9:09 a.m.
Here's where I've ended up with for ITS#8286. Only 2 real remaining
questions if this looks good (olcTLSCertificateKey and olcTLSVerifyClient).
Commit is currently
<https://github.com/quanah/openldap-scratch/commit/efef34db2f36e00a44c3f2d...
---------------- servers/slapd/bconfig.c -----------------------
olcConfigFile -- Changed to case exact match
olcConfigDir -- Changed to case exact match
olcArgsFile -- Changed to case exact match
olcLogFile -- case exact match
olcModulePath -- case exact match
olcPasswordCryptSaltFormat -- case ignore match
olcPidFile -- case exact match
olcPluginLogFile -- case exact match
olcRootPw -- octetStringMatch
olcSaslAuxprops -- case ignore match
olcSaslHost -- case ignore match
olcSaslRealm -- case exact match
olcSaslSecProps -- case exact match
olcSizeLimit -- case exact match
olcSubordinate -- case exact match
olcTCPBuffer -- case exact match
olcTimeLimit -- case exact match
olcTLSCACertificateFile -- case exact match
olcTLSCACertificatePath -- case exact match
olcTLSCertificateFile -- case exact match
olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX be
1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
olcTLSCertificateKeyFile -- case exact match
olcTLSCipherSuite -- case exact match
olcTLSCRLCheck -- case exact match
olcTLSCRLFile -- case exact match
olcTLSRandFile -- case exact match
olcTLSVerifyClient -- case exact match (Shouldn't this be an enum, like
olcMemberOfDangling ?)
olcTLSDHParamFile -- case exact match
olcTLSECName -- case exact match
olcTLSProtocolMin -- case exact match
---------------- BACKENDS -----------------------
--- back-asyncmeta
olcDbURI -- case exact match
olcDbStartTLS -- case exact match
olcDbACLPasswd -- DELETE
olcDbIDAssertBind -- case ignore match
olcDbTFSupport -- case ignore match
olcDbTimeout -- case ignore match
olcDbIdleTimeout -- case ignore match
olcDbNetworkTimeout -- case ignore match
olcDbCancel -- case ignore match
olcDbQuarantine -- case ignore match
olcDbDefaultTarget -- case ignore match
olcDbDnCacheTtl -- case ignore match
olcDbBindTimeout -- integer match
olcDbOnErr -- case ignore match
olcDbNretries -- case ignore match
olcDbClientPr -- case ignore match
olcDbKeepalive -- case ignore match
--- back-bdb/hdb
olcDbCheckpoint -- case ignore match
olcDbCryptFile -- case exact match
olcDbCryptKey -- case exact match
olcDbConfig -- IA5 case ignore match
olcDbLockDetect -- case ignore match
olcDbMode -- case ignore match
--- back-ldap
olcDbURI -- case exact match
olcDbStartTLS -- case exact match
olcDbACLPasswd -- DELETE
olcDbACLBind -- case ignore match
olcDbIDAssertPasswd -- DELETE
olcDbIDAssertBind -- case ignore match
olcDbIDAssertMode -- DELETE
olcDbTFSupport -- case ignore match
olcDbTimeout -- case ignore match
olcDbIdleTimeout -- case ignore match
olcDbConnTtl -- case ignore match
olcDbNetworkTimeout -- case ignore match
olcDbCancel -- case ignore match
olcDbQuarantine -- case ignore match
olcDbOnErr -- case ignore match
olcDbKeepalive -- case ignore match
--- back-mdb
olcDbDirectory -- Changed to case exact match
olcDbCheckpoint -- case ignore match
olcDbMode -- case ignore match
--- back-meta
olcDbURI -- case exact match
olcDbStartTLS -- case exact match
olcDbACLPasswd -- DELETE
olcDbIDAssertBind -- case ignore match
olcDbTFSupport -- case ignore match
olcDbTimeout -- case ignore match
olcDbIdleTimeout -- case ignore match
olcDbConnTtl -- case ignore match
olcDbNetworkTimeout -- case ignore match
olcDbCancel -- case ignore match
olcDbQuarantine -- case ignore match
olcDbDefaultTarget -- case ignore match
olcDbDnCacheTtl -- case ignore match
olcDbBindTimeout -- integer match
olcDbOnErr -- case ignore match
olcDbNretries -- case ignore match
olcDbClientPr -- case ignore match
olcDbKeepalive -- case ignore match
--- back-sql
olcDbHost -- case exact match
olcDbName -- case exact match
olcDbUser -- case exact match
olcDbPass -- case exact match
olcSqlConcatPattern -- case exact match
olcSqlSubtreeCond -- case exact match
olcSqlChildrenCond -- case exact match
olcSqlDnMatchCond-- case exact match
olcSqlOcQuery -- case exact match
olcSqlAtQuery -- case exact match
olcSqlInsEntryStmt -- case exact match
olcSqlUpperFunc -- case exact match
olcSqlStrcastFunc -- case exact match
olcSqlDelEntryStmt -- case exact match
olcSqlRenEntryStmt -- case exact match
olcSqlDelObjclassesStmt -- case exact match
olcSqlBaseObject -- case exact match
olcSqlLayer -- case exact match
olcSqlFetchAttrs -- case ignore match
olcSqlAliasingKeyword -- case exact match
olcSqlAliasingQuote -- case ignore match
olcSqlIdQuery -- case exact match
---------------- OVERLAYS -----------------------
--- accesslog.c
logpurge -- case ignore match
logold -- case exact match
--- auditlog.c
olcAuditLogFile -- case exact match
--- autoca.c
olcACAuserClass -- case ignore match
olcACAserverClass -- case ignore match
--- dds.c
olcDDSmaxTtl -- case ignore match
olcDDSminTtl -- case ignore match
olcDDSdefaultTtl -- case ignore match
olcDDSinterval -- case ignore match
olcDDStolerance -- case ignore match
--- dyngroup.c
olcDGAttrPair -- case ignore match
--- memberof.c
olcMemberOfDangling -- case ignore match
olcMemberOfGroupOC -- case ignore match
olcMemberOfMemberAD -- case ignore match
olcMemberOfMemberOfAD -- case ignore match
olcMemberOfDanglingError -- case ignore match
--- pcache.c
olcProxyCache -- case ignore match
olcPcachePosition -- case ignore match
olcPcacheMaxQueries -- case ignore match
--- rwm.c
olcRwmTFSupport -- case ignore match
--- syncprov.c
olcSpCheckpoint -- case ignore match
--- translucent.c
olcTranslucentLocal -- case ignore match
olcTranslucentRemote -- case ignore match
---------------- CONTRIB -----------------------
--- adremap.c
olcADremapDowncase -- case ignore match
olcADremapDNmap -- case ignore match
--- autogroup.c
olcAGmemberOfAd -- case ignore match
--- smbk5pwd.c
olcSmbK5PwdEnable -- case ignore match
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
9:53 a.m.
Quanah Gibson-Mount wrote:
Here's where I've ended up with for ITS#8286. Only 2 real
remaining questions if this looks good (olcTLSCertificateKey and olcTLSVerifyClient).
Commit is
currently
<https://github.com/quanah/openldap-scratch/commit/efef34db2f36e00a44c3f2d...
TLSCertificateKey is correct.
---------------- servers/slapd/bconfig.c -----------------------
olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the
SYNTAX be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
No, a key is not a certificate. Keys are stored in PKCS#8 encoding.
olcTLSCertificateKeyFile -- case exact match
olcTLSCipherSuite -- case exact match
olcTLSCRLCheck -- case exact match
olcTLSCRLFile -- case exact match
olcTLSRandFile -- case exact match
olcTLSVerifyClient -- case exact match (Shouldn't this be an enum, like
olcMemberOfDangling ?)
It already uses a verbmasks struct, same as olcMemberOfDangling.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9:58 a.m.
--On Tuesday, December 18, 2018 5:53 PM +0000 Howard Chu <hyc(a)symas.com>
wrote:
>
> ---------------- servers/slapd/bconfig.c -----------------------
> olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX
> be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
No, a key is not a certificate. Keys are stored in PKCS#8 encoding.
So what's the matching rule for it? ;)
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
10:08 a.m.
Quanah Gibson-Mount wrote:
--On Tuesday, December 18, 2018 5:53 PM +0000 Howard Chu
<hyc(a)symas.com> wrote:
>>
>> ---------------- servers/slapd/bconfig.c -----------------------
>
>> olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX
>> be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
>
> No, a key is not a certificate. Keys are stored in PKCS#8 encoding.
So what's the matching rule for it? ;)
I suppose it'll have to be octetStringMatch.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
10:15 a.m.
--On Tuesday, December 18, 2018 6:08 PM +0000 Howard Chu <hyc(a)symas.com>
wrote:
Quanah Gibson-Mount wrote:
> --On Tuesday, December 18, 2018 5:53 PM +0000 Howard Chu <hyc(a)symas.com>
> wrote:
>
>>>
>>> ---------------- servers/slapd/bconfig.c -----------------------
>>
>>> olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX
>>> be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
>>
>> No, a key is not a certificate. Keys are stored in PKCS#8 encoding.
>
> So what's the matching rule for it? ;)
I suppose it'll have to be octetStringMatch.
Ok, done:
<https://github.com/quanah/openldap-scratch/commit/57026b565a092de45faf3f6...
That should cover ITS#8286.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
10:18 a.m.
Howard Chu wrote:
Quanah Gibson-Mount wrote:
> --On Tuesday, December 18, 2018 5:53 PM +0000 Howard Chu <hyc(a)symas.com>
wrote:
>
>>>
>>> ---------------- servers/slapd/bconfig.c -----------------------
>>
>>> olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX
>>> be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch?
>>
>> No, a key is not a certificate. Keys are stored in PKCS#8 encoding.
>
> So what's the matching rule for it? ;)
I suppose it'll have to be octetStringMatch.
The syntax needs to be changed, it should be 1.2.840.113549.1.8. I don't see
any benefit to using anything other than octetStringMatch though.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
765
days inactive
765
days old
5 comments
2 participants
participants (2)
-
Howard Chu -
Quanah Gibson-Mount