openldap-bugs November 2006

openldap-bugs@openldap.org

34 participants
148 discussions

(ITS#4760) problem with group caching and proxyAuth control
by richter＠ecos.de 23 Nov '06

23 Nov '06

Full_Name: Gerald Richter Version: 2.3.30 OS: Linux URL: ftp://ftp.openldap.org/incoming/Gerald-Richter-061123.2.patch Submission from: (NULL) (194.95.226.11) Hi, I noticed that when I use the proxyAuth control group members are not correctly resolved. What I do is to login as user A and do a search with proxyAuth control with an authzid of user B. User B is member of a group, which grants him access to the some items. User A is not. When directly logging in as user B, everything is ok. Using proxyAuth user B doesn't have access to the items that are granted to the group. The reason is that the group membership is cached, and therefore users A membership is used for ACL evaluation, instead of users B membership. The attached patch, simply deletes all cached groups, when inside the proxyAuth control setup, which resolvs this issue. Gerald This patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Gerald Richter <richter(a)ecos.de>. These modifications are not subject to any license of ecos GmbH. Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License.

1 0

(ITS#4759) aci comptibilty to V2.1; multiple attrs
by richter＠ecos.de 23 Nov '06

23 Nov '06

Full_Name: Gerald Richter Version: 2.3.30 OS: Linux URL: ftp://ftp.openldap.org/incoming/Gerald-Richter-061123.patch Submission from: (NULL) (194.95.226.11) Hi, I found that due to the rewrite of ACI code, the possiblity to specify more than one attribute in one ACI entry has gone lost. We discussed this already at the beginning of the year on the mailing list. I have made a patch, that is in heavy production use on several systems for some time now, that again (as in OpenLDAP 2.1) allows to have multiple attributes in one ACI. This is not only a compatibility issue, but also improves the performance of ACI handling, if you need to specifiy a lot of attributes. The patch also adds some more debugging output, that allows to easyer understand what's going on, when you have set some ACI and it does not have the desired result. Gerald This patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Gerald Richter <richter(a)ecos.de>. These modifications are not subject to any license of ecos GmbH. Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License.

1 0

(ITS#4758) valsort + dynlist can cause 100% cpu utilization causing slapd to become unresponsive
by michael.heep＠o2.com 23 Nov '06

23 Nov '06

Full_Name: Michael Heep Version: 2.3.30 OS: Linux (RHES30) URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (82.113.101.1) Hi, the following valsort + dynlist combination causes slapd to utilize 100% cpu time when issueing searches against parts of the DIT containing attribute-value pairs "created" by dynlist: overlay dynlist dynlist-attrset extensibleObject memberURL uniqueMember overlay valsort valsort-attr uniqueMember dc=o2online,dc=de alpha-ascend When run independent both overlays work flawlessly.

1 0

ITS#4600 slap_mods_check duplicate check
by hyc＠symas.com 23 Nov '06

23 Nov '06

There *is* a bug here, as Nick pointed out in the first followup - slap_mods2entry does a redundant check for duplicates. All of the mods that get fed into this function have already been checked by slap_mods_check. So we're doing an n^2 check twice on every add, no wonder LDAPAdds are so slow... -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/

1 0

Re: (ITS#4723) SEGV in syncprov search
by richton＠nbcs.rutgers.edu 21 Nov '06

21 Nov '06

Since test033 didn't replicate, I ran librtc against a full production config. The SEGV occurred here (note we're not inside malloc due to librtc redzone features): <rtc> Write to unallocated (wua) on thread 11: Attempting to write 1 byte at address 0xc886b0 which is just past heap block of size 128 bytes at 0xc88630 This block was allocated from: [1] default_malloc_ex() at line 79 in "mem.c" [2] CRYPTO_malloc() at line 304 in "mem.c" [3] RSA_eay_private_decrypt() at line 488 in "rsa_eay.c" [4] RSA_private_decrypt() at line 292 in "rsa_lib.c" [5] ssl3_get_client_key_exchange() at line 1454 in "s3_srvr.c" [6] ssl3_accept() at line 448 in "s3_srvr.c" [7] SSL_accept() at line 816 in "ssl_lib.c" [8] ldap_pvt_tls_accept() at line 863 in "tls.c" Location of error: current thread: t@11 =>[1] BN_bn2bin(a = 0xd93ff3d4, to = 0xc886b0 ""), line 649 in "bn_lib.c" [2] RSA_eay_private_decrypt(flen = 128, from = 0xc76066 "6^D\xf3\xd8\xfb\xa4\x83^H5\xd8b\xa2\xe2\xd9\xdf_0`(^T:w\xd8\xff^C\xf7W\xe2_\xaar\xec\xc7\xf5~\xf1\xf1E{^NX\xe2.\xf5\xa4B^L\xf6$\xb7=\x8er\xde\xee\xce^R^W\x95^?^?", to = 0xc76066 "6^D\xf3\xd8\xfb\xa4\x83^H5\xd8b\xa2\xe2\xd9\xdf_0`(^T:w\xd8\xff^C\xf7W\xe2_\xaar\xec\xc7\xf5~\xf1\xf1E{^NX\xe2.\xf5\xa4B^L\xf6$\xb7=\x8er\xde\xee\xce^R^W\x95^?^?", rsa = 0xbb5a08, padding = 1), line 576 in "rsa_eay.c" [3] RSA_private_decrypt(flen = 128, from = 0xc76066 "6^D\xf3\xd8\xfb\xa4\x83^H5\xd8b\xa2\xe2\xd9\xdf_0`(^T:w\xd8\xff^C\xf7W\xe2_\xaar\xec\xc7\xf5~\xf1\xf1E{^NX\xe2.\xf5\xa4B^L\xf6$\xb7=\x8er\xde\xee\xce^R^W\x95^?^?", to = 0xc76066 "6^D\xf3\xd8\xfb\xa4\x83^H5\xd8b\xa2\xe2\xd9\xdf_0`(^T:w\xd8\xff^C\xf7W\xe2_\xaar\xec\xc7\xf5~\xf1\xf1E{^NX\xe2.\xf5\xa4B^L\xf6$\xb7=\x8er\xde\xee\xce^R^W\x95^?^?", rsa = 0xbb5a08, padding = 1), line 292 in "rsa_lib.c" [4] ssl3_get_client_key_exchange(s = 0xc74500), line 1454 in "s3_srvr.c" [5] ssl3_accept(s = 0xc74500), line 448 in "s3_srvr.c" [6] SSL_accept(s = 0xc74500), line 816 in "ssl_lib.c" [7] ldap_pvt_tls_accept(sb = 0xc74068, ctx_arg = 0xb53bd8), line 863 in "tls.c" [8] connection_read(s = 46), line 1337 in "connection.c" [9] slapd_daemon_task(ptr = (nil)), line 2352 in "daemon.c" This system is running OpenSSL 0.9.7l, although I've seen the #4723 segfault (not under debugger, alas) on 0.9.7d systems as well. Is there any easy way to turn on traffic encryption in 'make test', possibly with some on-the-fly self-gen certs?

1 0

Re: (ITS#3460) Adding LDAP statistics script to contrib directory
by Frank.Swasey＠uvm.edu 20 Nov '06

20 Nov '06

This is a cryptographically signed message in MIME format. --------------ms020103070007040700000908 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit I'm slow reading my email (well 18 days isn't so bad really... ahem...) On 11/2/06 2:42 PM, quanah(a)stanford.edu wrote: > As for #2, I grant such a release for the work I've done on the script. > > Peter S, Dave, Peter M, Frank, and Todd, do you also grant such a release > for the work you've done with this script? :) Yes, I do grant this release. -- Frank Swasey | http://www.uvm.edu/~fcs Sr Systems Administrator | Always remember: You are UNIQUE, University of Vermont | just like everyone else. "I am not young enough to know everything." - Oscar Wilde (1854-1900) --------------ms020103070007040700000908 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJDzCC AuIwggJLoAMCAQICEAq9rKiduK3HCbKzsBiBodUwDQYJKoZIhvcNAQEEBQAwYjELMAkGA1UE BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA2MDcxNzE2NTcyNloX DTA3MDcxNzE2NTcyNlowRjEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEjMCEG CSqGSIb3DQEJARYURnJhbmsuU3dhc2V5QHV2bS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCzhSmesaR8qf2y5cNt0qa27m42Kq3Bwubs28CzSxR1uRUaRZUfL/C2FEFV kKSat6da5b19UEWxM1giaWvLeDtQE5Tok8GhN8LNgScTiSEM6gFWnL0o7A9W7oAj42dfFvBV md7/u7nSJoAP3Wt9cU3TBJBh99U89EzIYLNik8iVhzbwfNmisxmuR5870AHURoR1sN/X4jWx q5114Rv8r60+bVitlXL7P20Z2S9+va9+a7+C1P/yJLPq1GK8+X9uaoUaGHlapBeBYNu3QWQG Q+mF+QuidS01jbaburvJxUm7dVO3QRt1PovVhlidv89eqcH8n4h7xSG1IG3teNJkschdAgMB AAGjMTAvMB8GA1UdEQQYMBaBFEZyYW5rLlN3YXNleUB1dm0uZWR1MAwGA1UdEwEB/wQCMAAw DQYJKoZIhvcNAQEEBQADgYEAblV8ye5ZLs/y3DX0W3NU67N2T6tOSZ1609L+BRWB/Md7RDFd Cm8AXFIldDLzkyPFqs9WpgAQLvZ0gRXQ8aqwYEBB3WlZzkpUS+YTuY6X9wjcroMjHCyWNpq0 /joDumCNSEWiZJ6AZMRom9Z/P6foBxXmgCBKVq/O0mGqgArlxdkwggLiMIICS6ADAgECAhAK vayonbitxwmys7AYgaHVMA0GCSqGSIb3DQEBBAUAMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQK ExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29u YWwgRnJlZW1haWwgSXNzdWluZyBDQTAeFw0wNjA3MTcxNjU3MjZaFw0wNzA3MTcxNjU3MjZa MEYxHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIxIzAhBgkqhkiG9w0BCQEWFEZy YW5rLlN3YXNleUB1dm0uZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs4Up nrGkfKn9suXDbdKmtu5uNiqtwcLm7NvAs0sUdbkVGkWVHy/wthRBVZCkmrenWuW9fVBFsTNY Imlry3g7UBOU6JPBoTfCzYEnE4khDOoBVpy9KOwPVu6AI+NnXxbwVZne/7u50iaAD91rfXFN 0wSQYffVPPRMyGCzYpPIlYc28HzZorMZrkefO9AB1EaEdbDf1+I1sauddeEb/K+tPm1YrZVy +z9tGdkvfr2vfmu/gtT/8iSz6tRivPl/bmqFGhh5WqQXgWDbt0FkBkPphfkLonUtNY22m7q7 ycVJu3VTt0EbdT6L1YZYnb/PXqnB/J+Ie8UhtSBt7XjSZLHIXQIDAQABozEwLzAfBgNVHREE GDAWgRRGcmFuay5Td2FzZXlAdXZtLmVkdTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUA A4GBAG5VfMnuWS7P8tw19FtzVOuzdk+rTkmdetPS/gUVgfzHe0QxXQpvAFxSJXQy85MjxarP VqYAEC72dIEV0PGqsGBAQd1pWc5KVEvmE7mOl/cI3K6DIxwsljaatP46A7pgjUhFomSegGTE aJvWfz+n6AcV5oAgSlavztJhqoAK5cXZMIIDPzCCAqigAwIBAgIBDTANBgkqhkiG9w0BAQUF ADCB0TELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2Fw ZSBUb3duMRowGAYDVQQKExFUaGF3dGUgQ29uc3VsdGluZzEoMCYGA1UECxMfQ2VydGlmaWNh dGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEkMCIGA1UEAxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVt YWlsIENBMSswKQYJKoZIhvcNAQkBFhxwZXJzb25hbC1mcmVlbWFpbEB0aGF3dGUuY29tMB4X DTAzMDcxNzAwMDAwMFoXDTEzMDcxNjIzNTk1OVowYjELMAkGA1UEBhMCWkExJTAjBgNVBAoT HFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25h bCBGcmVlbWFpbCBJc3N1aW5nIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEpjxV c1X7TrnKmVoeaMB1BHCd3+n/ox7svc31W/Iadr1/DDph8r9RzgHU5VAKMNcCY1osiRVwjt3J 8CuFWqo/cVbLrzwLB+fxH5E2JCoTzyvV84J3PQO+K/67GD4Hv0CAAmTXp6a7n2XRxSpUhQ9I BH+nttE8YQRAHmQZcmC3+wIDAQABo4GUMIGRMBIGA1UdEwEB/wQIMAYBAf8CAQAwQwYDVR0f BDwwOjA4oDagNIYyaHR0cDovL2NybC50aGF3dGUuY29tL1RoYXd0ZVBlcnNvbmFsRnJlZW1h aWxDQS5jcmwwCwYDVR0PBAQDAgEGMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRl TGFiZWwyLTEzODANBgkqhkiG9w0BAQUFAAOBgQBIjNFQg+oLLswNo2asZw9/r6y+whehQ5aU nX9MIbj4Nh+qLZ82L8D0HFAgk3A8/a3hYWLD2ToZfoSxmRsAxRoLgnSeJVCUYsfbJ3FXJY3d qZw5jowgT2Vfldr394fWxghOrvbqNOUQGls1TXfjViF4gtwhGTXeJLHTHUb/XV9lTzGCA2Qw ggNgAgEBMHYwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQ dHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENB AhAKvayonbitxwmys7AYgaHVMAkGBSsOAwIaBQCgggHDMBgGCSqGSIb3DQEJAzELBgkqhkiG 9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA2MTEyMDE5NTUxN1owIwYJKoZIhvcNAQkEMRYEFEe5 R0tOqDV5mZSEX9tMzc1x2JoeMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZI hvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGFBgkr BgEEAYI3EAQxeDB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGlu ZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWlu ZyBDQQIQCr2sqJ24rccJsrOwGIGh1TCBhwYLKoZIhvcNAQkQAgsxeKB2MGIxCzAJBgNVBAYT AlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNU aGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQCr2sqJ24rccJsrOwGIGh1TAN BgkqhkiG9w0BAQEFAASCAQB5jfu/W/bTIPufVHhrEsZS19DtAZXNQisiNsDTRGtdQGyyS9w2 NE0w5B0Lhbhg+dgwBGvd03/OqxwguatStF0fpgW2sFK3pbvClmRA7mXte5d51GNP49COPd4C R1dLsOtzmhHb2YJ8Cg46vZWE/UdgGYYoV4zStPNJHs3Z07pQ5pCBMhd4l/BZht+BPgNiirLv UskWVwSwUfGxfgEka9yG4KLCQdhL44oUXRcawWfrOPcmN80jrXHp6FnsNSJ43ifztqK4QKyY idUeA+NEmv3Ss5AO6PkvC51rsr2qmLkMeczl/ZuvcxGaDDloBibCdWJu5R81pRoTO0UdPfiw uwbIAAAAAAAA --------------ms020103070007040700000908--

1 0

Re: (ITS#4757) Support for RFC 3045: Storing Vendor Information in the LDAP root DSE
by Kurt＠OpenLDAP.org 20 Nov '06

20 Nov '06

At 12:36 AM 11/20/2006, michael(a)stroeder.com wrote: >Kurt D. Zeilenga wrote: >> At 01:37 AM 11/19/2006, michael(a)stroeder.com wrote: >>> >>>I'd like to see support for RFC 3045 in slapd. >> >> The only reasonably decent use of such attributes is for >> administrators to determine whether they need to upgrade >> some software or not > >Yes, that's what I'm after. This purpose is, I think, somewhat beyond the intended purpose of the vendorName/Version attributes. These attributes appear to be intended to be used by general LDAP clients, not just administrative clients, for "limited feature discovery". The vendorName/Version you might want reported for "limited feature discovery" might be quite different than what you want reported for "need to upgrade" purposes. And for "need to upgrade" purposes, one needs to know not only the version of the protocol engine (slapd(8)), but version of backend codes, overlay codes, underlying libraries, etc.. >> We provide cn=monitor for this purpose. > >This is proprietary. Think of vendor-independent management/monitoring >software which just gives an terse overview. Generally speaking, DSA administrative interfaces are not standardized. (Which is, to some degree, why I think use of vendorName/Version for administrative purposes is beyond the intentions of these attributes.) >> While it certainly is possible for a client to abuse >> cn=monitor version information, the very fact that the >> version information is in cn=monitor, which generally >> requires special authorization to read, instead of >> the root dse, which generally is readable by most >> every client, is effective in discouraging this abuse. > >The server admin can easily define access control for vendor information >in root DSE. The sample slapd.conf could endorse this. Or another value >for configuration directive 'allow'. Yes, but... Kurt

1 0

Re: (ITS#4757) Support for RFC 3045: Storing Vendor Information in the LDAP root DSE
by michael＠stroeder.com 20 Nov '06

20 Nov '06

Kurt D. Zeilenga wrote: > At 01:37 AM 11/19/2006, michael(a)stroeder.com wrote: >> >>I'd like to see support for RFC 3045 in slapd. > > The only reasonably decent use of such attributes is for > administrators to determine whether they need to upgrade > some software or not Yes, that's what I'm after. > We provide cn=monitor for this purpose. This is proprietary. Think of vendor-independent management/monitoring software which just gives an terse overview. > While it certainly is possible for a client to abuse > cn=monitor version information, the very fact that the > version information is in cn=monitor, which generally > requires special authorization to read, instead of > the root dse, which generally is readable by most > every client, is effective in discouraging this abuse. The server admin can easily define access control for vendor information in root DSE. The sample slapd.conf could endorse this. Or another value for configuration directive 'allow'. Ciao, Michael.

1 0

Re: (ITS#4757) Support for RFC 3045: Storing Vendor Information in the LDAP root DSE
by Kurt＠OpenLDAP.org 19 Nov '06

19 Nov '06

At 01:37 AM 11/19/2006, michael(a)stroeder.com wrote: >Full_Name: Michael Ströder >Version: not relevant >OS: not relevant >URL: ftp://ftp.openldap.org/incoming/ >Submission from: (NULL) (83.124.27.203) > > >HI! > >I'd like to see support for RFC 3045 in slapd. The only reasonably decent use of such attributes is for administrators to determine whether they need to upgrade some software or not (though use of a protocol attribute for this purpose is somewhat problematic). We provide cn=monitor for this purpose. The primary use (or I should say misuse) of such strings is for server behavior discovery (whether the behavior is due to a feature or a bug). As this use leads to interoperability problems (as illustrated by the HTTP "mozilla" compatibility problems), we must allow spoofing and should discourage this use. We support the former via the rootdse configuration option. We support the latter by not providing any values by default. While it certainly is possible for a client to abuse cn=monitor version information, the very fact that the version information is in cn=monitor, which generally requires special authorization to read, instead of the root dse, which generally is readable by most every client, is effective in discouraging this abuse. I think it reasonable to assume any administrative tool for determining whether an OpenLDAP server is up to date would have appropriate authorization to read the cn=monitor values. I note that such tools should not assume a server needs not be upgraded simply because the version is high enough. There easily could be dependent software whose version is not high enough. It would be good for cn=monitor to not only expose the OpenLDAP version information, but to expose version information for dependent software. Of course, as there is an endless number of dependent software, this upgrade detection approach problematic. Seems it would be better to use tools that ran directly on the box to determine whether a server's software needed to be upgraded. But I digresss. In the past we have rejected submissions to extend slapd(8) to generate these values, hence I think this feature request should be closed. However, such closure certainly doesn't preclude someone from implementing **additional** vendorName/Version functionality and submitting it for consideration. There is one aspect of our current vendorName/Version support that is lacking is in dealing with multiple broken clients requiring different vendorName/Version strings. An overlay which spoofed these strings on a configurable basis, whether by authorization identity and/or IP address and/or other authorization factor, would be an interesting functionality addition. Kurt

1 0

(ITS#4757) Support for RFC 3045: Storing Vendor Information in the LDAP root DSE
by michael＠stroeder.com 19 Nov '06

19 Nov '06

Full_Name: Michael Ströder Version: not relevant OS: not relevant URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (83.124.27.203) HI! I'd like to see support for RFC 3045 in slapd. Yes, I know I can set this using configuration directive rootDSE in slapd.conf. But that doesn't really help, especially regarding 'vendorVersion'. Ciao, Michael.

1 0

← Newer
1
2
3
4
5
6
7
...
15
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs November 2006