldap.org/show_bug.cgi?id=9798
Issue ID: 9798
Summary: Clearing pending ops on Bind
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
Some context first.
The only universal way of resetting an arbitrary (SASL) bind in progress, at
least in my reading of RFC4511, is to send an anonymous bind op, so that's what
the load balancer does when needed (the client goes away, etc.).
Incidentally, this is also what the balancer chooses to do when the pending
bind needs to be "abandoned" because the backend doesn't respond within a
configured timeout. That's skating the edge of what RFC4511 allows, probably
just past it.
The issue:
When slapd receives a bind and another operation X (lloadd sends the above
mentioned "reset" bind) before that first bind starts processing, X gets added
into conn->c_ops_pending and does c_n_pending_ops++. Bind then eventually
invokes connection_abandon which forgets to zero out c_n_pending_ops and the
connection remains unusable forever. On the surface that's trivial to fix and a
fix is coming.
On the other hand, operation X in the pending list is actually discarded too,
so that kind of defeats the idea of trying to "abandon" the original bind and
completely reset the connection state. Question is, do we want to retain the
last bind in the pending list or does the balancer have to destroy the
connection unconditionally when a bind times out?
https://bugs.openldap.org/show_bug.cgi?id=8524
--- Comment #3 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
Just like with attribute and objectclass definitions, these are stored under
cn=schema,cn=config as the file that defined them or directly in cn=config if
defined in slapd.conf directly (as you're doing here). Maybe keep them in a
file that you also include.
Don't know if we should document this behaviour or change it in some way.
https://bugs.openldap.org/show_bug.cgi?id=7441
--- Comment #2 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
The inconsistency part comes from bconfig not implementing be_compare. Instead,
it relies on the frontend implementation, so while search goes through
test_filter->...->ordered_value_match and other backends use slap_compare_entry
which triggers the same, frontend's compare gets the actual values through
backend_attribute and then calls value_find_ex, which doesn't care about
SLAP_AT_ORDERED.
Afterwards, allowing attr={index} assertions to match attr={index}value and
attr={index}value to match itself only should be possible by adapting
ordered_value_match (and value_find_ex or whatever we end up calling from the
frontend).
https://bugs.openldap.org/show_bug.cgi?id=9748
Issue ID: 9748
Summary: Deleted values of pwdFailureTime seem to reappear
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
Created attachment 854
--> https://bugs.openldap.org/attachment.cgi?id=854&action=edit
accesslog for uid=dm01-R2H2-956,ou=People,dc=example,dc=com
Somehow, ppolicy seems to be able to reference values of pwdFailureTime that
had been deleted before the actual bind even started. In the attached
accesslog trace, deletion of everything (including "20211115154510.478330Z")
is recorded from reqSession: 3, then a bind comes in and the same value is
explicitly removed again.
https://bugs.openldap.org/show_bug.cgi?id=9800
Issue ID: 9800
Summary: ACL with set.expand in <who> clause does not work with deref control
Product: OpenLDAP
Version: 2.6.1
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: michael(a)stroeder.com
Target Milestone: ---
This ACL returns correct values with a normal search requesting the attribute
sudoUser:
access to
dn.subtree="ou=ae-dir"
attrs=sudoUser
val.regex="^%(.+)$"
by set.expand="(user/-1 | user/aeSrvGroup)/aeLoginGroups &
[ldap:///ou=ae-dir?entryDN?sub?(&(objectClass=aeGroup)(aeStatus=0)(cn=${v1}))]/entryDN"
read
by * none
But it does not work with a search like this using deref control:
ldapsearch -Q -E deref=aeVisibleSudoers:cn,sudoUser '(objectClass=aeSrvGroup)'
For completeness see docs and schema for aeSrvGroup:
https://www.ae-dir.com/docs.html#schema-oc-aeSrvGroup
https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/master/fi…
https://bugs.openldap.org/show_bug.cgi?id=7335
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What             | Removed           | Added
-----------------|-------------------|--------------------
Target Milestone | 2.6.2             | 2.7.0
Assignee         | hyc(a)openldap.org | bugs(a)openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9256
Bug ID: 9256
Summary: The ACLs required for SASL binding are not fully documented
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: kop(a)karlpinc.com
Target Milestone: ---
Created attachment 727
--> https://bugs.openldap.org/attachment.cgi?id=727&action=edit
Patch massaging the SASL binding requirement docs
While some ACL requirements for SASL binding are documented, some are not.
E.g., that olcAuthzRegexp requires =x on objectClass when direct DN mapping is
not documented. Other requirements can be reasoned out based on the existing
documentation, but this can be very difficult when unfamiliar with all the
moving parts and the places they are documented. E.g. knowing that
(objectClass=*) is the default filter, and that there's _always_ _some_ filter,
and connecting this with ACLs required to do search-based SASL mapping.
The attached patch brings all the SASL binding requirements together in one
place in the docs and makes everything explicit. The word "SASL" is included,
for those searching for that keyword.
I, Karl O. Pinc, hereby place the following modifications to OpenLDAP Software
(and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
https://bugs.openldap.org/show_bug.cgi?id=9731
Issue ID: 9731
Summary: startup messages still go to syslog when logfile-only is on
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
When setting logfile-only on, slapd still logs its startup message to syslog:
Oct 29 21:07:47 u18test slapd[18534]: @(#) $OpenLDAP: slapd 2.6.0 (Oct 29 2021 05:12:17) $#012#011openldap
This is useful information to have consolidated into the specified logfile.
Note that:
617c62a3.16f03fdb 0x7f9325ed67c0 slapd starting
does make it to the logfile. However, it would be useful to have the build
date and version in the specified logfile.
https://bugs.openldap.org/show_bug.cgi?id=6097
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What             | Removed | Added
-----------------|---------|------
Target Milestone | 2.6.2   | 2.7.0
https://bugs.openldap.org/show_bug.cgi?id=8255
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What       | Removed     | Added
-----------|-------------|---------
Resolution | ---         | FIXED
Status     | IN_PROGRESS | RESOLVED
--- Comment #12 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
RE26:
• 59605f9f
by Ondřej Kuzník at 2022-02-28T17:36:11+00:00
ITS#8255 Clarify "sockresps result" behaviour
https://bugs.openldap.org/show_bug.cgi?id=8255
--- Comment #11 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
head:
73e882c8
by Ondřej Kuzník at 2022-02-24T15:32:36+00:00
ITS#8255 Clarify "sockresps result" behaviour
https://bugs.openldap.org/show_bug.cgi?id=8753
--- Comment #14 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
On Mon, Feb 21, 2022 at 10:46:12AM +0000, openldap-its(a)openldap.org wrote:
> => The correct values for hashalgo should be described in the man-page.
Since this depends entirely on the crypto library at runtime, not sure
how we could do any better than saying "it depends", which is what I did
in that linked commit, now at
https://git.openldap.org/openldap/openldap/-/merge_requests/499
Can you suggest an alternate wording you think explains it better?
Thanks,
https://bugs.openldap.org/show_bug.cgi?id=8753
--- Comment #13 from Michael Ströder <michael(a)stroeder.com> ---
On 2/21/22 11:40, openldap-its(a)openldap.org wrote:
> See the (commented) lines in the test:
> https://code.stroeder.com/pymod/python-ldap0/src/branch/main/tests/test_lda…
Ok, I've looked into the tests for TLS_PEERKEY_HASHALG to make it work.
=> The correct values for hashalgo should be described in the man-page.
https://bugs.openldap.org/show_bug.cgi?id=8753
--- Comment #12 from Michael Ströder <michael(a)stroeder.com> ---
(In reply to Ondřej Kuzník from comment #11)
> It should be analogous to HTTP Public Key Pinning, that's why it's
> working with keys, not certificates.
Ah, ok.
For python-ldap0 tests I've used for generation the SHA-256 hash:
openssl rsa -in tests/tls/localhost.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
But it does not work (with libldap 2.6.1):
ldap0.CONNECT_ERROR: {'result': -11, 'desc': b'Connect error', 'ctrls': [], 'info': b'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}
See the (commented) lines in the test:
https://code.stroeder.com/pymod/python-ldap0/src/branch/main/tests/test_lda…
Assuming I got this right:
https://code.stroeder.com/pymod/python-ldap0/commit/1ec4ad7ada7388835d5df8c…
https://bugs.openldap.org/show_bug.cgi?id=8753
--- Comment #10 from Michael Ströder <michael(a)stroeder.com> ---
Is the key hash calculated over the raw public key? In which representation?
Why not use the TLS server cert's finger-print?
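Comments #10 and #12 both turn on what exactly the key hash is computed over. The Python below is an added example, not from this ITS thread or from libldap: it extracts the SubjectPublicKeyInfo from a DER certificate and derives the RFC 7469 (HPKP) style pin base64(SHA-256(SPKI)), which is the same byte string `openssl rsa -pubout -outform der` emits, so the pin matches the openssl pipeline in comment #12 and stays stable across a re-issue while the certificate fingerprint does not. The certificate is hand-built from DER TLVs for the demonstration (unsigned, not usable for TLS), and `make_cert`, `extract_spki` and `spki_pin_sha256` are names chosen here.

```python
import base64
import hashlib

def der_tlv(tag, body):
    """Encode one DER TLV; handles long-form lengths up to 65535 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: next (length & 0x7F) bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    _, cert, _ = read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, _ = read_tlv(cert, 0)       # tbsCertificate is the first element
    tag, _, after = read_tlv(tbs, 0)
    pos = after if tag == 0xA0 else 0   # skip the optional EXPLICIT [0] version
    for _ in range(5):                  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)      # subjectPublicKeyInfo, kept whole (tag + length + value)
    return tbs[pos:end]

def spki_pin_sha256(cert_der):
    """Public-key pin as in RFC 7469 / HPKP: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def cert_fingerprint_sha256(cert_der):
    """The certificate fingerprint: SHA-256 over the whole certificate DER."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed data for the demonstration: an rsaEncryption SPKI with a dummy
# modulus/exponent, wrapped in an unsigned, structurally valid certificate.
RSA_OID = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))
RSA_KEY = der_tlv(0x30, der_tlv(0x02, b"\x00\xc3" + bytes(31)) + der_tlv(0x02, b"\x01\x00\x01"))
SPKI = der_tlv(0x30, der_tlv(0x30, RSA_OID + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00" + RSA_KEY))
SIG_ALG = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
NAME = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x13, b"localhost"))))

def make_cert(serial, not_before, not_after, spki=SPKI):
    """Assemble Certificate DER; only serial and validity differ between re-issues."""
    validity = der_tlv(0x30, der_tlv(0x17, not_before) + der_tlv(0x17, not_after))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, serial)
                  + SIG_ALG + NAME + validity + NAME + spki)
    return der_tlv(0x30, tbs + SIG_ALG + der_tlv(0x03, b"\x00" + bytes(32)))  # dummy signature

OLD_CERT = make_cert(b"\x01", b"220101000000Z", b"230101000000Z")
NEW_CERT = make_cert(b"\x02", b"230101000000Z", b"240101000000Z")  # re-issued, same key
```

Comparing `spki_pin_sha256(OLD_CERT)` with `spki_pin_sha256(NEW_CERT)` gives the same pin, while `cert_fingerprint_sha256` differs for the two, which is the practical difference between pinning the key and pinning the certificate.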