Re: 2.4 commit review

2019-11-05 Thread Howard Chu
Ryan Tandy wrote:
>> ITS#9069 Do not call gnutls_global_set_mutex()
> 
> Subject to hyc's approval, but I think this could go in. It's been in Debian 
> since 10.0 and Ubuntu since 19.04, no negative feedback.

OK, sounds fine then.


-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: 2.4 commit review

2019-11-05 Thread Ryan Tandy

On Fri, Nov 01, 2019 at 09:31:07AM -0700, Quanah Gibson-Mount wrote:

> ITS#8753 Set minimum GnuTLS version to 3.2.2

Not on its own. Only needed if the rest of that ITS goes (guessing no).

> ITS#9069 Do not call gnutls_global_set_mutex()

Subject to hyc's approval, but I think this could go in. It's been in 
Debian since 10.0 and Ubuntu since 19.04, no negative feedback.




Re: Session tracking control

2019-11-05 Thread Michael Ströder
On 11/5/19 11:30 AM, Howard Chu wrote:
> It looks like we currently parse this control, but only to allow
> logging its contents, and nothing more. Seems like it would be useful
> to carry the parsed info along with the o_authz struct, and make it
> usable in the ACL engine. This would allow setting ACLs that can
> distinguish between different applications acting on behalf of a
> given user (or service).
>
> Any security downside to this?

If the LDAP client got hacked, the content of the control value cannot be
trusted. So security considerations similar to those for proxy authz apply.

Anyway I'd like to have it available also in set-based ACLs.

Furthermore I'd like to have the normal peer address available in set-based
ACLs, e.g. to grant auth access to userPassword only to bind requests
coming from a certain IP address stored in an attribute of the user's
entry (e.g. 'aeRemoteHost' in Æ-DIR [1] and [2]).

Ciao, Michael.

[1] https://www.ae-dir.com/docs.html#schema-oc-aeUser-attributes

[2] https://www.ae-dir.com/docs.html#schema-oc-aeService-attributes





Session tracking control

2019-11-05 Thread Howard Chu
It looks like we currently parse this control, but only to allow logging its
contents, and nothing more.
Seems like it would be useful to carry the parsed info along with the o_authz
struct, and make it usable in the ACL engine. This would allow setting ACLs
that can distinguish between different applications acting on behalf of a
given user (or service).

Any security downside to this?
-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
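The control discussed in this thread carries four client-supplied strings. As an added example, not OpenLDAP's own code, here is a small Python decoder for that control value (field layout assumed from draft-wahl-ldap-session; the sample value, the BER helpers and the `session_source_matches_peer` check are constructed here) that also illustrates Michael's point: every decoded field comes from the client, so only the connection's real peer address is something the server observed itself.

```python
# Added example, not OpenLDAP code: decode a Session Tracking Control value
# (layout assumed from draft-wahl-ldap-session) with a hand-rolled BER reader.
SESSION_TRACKING_OID = "1.3.6.1.4.1.21008.108.63.1"
FORMAT_USERNAME = SESSION_TRACKING_OID + ".3"   # identifier is a plain username

def _tlv(data, pos):
    """Read one BER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("TLV runs past end of buffer")
    return tag, data[pos:pos + length], pos + length

def _encode(tag, value):
    """Minimal BER encoder (values shorter than 64 KiB), used for the sample."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

def build_session_tracking_value(source_ip, source_name, format_oid, ident):
    """LDAPSession ::= SEQUENCE of four OCTET STRINGs (LDAPOID is an OCTET STRING)."""
    body = b"".join(_encode(0x04, s.encode()) for s in (source_ip, source_name, format_oid, ident))
    return _encode(0x30, body)

def parse_session_tracking_value(value):
    """Return the four LDAPSession fields as a dict; raise ValueError if malformed."""
    try:
        tag, body, end = _tlv(value, 0)
        if tag != 0x30 or end != len(value):
            raise ValueError("control value is not exactly one SEQUENCE")
        fields, pos = [], 0
        while pos < len(body):
            tag, item, pos = _tlv(body, pos)
            if tag != 0x04:
                raise ValueError("unexpected tag 0x%02x" % tag)
            fields.append(item.decode("utf-8"))
    except (IndexError, UnicodeDecodeError) as e:
        raise ValueError("malformed control value: %s" % e)
    if len(fields) != 4:
        raise ValueError("expected 4 fields, got %d" % len(fields))
    keys = ("sessionSourceIp", "sessionSourceName", "formatOID", "sessionTrackingIdentifier")
    return dict(zip(keys, fields))

def session_source_matches_peer(session, peer_ip):
    """Cross-check: every field above is client-supplied; only peer_ip, taken
    from the TCP connection, is something the server itself observed."""
    return session["sessionSourceIp"] == peer_ip
```

A mismatch between sessionSourceIp and the real peer address is worth logging, but an ACL should key on the peer address, not on the control's claim.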