https://bugs.openldap.org/show_bug.cgi?id=10065
--- Comment #16 from sean@teletech.com.au --- (In reply to Ondřej Kuzník from comment #15)
On Mon, Jun 12, 2023 at 01:15:21PM +0000, openldap-its@openldap.org wrote:
> Slightly off-topic but if you configure ldaps:// and *require* client certs, the session won't get set up to the point of touching anything LDAP related until the client's proved it holds a certificate you trust.
That's only true to a point. The client only needs to hold a certificate from a CA that I trust. The name on the certificate is validated with the ruleset. CAs issue many certificates, even to people with bad intentions.
Well, that by itself doesn't sound like enough for the OpenLDAP side, hence the need for a new field.
I suspect haproxy was looking at the size of the proxy-protocol packet when they decided not to give the full DN. The protocol packet really needs to fit in a single network packet. That might actually end up being a show stopper.
And I still haven't looked at what haproxy _actually_ provides. Just because they put it in the spec doesn't mean they have implemented it.
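For reference on what the PROXY protocol v2 header can carry about a client certificate, here is a small parser written for this page; it is not code from the OpenLDAP or HAProxy projects and not part of the thread above. The constants (signature, PP2_TYPE_SSL = 0x20, PP2_SUBTYPE_SSL_CN = 0x22, the client flag bits) follow the PROXY protocol v2 specification shipped with HAProxy; the sample header is constructed inline rather than captured. It shows the point being made above: the spec defines a sub-TLV for the certificate's CN only, there is no sub-TLV for the full subject DN, so a receiver like slapd can at most learn the CN plus a verify result from the header. Whether a given haproxy build actually emits the SSL TLV is a separate question that this code does not answer.

```python
"""Parse a PROXY protocol v2 header and extract the TLS client-certificate
fields it can carry (PP2_TYPE_SSL with the SSL_CN sub-TLV).

Constants follow the PROXY protocol v2 specification shipped with HAProxy.
The sample header below is constructed inline; it is not a capture.
"""
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

# TLV type carrying TLS information, and the sub-TLV types used here
PP2_TYPE_SSL = 0x20
PP2_SUBTYPE_SSL_VERSION = 0x21
PP2_SUBTYPE_SSL_CN = 0x22  # the CN only; the spec defines no full-DN sub-TLV

# bits of the <client> byte at the start of the PP2_TYPE_SSL value
PP2_CLIENT_SSL = 0x01        # client connected over TLS
PP2_CLIENT_CERT_CONN = 0x02  # client cert presented on this connection
PP2_CLIENT_CERT_SESS = 0x04  # client cert presented on this TLS session

AF_INET_CODE, AF_INET6_CODE, AF_UNIX_CODE = 0x1, 0x2, 0x3
ADDR_LEN = {AF_INET_CODE: 12, AF_INET6_CODE: 36, AF_UNIX_CODE: 216}


def _tlv(tlv_type, value):
    return struct.pack("!BH", tlv_type, len(value)) + value


def build_ssl_tlv(client_flags, verify, version=None, cn=None):
    """Encode the PP2_TYPE_SSL value: <client> <verify> followed by sub-TLVs."""
    body = struct.pack("!BI", client_flags, verify)
    if version is not None:
        body += _tlv(PP2_SUBTYPE_SSL_VERSION, version.encode())
    if cn is not None:
        body += _tlv(PP2_SUBTYPE_SSL_CN, cn.encode("utf-8"))
    return _tlv(PP2_TYPE_SSL, body)


def build_pp2_header(src, dst, sport, dport, tlvs=b""):
    """Build a PROXY v2 header for a proxied TCP-over-IPv4 connection."""
    addrs = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HH", sport, dport)
    body = addrs + tlvs
    # 0x21: version 2, command PROXY; 0x11: AF_INET, STREAM
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


def parse_ssl_tlv(value):
    client, verify = struct.unpack("!BI", value[:5])
    info = {
        "client_ssl": bool(client & PP2_CLIENT_SSL),
        "cert_conn": bool(client & PP2_CLIENT_CERT_CONN),
        "cert_sess": bool(client & PP2_CLIENT_CERT_SESS),
        "verify": verify,  # 0 means the chain verified (X509_V_OK)
        "version": None,
        "cn": None,
    }
    off = 5
    while off + 3 <= len(value):
        sub_type, sub_len = struct.unpack("!BH", value[off:off + 3])
        off += 3
        sub_val = value[off:off + sub_len]
        off += sub_len
        if sub_type == PP2_SUBTYPE_SSL_VERSION:
            info["version"] = sub_val.decode()
        elif sub_type == PP2_SUBTYPE_SSL_CN:
            info["cn"] = sub_val.decode("utf-8")
    return info


def parse_pp2_header(data):
    """Return (parsed header, bytes consumed); data[consumed:] is the LDAP payload."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    body = data[16:16 + length]
    if len(body) != length:
        raise ValueError("truncated header")
    hdr = {"command": ver_cmd & 0x0F, "family": fam_proto >> 4, "ssl": None, "tlvs": {}}
    fam = hdr["family"]
    off = ADDR_LEN.get(fam, 0)  # AF_UNSPEC carries no address block
    if len(body) < off:
        raise ValueError("truncated address block")
    if fam == AF_INET_CODE:
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
        hdr.update(src=socket.inet_ntop(socket.AF_INET, s),
                   dst=socket.inet_ntop(socket.AF_INET, d), sport=sp, dport=dp)
    elif fam == AF_INET6_CODE:
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
        hdr.update(src=socket.inet_ntop(socket.AF_INET6, s),
                   dst=socket.inet_ntop(socket.AF_INET6, d), sport=sp, dport=dp)
    while off + 3 <= length:
        tlv_type, tlv_len = struct.unpack("!BH", body[off:off + 3])
        off += 3
        value = body[off:off + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        off += tlv_len
        if tlv_type == PP2_TYPE_SSL:
            hdr["ssl"] = parse_ssl_tlv(value)
        else:
            hdr["tlvs"][tlv_type] = value
    return hdr, 16 + length


# Constructed sample: a TLS 1.3 client that presented a verified certificate
# with CN "ldap-client-01", followed by the first two bytes of an LDAP message.
SAMPLE_SSL = build_ssl_tlv(PP2_CLIENT_SSL | PP2_CLIENT_CERT_CONN | PP2_CLIENT_CERT_SESS,
                           verify=0, version="TLSv1.3", cn="ldap-client-01")
SAMPLE = build_pp2_header("192.0.2.10", "198.51.100.5", 51234, 636, SAMPLE_SSL) + b"\x30\x0c"

if __name__ == "__main__":
    parsed, used = parse_pp2_header(SAMPLE)
    print(parsed, "payload starts at byte", used)
```

The whole sample header is 63 bytes, so a CN comfortably fits; a full DN would be longer but still well short of a typical MSS, so the single-packet concern raised above is about worst-case subjects and about whatever other TLVs haproxy adds, not about a short CN.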