How do internet-facing, multi-domain ldap servers handle TLS?

2017-10-21 Thread John Lewis
How do internet-facing, multi-domain ldap servers handle TLS?

Do they go multi-port or do they use one TLS certificate that covers
all of the domains, or do they get more IP addresses that are all on
different domains?



Re: Antw: Re: [Q] amendments to schemes existent

2017-10-21 Thread Zeus Panchenko
Andrew Findlay wrote:
> You could try using the extended search filter syntax:
> 
>   (dhcpOption:caseIgnoreSubstringsMatch:=boot*)
> 
> See RFC4515 for more details. In practice you will probably want to create a

I tried and failed ... where did I make a mistake? :(

for original ldapns.schema

1. search works with filter: (authorizedService=mail@hh001.umidb)
   (and without index it returns empty result)

   # base  with scope subtree
   # filter: (authorizedService=mail@hh001.umidb)
   # requesting: authorizedService uid
   #
   
   # mail@hh001.umidb, tafij.tafus, People, umidb
   dn: authorizedService=mail@hh001.umidb,uid=tafij.tafus,ou=People,dc=umidb
   uid: tafij.tafus@mail
   authorizedService: mail@hh001.umidb
   
   # tafij.tafus@hh001.umidb, mail@hh001.umidb, tafij.tafus, People, umidb
   dn: uid=tafij.tafus@hh001.umidb,authorizedService=mail@hh001.umidb,uid=tafij.tafus,ou=People,dc=umidb
   authorizedService: mail@hh001.umidb
   uid: tafij.tafus@hh001.umidb
   
   # search result
   search: 2
   result: 0 Success



2. search works (though the result is empty) with filter:
(authorizedService=m...@hh001.um*)

   # base  with scope subtree
   # filter: (authorizedService=m...@hh001.um*)
   # requesting: authorizedService uid
   #
   
   # search result
   search: 2
   result: 0 Success



3. search (expectedly) works with filter: 
(authorizedService:caseIgnoreMatch:=mail@hh001.umidb)

   # base  with scope subtree
   # filter: (authorizedService:caseIgnoreMatch:=mail@hh001.umidb)
   # requesting: authorizedService uid
   #
   
   # mail@hh001.umidb, tafij.tafus, People, umidb
   dn: authorizedService=mail@hh001.umidb,uid=tafij.tafus,ou=People,dc=umidb
   uid: tafij.tafus@mail
   authorizedService: mail@hh001.umidb
   
   # tafij.tafus@hh001.umidb, mail@hh001.umidb, tafij.tafus, People, umidb
   dn: uid=tafij.tafus@hh001.umidb,authorizedService=mail@hh001.umidb,uid=tafij.tafus,ou=People,dc=umidb
   authorizedService: mail@hh001.umidb
   uid: tafij.tafus@hh001.umidb
   
   # search result
   search: 2
   result: 0 Success


4. search (unexpectedly) does not work at all with filter: 
(authorizedService:caseIgnoreSubstringsMatch:=m...@hh001.umi*)

   # base  with scope subtree
   # filter: (authorizedService:caseIgnoreSubstringsMatch:=m...@hh001.umi*)
   # requesting: authorizedService uid
   #
   
   ldap_search_ext: Bad search filter (-7)



so ... I'm again where I was ... the schema patch is a kludge, but there is still
no other way to get that search :(

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)
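The four searches above, as an added example that is not part of the thread: a small Python model of RFC 4515 filter parsing and RFC 4511 three-valued evaluation. It reproduces why search 2 is silently empty (a substrings filter on an attribute with no SUBSTR rule evaluates to Undefined), why search 4 is rejected (an unescaped `*` is not allowed in the value of an extensibleMatch item), and, going one step beyond the thread, that the same substring does match on uid, whose schema defines a SUBSTR rule. The schema fragment, the sample entry and the matching rules modelled here are assumptions made for this example, not OpenLDAP's own code.

```python
import re
# Constructed schema fragment (an assumption taken from the thread): authorizedService
# from ldapns.schema has an EQUALITY rule but no SUBSTR; uid (core.schema) has both.
SCHEMA = {"authorizedservice": {"equality": "caseIgnoreMatch", "substr": None},
          "uid": {"equality": "caseIgnoreMatch", "substr": "caseIgnoreSubstringsMatch"}}

# RFC 4515: after ':=' the value may not contain an unescaped '(' ')' '*' or '\'.
_EXT = re.compile(r"([A-Za-z][\w-]*)(?::([A-Za-z][\w.-]*))?:=([^()*\\]*)")
_SIMPLE = re.compile(r"([A-Za-z][\w-]*)=([^()\\]*)")

def parse_filter(text):
    """Classify one filter item; ValueError stands in for 'Bad search filter (-7)'."""
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("Bad search filter (-7): missing parentheses")
    body = text[1:-1]
    if m := _EXT.fullmatch(body):          # extensibleMatch: attr[:rule]:=value
        attr, rule, value = m.groups()
        return {"kind": "extensible", "attr": attr, "rule": rule, "value": value}
    if m := _SIMPLE.fullmatch(body):
        attr, value = m.groups()
        if "*" in value:                   # an unescaped '*' makes it a substrings item
            return {"kind": "substrings", "attr": attr, "parts": value.split("*")}
        return {"kind": "equality", "attr": attr, "value": value}
    hint = ": '*' is not allowed after ':='" if ":=" in body else ""
    raise ValueError("Bad search filter (-7)" + hint)

def evaluate(item, entry):
    """Three-valued evaluation per RFC 4511 4.5.1.7: TRUE, FALSE or UNDEFINED."""
    attr = item["attr"].lower()
    if attr not in SCHEMA:
        return "UNDEFINED"                 # attribute type unknown to the server
    values = [v.lower() for v in entry.get(attr, [])]   # caseIgnore* normalisation
    if item["kind"] == "substrings":
        if SCHEMA[attr]["substr"] is None:
            return "UNDEFINED"             # no SUBSTR rule: empty result, no error
        pattern = ".*".join(re.escape(p.lower()) for p in item["parts"])
        return "TRUE" if any(re.fullmatch(pattern, v) for v in values) else "FALSE"
    rule = item.get("rule") or SCHEMA[attr]["equality"]
    if rule != "caseIgnoreMatch":
        return "UNDEFINED"                 # any rule not modelled here -> Undefined
    return "TRUE" if item["value"].lower() in values else "FALSE"

# Constructed entry, modelled on the first result in search 1 above.
ENTRY = {"authorizedservice": ["mail@hh001.umidb"], "uid": ["tafij.tafus@mail"]}

def check(text, entry=ENTRY):
    try:
        return evaluate(parse_filter(text), entry)
    except ValueError as e:
        return "ERROR: " + str(e)
```

An entry is returned by a real server only when the filter evaluates to TRUE, so UNDEFINED and FALSE both show up as an empty result with "result: 0 Success".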



Re: Antw: Re: [Q] amendments to schemes existent

2017-10-21 Thread Zeus Panchenko
Andrew Findlay wrote:
> Try this:
>  (authorizedService:caseIgnoreSubstringsMatch:=m...@hh001.umi)

Now there is no error message, though the result is still empty.

alas ...

# base  with scope subtree
# filter: (authorizedService:caseIgnoreSubstringsMatch:=m...@hh001.umi)
# requesting: authorizedService uid
#

# search result
search: 2
result: 0 Success

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)



Re: Antw: Re: [Q] amendments to schemes existent

2017-10-21 Thread Zeus Panchenko
Ulrich Windl wrote:
> But you are basically changing the semantics of attribute authorizedService:
> Before "*" was literal, after it is magic (substring match).
> 
> The discussion on which variant is more useful is a different issue ;-)

For *my* flow, the variant in the original schema is unusable, since I have
plenty of values, and hardcoding all of them for all available searches
is not a good idea, to my mind ...


To return to the starting question:

is there another way to make originally SUBSTR-less attributes
matchable by substring, other than hacking the schema?

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)

