https://bugs.openldap.org/show_bug.cgi?id=10065
--- Comment #16 from [email protected] ---

(In reply to Ondřej Kuzník from comment #15)

> On Mon, Jun 12, 2023 at 01:15:21PM +0000, [email protected] wrote:
> Slightly off-topic but if you configure ldaps:// and *require* client
> certs, the session won't get set up to the point of touching anything
> LDAP related until the client's proved it holds a certificate you trust.

That's only true to a point. The client only needs to hold a certificate from a CA that I trust. The name on the certificate is validated with the ruleset. CAs issue many certificates, even to people with bad intentions.

> Well, that by itself doesn't sound like enough for the OpenLDAP side,
> hence the need for a new field.

I suspect haproxy was looking at the size of the proxy-protocol packet when they decided not to give the full DN. The protocol packet really needs to fit in a single network packet. That might actually end up being a show stopper.

And I still haven't looked at what haproxy _actually_ provides. Just because they put it in the spec doesn't mean they have implemented it.
