https://bugs.openldap.org/show_bug.cgi?id=9655
Issue ID: 9655
Summary: Expose the SNI hostname to olcAccess
Product: OpenLDAP
Version: 2.5.4
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: dpa-openldap@aegee.org
Target Milestone: ---
Since OpenLDAP now supports SNI, it apparently knows which host the client has connected to, when the server is reachable under many names.
• Expose the negotiated hostname to olcAccess and provide an example of how to limit the namingContexts on the root DSE based on the requested host.
Rationale: HTTP servers offer the concept of virtual domains, where they serve different content behind the same IP, based on the Host: header. I want to offer public, anonymous LDAP access, but the returned results shall be completely different and depend on the contacted host. The statements in the <who> field peername=<peername>, sockname=<sockname>, domain=<domain>, and sockurl=<sockurl> are evaluated only based on the contacting system (they do not depend on the requested domain). (Maybe the “contacting sockurl” can do this, but this is not very clear from the documentation.) So they serve a similar purpose, but ignore SNI.
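The following cn=config fragment is an added illustration, not part of the issue and not OpenLDAP project documentation. It shows the closest thing the existing <who> selectors offer: keying access on sockurl, i.e. on the listener the connection arrived on. That only works when each virtual host gets its own listener address, so the hostnames, addresses, suffixes and the database index {1} are all assumed; an SNI-based selector of the kind requested above does not exist in this configuration.

```ldif
# Added example (hypothetical names/addresses), not from the issue or from OpenLDAP.
# Assumes slapd was started with one listener per virtual host, e.g.
#   slapd -h "ldaps://192.0.2.10:636/ ldaps://192.0.2.11:636/"
# and that DNS points ldap.tenant-a.example at .10 and ldap.tenant-b.example at .11.
# sockurl matches the listener URL, so the selection is per address, not per SNI name:
# a client that sends SNI "ldap.tenant-b.example" to 192.0.2.10 still sees tenant A's data.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="ou=tenant-a,dc=example"
  by sockurl.regex="^ldaps://192\.0\.2\.10:636/?$" read
  by * none
olcAccess: {1}to dn.subtree="ou=tenant-b,dc=example"
  by sockurl.regex="^ldaps://192\.0\.2\.11:636/?$" read
  by * none
olcAccess: {2}to *
  by * none
```

The regex accepts the listener URL with or without a trailing slash, since the exact string slapd compares against depends on how the -h argument was written. The point of the example is the limitation: because peername, sockname, domain and sockurl all describe the transport endpoints rather than the name the client asked for, sharing a single IP and port across several TLS names gives every name the same ACL result, which is exactly the gap the request above describes.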