https://bugs.openldap.org/show_bug.cgi?id=10065
--- Comment #18 from Ondřej Kuzník <ondra@mistotebe.net> ---
On Mon, Jun 12, 2023 at 09:06:16PM +0000, openldap-its@openldap.org wrote:
>> Slightly off-topic but if you configure ldaps:// and *require* client certs, the session won't get set up to the point of touching anything LDAP related until the client's proved it holds a certificate you trust.
>
> That's only true to a point. The client only needs to hold a certificate from a CA that I trust. The name on the certificate is validated with the ruleset. CAs issue many certificates, even to people with bad intentions.

You choose what CAs are trusted to issue client certificates and this is independent from the CAs you trust for server certs. Could that be the trust anchor you're missing?

> I suspect haproxy was looking at the size of the proxy-protocol packet when they decided not to give the full DN. The protocol packet really needs to fit in a single network packet. That might actually end up being a show stopper.

They probably were and that would be an implementation concern but I think they only ask for the initial part to be in the first packet.

Implementation in slapd might have to be stricter on this point and I would have highlighted it once it came to an implementation. Lloadd's connection setup is more flexible and permits even this part of connection establishment to be async.
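The two points above, haproxy forwarding only the certificate CN and the header having to be read in full before anything LDAP is touched, as an added example (not OpenLDAP, lloadd or haproxy code): a PROXY protocol v2 reader that accepts the header across several reads, extracts the SSL TLV's verify result and CN sub-TLV, and rejects oversized or non-PROXY input early. It handles only TCP over IPv4, and the 4096-byte cap is an assumed local limit, not a value from the spec.

```python
import struct
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_SSL, PP2_SUBTYPE_SSL_CN = 0x20, 0x22
MAX_HEADER = 4096  # assumed local cap on the v2 length field, not a spec value

def parse_tlvs(data):
    tlvs, off = {}, 0  # PROXY v2 TLV layout: type(1) length(2) value
    while off < len(data):
        t, ln = data[off], int.from_bytes(data[off + 1:off + 3], "big")
        if off + 3 + ln > len(data):
            raise ValueError("TLV overruns header")
        tlvs[t], off = data[off + 3:off + 3 + ln], off + 3 + ln
    return tlvs

def parse_proxy_v2(buf):  # -> ('need', n) while n more bytes are required, else ('ok', info, consumed)
    if buf[:12] != PP2_SIGNATURE[:len(buf)]:  # reject as soon as the prefix mismatches
        raise ValueError("not a PROXY v2 header")
    if len(buf) < 16:
        return ("need", 16 - len(buf))
    ver_cmd, fam, length = struct.unpack("!BBH", buf[12:16])
    if ver_cmd != 0x21 or fam != 0x11 or not 12 <= length <= MAX_HEADER:
        raise ValueError("only v2 PROXY over TCP/IPv4 with a sane length is handled")
    if len(buf) < 16 + length:
        return ("need", 16 + length - len(buf))  # remainder may arrive in later reads
    body = buf[16:16 + length]
    src, dst, sp, dp = struct.unpack("!4s4sHH", body[:12])
    info = {"src": (".".join(map(str, src)), sp), "dst": (".".join(map(str, dst)), dp)}
    tlvs = parse_tlvs(body[12:])
    if PP2_TYPE_SSL in tlvs:  # value: client flags(1), verify result(4), sub-TLVs
        ssl = tlvs[PP2_TYPE_SSL]
        info["ssl_verify"] = struct.unpack("!I", ssl[1:5])[0]  # 0 means the cert verified
        cn = parse_tlvs(ssl[5:]).get(PP2_SUBTYPE_SSL_CN)  # haproxy sends the CN, not the full DN
        if cn is not None: info["ssl_cn"] = cn.decode()
    return ("ok", info, 16 + length)

def read_header(chunks):
    buf = b""  # accumulate successive reads until the header is complete
    for chunk in chunks:
        buf += chunk
        state = parse_proxy_v2(buf)
        if state[0] == "ok":
            return state[1], buf[state[2]:]  # leftover bytes belong to the LDAP session
    raise ValueError("peer closed before the full PROXY header arrived")

def build_example_header(cn):  # constructed sample: IPv4 header with a verified client cert CN
    sub = bytes([PP2_SUBTYPE_SSL_CN]) + struct.pack("!H", len(cn)) + cn.encode()
    ssl = bytes([0x01]) + struct.pack("!I", 0) + sub  # PP2_CLIENT_SSL flag, verify=0
    body = struct.pack("!4s4sHH", bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]), 40000, 636)
    body += bytes([PP2_TYPE_SSL]) + struct.pack("!H", len(ssl)) + ssl
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body
```

A receiver that trusts `ssl_cn` should also check that `ssl_verify` is 0 and that the PROXY header came from a proxy it expects, since everything in the header is asserted by the sender.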