Here's where I've ended up with for ITS#8286. Only 2 real remaining questions if this looks good (olcTLSCertificateKey and olcTLSVerifyClient). Commit is currently https://github.com/quanah/openldap-scratch/commit/efef34db2f36e00a44c3f2dee3851a6faf65a399
---------------- servers/slapd/bconfig.c -----------------------
olcConfigFile -- Changed to case exact match
olcConfigDir -- Changed to case exact match
olcArgsFile -- Changed to case exact match
olcLogFile -- case exact match
olcModulePath -- case exact match
olcPasswordCryptSaltFormat -- case ignore match
olcPidFile -- case exact match
olcPluginLogFile -- case exact match
olcRootPw -- octetStringMatch
olcSaslAuxprops -- case ignore match
olcSaslHost -- case ignore match
olcSaslRealm -- case exact match
olcSaslSecProps -- case exact match
olcSizeLimit -- case exact match
olcSubordinate -- case exact match
olcTCPBuffer -- case exact match
olcTimeLimit -- case exact match
olcTLSCACertificateFile -- case exact match
olcTLSCACertificatePath -- case exact match
olcTLSCertificateFile -- case exact match
olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
olcTLSCertificateKeyFile -- case exact match
olcTLSCipherSuite -- case exact match
olcTLSCRLCheck -- case exact match
olcTLSCRLFile -- case exact match
olcTLSRandFile -- case exact match
olcTLSVerifyClient -- case exact match (Shouldn't this be an enum, like olcMemberOfDangling?)
olcTLSDHParamFile -- case exact match
olcTLSECName -- case exact match
olcTLSProtocolMin -- case exact match

---------------- BACKENDS -----------------------

--- back-asyncmeta
olcDbURI -- case exact match
olcDbStartTLS -- case exact match
olcDbACLPasswd -- DELETE
olcDbIDAssertBind -- case ignore match
olcDbTFSupport -- case ignore match
olcDbTimeout -- case ignore match
olcDbIdleTimeout -- case ignore match
olcDbNetworkTimeout -- case ignore match
olcDbCancel -- case ignore match
olcDbQuarantine -- case ignore match
olcDbDefaultTarget -- case ignore match
olcDbDnCacheTtl -- case ignore match
olcDbBindTimeout -- integer match
olcDbOnErr -- case ignore match
olcDbNretries -- case ignore match
olcDbClientPr -- case ignore match
olcDbKeepalive -- case ignore match

--- back-bdb/hdb
olcDbCheckpoint -- case ignore match
olcDbCryptFile -- case exact match
olcDbCryptKey -- case exact match
olcDbConfig -- IA5 case ignore match
olcDbLockDetect -- case ignore match
olcDbMode -- case ignore match

--- back-ldap
olcDbURI -- case exact match
olcDbStartTLS -- case exact match
olcDbACLPasswd -- DELETE
olcDbACLBind -- case ignore match
olcDbIDAssertPasswd -- DELETE
olcDbIDAssertBind -- case ignore match
olcDbIDAssertMode -- DELETE
olcDbTFSupport -- case ignore match
olcDbTimeout -- case ignore match
olcDbIdleTimeout -- case ignore match
olcDbConnTtl -- case ignore match
olcDbNetworkTimeout -- case ignore match
olcDbCancel -- case ignore match
olcDbQuarantine -- case ignore match
olcDbOnErr -- case ignore match
olcDbKeepalive -- case ignore match

--- back-mdb
olcDbDirectory -- Changed to case exact match
olcDbCheckpoint -- case ignore match
olcDbMode -- case ignore match

--- back-meta
olcDbURI -- case exact match
olcDbStartTLS -- case exact match
olcDbACLPasswd -- DELETE
olcDbIDAssertBind -- case ignore match
olcDbTFSupport -- case ignore match
olcDbTimeout -- case ignore match
olcDbIdleTimeout -- case ignore match
olcDbConnTtl -- case ignore match
olcDbNetworkTimeout -- case ignore match
olcDbCancel -- case ignore match
olcDbQuarantine -- case ignore match
olcDbDefaultTarget -- case ignore match
olcDbDnCacheTtl -- case ignore match
olcDbBindTimeout -- integer match
olcDbOnErr -- case ignore match
olcDbNretries -- case ignore match
olcDbClientPr -- case ignore match
olcDbKeepalive -- case ignore match

--- back-sql
olcDbHost -- case exact match
olcDbName -- case exact match
olcDbUser -- case exact match
olcDbPass -- case exact match
olcSqlConcatPattern -- case exact match
olcSqlSubtreeCond -- case exact match
olcSqlChildrenCond -- case exact match
olcSqlDnMatchCond -- case exact match
olcSqlOcQuery -- case exact match
olcSqlAtQuery -- case exact match
olcSqlInsEntryStmt -- case exact match
olcSqlUpperFunc -- case exact match
olcSqlStrcastFunc -- case exact match
olcSqlDelEntryStmt -- case exact match
olcSqlRenEntryStmt -- case exact match
olcSqlDelObjclassesStmt -- case exact match
olcSqlBaseObject -- case exact match
olcSqlLayer -- case exact match
olcSqlFetchAttrs -- case ignore match
olcSqlAliasingKeyword -- case exact match
olcSqlAliasingQuote -- case ignore match
olcSqlIdQuery -- case exact match

---------------- OVERLAYS -----------------------

--- accesslog.c
logpurge -- case ignore match
logold -- case exact match

--- auditlog.c
olcAuditLogFile -- case exact match

--- autoca.c
olcACAuserClass -- case ignore match
olcACAserverClass -- case ignore match

--- dds.c
olcDDSmaxTtl -- case ignore match
olcDDSminTtl -- case ignore match
olcDDSdefaultTtl -- case ignore match
olcDDSinterval -- case ignore match
olcDDStolerance -- case ignore match

--- dyngroup.c
olcDGAttrPair -- case ignore match

--- memberof.c
olcMemberOfDangling -- case ignore match
olcMemberOfGroupOC -- case ignore match
olcMemberOfMemberAD -- case ignore match
olcMemberOfMemberOfAD -- case ignore match
olcMemberOfDanglingError -- case ignore match

--- pcache.c
olcProxyCache -- case ignore match
olcPcachePosition -- case ignore match
olcPcacheMaxQueries -- case ignore match

--- rwm.c
olcRwmTFSupport -- case ignore match

--- syncprov.c
olcSpCheckpoint -- case ignore match

--- translucent.c
olcTranslucentLocal -- case ignore match
olcTranslucentRemote -- case ignore match

---------------- CONTRIB -----------------------

--- adremap.c
olcADremapDowncase -- case ignore match
olcADremapDNmap -- case ignore match

--- autogroup.c
olcAGmemberOfAd -- case ignore match

--- smbk5pwd.c
olcSmbK5PwdEnable -- case ignore match
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
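The EQUALITY rule assigned to each attribute above decides which stored values slapd treats as equal, for instance when a modify operation deletes a value from cn=config. The Python below is an added illustration written for this thread, not code from OpenLDAP or from the author: RULES is a constructed subset of the assignments in the message, the whitespace handling is a simplified stand-in for RFC 4518 string preparation, and the sample entry values are constructed placeholders. It shows why a host name compares case-insensitively, why a file path does not, and why secrets such as olcRootPw get octetStringMatch, which compares bytes with no normalisation at all.

```python
"""Added example: emulate LDAP EQUALITY rules on cn=config values."""

# Constructed subset of the rule assignments listed in the message above.
RULES = {
    "olcTLSCertificateFile": "caseExactMatch",
    "olcSaslHost": "caseIgnoreMatch",
    "olcRootPw": "octetStringMatch",
    "olcDbBindTimeout": "integerMatch",
}


def _prepare(value: str) -> str:
    # Simplified stand-in (assumption) for RFC 4518 string preparation:
    # trim and collapse runs of whitespace.  Real slapd normalisation also
    # performs Unicode mapping and normalisation.
    return " ".join(value.split())


def _as_bytes(value) -> bytes:
    return value if isinstance(value, bytes) else str(value).encode("utf-8")


def values_match(rule: str, a, b) -> bool:
    """True when a and b are equal under the named LDAP matching rule."""
    if rule == "caseExactMatch":
        return _prepare(a) == _prepare(b)
    if rule == "caseIgnoreMatch":
        return _prepare(a).casefold() == _prepare(b).casefold()
    if rule == "octetStringMatch":
        # Byte-for-byte, no normalisation: the right rule for secrets and
        # key material, where "looks alike" must never count as "equal".
        return _as_bytes(a) == _as_bytes(b)
    if rule == "integerMatch":
        return int(a) == int(b)
    raise ValueError(f"unknown matching rule: {rule}")


def delete_value(entry: dict, attr: str, value) -> dict:
    """Emulate 'changetype: modify / delete: <attr> / <attr>: <value>'.

    Returns a new entry; raises LookupError (slapd would answer
    noSuchAttribute) when no stored value matches under the attribute's rule.
    """
    rule = RULES[attr]
    current = entry.get(attr, [])
    remaining = [v for v in current if not values_match(rule, v, value)]
    if len(remaining) == len(current):
        raise LookupError(f"{attr}: no value matches {value!r} under {rule}")
    updated = dict(entry)
    if remaining:
        updated[attr] = remaining
    else:
        del updated[attr]
    return updated


# Constructed sample entry; the values are illustrative placeholders.
CONFIG_ENTRY = {
    "olcTLSCertificateFile": ["/etc/ssl/private/server.pem"],
    "olcSaslHost": ["ldap.example.com"],
    "olcRootPw": [b"{SSHA}placeholder-not-a-real-hash"],
    "olcDbBindTimeout": ["60"],
}

if __name__ == "__main__":
    # Host names are case-insensitive, so this delete succeeds ...
    print(delete_value(CONFIG_ENTRY, "olcSaslHost", "LDAP.Example.COM"))
    # ... but a file path is case exact, so this one is refused.
    try:
        delete_value(CONFIG_ENTRY, "olcTLSCertificateFile",
                     "/etc/ssl/private/Server.pem")
    except LookupError as err:
        print("refused:", err)
```

The design point is that the rule is a property of the attribute type, not of the client request: once a config attribute carries a case-exact rule, a client cannot remove a path by supplying a differently cased spelling of it, and octetStringMatch on olcRootPw means only the exact stored bytes will match.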
Quanah Gibson-Mount wrote:
Here's where I've ended up with for ITS#8286. Only 2 real remaining questions if this looks good (olcTLSCertificateKey and olcTLSVerifyClient). Commit is currently https://github.com/quanah/openldap-scratch/commit/efef34db2f36e00a44c3f2dee3851a6faf65a399
TLSCertificateKey is correct.
---------------- servers/slapd/bconfig.c -----------------------
olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
No, a key is not a certificate. Keys are stored in PKCS#8 encoding.
olcTLSCertificateKeyFile -- case exact match
olcTLSCipherSuite -- case exact match
olcTLSCRLCheck -- case exact match
olcTLSCRLFile -- case exact match
olcTLSRandFile -- case exact match
olcTLSVerifyClient -- case exact match (Shouldn't this be an enum, like olcMemberOfDangling?)
It already uses a verbmasks struct, same as olcMemberOfDangling.
--Quanah
--On Tuesday, December 18, 2018 5:53 PM +0000 Howard Chu hyc@symas.com wrote:
---------------- servers/slapd/bconfig.c -----------------------
olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
No, a key is not a certificate. Keys are stored in PKCS#8 encoding.
So what's the matching rule for it? ;)
--Quanah
Quanah Gibson-Mount wrote:
--On Tuesday, December 18, 2018 5:53 PM +0000 Howard Chu hyc@symas.com wrote:
---------------- servers/slapd/bconfig.c -----------------------
olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
No, a key is not a certificate. Keys are stored in PKCS#8 encoding.
So what's the matching rule for it? ;)
I suppose it'll have to be octetStringMatch.
--Quanah
--On Tuesday, December 18, 2018 6:08 PM +0000 Howard Chu hyc@symas.com wrote:
Quanah Gibson-Mount wrote:
--On Tuesday, December 18, 2018 5:53 PM +0000 Howard Chu hyc@symas.com wrote:
---------------- servers/slapd/bconfig.c -----------------------
olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
No, a key is not a certificate. Keys are stored in PKCS#8 encoding.
So what's the matching rule for it? ;)
I suppose it'll have to be octetStringMatch.
Ok, done:
https://github.com/quanah/openldap-scratch/commit/57026b565a092de45faf3f6bf9ec118fb2080341
That should cover ITS#8286.
--Quanah
Howard Chu wrote:
Quanah Gibson-Mount wrote:
--On Tuesday, December 18, 2018 5:53 PM +0000 Howard Chu hyc@symas.com wrote:
---------------- servers/slapd/bconfig.c -----------------------
olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
No, a key is not a certificate. Keys are stored in PKCS#8 encoding.
So what's the matching rule for it? ;)
I suppose it'll have to be octetStringMatch.
The syntax needs to be changed, it should be 1.2.840.113549.1.8. I don't see any benefit to using anything other than octetStringMatch though.
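A check an administrator can run over a subschema dump after a change like this one: parse each attributeTypes value, report any attribute type that still lacks an EQUALITY rule, and show the SYNTAX/EQUALITY pair for a named attribute. This is an added example, not OpenLDAP code; the two subschema excerpts are constructed to mirror the before and after of olcTLSCertificateKey as discussed in the thread (no EQUALITY with the Octet String syntax 1.3.6.1.4.1.1466.115.121.1.40 before, octetStringMatch with the PKCS#8 syntax 1.2.840.113549.1.8 after). The attribute type OIDs under 1.3.6.1.4.1.99999 are placeholders, not the real OpenLDAP ones; 1.3.6.1.4.1.1466.115.121.1.15 is the standard Directory String syntax.

```python
"""Added example: flag cn=config attribute types without an EQUALITY rule."""
import re

# Constructed subschema excerpts.  Attribute type OIDs (1.3.6.1.4.1.99999.*)
# are placeholders; the syntax OIDs are the standard Octet String (...1.40),
# Directory String (...1.15) and the PKCS#8 syntax named in the thread.
SAMPLE_BEFORE = """\
attributeTypes: ( 1.3.6.1.4.1.99999.1 NAME 'olcTLSCertificateKey' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.2 NAME 'olcTLSCertificateFile' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.3 NAME ( 'olcSaslHost' 'saslHost' ) EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
"""

SAMPLE_AFTER = """\
attributeTypes: ( 1.3.6.1.4.1.99999.1 NAME 'olcTLSCertificateKey' EQUALITY octetStringMatch SYNTAX 1.2.840.113549.1.8 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.2 NAME 'olcTLSCertificateFile' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.3 NAME ( 'olcSaslHost' 'saslHost' ) EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
"""

# One attributeTypes value per line, as ldapsearch prints a subschema entry.
ATTR_LINE = re.compile(r"^attributeTypes:\s*(\(.*\))\s*$", re.M)
OID_RE = re.compile(r"^\(\s*(\S+)")
# NAME is either a single quoted name or a parenthesised list; keep the first.
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*'([^']*)')")
EQUALITY_RE = re.compile(r"\bEQUALITY\s+(\S+)")
SYNTAX_RE = re.compile(r"\bSYNTAX\s+([0-9.]+)")


def parse_attribute_type(desc: str) -> dict:
    """Extract oid, primary name, EQUALITY and SYNTAX from an RFC 4512
    AttributeTypeDescription (only the fields this check needs)."""
    oid = OID_RE.match(desc).group(1)
    name_m = NAME_RE.search(desc)
    name = (name_m.group(1) or name_m.group(2)) if name_m else oid
    eq = EQUALITY_RE.search(desc)
    syn = SYNTAX_RE.search(desc)
    return {
        "oid": oid,
        "name": name,
        "equality": eq.group(1) if eq else None,
        "syntax": syn.group(1) if syn else None,
    }


def parse_subschema(text: str) -> list:
    return [parse_attribute_type(m.group(1)) for m in ATTR_LINE.finditer(text)]


def missing_equality(text: str) -> list:
    """Names of attribute types that define no EQUALITY matching rule."""
    return [a["name"] for a in parse_subschema(text) if a["equality"] is None]


def rule_for(text: str, name: str) -> tuple:
    """(SYNTAX, EQUALITY) for the named attribute type."""
    for a in parse_subschema(text):
        if a["name"] == name:
            return (a["syntax"], a["equality"])
    raise KeyError(name)


if __name__ == "__main__":
    print("before, lacking EQUALITY:", missing_equality(SAMPLE_BEFORE))
    print("after, lacking EQUALITY:", missing_equality(SAMPLE_AFTER))
    print("olcTLSCertificateKey after:", rule_for(SAMPLE_AFTER, "olcTLSCertificateKey"))
```

To run it against a live server, feed the output of a base-scope search of cn=subschema for the attributeTypes attribute in place of the constructed strings; the parser only looks at lines beginning with "attributeTypes:".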