On Mon, May 13, 2019 at 03:32:19PM +0000, ondra(a)mistotebe.net wrote:
> Yes, it looks like the main SockBuf closing is run twice, once in
> ldap_free_connection and once directly in ldap_ld_free. I think we don't
> enforce that SockBuf implementations set sb_fd != AC_SOCKET_INVALID, so
> not sure yet if we can gate calling sb_close on that or something else.
>
> I'll see if there's a way to make this work better.
There's a proposed patch at
https://github.com/mistotebe/openldap/tree/its8755
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
--On Wednesday, April 17, 2019 11:19 AM +0000 ondra(a)openldap.org wrote:
> Full_Name: Ondrej Kuznik
> Version: re24/master
> OS: Linux
> URL: https://github.com/mistotebe/openldap/tree/its9008
> Submission from: (NULL) (82.10.24.68)
>
>
> Modules that link against libraries not already present in slapd will
> only try to look in the rpaths encoded in the module, not in slapd. And
> there is no point encoding $(moduledir) there, since we never install
> anything of substance there. All the while the libraries we need probably
> live in $(libdir).
>
> The linked patch fixes this and makes it possible for $(moduledir) (the
> path modules will be installed into) to be set at configure time.
This patch depends on a custom version of libtool that is not available to
others and can cause significant build breakage when building under a
packaging system. More work needed, either removing libtool from the build
process for OpenLDAP, or modifications to this work to allow it to work
properly with a non-custom version of libtool.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
On Thu, Oct 12, 2017 at 10:01:35PM +0000, info(a)christianknueppel.de wrote:
> I am currently developing C software which uses OpenLDAP with TLS
> authentication. My software is working fine, but when I test it with valgrind, I
> always get an invalid file descriptor when closing the connection.
>
> Here is the stacktrace from valgrind:
> [...]
> --> In function ldap_close_handle I call ldap_unbind_ext_s(ld, NULL, NULL).
>
> The connection is built with ldap_initialize(&ld, config.ldap_url) and
> ldap_start_tls_s(ld, NULL, NULL). Options set with ldap_set_option() are
> LDAP_OPT_X_TLS_REQUIRE_CERT to 2 (LDAP_OPT_X_TLS_DEMAND) and
> LDAP_OPT_X_TLS_CACERTFILE set to all SSL CA certificates
> (/etc/ssl/certs/ca-certificates.crt). I run the ldap_unbind_ext_s command (for
> test purposes) shortly after the start_tls command is finished.
> When I use ldap_sasl_interactive_bind_s with DIGEST-MD5 instead of
> ldap_start_tls_s, the warning doesn't appear. When I use both, TLS and SASL, the
> warning also appears.
>
> My computer runs Ubuntu 16.04.3 LTS (uname: 4.4.0-97-generic x86_64) with
> libldap-2.4-2 (2.4.42+dfsg-2ubuntu3.2) and libgnutls30 (3.4.10-4ubuntu1.4). I
> also tested it with the newest Ubuntu Artful Aardvark and the newest openldap
> (2.4.45+dfsg-1ubuntu1) and gnutls (3.5.8-6ubuntu3) releases, but it didn't have any
> effect in my case.
>
> I also tried compiling openldap against openssl to see if it might be a
> gnutls bug, but the invalid file descriptor occurs again. The lower valgrind
> stacktrace is done with openldap 2.4.45 and openssl 1.0.2g on the newest Artful
> Aardvark 17.10.
> [...]
Yes, it looks like the main SockBuf closing is run twice, once in
ldap_free_connection and once directly in ldap_ld_free. I think we don't
enforce that SockBuf implementations set sb_fd != AC_SOCKET_INVALID, so
not sure yet if we can gate calling sb_close on that or something else.
I'll see if there's a way to make this work better.
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
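The gating Ondřej describes above, closing the descriptor only while it is still valid and invalidating it afterwards, as an added example. This is not libldap's SockBuf code: sockbuf_t and SOCKET_INVALID are stand-ins assumed here for libldap's Sockbuf and AC_SOCKET_INVALID, and the pipe descriptors are constructed test input. The last function shows why a double close is more than a valgrind warning: once the first close returns, the kernel can reuse the descriptor number for something unrelated, and an unguarded second close would hit that.

```c
/* Idempotent close for a SockBuf-like object. Added example, not libldap's
 * SockBuf code: sockbuf_t and SOCKET_INVALID are stand-ins, assumed here,
 * for libldap's Sockbuf and AC_SOCKET_INVALID. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define SOCKET_INVALID (-1)

typedef struct sockbuf {
    int sb_fd;        /* descriptor owned by this buffer, or SOCKET_INVALID */
    int close_calls;  /* number of close(2) calls actually issued */
} sockbuf_t;

/* Close the buffer's descriptor at most once. Returns 0 when a descriptor
 * was closed, 1 when there was nothing to close (no-op), -1 on close(2)
 * failure. The descriptor is invalidated either way so a second teardown
 * path finds nothing to close. */
int sb_close(sockbuf_t *sb)
{
    if (sb->sb_fd == SOCKET_INVALID)
        return 1;
    int rc = close(sb->sb_fd);
    sb->close_calls++;
    sb->sb_fd = SOCKET_INVALID;   /* the number is gone even if close() failed */
    return rc == 0 ? 0 : -1;
}

/* The two teardown paths from the report, ldap_free_connection and
 * ldap_ld_free, both closing the same buffer. Returns how many close(2)
 * calls were issued: 1 with the guard, 2 without it. */
int teardown_twice(sockbuf_t *sb)
{
    sb_close(sb);
    sb_close(sb);
    return sb->close_calls;
}

/* Why the guard matters: after the first close the kernel may hand the same
 * descriptor number to an unrelated open, so an unguarded second close would
 * hit that unrelated file (the valgrind warning in the report is the benign
 * outcome). Returns 1 if the unrelated descriptor survives the double
 * teardown, 0 if it was closed out from under us, -1 on setup failure. */
int unrelated_fd_survives(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    sockbuf_t sb = { .sb_fd = p[0], .close_calls = 0 };
    sb_close(&sb);             /* frees descriptor number p[0] */
    int other = dup(p[1]);     /* lowest free number: normally the old p[0] */
    sb_close(&sb);             /* guarded: must not touch `other` */
    int alive = fcntl(other, F_GETFD) != -1;
    close(other);
    close(p[1]);
    return alive;
}

int main(void)
{
    int p[2];
    if (pipe(p) != 0)
        return 1;
    sockbuf_t sb = { .sb_fd = p[0], .close_calls = 0 };
    printf("close(2) calls after double teardown: %d\n", teardown_twice(&sb));
    printf("unrelated descriptor survived: %d\n", unrelated_fd_survives());
    close(p[1]);
    return 0;
}
```

Under valgrind the unguarded version shows up as a close on an already-closed or -1 descriptor; in a multithreaded client the same pattern can close a descriptor another thread just opened, which is the case worth guarding against.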
On Wed, May 08, 2019 at 01:31:48PM +0000, ondra(a)mistotebe.net wrote:
> On Mon, Jan 22, 2018 at 11:57:38PM +0000, ondra(a)mistotebe.net wrote:
>> On Mon, Jan 22, 2018 at 09:59:21PM +0000, quanah(a)openldap.org wrote:
>>> After doing conversion, the resulting cn=config database has *two* ldap backends
>>> defined:
>>>
>>> dn: olcDatabase={-1}frontend,cn=config
>>> dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
>>> dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf
>>
>> This is the catchall database used to handle referrals that are not
>> handled by any other database you configure by hand. It collects all the
>> chain-* settings that appear before the first chain-uri.
>>
>>> dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf
>>>
>>> The first instance ({0}ldap,...) isn't even valid. If you remove the entire
>>> chain configuration from this database, and then attempt to import it, you get
>>> the following:
>>
>> Yeah that is a problem.
>
> Turns out the problem is different yet. When the overlay is started up
> after adding its entry, it generates a default backend internally. On
> adding the above backend it now thinks it has a default one already (even
> though there is no entry for it yet) and rejects it.
There is now a patch here that exploits the above to know if the common
backend has been added from slapd.conf/explicitly or implicitly like in
the original report.
https://github.com/mistotebe/openldap/tree/its8799
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
--On Thursday, July 27, 2017 1:04 AM +0000 papachoco(a)gmail.com wrote:
> I am getting the error below while compiling openldap 2.4.45 on the
> latest macOS sierra (10.12.6). I am only setting two configuration options
>
> configure-options =
> --disable-slapd
> --disable-slurpd
>
> Undefined symbols for architecture x86_64:
> "_ERR_remove_thread_state", referenced from:
> _tlso_destroy in libldap.a(tls_o.o)
Hello,
What version of OpenSSL were you linking against?
Thanks!
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Full_Name: Quanah Gibson-Mount
Version: OpenLDAP 2.4
OS: 2.4.47
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.128.44)
Per the slapadd man page:
-S SID Server ID to use in generated entryCSN. Also used for contextCSN
if -w is set as well. Defaults to 0.
However, if this is run against an export that already has entryCSN values in
the entries, those values are not updated. This is problematic when wanting to
update a database from single provider (SID0) to MMR (SID1+).
I generally think that if the -S option is provided, and is non-zero, that all
entryCSN values that currently have a "0" serverID in the entryCSN field should
be updated to the specified -S value.
In the above case, it would be critical to additionally flag -w on the end user
part.
This helps to clean up data when doing migrations.
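The rewrite the ITS above asks for, as an added example rather than slapadd's code. It assumes the CSN layout YYYYmmddHHMMSS.ffffffZ#cccccc#sss#mmmmmm (UTC timestamp, six hex digits of change count, three hex digits of server ID, six hex digits of modification count) and handles entryCSN lines always and contextCSN lines only when the caller asks for it, mirroring the -w flag mentioned above; the LDIF lines in main are constructed.

```c
/* Rewriting the server ID field of OpenLDAP CSNs in an LDIF export, as the
 * ITS above proposes. Added example, not slapadd's code. Assumed CSN layout:
 *   YYYYmmddHHMMSS.ffffffZ#cccccc#sss#mmmmmm
 * (UTC timestamp, 6 hex change count, 3 hex server ID, 6 hex modification
 * count). */
#include <stdio.h>
#include <string.h>

#define CSN_LEN 40           /* 22 + 1 + 6 + 1 + 3 + 1 + 6 */
#define CSN_SID_OFFSET 30    /* first of the three SID hex digits */

/* Rewrite `csn` in place when its SID is 000 and `new_sid` is non-zero.
 * Returns 1 if rewritten, 0 if left alone (SID already set, or new_sid is
 * 0 or out of range), -1 if `csn` does not have the expected shape. */
int csn_rewrite_sid(char *csn, unsigned new_sid)
{
    if (strlen(csn) != CSN_LEN || csn[21] != 'Z' || csn[22] != '#' ||
        csn[29] != '#' || csn[33] != '#')
        return -1;
    if (new_sid == 0 || new_sid > 0xfff)
        return 0;
    if (strncmp(csn + CSN_SID_OFFSET, "000", 3) != 0)
        return 0;                       /* already carries a real SID */
    char sid[4];
    snprintf(sid, sizeof sid, "%03x", new_sid);
    memcpy(csn + CSN_SID_OFFSET, sid, 3);
    return 1;
}

/* Apply csn_rewrite_sid to one LDIF line (no trailing newline). entryCSN
 * lines are always candidates; contextCSN lines only when `with_context`
 * is set. Other lines are left untouched. Returns csn_rewrite_sid's
 * result for CSN lines, 0 otherwise. */
int ldif_line_rewrite(char *line, unsigned new_sid, int with_context)
{
    static const char entry_prefix[] = "entryCSN: ";
    static const char ctx_prefix[] = "contextCSN: ";
    if (strncmp(line, entry_prefix, sizeof entry_prefix - 1) == 0)
        return csn_rewrite_sid(line + sizeof entry_prefix - 1, new_sid);
    if (with_context && strncmp(line, ctx_prefix, sizeof ctx_prefix - 1) == 0)
        return csn_rewrite_sid(line + sizeof ctx_prefix - 1, new_sid);
    return 0;
}

int main(void)
{
    /* Constructed LDIF fragment standing in for a slapcat export. */
    char lines[][64] = {
        "dn: dc=example,dc=com",
        "contextCSN: 20190510205200.123456Z#000000#000#000000",
        "entryCSN: 20190510205200.123456Z#000000#000#000000",
        "entryCSN: 20190510205201.000000Z#000000#002#000000",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = ldif_line_rewrite(lines[i], 1, 1);
        printf("%s%s\n", lines[i], rc == 1 ? "   (rewritten)" : "");
    }
    return 0;
}
```

Note that only SID 000 is rewritten: an entry last modified by another provider keeps its CSN, so the rewrite is safe to run on an export taken from a provider that already participates in MMR.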
thank you, this case can be closed. appreciate all your help and clarification. thanks again
Thank you,
Darshankumar Mistry
darshankmistry(a)yahoo.com
On Friday, May 10, 2019, 1:53:16 PM PDT, Howard Chu <hyc(a)symas.com> wrote:
darshankmistry(a)yahoo.com wrote:
> thank you very much for quick response and openldap behavior configuration.
> how we can ignore to look server name in subject of certificate so I can use LDAP server ip address instead of host name?
> Also want to know if there is any open CVE which says it is vulnerabilities to use LDAP server ip address instead of name in ldap configuration.
Add the IP address in a subjectAlternativeName extension to your server certificate.
The behavior here is specified in RFC4513.
>
> Thank you,
> Darshankumar Mistry
> darshankmistry(a)yahoo.com
>
> On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
> --On Friday, May 10, 2019 8:52 PM +0000 darshankmistry(a)yahoo.com wrote:
>
>> Full_Name: Darshankumar Mistry
>> Version:
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>>
>>
>> I would like to know why Open LDAP behavior was changed where we must
>> have to configure FQDN name mentioned in certificate in order to work LDAP
>> authentication... else TLS start failing.
>
> OpenLDAP has worked this way since I first started using it in 2002. This
> behavior is nothing new. And this is the correct behavior.
>
> This ITS will be closed.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
darshankmistry(a)yahoo.com wrote:
> thank you very much for quick response and openldap behavior configuration.
> how we can ignore to look server name in subject of certificate so I can use LDAP server ip address instead of host name?
> Also want to know if there is any open CVE which says it is vulnerabilities to use LDAP server ip address instead of name in ldap configuration.
Add the IP address in a subjectAlternativeName extension to your server certificate.
The behavior here is specified in RFC4513.
>
>
> Thank you,
> Darshankumar Mistry
> darshankmistry(a)yahoo.com
>
> On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
> --On Friday, May 10, 2019 8:52 PM +0000 darshankmistry(a)yahoo.com wrote:
>
>> Full_Name: Darshankumar Mistry
>> Version:
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>>
>>
>> I would like to know why Open LDAP behavior was changed where we must
>> have to configure FQDN name mentioned in certificate in order to work LDAP
>> authentication... else TLS start failing.
>
> OpenLDAP has worked this way since I first started using it in 2002. This
> behavior is nothing new. And this is the correct behavior.
>
> This ITS will be closed.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
--On Friday, May 10, 2019 9:32 PM +0000 darshan mistry
<darshankmistry(a)yahoo.com> wrote:
> how we can ignore to look server name in subject of certificate so I can
> use LDAP server ip address instead of host name?
If you want to allow connecting over the IP address with TLS, then add it
as a subjectAltName value in the certificate, for example:
subjectAltName=IP:1.2.3.4
> Also want to know if there is any open CVE which says it is
> vulnerabilities to use LDAP server ip address instead of name in ldap
> configuration.
I'm not aware of any such CVE or why there would be one.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
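The check behind both answers above (Howard's pointer to RFC 4513 and Quanah's subjectAltName=IP example), as an added example in the style of RFC 4513 section 3.1.3. It is not libldap's code; libldap performs this check inside its TLS backends and is not reproduced here. The cert_names_t struct is an assumed stand-in for what a TLS library hands back after parsing the server certificate, and every certificate below is constructed. It shows why an IP literal only ever matches an iPAddress SAN, never the CN, and how a wildcard dNSName is confined to one label.

```c
/* Server identity check in the style of RFC 4513 section 3.1.3.
 * Added example, not libldap's own code. cert_names_t is a stand-in for
 * what a TLS library returns after parsing the server certificate. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef struct cert_names {
    const char **dns_names;  size_t n_dns;  /* subjectAltName dNSName values */
    const char **ip_addrs;   size_t n_ip;   /* subjectAltName iPAddress values, as text */
    const char *common_name;                /* CN of the subject's leaf RDN, or NULL */
} cert_names_t;

/* Parse an IPv4 or IPv6 literal (brackets allowed) into packed octets.
 * Returns the packed length (4 or 16) or 0 if `s` is not an IP literal. */
static size_t parse_ip(const char *s, unsigned char out[16])
{
    char buf[INET6_ADDRSTRLEN + 2];
    size_t len = strlen(s);
    if (len >= sizeof buf)
        return 0;
    if (len >= 2 && s[0] == '[' && s[len - 1] == ']') {
        memcpy(buf, s + 1, len - 2);
        buf[len - 2] = '\0';
    } else {
        memcpy(buf, s, len + 1);
    }
    if (inet_pton(AF_INET, buf, out) == 1) return 4;
    if (inet_pton(AF_INET6, buf, out) == 1) return 16;
    return 0;
}

/* Case-insensitive DNS comparison. A '*' is honoured only as the entire
 * leftmost label and matches exactly one non-empty label, so
 * "*.example.com" matches "ldap.example.com" but not "a.b.example.com"
 * or "example.com". */
static int dns_match(const char *pattern, const char *name)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(name, '.');
        if (dot == NULL || dot == name)
            return 0;
        return strcasecmp(pattern + 2, dot + 1) == 0;
    }
    return strcasecmp(pattern, name) == 0;
}

/* Return 1 if `reference` (the host name or IP literal the client dialed)
 * is a valid identity for a certificate carrying `cert`, else 0. */
int server_identity_matches(const char *reference, const cert_names_t *cert)
{
    unsigned char ref[16], san[16];
    size_t reflen = parse_ip(reference, ref);
    if (reflen != 0) {
        /* IP reference identity: packed octets are compared against
         * iPAddress SAN entries only. CN and dNSName are never consulted,
         * which is why a hostname-only certificate fails for ldap://1.2.3.4. */
        for (size_t i = 0; i < cert->n_ip; i++) {
            if (parse_ip(cert->ip_addrs[i], san) == reflen &&
                memcmp(ref, san, reflen) == 0)
                return 1;
        }
        return 0;
    }
    /* DNS reference identity: dNSName SAN entries take precedence. */
    if (cert->n_dns > 0) {
        for (size_t i = 0; i < cert->n_dns; i++)
            if (dns_match(cert->dns_names[i], reference))
                return 1;
        return 0;
    }
    /* Fall back to the subject CN only when there is no dNSName SAN at all;
     * RFC 4513 permits this but calls it deprecated. */
    return cert->common_name != NULL && dns_match(cert->common_name, reference);
}

int main(void)
{
    /* Constructed certificates: one with only a host name, one with the
     * IP address added as subjectAltName=IP:192.0.2.10. */
    const char *dns[] = { "ldap.example.com" };
    const char *ips[] = { "192.0.2.10" };
    cert_names_t hostname_only = { dns, 1, NULL, 0, "ldap.example.com" };
    cert_names_t with_ip = { dns, 1, ips, 1, "ldap.example.com" };
    printf("ldap://192.0.2.10 vs hostname-only cert: %d\n",
           server_identity_matches("192.0.2.10", &hostname_only));
    printf("ldap://192.0.2.10 vs cert with IP SAN:   %d\n",
           server_identity_matches("192.0.2.10", &with_ip));
    return 0;
}
```

Disabling the check (for example with TLS_REQCERT never on the client) is the wrong fix: it leaves the connection encrypted but unauthenticated, so any host that can intercept the traffic can present a certificate and read the bind credentials. Adding the IP to the SAN, as both replies say, keeps the check and makes it pass.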
thank you very much for quick response and openldap behavior configuration.
how we can ignore to look server name in subject of certificate so I can use LDAP server ip address instead of host name?
Also want to know if there is any open CVE which says it is vulnerabilities to use LDAP server ip address instead of name in ldap configuration.
Thank you,
Darshankumar Mistry
darshankmistry(a)yahoo.com
On Friday, May 10, 2019, 12:58:38 PM PDT, Quanah Gibson-Mount <quanah@symas.com> wrote:
--On Friday, May 10, 2019 8:52 PM +0000 darshankmistry(a)yahoo.com wrote:
> Full_Name: Darshankumar Mistry
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:420:10b:1272:fc1b:1ea:d311:6cac)
>
>
> I would like to know why the OpenLDAP behavior was changed so that we must
> configure the FQDN mentioned in the certificate in order for LDAP
> authentication to work... otherwise TLS starts failing.
OpenLDAP has worked this way since I first started using it in 2002. This
behavior is nothing new. And this is the correct behavior.
This ITS will be closed.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>