A quick addition: SNI was defined to solve a problem not encountered with
LDAP (name virtual hosting on a unique IP address). It also requires the
client to be cooperative and announce the desired hostname in an extension
(Server Name Indication) during TLS negotiation.
Not supporting it in an LDAP context is not bad, or a lack of anything.
My opinion would be that the OP redefines his need.
--
Erwann.
On 14 Jan 2012 13:23, "Erwann Abalea" <eabalea@gmail.com> wrote:
>
> Can't SNI support be added?
>
> --
> Erwann.
>
> On 14 Jan 2012 13:08, "Howard Chu" <hyc@symas.com> wrote:
>
> >
> > Ronie Gilberto Henrich wrote:
> >>
> >> Hello,
> >>
> >> I need to be able to restrict LDAP OU access based on the ldaps://FQDN used to query the LDAP server.
> >> Let's say I have the following in my LDAP server:
> >> ou=domain
> >> ou=raincoatcompany.com
> >> ou=umbrellacompany.com
> >>
> >> Considering that both ldap.raincoatcompany.com and ldap.umbrellacompany.com are resolving to IP address 10.0.0.10
> >> So, querying the LDAP server using ldaps://ldap.raincoatcompany.com/ou=domain should grant access only to the following:
> >> ou=domain
> >> ou=raincoatcompany.com
> >> Is there any way to accomplish that with OpenLDAP?
> >
> > Not possible. slapd only sees the IP address of the incoming connection; it has no way to know what DNS name was used to resolve to that address.
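To make the point in the thread concrete, here is an added example (not code from the OpenLDAP project or from any poster) that builds a minimal TLS 1.2 ClientHello with and without the server_name extension of RFC 6066, and parses the SNI back out the way a server would have to. The cipher suite, the all-zero random field and the two hostnames are constructed for the example; `tenant_from_client_hello` is a hypothetical server-side decision, not anything slapd implements. What it shows is exactly Erwann's caveat: the hostname reaches the server only if the client chose to put it in the ClientHello, and a client that sends no SNI leaves the server with nothing but the shared IP address.

```python
"""Added example: TLS ClientHello with/without SNI, and server-side extraction.

Not from the OpenLDAP thread. Demonstrates that the requested hostname is
only available to the server when the client cooperates and sends a
server_name extension (RFC 6066); otherwise the server sees the IP only.
"""
import struct


def _u16(n):
    return struct.pack(">H", n)


def _u24(n):
    return struct.pack(">I", n)[1:]


def build_client_hello(server_name=None):
    """Return one TLS record carrying a ClientHello (constructed, deterministic)."""
    body = b"\x03\x03"                           # client_version: TLS 1.2
    body += bytes(32)                            # random: all zero (constructed)
    body += b"\x00"                              # session_id length 0
    body += _u16(2) + b"\xc0\x2f"                # one suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                          # compression_methods: null only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + _u16(len(host)) + host  # name_type host_name(0)
        sni_list = _u16(len(entry)) + entry
        extensions += _u16(0) + _u16(len(sni_list)) + sni_list  # ext type 0
    if extensions:
        body += _u16(len(extensions)) + extensions
    handshake = b"\x01" + _u24(len(body)) + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # record layer


def extract_sni(record):
    """Parse a ClientHello record; return host_name from server_name, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = struct.unpack(">I", b"\x00" + hs[1:4])[0]
    p = 4
    end = p + hs_len
    p += 2 + 32                                  # version + random
    sid_len = hs[p]; p += 1 + sid_len
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]; p += 2 + cs_len
    cm_len = hs[p]; p += 1 + cm_len
    if p >= end:
        return None                              # client sent no extensions at all
    ext_len = struct.unpack(">H", hs[p:p + 2])[0]; p += 2
    ext_end = p + ext_len
    while p + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", hs[p:p + 4]); p += 4
        data = hs[p:p + elen]; p += elen
        if etype == 0:                           # server_name extension
            list_len = struct.unpack(">H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                nlen = struct.unpack(">H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:                   # host_name
                    return name.decode("ascii")
    return None


def tenant_from_client_hello(record, hosts):
    """Hypothetical server-side policy: map SNI to a tenant OU.

    Returns None when the client sent no (or an unknown) SNI; at that point
    the only thing a server has is the peer IP, which both tenants share.
    """
    name = extract_sni(record)
    return hosts.get(name) if name is not None else None


if __name__ == "__main__":
    # Constructed mapping mirroring the two OUs in the thread.
    hosts = {"ldap.raincoatcompany.com": "ou=raincoatcompany.com",
             "ldap.umbrellacompany.com": "ou=umbrellacompany.com"}
    print(tenant_from_client_hello(build_client_hello("ldap.raincoatcompany.com"), hosts))
    print(tenant_from_client_hello(build_client_hello(), hosts))
```

Note that even with SNI parsed, the name is a client-asserted hint, not an authenticated fact; it is fine for selecting which certificate or namespace to present, but any real access decision still has to rest on the bind identity and ACLs, not on the hostname the client typed.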