openldap-devel May 2007

openldap-devel@openldap.org

9 participants
14 discussions

Bind DN SSF
by Hallvard B Furuseth 13 May '07

13 May '07

A loose thought - haven't really thought it through, and don't know exactly how SSFs are used today either: I'm wondering if we need one or two "Bind DN SSF"s which describe how reliable a Bind DN is - how secure the server-side authentication system is, as well as the Bind method and connection security at the time of the Bind. Then one can set access controls, 'security' directive, and a new 'rootdn-ssf' directive which requires a certain quality of the rootdn/pw. Possibly rootdn-ssf should be nonzero by default, or nonzero by default for cn=config. The ultimate example of an insecure Bind DN is probably database config rootdn cn=foo,cn=nil # config's rootdn is very powerful database null suffix cn=nil bind on # accept any password for any DN which hopefully doesn't happen outside tests. (That's why this occurred to me, I'd like to support cd tests/ && ./run -b null. Not when one could accidentally write a test like this, though.) There are other reasons the quality of the authentication or password store might differ - different authentication methods, a sloppily-written back-perl instance, whatever. So as a source of the Bind DN SSF one would configure SSFs to subsystems used for authentication - databases, SASL, etc. -- Regards, Hallvard

1 0

Re: commit: ldap/servers/slapd schema_init.c
by Howard Chu 12 May '07

12 May '07

hyc(a)OpenLDAP.org wrote: > Update of /repo/OpenLDAP/pkg/ldap/servers/slapd > > Modified Files: > schema_init.c 1.395 -> 1.396 > > Log Message: > Use liblber for certificate Validation, Normalization These functions are no longer dependent on HAVE_TLS. I've only tested with X509v3 certificates, it probably needs a shakedown with X509v1 and X509v2 certs. Along with the other changes to integrate GNUtls support, I've changed the ldap_X509dn2bv function to expect a DER format berval for input. We no longer use OpenSSL-specific X509_NAME structures anywhere. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

back-monitor and "" rooted DBs
by Quanah Gibson-Mount 09 May '07

09 May '07

I have a database rooted at "", and would like to use the monitor backend as well. I found that if I put "database monitor" before the 'database ""' definition, it will load just fine. However, if it is defined afterwards, it fails to load, since "" overloads it context. I understand that that is correct from a technical standpoint, but IIRC, there have been issues in the past having "database monitor" come before other database definitions. I thought it would be worthwhile to allow "database monitor" to be instantiated after a 'database ""' definition. Thoughts? --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

3 2

tpool.c without a pool
by Hallvard B Furuseth 02 May '07

02 May '07

Has anyone got a variant of tpool.c which has the current interface but creates a new thread per operation instead of using a pool? (I'm trying to track down a memory corruption issue which disappears with --disable-threads, and I'm hoping the load of complaints from 'valgrind-2.2.0 --tool=helgrind' is due to the thread pool rather than genuine bugs or code which Helgrind can't deal with.) -- Regards, Hallvard

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-devel May 2007