Re: View or filter based on ldaps://FQDN

[Howard Chu <hyc@symas.com>]

Erwann Abalea wrote:
> Can't SNI support be added?

Perhaps. It depends on which version of TLS library is being used.
> --
> Erwann.
>
> Le 14 janv. 2012 13:08, "Howard Chu" <hyc@symas.com <mailto:hyc@symas.com>> a
> Ãcrit :
>  >
>  > Ronie Gilberto Henrich wrote:
>  >>
>  >> Hello,
>  >>
>  >> I need to be able to restrict ldap ou's access based on the ldaps://FQDN
> used to query the ldap server.
>  >> Let say I have the following in my ldap server:
>  >> ou=domain
>  >>     ou=raincoatcompany.com <http://raincoatcompany.com>
>  >>     ou=umbrellacompany.com <http://umbrellacompany.com>
>  >>
>  >> Considering that both ldap.raincoatcompany.com
> <http://ldap.raincoatcompany.com> and ldap.umbrellacompany.com
> <http://ldap.umbrellacompany.com> are resolving to IP address 10.0.0.10
>  >> So, querying the ldap server using
> ldaps://ldap.raincoatcompany.com/ou=domain
> <http://ldap.raincoatcompany.com/ou=domain> should grant access only to the
> following:
>  >> ou=domain
>  >>     ou=raincoatcompany.com <http://raincoatcompany.com>
>  >> Is there any way to accomplish that with OpenLDAP?
>  >
>  > Not possible. slapd only sees the IP address of the incoming connection, it
> has no way to know what DNS name was used to resolve to that address.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/