openldap-bugs October 2007

openldap-bugs@openldap.org

38 participants
215 discussions

(ITS#5202) ldapsearch -E pr segfault
by kurt＠OpenLDAP.org 25 Oct '07

25 Oct '07

Full_Name: Kurt Zeilenga Version: 2.3.38 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (75.141.229.206) Here's a stack trace; the command was: % ldapsearch -x -E pr=2/noprompt -b "o=test2,o=test" -s one "cn=*" cn . . (gdb) where #0 0x005303d4 in _int_free () from /lib/tls/libc.so.6 #1 0x0053172b in free () from /lib/tls/libc.so.6 #2 0x004201e3 in ber_memfree_x (p=0x805405d, ctx=0x0) at memory.c:149 #3 0x001d85e8 in ldap_control_free (c=0xbfe3ecd0) at controls.c:260 #4 0x001d8669 in ldap_controls_free (controls=0x9c801c8) at controls.c:285 #5 0x0804f703 in tool_server_controls (ld=0x9c76550, extra_c=0xbfe3ece0, count=-1) at common.c:1250 #6 0x0804b910 in main (argc=14, argv=0xbfe40e44) at ldapsearch.c:794 It's done the bind ok by this stage but never gets as far as sending the search request.

1 0

Re: (ITS#5195) ssf not available during sasl bind
by hyc＠symas.com 25 Oct '07

25 Oct '07

russell-openldap(a)stuart.id.au wrote: > In one sense you are correct: the userPassword read > by slap_auxprop_lookup will never be revealed. And > so yes, the ssf for the results of that search would > be infinity. > > But what I want to check is the weakest link in the > chain. I can't imagine any instance when that isn't > what you would want to check, so that is what the > ssf should reflect. By definition, the > slap_auxprop_lookup can never be the weakest link. > The weakest link in this case when sasl sent the > password to slapd. Really, what I want to say is if > the password was sent in the clear, whether it be by > sasl or simple auth, then the link must be encrypted. > > The patch makes the information required to do that > test available. Using ACLs to enforce this requirement is the wrong approach though. You should just use the "security" directive instead. With your approach you're missing the fact that SASL may not have sent any password at all to slapd (e.g., when using DIGEST-MD5 or an OTP mechanism). As such, you're imposing a constraint that makes no sense. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: ITS#5199
by david＠schmitt.edv-bus.at 25 Oct '07

25 Oct '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wednesday 24 October 2007, you wrote: > The stack backtrace you provide is useless, as it refers to the main > thread. Please run "thread apply all bt full". Hmpf. Thanks for your answer, I will try to get a better trace upon the next hang. Regards, David - -- The primary freedom of open source is not the freedom from cost, but the free- dom to shape software to do what you want. This freedom is /never/ exercised without cost, but is available /at all/ only by accepting the very different costs associated with open source, costs not in money, but in time and effort. - -- http://www.schierer.org/~luke/log/20070710-1129/on-forks-and-forking -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHIEgZ/Pp1N6Uzh0URAjTPAJ4oiB8IlYjeDKxIGDKHDFCtQEKr2QCgnECE x5GwRPbtZ4Cl5bMy0NlOsTc= =nnG/ -----END PGP SIGNATURE-----

1 0

Re: (ITS#5195) ssf not available during sasl bind
by russell-openldap＠stuart.id.au 25 Oct '07

25 Oct '07

In one sense you are correct: the userPassword read by slap_auxprop_lookup will never be revealed. And so yes, the ssf for the results of that search would be infinity. But what I want to check is the weakest link in the chain. I can't imagine any instance when that isn't what you would want to check, so that is what the ssf should reflect. By definition, the slap_auxprop_lookup can never be the weakest link. The weakest link in this case when sasl sent the password to slapd. Really, what I want to say is if the password was sent in the clear, whether it be by sasl or simple auth, then the link must be encrypted. The patch makes the information required to do that test available.

1 0

RE: (ITS#5201) pcache has an incorrect LDAP_DEBUG _NONE debug statement
by mhardin＠symas.com 24 Oct '07

24 Oct '07

> From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] > Sent: Wednesday, October 24, 2007 11:43 AM [...] > > > > On line 1267 of servers/slapd/overlays/pcache.c there is a debug > > statement, "Entering QC, querystr = %s\n", which is clearly a routine > > debug statement specific to pcache. The channel used is LDAP_DEBUG_NONE, > > and this makes for very chatty output when a loglevel of 'none' is > > specified in slapd.conf and the pcache overlay is in use. The log > channel > > should be changed to 'pcache_debug' instead. > > This is already fixed in REL_ENG_2_3, REL_ENG_2_4, and HEAD. I just saw that- reject if you care to. > --Quanah -Matt Matthew Hardin Symas Corporation- The LDAP Guys http://www.symas.com

1 0

Re: (ITS#5201) pcache has an incorrect LDAP_DEBUG _NONE debug statement
by quanah＠zimbra.com 24 Oct '07

24 Oct '07

--On Wednesday, October 24, 2007 5:27 PM +0000 mhardin(a)symas.com wrote: > Full_Name: Matthew Hardin > Version: 2.3.38 > OS: All > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (74.38.114.43) > > > On line 1267 of servers/slapd/overlays/pcache.c there is a debug > statement, "Entering QC, querystr = %s\n", which is clearly a routine > debug statement specific to pcache. The channel used is LDAP_DEBUG_NONE, > and this makes for very chatty output when a loglevel of 'none' is > specified in slapd.conf and the pcache overlay is in use. The log channel > should be changed to 'pcache' instead. This is already fixed in REL_ENG_2_3, REL_ENG_2_4, and HEAD. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#5201) pcache has an incorrect LDAP_DEBUG _NONE debug statement
by mhardin＠symas.com 24 Oct '07

24 Oct '07

Full_Name: Matthew Hardin Version: 2.3.38 OS: All URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (74.38.114.43) On line 1267 of servers/slapd/overlays/pcache.c there is a debug statement, "Entering QC, querystr = %s\n", which is clearly a routine debug statement specific to pcache. The channel used is LDAP_DEBUG_NONE, and this makes for very chatty output when a loglevel of 'none' is specified in slapd.conf and the pcache overlay is in use. The log channel should be changed to 'pcache' instead.

1 0

ITS#5199
by ando＠sys-net.it 24 Oct '07

24 Oct '07

The stack backtrace you provide is useless, as it refers to the main thread. Please run "thread apply all bt full". p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati(a)sys-net.it ---------------------------------------

1 0

(ITS#5200) Wrong maxderefdepth doc or default
by h.b.furuseth＠usit.uio.no 24 Oct '07

24 Oct '07

Full_Name: Hallvard B Furuseth Version: HEAD, RE23, RE24 OS: URL: Submission from: (NULL) (129.240.6.233) Submitted by: hallvard slapd.conf(5) and slapd-config(5) say MaxDerefDepth defaults to 1, but include/ldap_defaults.h says #define SLAPD_DEFAULT_MAXDEREFDEPTH 15.

1 0

(ITS#5199) slapd sometimes hangs with back-sql
by david＠schmitt.edv-bus.at 24 Oct '07

24 Oct '07

Full_Name: David Schmitt Version: 2.3.38 OS: Debian etch URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (193.170.138.34) Hi! I have OSX clients authenticating via slapd against my postgres database. Once every fortnight slapd stops responding to requests. I got this backtrace out of it: 0x00002b28372e20f5 in pthread_join () from /lib/libpthread.so.0 (gdb) bt full #0 0x00002b28372e20f5 in pthread_join () from /lib/libpthread.so.0 No symbol table info available. #1 0x00000000004230d2 in slapd_daemon () at /root/tmp/openldap2.3-2.3.38/servers/slapd/daemon.c:2579 listener_tid = 1082132832 rc = 0 #2 0x000000000041665f in main (argc=5, argv=0x7fff748e4288) at /root/tmp/openldap2.3-2.3.38/servers/slapd/main.c:859 save_errno = <value optimized out> fp = (FILE *) 0x6a4f70 i = <value optimized out> no_detach = 0 rc = 1 urls = <value optimized out> username = 0x605030 "gidNumber" groupname = 0x605010 "\226{P7(+" sandbox = 0x0 syslogUser = 160 configfile = <value optimized out> configdir = <value optimized out> serverName = <value optimized out> scp = <value optimized out> scp_entry = <value optimized out> debug_unknowns = (char **) 0x0 syslog_unknowns = (char **) 0x0 l = <value optimized out> slapd_pid_file_unlink = 1 slapd_args_file_unlink = 1 __PRETTY_FUNCTION__ = "main" (gdb) When testing with ldapsearch, the client connects, but doesn't receive any data. This is running on a 2.6.21-2-vserver-amd64 kernel, within a vserver container.

1 0

← Newer
1
2
3
4
5
6
7
8
...
22
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs October 2007