openldap-announce

openldap-announce@openldap.org

141 discussions

RFC6125 considered Harmful
by project＠openldap.org 20 Aug '20

20 Aug '20

Hello OpenLDAP community, There have been a number of inquiries recently in regards to RFC 6125 and its support in OpenLDAP. After reviewing the contents of RFC 6125, we felt it important to publicly address the OpenLDAP project's stance on this RFC. RFC 6125 specifically states it does not supersede existing RFCs. Certificate handling for the LDAP protocol is defined in RFC4513, thus the procedures defined in RFC 6125 do not apply to the LDAP protocol. Additionally, RFC 6125 explicitly excludes the LDAP protocol from consideration in Section 1.4 and Appendix B.3. Even without the specific exclusions for the LDAP protocol, the OpenLDAP project considers the general concepts in RFC 6125 as harmful. It redefines the purpose of subjectAlternativeName from being an alternative to the commonName to being the only allowable source for consideration unless it is not present in the certificate. This breaks standard practice for commonName going back to at least 1998. Additionally it breaks standard wildcard certs as issued from various Certificate Authorities as the long standing behavior has been to use a commonName=*.example.com, which is not allowed with RFC 6125. The Subject Naming discussion in Section 2.3 and 2.3.1 is also problematic. Rather than clarify the confusion around Distinguished Names, it just muddles things even further. This is a simple concept and there's no good reason to perpetuate the confusion: DNs are hierarchical names, just like DNS names are hierarchical names. A fully qualified name is an ordered concatenation of names from a root of a naming hierarchy to its leaves. In DNS the root is "." and the names are written in leaf-to-root order, thus: com example.com www.example.com LDAP software has adopted this same leaf-to-root order for its string representation of DNs, thus: dc=com dc=example,dc=com dc=www,dc=example,dc=com Although older X.500 software tended to use a root-to-leaf ordering, just like filesystems use, and older X.509 certificate tools used this as well: /dc=com /dc=com/dc=example /dc=com/dc=example/dc=www This is still the exact same DN, just using a different convention for string representation. Ignoring the fact that DNs are hierarchical, and noting that a CN appearing anywhere in the DN can be used to check a service name, flies in the face of over 30 years of practice. In summary, RFC 6125 breaks long-established practices for weakly supported reasons and fails to enhance understanding of the subject.

1 0

OpenLDAP 2.4.51 available, LMDB 0.9.26 available
by project＠openldap.org 12 Aug '20

12 Aug '20

OpenLDAP 2.4.51 is now available for download as detailed on our download page: https://www.openldap.org/software/download/ and should soon be available on all official mirrors: ftp://ftp.openldap.org/pub/OpenLDAP/MIRRORS This is a maintenance release and is made available for general use. Users of OpenLDAP Software are encouraged to upgrade. Significant contributors are: Howard Chu (Symas Corp) Quanah Gibson-Mount (Symas Corp) Ondřej Kuzník (Symas Corp) Ryan Tandy OpenLDAP 2.4.51 Release (2020/08/11) Added slapo-ppolicy implement Netscape password policy controls (ITS#9279) Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650) Fixed libldap to use getaddrinfo in ldap_pvt_get_fqdn (ITS#9287) Fixed slapd to enforce singular existence of some overlays (ITS#9309) Fixed slapd syncrepl to not delete non-replicated attrs (ITS#9227) Fixed slapd syncrepl to correctly delete entries on resync (ITS#9282) Fixed slapd syncrepl to use replace on single valued attrs (ITS#9294, ITS#9295) Fixed slapd-perl dynamic config with threaded slapd (ITS#7573) Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285) Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302) Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309) Fixed slapo-chain to check referral (ITS#9262) Build Environment Fix test064 so it no longer uses bashisms (ITS#9263) Contrib Fix default prefix value for pw-argon2, pw-pbkdf2 modules (ITS#9248) slapo-allowed - Fix usage of unitialized variable (ITS#9308) Documentation ldap_parse_result(3) - Document ldap_parse_intermediate (ITS#9271) MD5(openldap-2.4.51.tgz)= 0d2025896cf1c17af7304ecc57ec9531 SHA1(openldap-2.4.51.tgz)= 4fe7f0e5766d0d9a5431871b581938c05b4eb873 LMDB 0.9.26 Release (2020/08/11) ITS#9278 fix robust mutex cleanup for FreeBSD

1 0

OpenLDAP 2.4.50 available
by project＠openldap.org 28 Apr '20

28 Apr '20

OpenLDAP 2.4.50 is now available for download as detailed on our download page: https://www.openldap.org/software/download/ and should soon be available on all official mirrors: ftp://ftp.openldap.org/pub/OpenLDAP/MIRRORS This is a maintenance release and is made available for general use. Users of OpenLDAP Software are encouraged to upgrade. This release contains a security fix for a potential DoS attack (ITS#9202), reported by the Samba Team and filed as CVE-2020-10704. Further OpenLDAP specific CVE filed by Debian as CVE-2020-12243. Significant contributors are: Howard Chu (Symas Corp) Quanah Gibson-Mount (Symas Corp) Ondřej Kuzník (Symas Corp) Ryan Tandy OpenLDAP 2.4.50 Release (2020/04/28) Fixed client benign typos (ITS#8890) Fixed libldap type cast (ITS#9175) Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650) Fixed libldap_r race on Windows mutex initialization (ITS#9181) Fixed liblunicode memory leak (ITS#9198) Fixed slapd benign typos (ITS#8890) Fixed slapd to limit depth of nested filters (ITS#9202) Fixed slapd-mdb memory leak in dnSuperiorMatch (ITS#9214) Fixed slapo-pcache database initialization (ITS#9182) Fixed slapo-ppolicy callback (ITS#9171) Build Fix olcDatabaseDummy initialization for windows (ITS#7074) Fix detection for ws2tcpip.h for windows (ITS#8383) Fix back-mdb types for windows (ITS#7878) Contrib Update ldapc++ config.guess and config.sub to support newer architectures (ITS#7855) Added pw-argon2 module (ITS#9233, ITS#8575, ITS#9203, ITS#9206) Documentation slapd-ldap(5) - Clarify idassert-authzfrom behavior (ITS#9003) slapd-meta(5) - Remove client-pr option (ITS#8683) slapdinex(8) - Fix truncate option information for back-mdb (ITS#9230) MD5(openldap-2.4.50.tgz)= f9ed44ef373abed04c9e4c8586260f9e SHA1(openldap-2.4.50.tgz)= 82f576e0d0d334e9e798d9de8936683546247bb9

1 0

OpenLDAP infrastructure updates
by OpenLDAP project 05 Mar '20

05 Mar '20

On March 12, 2020 the infrastructure for the OpenLDAP project will be undergoing a long needed set of upgrades. In particular, the following changes will be made: * The Jitterbugs based issue tracker will be replaced with Bugzilla. All existing issues will be migrated into Bugzilla. * The list server will be upgraded from mailman2 to mailman3 * The git repository will be moved to a gitlab instance It is expected that this maintenance will last several hours and most project services will be unavailable during that time. A further email will be sent once the migration is complete. Once the migration is complete the method for accessing some resources will change: * The new bugzilla tracking system will require a login to file bugs. Individuals who have submitted bugs in the past will already have an account created for them, but will need to request a password reset or use the Github authentication method (as long as Github has the account email address) * The updated mailman3 instance also will require a login for list management. You will need to confirm your email in mailman before being able to log in (either directly or via GitHub). Additionally, several services will be read-only snapshots after the migration: * Existing mailing list archives (from mailmain2) will be retained at their current location, but new emails will be archived in the mailman3 archive site only. * The FAQ site, which will be removed after useful content is migrated to a new platform (yet to be decided) * The FTP site will be only used for tarball distribution of new releases. New patch submissions should be done either via gitlab (preferred) or as attachments in bugzilla.

1 0

OpenLDAP 2.4.49 available, LMDB 0.9.25 available
by OpenLDAP project 30 Jan '20

30 Jan '20

OpenLDAP 2.4.49 is now available for download as detailed on our download page: http://www.openldap.org/software/download/ and should soon be available on all official mirrors: ftp://ftp.openldap.org/pub/OpenLDAP/MIRRORS This is a maintenance release and is made available for general use. Users of OpenLDAP Software are encouraged to upgrade. Significant contributors are: Howard Chu (Symas Corp) Quanah Gibson-Mount (Symas Corp) Ondřej Kuzník (Symas Corp) Ryan Tandy OpenLDAP 2.4.49 Release (2020/01/30) Added slapd-monitor database entry count for slapd-mdb (ITS#9154) Fixed client tools to not add controls on cancel/abandon (ITS#9145) Fixed client tools SyncInfo message to be LDIF compliant (ITS#8116) Fixed libldap to correctly free sb (ITS#9081, ITS#8755) Fixed libldap descriptor leak if ldaps fails (ITS#9147) Fixed libldap remove unnecessary global mutex for GnuTLS (ITS#9069) Fixed slapd syntax evaluation of preferredDeliveryMethod (ITS#9067) Fixed slapd to relax domainScope control check (ITS#9100) Fixed slapd to have cleaner error handling during connection setup (ITS#9112) Fixed slapd data check when processing cancel exop (ITS#9124) Fixed slapd attribute description processing (ITS#9128) Fixed slapd-ldap to set oldctrls correctly (ITS#9076) Fixed slapd-mdb to honor unchecked limit with alias deref (ITS#7657) Fixed slapd-mdb missing final commit with slapindex (ITS#9095) Fixed slapd-mdb drop attr mappings added in an aborted txn (ITS#9091) Fixed slapd-mdb nosync FLAG configuration handling (ITS#9150) Fixed slapd-monitor global operation counter reporting (ITS#9119) Fixed slapo-ppolicy when used with slapauth (ITS#8629) Fixed slapo-ppolicy to add a missed normalised copy of pwdChangedTime (ITS#9126) Fixed slapo-syncprov fix sessionlog init (ITS#9146) Fixed slapo-unique loop termination (ITS#9077) Build Environment Fix mkdep to honor TMPDIR if set (ITS#9062) Remove ICU library detection (ITS#9144) Update config.guess and config.sub to support newer architectures (ITS#7855) Disable ITS8521 regression test as it is no longer valid (ITS#9015) Documentation admin24 - Fix inconsistent whitespace in replication section (ITS#9153) slapd-config(5)/slapd.conf(5) - Fix missing bold tag for keyword (ITS#9063) slapd-ldap(5) - Document "tls none" option (ITS#9071) slapo-ppolicy(5) - Correctly document pwdGraceAuthnLimit (ITS#9065) MD5(openldap-2.4.49.tgz)= 2a47a6bb4319357ea7b032c45283e79e SHA1(openldap-2.4.49.tgz)= f0caeca122e6f90e6ac5cc8ba36fe9cec13826da LMDB 0.9.25 Release (2020/01/30) ITS#9068 fix mdb_dump/load backslashes in printable content ITS#9118 add MAP_NOSYNC for FreeBSD ITS#9155 free mt_spill_pgs in non-nested txn on end

1 0

OpenLDAP 2.4.48 available, LMDB 0.9.24 available
by OpenLDAP Project 24 Jul '19

24 Jul '19

OpenLDAP 2.4.48 is now available for download as detailed on our download page: http://www.openldap.org/software/download/ and should soon be available on all official mirrors: ftp://ftp.openldap.org/pub/OpenLDAP/MIRRORS This is a maintenance release and is made available for general use. Users of OpenLDAP Software are encouraged to upgrade. This release includes two security fixes, ITS#9038 (CVE-2019-13057) and ITS#9052 (CVE-2019-13565). These issues are unlikely to affect the majority of deployments, but please check the details for each issue. For downstream packagers, this release also includes a new header file (openldap.h) that should be packaged along with the other header files. Significant contributors are: Howard Chu (Symas Corp) Quanah Gibson-Mount (Symas Corp) Ondřej Kuzník (Symas Corp) OpenLDAP 2.4.48 (2019/07/24) Added libldap OpenSSL Elliptic Curve support (ITS#7595) Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671) Added slapd-monitor support for slapd-mdb (ITS#7770) Fixed liblber leaks (ITS#8727) Fixed liblber with partial flush (ITS#8864) Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980) Fixed libldap ASYNC connections with Solaris 10 (ITS#8968) Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585) Fixed libldap to be able to unset syncrepl TLS options (ITS#7042) Fixed libldap race condition in ldap_int_initialize (ITS#7996, ITS#8450) Fixed libldap return code in ldap_create_assertion_control_value (ITS#8674) Fixed libldap to correctly disable IPv6 when configured to do so (ITS#8754) Fixed libldap to correctly close TLS connection (ITS#8755) Fixed libldap with non-blocking TLS and referals (ITS#8167) Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353) Fixed liblunicode case correspondance (ITS#8508) Fixed slapd with an idletimeout of less than four seconds (ITS#8952) Fixed slapd config parser variable for Windows64 (ITS#9012) Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015) Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999) Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037) Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038) Fixed slapd to initialize SASL SSF per connection (ITS#9052) Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990) Fixed slapd-ldap starttls connections timeout behavior (ITS#8963) Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997) Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743) Fixed slapd-meta assertion when network interface goes down (ITS#8841) Fixed slapd-mdb fix bitshift integer overflow (ITS#8989) Fixed slapd-mdb index cleanup with cn=config (ITS#8472) Fixed slapd-mdb to improve performance with alias deref (ITS#7657) Fixed slapo-accesslog possible assert with exops (ITS#8971) Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637) Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799) Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663) Fixed slapo-memberof for group name change to itself (ITS#9000) Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349) Fixed slapo-rwm to not free original filter (ITS#8964) Fixed slapo-syncprov contextCSN generation (ITS#9015) Build Environment Fixed slapd to only link to BDB libraries with static build (ITS#8948) Fixed libldap implicit declaration with LDAP_CONNECTIONLESS (ITS#8794) Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041) Documentation General - Fixed minor typos (ITS#8764, ITS#8761) admin24 - Miscellaneous updates promoting mdb and fixing examples (ITS#9031) slapd.access(5) - Note MDB is the primary backend (ITS#8881) slapd.backends(5) - Note MDB is the recommended backend (ITS#8771) slapd-ldap(5) - Document starttls parameter (ITS#8693) Contrib Added slapo-lastbind capability to forward authTimestamp updates (ITS#7721) MD5(openldap-2.4.48.tgz)= 0729a0711fe096831dedc159e0bbe73f SHA1(openldap-2.4.48.tgz)= c1984e80f6db038b317bf931866adb38e5537dcd LMDB 0.9.24 Release (2019/07/24) ITS#8969 Tweak mdb_page_split ITS#8975 WIN32 fix writemap set_mapsize crash ITS#9007 Fix loose pages in WRITEMAP

1 0

LDAPCon 2019
by Howard Chu 04 Jul '19

04 Jul '19

>From https://ldapcon.org/2019/ It's high time we shared the news: the 7th Conference on LDAP, Directory Services and Identity Management will take place November 4-6th at the Holiday Inn in Sofia, Bulgaria. November 4th is set aside for workshops, November 5th and 6th will be the regular sessions. Situated at the crossroads between the east and the west, Sofia is nearly 7,000 years old and steeped in historical significance. It's also the largest city in Bulgaria, one of the top-10 locations in the world for startups, especially tech, and one of Europe's most affordable cities. Other attractions include good wine, great food that represents Balkan and Oriental cuisine, and a great view to the Vitosha mountain, making it a perfect location for the next LDAPCon. Topics of interest will include service design, LDAP schema, protocol enhancements, server technology and client programming. There will be ample opportunities to meet other LDAP specialists including the central figures in the development teams of many well-known server products. The Call for Participation is now open[0] and runs until August 1st. [0]. https://cfp.ldapcon.org/ldapcon2019/cfp -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

OpenLDAP Booth at FOSDEM
by Howard Chu 01 Feb '19

01 Feb '19

We are running a booth at the FOSDEM 2019 conference in Brussels this weekend. Drop by and visit if you're here! At least myself, Michael Stroeder, and Clement Oudot will be around at various times. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

OpenLDAP 2.4.47 available, LMDB 0.9.23 available
by OpenLDAP Project 19 Dec '18

19 Dec '18

OpenLDAP 2.4.47 is now available for download as detailed on our download page: http://www.openldap.org/software/download/ and should soon be available on all official mirrors: ftp://ftp.openldap.org/pub/OpenLDAP/MIRRORS This is a maintenance release and is made available for general use. Users of OpenLDAP Software are encouraged to upgrade. Significant contributors are: Howard Chu (Symas Corp) Quanah Gibson-Mount (Symas Corp) Ondřej Kuzník (Symas Corp) OpenLDAP 2.4.47 Release (2018/12/19) Added slapd-sock DN qualifier for subtrees to be processed (ITS#8051) Added slapd-sock ability to send extended operations to external listeners (ITS#8714) Fixed liblber to avoid incremental access to user-supplied bv in dupbv (ITS#8752) Fixed libldap dn to domain parsing with bad input (ITS#8842) Fixed slapd slapcat to correctly honor -g option (ITS#8667) Fixed slapd to correctly handle NO_SUCH_OBJECT with dynamic groups (ITS#8923) Fixed slapd to check status of rdnNormalize (ITS#8932) Fixed slapd cn=config when modifying slapo-syncprov config (ITS#8616) Fixed slapd sasl authz-policy "all" behavior (ITS#8909) Fixed slapd sasl minor typo (ITS#8918) Fixed slapd to correctly hide hidden DBs in the rootDSE (ITS#8912) Fixed slapd domainScope control to match Microsoft specification (ITS#8840) Fixed slapd-bdb/hdb/mdb to not convert certain IDLs to ranges (ITS#8868) Fixed slapo-accesslog deadlock during cleanup (ITS#8752) Fixed slapo-memberof cn=config modifications (ITS#8663) Fixed slapo-ppolicy with multimaster replication (ITS#8927) Fixed slapo-syncprov with NULL modlist (ITS#8843) Build Environment Added slapd reproducible build support (ITS#8928) Fixed missing includes with OpenSSL 1.0.2 (ITS#8809) Contrib Fixed slapo-pbkdf2 hash generation (ITS#8878) Documentation admin24 fixed minor typo (ITS#8887) MD5(openldap-2.4.47.tgz)= e508f97bfd778fec7799f286e5c07176 SHA1(openldap-2.4.47.tgz)= c59d52dd75f7d1c7b02f83725da36c322d439674 LMDB 0.9.23 Release (2018/12/19) ITS#8756 Fix loose pages in dirty list ITS#8831 Fix mdb_load flag init ITS#8844 Fix mdb_env_close in forked process Documentation ITS#8857 mdb_cursor_del doesn't invalidate cursor ITS#8908 GET_MULTIPLE etc don't change passed in key

1 0

Fifth OpenLDAP Developer Day – Call for Registration!
by Howard Chu 13 Sep '18

13 Sep '18

Together with the University of Tübingen and Symas, DAASI International invites all stakeholders to meet in Tübingen and celebrate 20 years of OpenLDAP! The 5th OpenLDAP Developer Day is a great opportunity to come together as a community and exchange ideas with developers of OpenLDAP software, directory researchers and other OpenLDAP community members interested in discussing ongoing and future development efforts. Are you a stakeholder interested to join us for the 5th OpenLDAP Developer Day? Then please register by contacting us at odd-silverjubilee(a)daasi.de before September 28th. You are invited to listen to interesting speakers and to take part in fruitful discussions. Also, if you would like to present your own topic to the community, there are still some of the limited speaker slots of 15 to 45 minutes available. Just email us at odd-silverjubilee(a)daasi.de as soon as possible, but no later than the extended deadline of September 21st. The full Call for Content is available here. The OpenLDAP Developer Day will take place at the Computing Center of the University of Tübingen (Wächterstraße 76, 72074 Tübingen). Information on how to find the location of the OpenLDAP Developer Day is available here https://daasi.de/en/company/journey-and-stay/. We are looking forward to celebrate the OpenLDAP Silver Jubilee with you! If you have any questions, please do not hesitate to contact us at odd-silverjubilee(a)daasi.de. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

← Newer
1
2
3
4
5
6
7
8
9
...
15
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-announce