openldap-bugs February 2007

openldap-bugs@openldap.org

32 participants
125 discussions

Re: (ITS#4685) Updated changelog overlay by Neil Dunbar
by sebastian.rieger＠gwdg.de 20 Feb '07

20 Feb '07

This is a multi-part message in MIME format. ------=_NextPart_000_026A_01C7550D.760C6C90 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I updated the changelog overlay to work with OpenLDAP up to 2.3.34, and removed some bugs from the changelog purging routine. Several stress = tests were done using 2.3.34 so it should work without problems. To ease installation of the overlay I assembled a patch, that adds the overlay = to configure, configure.in and portable.hin: Patch can be found in: ftp://ftp.openldap.org/incoming/changelog-rieger-070220.c Updated Source for the overlay: ftp://ftp.openldap.org/incoming/changelog-rieger-070220-patch.gz I'm currently working on fixing the overlay to work with OpenLDAP CVS = HEAD where the registration of the schema seems to have changed. -- MfG Sebastian Rieger Gesellschaft f=FCr wissenschaftliche Datenverarbeitung mbH G=F6ttingen=20 Am Fassberg - 37077 G=F6ttingen Fon: +49 551 201 1878 -- Fax: +49 551 201 2150 Gesch=E4ftsf=FChrer: Prof. Dr. Bernhard Neumair Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger Sitz der Gesellschaft: G=F6ttingen Registergericht: G=F6ttingen Handelsregister-Nr. B 598 Die digitale Unterschrift dieser Mail kann anhand des Zertifikats des = DFN =FCberpr=FCft werden: = https://ca.gwdg.de/certs/root-classic/root-ca-cert.der ------=_NextPart_000_026A_01C7550D.760C6C90 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIXujCCBHUw ggNdoAMCAQICAQEwDQYJKoZIhvcNAQEFBQAwWzELMAkGA1UEBhMCREUxEzARBgNVBAoTCkRGTi1W ZXJlaW4xEDAOBgNVBAsTB0RGTi1QS0kxJTAjBgNVBAMTHERGTi1WZXJlaW4gUENBIENsYXNzaWMg LSBHMDEwHhcNMDUwMjI4MDAyOTM3WhcNMTMwNDI4MDAyOTM3WjBbMQswCQYDVQQGEwJERTETMBEG A1UEChMKREZOLVZlcmVpbjEQMA4GA1UECxMHREZOLVBLSTElMCMGA1UEAxMcREZOLVZlcmVpbiBQ Q0EgQ2xhc3NpYyAtIEcwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNTUXjQCVx w87yo/67c+J0bhhl6sfVNVO87Jk2WMY/lPC/E1cmq6iOAe2fV10FhexSG2zIp8XqbrlPNN7s3sy/ 0jUQfHegDqWWuCDQfWLkdWHTiDhIfhcCTdLaXDRshAxE18zDJzKPu3EMeU/N5dju7/azQVi2wkzM fM9I5aARVcrYVH+OanfQo1+yCoQupE9XaGpZRCr2w1X6pf1v0JcqakuC/LBX9uk0IPtMz9Y6frOP AvCldCn8pWNdQrT6VPmJpI7zDCm6/PCAZy82cImzkfbxGpMVxNBxC3Zwgc4zT9Cn22e0Hms8Q3cm cr8hbFb3icuGnMGKp50e9L2eOokCAwEAAaOCAUIwggE+MB0GA1UdDgQWBBSDrjvMk+EkUnrpIE+D cKIq3XsvATAfBgNVHSMEGDAWgBSDrjvMk+EkUnrpIE+DcKIq3XsvATAPBgNVHRMBAf8EBTADAQH/ MIHHBgNVHR8Egb8wgbwwXKBaoFiGVmh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvZGZuLXBraS9jZXJ0 aWZpY2F0aW9uL3g1MDkvY2xhc3NpYy9nMS9kYXRhL2NybHMvcm9vdC1jYS1jcmwuY3JsMFygWqBY hlZodHRwOi8vY2RwMi5wY2EuZGZuLmRlL2Rmbi1wa2kvY2VydGlmaWNhdGlvbi94NTA5L2NsYXNz aWMvZzEvZGF0YS9jcmxzL3Jvb3QtY2EtY3JsLmNybDAOBgNVHQ8BAf8EBAMCAQYwEQYJYIZIAYb4 QgEBBAQDAgAHMA0GCSqGSIb3DQEBBQUAA4IBAQDaFaWOgZRQO/CaU+xUQPj3mgnJ5MJug0ad1d+L k+K1iTUp8r9fLxnamypzVeVrHFbtC5zk9lxx8qDMiDc6sd9HYRJNikJUme/EfHPkzlbn6hTXuL6+ ZKdCeK3qQHnltEjg/NLUIaU/bukFmhOk6NrnU5XNTKcEeOJ47t0K2EWWZ6rN3Ji0FU444hGO73tl C5t1ACWaMYFakmylmagwdZPIVnA3qKFmVRTPcz3Cel56UyA2U6n9qQR8zZzkltIwx2/6SHt2EqQN u3g6iDyOWzIfsb0bRVHmvHQx3KCUZb5JNy3iue8yIB6WMbKZ+eJuwZl1Q0PJ87BjsHYglO3JX+Oy MIIFhjCCBG6gAwIBAgIEBnsYQDANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJERTETMBEGA1UE ChMKREZOLVZlcmVpbjEQMA4GA1UECxMHREZOLVBLSTElMCMGA1UEAxMcREZOLVZlcmVpbiBQQ0Eg Q2xhc3NpYyAtIEcwMTAeFw0wNTA0MTIwOTUzNTRaFw0wOTA0MTIwOTUzNTRaMIGcMQswCQYDVQQG EwJERTFCMEAGA1UEChM5R2VzZWxsc2NoYWZ0IGZ1ZXIgd2lzc2Vuc2NoYWZ0bGljaGUgRGF0ZW52 ZXJhcmJlaXR1bmcgbWJIMQswCQYDVQQLEwJDQTEcMBoGA1UEAxMTR1dERy1DQSBFYmVuZSAxIEcw MjEeMBwGCSqGSIb3DQEJARYPZ3dkZy1jYUBnd2RnLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEA3y/2S6yGKZhpv+DwWTSH4/szbEB2yPEJUgZz5kaVId/17wKdRNKd9el03skx/ind 1IJ27YaoOybmRp5pwuNSAL7SEC2neEKcLCqkV+jDcLusV2mQ/ykgMs7No5csyhS6FxuUwBK18BlF E7tfraK3J6iyOJxzjFKB+3/ZWhasXnwEtzOUc5hRry9bTNYpyLueUa5DLR5nqIRwk1OWbx3IARbC RKrxdAupzwEAjWwz8ar2aDHgsBH41D7sfDY9wRxH04sW6K9D0BANEx+o8KhbsPQv6l0HQE7p0n6Y XQhUo5QhZ8GMfEiIh39sE1turDLut7I4bCZwrIjPT9gJqhFMWwIDAQABo4ICDjCCAgowHQYDVR0O BBYEFPP+0UOeITsrZQ3Y8arSBsKbVgajMB8GA1UdIwQYMBaAFIOuO8yT4SRSeukgT4Nwoirdey8B MA8GA1UdEwEB/wQFMAMBAf8wgccGA1UdHwSBvzCBvDBcoFqgWIZWaHR0cDovL2NkcDEucGNhLmRm bi5kZS9kZm4tcGtpL2NlcnRpZmljYXRpb24veDUwOS9jbGFzc2ljL2cxL2RhdGEvY3Jscy9yb290 LWNhLWNybC5jcmwwXKBaoFiGVmh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZGZuLXBraS9jZXJ0aWZp Y2F0aW9uL3g1MDkvY2xhc3NpYy9nMS9kYXRhL2NybHMvcm9vdC1jYS1jcmwuY3JsMIHcBggrBgEF BQcBAQSBzzCBzDBkBggrBgEFBQcwAoZYaHR0cDovL2NkcDEucGNhLmRmbi5kZS9kZm4tcGtpL2Nl cnRpZmljYXRpb24veDUwOS9jbGFzc2ljL2cxL2RhdGEvY2VydHMvcm9vdC1jYS1jZXJ0LmNydDBk BggrBgEFBQcwAoZYaHR0cDovL2NkcDIucGNhLmRmbi5kZS9kZm4tcGtpL2NlcnRpZmljYXRpb24v eDUwOS9jbGFzc2ljL2cxL2RhdGEvY2VydHMvcm9vdC1jYS1jZXJ0LmNydDAOBgNVHQ8BAf8EBAMC AQYwDQYJKoZIhvcNAQEFBQADggEBADFx3Ji676DYFd/XIY9KcsNopLqtgF5Ixr2irPOPpZ/X/zta Gss3l18EdKCCBFqhwCrd2lFOfowbxnWZ1L+WRS/+0x4a8MZoAUWyfk+pLLgv3OucY4ZhAGP5F0XJ wLRlskcnLVvt3HFQ9JsEjHo45u/QiKbZJGFPVZb5elpphRtAVTiRisw5UTiV57m07vcJhUtrt6wh 7389cz2aYYdlViMZtuaE0Z+LlSElAe4/U6tOowoR+06qDjjFNLjQ1P3fnmBPRo2zWidaLiZcfD3f qjxBgJolgeS+gS3YePj2M6NAUTu+1XKAbrFJUyrCI+qPkEcVq3yK6FkZbbhla+BKQrcwggZUMIIF PKADAgECAgou6MIgAAAAAASaMA0GCSqGSIb3DQEBBQUAMIGVMSkwJwYDVQQDEyBHV0RHLUNBIEVi ZW5lIDIgR2VuZXJpYy1DQSBHMDIuMTELMAkGA1UECxMCY2ExQjBABgNVBAoTOUdlc2VsbHNjaGFm dCBmdWVyIHdpc3NlbnNjaGFmdGxpY2hlIERhdGVudmVyYXJiZWl0dW5nIG1iSDELMAkGA1UEBhMC REUxCjAIBgNVBAUTATIwHhcNMDYxMTA5MTMzNDU3WhcNMDcwOTIwMTA1ODAwWjCBvjELMAkGA1UE BhMCREUxFjAUBgNVBAgTDU5pZWRlcnNhY2hzZW4xEzARBgNVBAcTCkdvZXR0aW5nZW4xPjA8BgNV BAoTNUdlc2VsbHNjaGFmdCBmdWVyIHdpc3NlbnNjaGFmdGxpY2hlIERhdGVudmVyYXJiZWl0dW5n MRkwFwYDVQQDExBTZWJhc3RpYW4gUmllZ2VyMScwJQYJKoZIhvcNAQkBFhhzZWJhc3RpYW4ucmll Z2VyQGd3ZGcuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN+JMyvFWWLIl0gDV5t9edUF qJCNFHH/aDm40I6MZLkYZ6eyLpRVmvIQ1+KBLP8Qjagiz1HwEqwMBDNPABq50yYCHpLmKFy+BCEH r4Cjoz2AhSm4BqUhjy/XnFOqeAReo9MJfrJeslCPbfaqVV7APQl4VqALnxnDJl/1PJ4++CiLAgMB AAGjggL9MIIC+TALBgNVHQ8EBAMCBaAwNgYJKoZIhvcNAQkPBCkwJzANBggqhkiG9w0DAgIBODAN BggqhkiG9w0DBAIBODAHBgUrDgMCBzApBgNVHSUEIjAgBggrBgEFBQcDAgYIKwYBBQUHAwQGCisG AQQBgjcKAwQwHQYDVR0OBBYEFMxqWUeIRKOu1OVQe7WDZwKzQJlGMB8GA1UdIwQYMBaAFENS2L3V sDi5Z+Q7/gMbGR0jhO5IMIGvBgNVHR8EgacwgaQwgaGggZ6ggZuGTmh0dHA6Ly91c2VyLWNhLmd3 ZGcuZGUvQ2VydEVucm9sbC9HV0RHLUNBJTIwRWJlbmUlMjAyJTIwR2VuZXJpYy1DQSUyMEcwMi4x LmNybIZJaHR0cDovL3BjYS5nd2RnLmRlL2NybC9nd2RnLWNhL2ViZW5lMi9nMDIuMS9nd2RnLWNh LWViZW5lMi1nZW5lcmljLWNhLmNybDCB0wYIKwYBBQUHAQEEgcYwgcMwagYIKwYBBQUHMAGGXmh0 dHA6Ly91c2VyLWNhLmd3ZGcuZGUvQ2VydEVucm9sbC91c2VyLWNhLmd3ZGcuZGVfR1dERy1DQSUy MEViZW5lJTIwMiUyMEdlbmVyaWMtQ0ElMjBHMDIuMS5jcnQwVQYIKwYBBQUHMAGGSWh0dHA6Ly9w Y2EuZ3dkZy5kZS9jcmwvZ3dkZy1jYS9lYmVuZTIvZzAyLjEvZ3dkZy1jYS1lYmVuZTItZ2VuZXJp Yy1jYS5jcnQwPAYJKwYBBAGCNxUHBC8wLQYlKwYBBAGCNxUIhZ2OO4GrnU+tkQWF84sDhK7MIS2H kIMrg8myPwIBZAIBAzBKBgNVHSAEQzBBMD8GCysGAQQBgZ1IMgEBMDAwLgYIKwYBBQUHAgEWImh0 dHA6Ly9jYS5nd2RnLmRlL3BvbGljeS9pbmRleC5odG0wNQYJKwYBBAGCNxUKBCgwJjAKBggrBgEF BQcDAjAKBggrBgEFBQcDBDAMBgorBgEEAYI3CgMEMA0GCSqGSIb3DQEBBQUAA4IBAQCASq3lwDZ/ o7RuoZxqmuGCZPKlVuoBsQGaNJnoGUMBoq/7UBHRym4EpMuB8wf+NxPxhcSOxUR3UwDKE3p0VnVE O//hD6CFwbed83Wn6nv4O4jHJDxTAs0JJGomtrNxFxa5NwSUHq8ujf0DSr2Zn+yq8KzmNVjuANNe sbxvtvO3rr8pLh66m4QsgvOtGZpDeeJRpJM8eN9hf9HcIrtnCNP/KN8HGESiozUB0h0ZasH9yTQZ f/K0VCTTttPnXg3cF+g+bWMc0gGQzR40oVzTt4ggC0G68gRh2yTlQxRjMxZBS7vkWBGhEYoJoLHE TQv5oNafPL4UZGIW4SjLjWiR5mUZMIIHWzCCBkOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBnDEL MAkGA1UEBhMCREUxQjBABgNVBAoTOUdlc2VsbHNjaGFmdCBmdWVyIHdpc3NlbnNjaGFmdGxpY2hl IERhdGVudmVyYXJiZWl0dW5nIG1iSDELMAkGA1UECxMCQ0ExHDAaBgNVBAMTE0dXREctQ0EgRWJl bmUgMSBHMDIxHjAcBgkqhkiG9w0BCQEWD2d3ZGctY2FAZ3dkZy5kZTAeFw0wNTA5MjAxMDU4MDBa Fw0wNzA5MjAxMDU4MDBaMIGVMSkwJwYDVQQDEyBHV0RHLUNBIEViZW5lIDIgR2VuZXJpYy1DQSBH MDIuMTELMAkGA1UECxMCY2ExQjBABgNVBAoTOUdlc2VsbHNjaGFmdCBmdWVyIHdpc3NlbnNjaGFm dGxpY2hlIERhdGVudmVyYXJiZWl0dW5nIG1iSDELMAkGA1UEBhMCREUxCjAIBgNVBAUTATIwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC62IidFd5KC11HewNoQh8DG8jcJI1fdNIf/ETt d4vOMZRRQG5+WhETBhH0d6pXjZ+V8dhlMiekFq2RpFYPictQFnEt5M49iGfX6V3PIKkaFtFTIZj0 QbGN7BWTpcCfTw6L9VwPA3olG1QYABl16Ea9mHT6nGfvwYyiadnzHCAI1XTFeF1UzOKM8EemZvGa oQncG8QUt1uqskfcLJ18ASM6GY/C108p0E9hUx2V24BQDdLdCUB6BzcW/SQdBqjRaW51mPPMxn/p bqXWrgUwkiYJOqkDY6qVUtvKGCZIumQdKxnoSB5X7tna2widH50xNX5VdMe/qnYZPLuEnbzrkOo5 AgMBAAGjggOrMIIDpzAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjBuBglghkgBhvhCAQ0E YRZfU3Vib3JkaW5hdGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHZXNlbGxzY2hhZnQgZnVl ciB3aXNzZW5zY2hhZnRsaWNoZSBEYXRlbnZlcmFyYmVpdHVuZyBtYkgwHQYDVR0OBBYEFENS2L3V sDi5Z+Q7/gMbGR0jhO5IMIGGBgNVHSMEfzB9gBTz/tFDniE7K2UN2PGq0gbCm1YGo6FfpF0wWzEL MAkGA1UEBhMCREUxEzARBgNVBAoTCkRGTi1WZXJlaW4xEDAOBgNVBAsTB0RGTi1QS0kxJTAjBgNV BAMTHERGTi1WZXJlaW4gUENBIENsYXNzaWMgLSBHMDGCBAZ7GEAwGgYDVR0RBBMwEYEPZ3dkZy1j YUBnd2RnLmRlMAkGA1UdEgQCMAAwQgYJYIZIAYb4QgEEBDUWM2h0dHA6Ly9jYS5nd2RnLmRlL2Ny bC9lYmVuZTEvZzAyL2d3ZGctY2EtZWJlbmUxLmNybDBCBglghkgBhvhCAQMENRYzaHR0cDovL2Nh Lmd3ZGcuZGUvY3JsL2ViZW5lMS9nMDIvZ3dkZy1jYS1lYmVuZTEuY3JsMIGABgNVHR8EeTB3MDmg N6A1hjNodHRwOi8vY2EuZ3dkZy5kZS9jcmwvZWJlbmUxL2cwMi9nd2RnLWNhLWViZW5lMS5jcmww OqA4oDaGNGh0dHA6Ly9wY2EuZ3dkZy5kZS9jcmwvZWJlbmUxL2cwMi9nd2RnLWNhLWViZW5lMS5j cmwwgZcGCCsGAQUFBwEBBIGKMIGHMEEGCCsGAQUFBzAChjVodHRwOi8vY2EuZ3dkZy5kZS9jZXJ0 cy9lYmVuZTEvZzAyL2d3ZGctY2EtZWJlbmUxLmNydDBCBggrBgEFBQcwAoY2aHR0cDovL3BjYS5n d2RnLmRlL2NlcnRzL2ViZW5lMS9nMDIvZ3dkZy1jYS1lYmVuZTEuY3J0MCAGCWCGSAGG+EIBAgQT FhFodHRwOi8vY2EuZ3dkZy5kZTAyBglghkgBhvhCAQgEJRYjaHR0cDovL2NhLmd3ZGcuZGUvcG9s aWN5L2luZGV4Lmh0bWwwTQYDVR0gBEYwRDBCBg0rBgEEAYGdSDIBAwEBMDEwLwYIKwYBBQUHAgEW I2h0dHA6Ly9jYS5nd2RnLmRlL3BvbGljeS9pbmRleC5odG1sMA0GCSqGSIb3DQEBBQUAA4IBAQBj KNeFKWGSWFjcy1fR1UHC5+MdmiTUfzHVeRbLuoGOTkbjYEbjE3+FNhGgRJJwKoDU1jQXLGGBzLQT dZcZj3QO0926SpshKNmW0zVIwf9gbAzFZ17Zgfns/BenJ7hTRl4m5aHTodkmJSKNvqwWOCFTTX9H RYRiSuDC10QYRH6S7MqyZ5Gkhtdq9iLVik8Q2RIS7OIoJgYUkLOG+tZ1rtQmWb3U6p/WwF4t5CAp ErqoJ1f427lLOj0EPOsXJUcwf+km6kkcIrKopv63HTWw7HmQHLGXajf5KbZXumwcG0Z2RCZN4OE2 yfQgRi8wmhj3pSKE4ylcz7Y9ExWdWh5YJAfMMYIDhzCCA4MCAQEwgaQwgZUxKTAnBgNVBAMTIEdX REctQ0EgRWJlbmUgMiBHZW5lcmljLUNBIEcwMi4xMQswCQYDVQQLEwJjYTFCMEAGA1UEChM5R2Vz ZWxsc2NoYWZ0IGZ1ZXIgd2lzc2Vuc2NoYWZ0bGljaGUgRGF0ZW52ZXJhcmJlaXR1bmcgbWJIMQsw CQYDVQQGEwJERTEKMAgGA1UEBRMBMgIKLujCIAAAAAAEmjAJBgUrDgMCGgUAoIICODAYBgkqhkiG 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNzAyMjAxNTM3NTBaMCMGCSqGSIb3 DQEJBDEWBBRi5TY/Vy3cXYPEWqMYz4n03SV5ZjBnBgkqhkiG9w0BCQ8xWjBYMAoGCCqGSIb3DQMH MA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDAH BgUrDgMCGjAKBggqhkiG9w0CBTCBtQYJKwYBBAGCNxAEMYGnMIGkMIGVMSkwJwYDVQQDEyBHV0RH LUNBIEViZW5lIDIgR2VuZXJpYy1DQSBHMDIuMTELMAkGA1UECxMCY2ExQjBABgNVBAoTOUdlc2Vs bHNjaGFmdCBmdWVyIHdpc3NlbnNjaGFmdGxpY2hlIERhdGVudmVyYXJiZWl0dW5nIG1iSDELMAkG A1UEBhMCREUxCjAIBgNVBAUTATICCi7owiAAAAAABJowgbcGCyqGSIb3DQEJEAILMYGnoIGkMIGV MSkwJwYDVQQDEyBHV0RHLUNBIEViZW5lIDIgR2VuZXJpYy1DQSBHMDIuMTELMAkGA1UECxMCY2Ex QjBABgNVBAoTOUdlc2VsbHNjaGFmdCBmdWVyIHdpc3NlbnNjaGFmdGxpY2hlIERhdGVudmVyYXJi ZWl0dW5nIG1iSDELMAkGA1UEBhMCREUxCjAIBgNVBAUTATICCi7owiAAAAAABJowDQYJKoZIhvcN AQEBBQAEgYCCe7aAZSWTEemBNF86CVX2laItjfSMajZTc0C6QRMyBVaWTRevwRApEVuGXi8tuAHD ebpepRzCWjmePfpv3RjqJbuIK5lWjA8cj1/rc7oBXFfxebCt4e3QfNbDdXKsWM/DisSGRYuVRZVj J/UWHEGT0X9jvWRpzTXWVX+pJkMGUQAAAAAAAA== ------=_NextPart_000_026A_01C7550D.760C6C90--

1 0

Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
by timo＠physik.uni-potsdam.de 20 Feb '07

20 Feb '07

--pf9I7BMVVzbSWLtt Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi, OpenLDAP issue ITS#4750 is still unresolved (it affects current versions of nss_ldap and pam_ldap), and I consider it to be pretty serious: - Even security-conscious applications like pam_ldap still parse files from unsafe locations, including the current directory. - Attempting to read from a file in the current directory can cause problems on its own, e.g. when the directory is an autofs mountpoint (In fact, I became aware of this issue by investigating deadlocks occurring in such a situation) - If an application uses LDAP in more than one context, like a program using LDAP while also linking to nss_ldap and pam_ldap, the settings can interfere (unless very much care is taken, see below). This is bad, as the very purpose of nss and pam is to make the underlying mechanisms completely transparent to the application. - The existing LDAPNOINIT mechanism is only effective for the first call which initializes the global option structure. Thus, almost no one can reliably use it: the options may already have been initialized e.g. by nss_ldap which nearly every program might link to. The suggested workaround so far is to force nss_ldap, pam_ldap, and possibly others, to override all relevant options with safe values. To me, this seems to be quite error-prone and not a satisfactory solution: - it requires duplication of much of the configuration parsing code, which needs to be kept in sync with OpenLDAP's syntax and semantics (or worse, allow the syntax to diverge), and - it requires users to think of and nail down each and every potentially relevant option separately (note that current versions of libldap and pam_ldap silently ignore syntax errors in the config file, so one may very easily be in a false sense of security). - It does not stop libldap from opening files it shouldn't open in the first place. As Kurt Zeilenga already noted, a proper solution will require some redesign, so... I include 3 patches: one for libldap (against HEAD as of 20070216), and corresponding patches for nss_ldap-254 and pam_ldap-183. The first lines of the openldap patch (the changes to ldap.h) and the nss_ldap patch should tell you how it is supposed to work: libraries can obtain a private copy of the "globaloptions", in an opaque "LDAPContext" object, to be initialized in a safe way and independently from other copies of that structure. The existing struct globaloptions is used by default to stay compatible with existing programs. I'm willing to write more documentation too but I would like to get some some feedback on it first, Regards, Timo Felbinger --pf9I7BMVVzbSWLtt Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="openldap.patch" This patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Timo Felbinger <timo(a)physik.uni-potsdam.de>. These modifications are not subject to any license of University of Potsdam. I, Timo Felbinger, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. diff -Nru openldap-src/include/ldap.h openldap-src-context/include/ldap.h --- openldap-src/include/ldap.h 2007-02-12 10:53:59.000000000 +0000 +++ openldap-src-context/include/ldap.h 2007-02-17 13:22:45.000000000 +0000 @@ -696,6 +696,8 @@ */ typedef struct ldap LDAP; +typedef struct ldapoptions LDAPContext; + #define LDAP_DEREF_NEVER 0x00 #define LDAP_DEREF_SEARCHING 0x01 #define LDAP_DEREF_FINDING 0x02 @@ -890,6 +892,12 @@ int option, LDAP_CONST void *invalue)); +LDAP_F( int ) +ldap_set_option_in_context LDAP_P(( + LDAPContext *context, + int option, + LDAP_CONST void *invalue)); + /* V3 REBIND Function Callback Prototype */ typedef int (LDAP_REBIND_PROC) LDAP_P(( LDAP *ld, LDAP_CONST char *url, @@ -1382,10 +1390,30 @@ LDAP **ldp )); LDAP_F( int ) +ldap_create_in_context LDAP_P(( + LDAP **ldp, + LDAPContext *context )); + +LDAP_F( int ) ldap_initialize LDAP_P(( LDAP **ldp, LDAP_CONST char *url )); +LDAP_F( int ) +ldap_initialize_in_context LDAP_P(( + LDAP **ldp, + LDAP_CONST char *url, + LDAPContext *context )); + +LDAP_F( int ) +ldap_create_context LDAP_P(( + LDAPContext **context, + char **directives )); + +LDAP_F( int ) +ldap_destroy_context LDAP_P(( + LDAPContext *context )); + /* * in tls.c */ diff -Nru openldap-src/include/ldap_pvt.h openldap-src-context/include/ldap_pvt.h --- openldap-src/include/ldap_pvt.h 2007-02-12 03:20:24.000000000 +0000 +++ openldap-src-context/include/ldap_pvt.h 2007-02-17 13:22:45.000000000 +0000 @@ -278,6 +278,8 @@ int option, void *arg )); LDAP_F (int) ldap_pvt_tls_set_option LDAP_P(( struct ldap *ld, int option, void *arg )); +LDAP_F (int) ldap_pvt_tls_set_option_2 LDAP_P(( struct ldapoptions *lo, struct ldap *ld, + int option, void *arg )); LDAP_F (void) ldap_pvt_tls_destroy LDAP_P(( void )); LDAP_F (int) ldap_pvt_tls_init LDAP_P(( void )); diff -Nru openldap-src/libraries/libldap/init.c openldap-src-context/libraries/libldap/init.c --- openldap-src/libraries/libldap/init.c 2007-02-05 19:32:44.000000000 +0000 +++ openldap-src-context/libraries/libldap/init.c 2007-02-17 13:22:45.000000000 +0000 @@ -124,6 +124,7 @@ #define MAX_LDAP_ENV_PREFIX_LEN 8 static void openldap_ldap_init_w_conf( + struct ldapoptions *gopts, const char *file, int userconf ) { char linebuf[ AC_LINE_MAX ]; @@ -131,10 +132,11 @@ int i; char *cmd, *opt; char *start, *end; - struct ldapoptions *gopts; - if ((gopts = LDAP_INT_GLOBAL_OPT()) == NULL) { - return; /* Could not allocate mem for global options */ + if( ! gopts ) { + if ((gopts = LDAP_INT_GLOBAL_OPT()) == NULL) { + return; /* Could not allocate mem for global options */ + } } if (file == NULL) { @@ -244,7 +246,7 @@ * (char**) p = LDAP_STRDUP(opt); break; case ATTR_OPTION: - ldap_set_option( NULL, attrs[i].offset, opt ); + ldap_set_option_in_context( gopts, attrs[i].offset, opt ); break; case ATTR_SASL: #ifdef HAVE_CYRUS_SASL @@ -253,7 +255,7 @@ break; case ATTR_TLS: #ifdef HAVE_TLS - ldap_int_tls_config( NULL, attrs[i].offset, opt ); + ldap_int_tls_config_in_context( gopts, attrs[i].offset, opt ); #endif break; case ATTR_OPT_TV: { @@ -285,7 +287,7 @@ static void openldap_ldap_init_w_sysconf(const char *file) { - openldap_ldap_init_w_conf( file, 0 ); + openldap_ldap_init_w_conf( NULL, file, 0 ); } static void openldap_ldap_init_w_userconf(const char *file) @@ -314,11 +316,11 @@ /* try ~/file */ sprintf(path, "%s" LDAP_DIRSEP "%s", home, file); - openldap_ldap_init_w_conf(path, 1); + openldap_ldap_init_w_conf(NULL, path, 1); /* try ~/.file */ sprintf(path, "%s" LDAP_DIRSEP ".%s", home, file); - openldap_ldap_init_w_conf(path, 1); + openldap_ldap_init_w_conf(NULL, path, 1); } if(path != NULL) { @@ -326,7 +328,7 @@ } /* try file */ - openldap_ldap_init_w_conf(file, 1); + openldap_ldap_init_w_conf(NULL, file, 1); } static void openldap_ldap_init_w_env( @@ -466,9 +468,10 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl ) { if (dbglvl) - gopts->ldo_debug = *dbglvl; + /* FIXME: currently ldo_debug is an always global option only, so we set both places: */ + gopts->ldo_debug = LDAP_INT_GLOBAL_OPT()->ldo_debug = *dbglvl; else - gopts->ldo_debug = 0; + gopts->ldo_debug = LDAP_INT_GLOBAL_OPT()->ldo_debug = 0; gopts->ldo_version = LDAP_VERSION2; gopts->ldo_deref = LDAP_DEREF_NEVER; @@ -531,7 +534,10 @@ char * ldap_int_hostname = NULL; #endif -void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl ) +void ldap_int_initialize( + struct ldapoptions *gopts, + int *dbglvl, + char **directives ) { if ( gopts->ldo_valid == LDAP_INITIALIZED ) { return; @@ -593,6 +599,19 @@ ldap_int_initialize_global_options(gopts, NULL); + if( directives ) { + for( ; *directives; ++directives ) { + if( ! strncmp( *directives, "file=", 5 ) ) { + openldap_ldap_init_w_conf( gopts, *directives + 5, 1 ); + continue; + } + /* add more directives here... */ + gopts->ldo_valid = LDAP_TRASHED_SESSION; + return; + } + return; + } + if( getenv("LDAPNOINIT") != NULL ) { return; } diff -Nru openldap-src/libraries/libldap/ldap-int.h openldap-src-context/libraries/libldap/ldap-int.h --- openldap-src/libraries/libldap/ldap-int.h 2007-02-15 00:42:23.000000000 +0000 +++ openldap-src-context/libraries/libldap/ldap-int.h 2007-02-17 13:22:45.000000000 +0000 @@ -417,7 +417,7 @@ LDAP_V ( struct ldapoptions ) ldap_int_global_options; -LDAP_F ( void ) ldap_int_initialize LDAP_P((struct ldapoptions *, int *)); +LDAP_F ( void ) ldap_int_initialize LDAP_P((struct ldapoptions *, int *, char **directives )); LDAP_F ( void ) ldap_int_initialize_global_options LDAP_P(( struct ldapoptions *, int *)); @@ -652,6 +652,9 @@ LDAP_F (int) ldap_int_tls_config LDAP_P(( LDAP *ld, int option, const char *arg )); +LDAP_F (int) ldap_int_tls_config_in_context LDAP_P(( struct ldapoptions *lo, + int option, const char *arg )); + LDAP_F (int) ldap_int_tls_start LDAP_P(( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )); diff -Nru openldap-src/libraries/libldap/open.c openldap-src-context/libraries/libldap/open.c --- openldap-src/libraries/libldap/open.c 2007-02-12 03:20:24.000000000 +0000 +++ openldap-src-context/libraries/libldap/open.c 2007-02-17 13:45:19.000000000 +0000 @@ -87,27 +87,88 @@ return ld; } +int +ldap_free_context_internals( LDAPContext *context ) +{ + ldap_free_urllist( context->ldo_defludp ); +#ifdef HAVE_CYRUS_SASL + LDAP_FREE( context->ldo_def_sasl_authzid ); + LDAP_FREE( context->ldo_def_sasl_authcid ); + LDAP_FREE( context->ldo_def_sasl_realm ); + LDAP_FREE( context->ldo_def_sasl_mech ); +#endif + return LDAP_SUCCESS; +} + +/* public destructor of LDAPContext */ +int +ldap_destroy_context( LDAPContext *context ) +{ + if( context ) { + ldap_free_context_internals( context ); + free( context ); + } + return LDAP_SUCCESS; +} + +/* public constructor of LDAPContext */ +int +ldap_create_context( + LDAPContext **context, + /* directives: NULL-terminated list of initialization directives: + * - NULL: default initialization procedure (see ldap.conf(5)) + * - { NULL }: equivalent to LDAPNOINIT + * - { ..., "file=path", ... }: parse path like user-config file + */ + char **directives ) +{ + LDAPContext *lo; + + *context = NULL; + lo = ( LDAPContext * ) LDAP_CALLOC( 1, sizeof( LDAPContext ) ); + if( ! lo ) + return LDAP_NO_MEMORY; + + Debug( LDAP_DEBUG_TRACE, "ldap_create_context %p\n", lo, 0, 0 ); + + lo->ldo_valid = LDAP_UNINITIALIZED; + ldap_int_initialize( lo, NULL, directives ); + if( lo->ldo_valid != LDAP_INITIALIZED ) + return LDAP_LOCAL_ERROR; + *context = lo; + + return LDAP_SUCCESS; +} int ldap_create( LDAP **ldp ) { + return ldap_create_in_context( ldp, NULL ); +} + +int +ldap_create_in_context( LDAP **ldp, LDAPContext *gopts ) +{ LDAP *ld; - struct ldapoptions *gopts; *ldp = NULL; - /* Get pointer to global option structure */ - if ( (gopts = LDAP_INT_GLOBAL_OPT()) == NULL) { - return LDAP_NO_MEMORY; - } - /* Initialize the global options, if not already done. */ - if( gopts->ldo_valid != LDAP_INITIALIZED ) { - ldap_int_initialize(gopts, NULL); - if ( gopts->ldo_valid != LDAP_INITIALIZED ) - return LDAP_LOCAL_ERROR; + if( ! gopts ) { + /* default is the global context */ + if ( (gopts = LDAP_INT_GLOBAL_OPT()) == NULL) { + return LDAP_NO_MEMORY; + } + + /* Initialize the global options, if not already done. */ + if( gopts->ldo_valid != LDAP_INITIALIZED ) { + ldap_int_initialize(gopts, NULL, NULL); + } } + if( gopts->ldo_valid != LDAP_INITIALIZED ) + return LDAP_LOCAL_ERROR; + Debug( LDAP_DEBUG_TRACE, "ldap_create\n", 0, 0, 0 ); if ( (ld = (LDAP *) LDAP_CALLOC( 1, sizeof(LDAP) )) == NULL ) { @@ -167,13 +228,7 @@ nomem: ldap_free_select_info( ld->ld_selectinfo ); - ldap_free_urllist( ld->ld_options.ldo_defludp ); -#ifdef HAVE_CYRUS_SASL - LDAP_FREE( ld->ld_options.ldo_def_sasl_authzid ); - LDAP_FREE( ld->ld_options.ldo_def_sasl_authcid ); - LDAP_FREE( ld->ld_options.ldo_def_sasl_realm ); - LDAP_FREE( ld->ld_options.ldo_def_sasl_mech ); -#endif + ldap_free_context_internals( &ld->ld_options ); LDAP_FREE( (char *)ld ); return LDAP_NO_MEMORY; } @@ -215,11 +270,17 @@ int ldap_initialize( LDAP **ldp, LDAP_CONST char *url ) { + return ldap_initialize_in_context( ldp, url, NULL ); +} + +int +ldap_initialize_in_context( LDAP **ldp, LDAP_CONST char *url, LDAPContext *context ) +{ int rc; LDAP *ld; *ldp = NULL; - rc = ldap_create(&ld); + rc = ldap_create_in_context(&ld, context); if ( rc != LDAP_SUCCESS ) return rc; diff -Nru openldap-src/libraries/libldap/options.c openldap-src-context/libraries/libldap/options.c --- openldap-src/libraries/libldap/options.c 2007-02-06 22:02:47.000000000 +0000 +++ openldap-src-context/libraries/libldap/options.c 2007-02-17 13:22:45.000000000 +0000 @@ -97,16 +97,6 @@ { struct ldapoptions *lo; - /* Get pointer to global option structure */ - lo = LDAP_INT_GLOBAL_OPT(); - if (NULL == lo) { - return LDAP_NO_MEMORY; - } - - if( lo->ldo_valid != LDAP_INITIALIZED ) { - ldap_int_initialize(lo, NULL); - } - if(ld != NULL) { assert( LDAP_VALID( ld ) ); @@ -117,6 +107,18 @@ lo = &ld->ld_options; } + if( lo == NULL ) { + /* Get pointer to global option structure */ + lo = LDAP_INT_GLOBAL_OPT(); + if (NULL == lo) { + return LDAP_NO_MEMORY; + } + + if( lo->ldo_valid != LDAP_INITIALIZED ) { + ldap_int_initialize(lo, NULL, NULL); + } + } + if(outvalue == NULL) { /* no place to get to */ return LDAP_OPT_ERROR; @@ -347,19 +349,35 @@ } int +ldap_set_option_in_context( + LDAPContext *context, + int option, + LDAP_CONST void *invalue) +{ + return ldap_set_option_2( context, NULL, option, invalue ); +} + +int ldap_set_option( LDAP *ld, int option, LDAP_CONST void *invalue) { - struct ldapoptions *lo; - int *dbglvl = NULL; + return ldap_set_option_2( NULL, ld, option, invalue ); +} - /* Get pointer to global option structure */ - lo = LDAP_INT_GLOBAL_OPT(); - if (lo == NULL) { - return LDAP_NO_MEMORY; - } +/* + * ldap_set_option_2: can set options per LDAP handle or per context. + * if handle is given, the context is ignored. + */ +int +ldap_set_option_2( + struct ldapoptions *lo, + LDAP *ld, + int option, + LDAP_CONST void *invalue) +{ + int *dbglvl = NULL; /* * The architecture to turn on debugging has a chicken and egg @@ -370,10 +388,6 @@ dbglvl = (int *) invalue; } - if( lo->ldo_valid != LDAP_INITIALIZED ) { - ldap_int_initialize(lo, dbglvl); - } - if(ld != NULL) { assert( LDAP_VALID( ld ) ); @@ -384,6 +398,17 @@ lo = &ld->ld_options; } + if( lo == NULL ) { + /* Get pointer to global option structure */ + lo = LDAP_INT_GLOBAL_OPT(); + if (lo == NULL) { + return LDAP_NO_MEMORY; + } + if( lo->ldo_valid != LDAP_INITIALIZED ) { + ldap_int_initialize(lo, dbglvl, NULL); + } + } + switch(option) { case LDAP_OPT_REFERRALS: if(invalue == LDAP_OPT_OFF) { @@ -668,7 +693,7 @@ default: #ifdef HAVE_TLS - if ( ldap_pvt_tls_set_option( ld, option, (void *)invalue ) == 0 ) + if ( ldap_pvt_tls_set_option_2( lo, ld, option, (void *)invalue ) == 0 ) return LDAP_OPT_SUCCESS; #endif #ifdef HAVE_CYRUS_SASL diff -Nru openldap-src/libraries/libldap/tls.c openldap-src-context/libraries/libldap/tls.c --- openldap-src/libraries/libldap/tls.c 2007-01-24 22:38:26.000000000 +0000 +++ openldap-src-context/libraries/libldap/tls.c 2007-02-17 13:22:45.000000000 +0000 @@ -1178,8 +1178,20 @@ } int +ldap_int_tls_config_in_context( struct ldapoptions *lo, int option, const char *arg ) +{ + return ldap_int_tls_config_2( lo, NULL, option, arg ); +} + +int ldap_int_tls_config( LDAP *ld, int option, const char *arg ) { + return ldap_int_tls_config_2( NULL, ld, option, arg ); +} + +int +ldap_int_tls_config_2( struct ldapconfig *lo, LDAP *ld, int option, const char *arg ) +{ int i; switch( option ) { @@ -1190,7 +1202,7 @@ case LDAP_OPT_X_TLS_RANDOM_FILE: case LDAP_OPT_X_TLS_CIPHER_SUITE: case LDAP_OPT_X_TLS_DHFILE: - return ldap_pvt_tls_set_option( ld, option, (void *) arg ); + return ldap_pvt_tls_set_option_2( lo, ld, option, (void *) arg ); case LDAP_OPT_X_TLS_REQUIRE_CERT: case LDAP_OPT_X_TLS: @@ -1216,7 +1228,7 @@ } if (i >= 0) { - return ldap_pvt_tls_set_option( ld, option, &i ); + return ldap_pvt_tls_set_option_2( lo, ld, option, &i ); } return -1; #ifdef HAVE_OPENSSL_CRL @@ -1230,7 +1242,7 @@ i = LDAP_OPT_X_TLS_CRL_ALL ; } if (i >= 0) { - return ldap_pvt_tls_set_option( ld, option, &i ); + return ldap_pvt_tls_set_option_2( lo, ld, option, &i ); } return -1; #endif @@ -1334,7 +1346,12 @@ int ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) { - struct ldapoptions *lo; + return ldap_pvt_tls_set_option_2( NULL, ld, option, arg ); +} + +int +ldap_pvt_tls_set_option_2( struct ldapoptions *lo, LDAP *ld, int option, void *arg ) +{ if( ld != NULL ) { assert( LDAP_VALID( ld ) ); @@ -1345,7 +1362,8 @@ lo = &ld->ld_options; - } else { + } + if( lo == NULL ) { /* Get pointer to global option structure */ lo = LDAP_INT_GLOBAL_OPT(); if ( lo == NULL ) { --pf9I7BMVVzbSWLtt Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="nss_ldap.patch" This patch file is derived from PADL Software (nss_ldap). All of the modifications to PADL Software represented in the following patch(es) were developed by Timo Felbinger <timo(a)physik.uni-potsdam.de>. These modifications are not subject to any license of University of Potsdam. I, Timo Felbinger, hereby place the following modifications to PADL Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. diff -Nru nss_ldap-254/config.h.in nss_ldap-254-context/config.h.in --- nss_ldap-254/config.h.in 2006-12-18 08:12:56.000000000 +0000 +++ nss_ldap-254-context/config.h.in 2007-02-17 14:46:02.000000000 +0000 @@ -132,6 +132,9 @@ /* Define to 1 if you have the `ldap_initialize' function. */ #undef HAVE_LDAP_INITIALIZE +/* Define to 1 if you have the `ldap_create_context' function. */ +#undef HAVE_LDAP_CREATE_CONTEXT + /* Define to 1 if you have the `ldap_ld_free' function. */ #undef HAVE_LDAP_LD_FREE diff -Nru nss_ldap-254/configure nss_ldap-254-context/configure --- nss_ldap-254/configure 2006-12-18 08:12:56.000000000 +0000 +++ nss_ldap-254-context/configure 2007-02-17 14:46:37.000000000 +0000 @@ -1,4 +1,6 @@ #! /bin/sh +echo please run autoconf first! +exit 1 # Guess values for system-dependent variables and create Makefiles. # Generated automatically using autoconf version 2.13 diff -Nru nss_ldap-254/configure.in nss_ldap-254-context/configure.in --- nss_ldap-254/configure.in 2006-12-18 08:12:56.000000000 +0000 +++ nss_ldap-254-context/configure.in 2007-02-17 14:46:02.000000000 +0000 @@ -297,7 +297,7 @@ AC_CHECK_FUNCS(sasl_auxprop_request) AC_CHECK_FUNCS(ldap_init ldap_get_lderrno ldap_parse_result ldap_memfree ldap_controls_free) AC_CHECK_FUNCS(ldap_ld_free ldap_explode_rdn ldap_set_option ldap_get_option) -AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s ldap_initialize ldap_search_ext) +AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s ldap_initialize ldap_search_ext ldap_create_context) AC_CHECK_FUNCS(ldap_create_control ldap_create_page_control ldap_parse_page_control) if test "$enable_ssl" \!= "no"; then AC_CHECK_FUNCS(ldapssl_client_init ldap_start_tls_s ldap_pvt_tls_set_option ldap_start_tls) diff -Nru nss_ldap-254/ldap-nss.c nss_ldap-254-context/ldap-nss.c --- nss_ldap-254/ldap-nss.c 2006-12-18 08:12:56.000000000 +0000 +++ nss_ldap-254-context/ldap-nss.c 2007-02-17 14:46:02.000000000 +0000 @@ -137,7 +137,7 @@ /* * Global LDAP session. */ -static ldap_session_t __session = { NULL, NULL, 0, LS_UNINITIALIZED }; +static ldap_session_t __session = { NULL, NULL, NULL, 0, LS_UNINITIALIZED }; #if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H) static pthread_once_t __once = PTHREAD_ONCE_INIT; @@ -1003,7 +1003,7 @@ } static NSS_STATUS -do_init_session (LDAP ** ld, const char *uri, int defport) +do_init_session ( LDAPContext **ldap_context, LDAP ** ld, const char *uri, int defport) { int rc; int ldaps; @@ -1011,6 +1011,17 @@ char *p; NSS_STATUS stat; +#ifdef HAVE_LDAP_CREATE_CONTEXT + if( ! *ldap_context ) + { + /* make sure ldap config is read in a safe way */ + static const char *directives[2] = { "file=" NSS_LDAP_PATH_CONF, NULL }; + int rc = ldap_create_context( ldap_context, directives ); + if (rc != LDAP_SUCCESS) + return NSS_UNAVAIL; + } +#endif + ldaps = (strncasecmp (uri, "ldaps://", sizeof ("ldaps://") - 1) == 0); p = strchr (uri, ':'); /* we should be looking for the second instance to find the port number */ @@ -1028,7 +1039,11 @@ uri = uribuf; } +# ifdef HAVE_LDAP_CREATE_CONTEXT + rc = ldap_initialize_in_context (ld, uri, *ldap_context); +# else rc = ldap_initialize (ld, uri); +# endif #else if (strncasecmp (uri, "ldap://", sizeof ("ldap://") - 1) != 0) { @@ -1311,7 +1326,7 @@ assert (__session.ls_current_uri <= NSS_LDAP_CONFIG_URI_MAX); assert (cfg->ldc_uris[__session.ls_current_uri] != NULL); - stat = do_init_session (&__session.ls_conn, + stat = do_init_session ( &__session.ldap_context, &__session.ls_conn, cfg->ldc_uris[__session.ls_current_uri], cfg->ldc_port); if (stat != NSS_SUCCESS) diff -Nru nss_ldap-254/ldap-nss.h nss_ldap-254-context/ldap-nss.h --- nss_ldap-254/ldap-nss.h 2006-12-18 08:12:56.000000000 +0000 +++ nss_ldap-254-context/ldap-nss.h 2007-02-17 14:46:02.000000000 +0000 @@ -416,12 +416,19 @@ typedef enum ldap_session_state ldap_session_state_t; +/* for readability, make sure LDAPContext is at least a dummy type: */ +#ifndef HAVE_LDAP_CREATE_CONTEXT +# define LDAPContext void +#endif + /* * convenient wrapper around pointer into global config list, and a * connection to an LDAP server. */ struct ldap_session { + /* the context, if supported */ + LDAPContext *ldap_context; /* the connection */ LDAP *ls_conn; /* pointer into config table */ --pf9I7BMVVzbSWLtt Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="pam_ldap.patch" This patch file is derived from PADL Software (pam_ldap). All of the modifications to PADL Software represented in the following patch(es) were developed by Timo Felbinger <timo(a)physik.uni-potsdam.de>. These modifications are not subject to any license of University of Potsdam. I, Timo Felbinger, hereby place the following modifications to PADL Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. diff -Nru pam_ldap-183/config.h.in pam_ldap-183-context/config.h.in --- pam_ldap-183/config.h.in 2006-10-19 13:22:27.000000000 +0000 +++ pam_ldap-183-context/config.h.in 2007-02-17 14:55:38.000000000 +0000 @@ -33,6 +33,9 @@ /* Define if you have the ldap_initialize function. */ #undef HAVE_LDAP_INITIALIZE +/* Define if you have the ldap_create_context function. */ +#undef HAVE_LDAP_CREATE_CONTEXT + /* Define if you have the ldap_memfree function. */ #undef HAVE_LDAP_MEMFREE diff -Nru pam_ldap-183/configure pam_ldap-183-context/configure --- pam_ldap-183/configure 2006-10-19 13:22:27.000000000 +0000 +++ pam_ldap-183-context/configure 2007-02-17 14:55:38.000000000 +0000 @@ -1,4 +1,6 @@ #! /bin/sh +echo Please run autoconf first! +exit 1 # Guess values for system-dependent variables and create Makefiles. # Generated automatically using autoconf version 2.13 diff -Nru pam_ldap-183/configure.in pam_ldap-183-context/configure.in --- pam_ldap-183/configure.in 2006-10-19 13:22:27.000000000 +0000 +++ pam_ldap-183-context/configure.in 2007-02-17 14:55:38.000000000 +0000 @@ -131,6 +131,7 @@ AC_CHECK_FUNCS(ldapssl_init ldap_start_tls_s ldap_pvt_tls_set_option) fi AC_CHECK_FUNCS(ldap_initialize) +AC_CHECK_FUNCS(ldap_create_context) AC_CHECK_FUNCS(ldap_sasl_bind ldap_sasl_interactive_bind_s) AC_CHECK_FUNCS(gethostbyname_r) diff -Nru pam_ldap-183/pam_ldap.c pam_ldap-183-context/pam_ldap.c --- pam_ldap-183/pam_ldap.c 2006-10-19 13:22:27.000000000 +0000 +++ pam_ldap-183-context/pam_ldap.c 2007-02-17 15:08:39.000000000 +0000 @@ -155,6 +155,11 @@ #endif static int pam_debug_level __UNUSED__ = 0; +#ifndef HAVE_LDAP_CREATE_CONTEXT +# typedef LDAPContext void; +#endif +static LDAPContext *ldap_context = 0; + #ifdef HAVE_LDAPSSL_INIT static int ssl_initialized = 0; #endif @@ -1190,6 +1195,36 @@ struct timeval tv; #endif +#ifdef HAVE_LDAP_CREATE_CONTEXT + /* make sure ldap config is read in a safe and transparent way */ + if( ! ldap_context ) + { + char *directives[2]; + int rc; + + if( session->conf->configFile == NULL ) + { + directives[0] = NULL; + } + else + { + directives[0] = malloc (strlen (session->conf->configFile) + 6); + if( directives[0] == NULL ) + return PAM_BUF_ERR; + strcpy( directives[0], "file=" ); + strcpy( directives[0]+5, session->conf->configFile ); + } + directives[1] = NULL; + rc = ldap_create_context( &ldap_context, directives ); + _pam_drop( directives[0] ); + if (rc != LDAP_SUCCESS || ! ldap_context ) + { + syslog (LOG_ERR, "pam_ldap: ldap_create_context: %s", ldap_err2string (rc)); + return PAM_SERVICE_ERR; + } + } +#endif + #ifdef HAVE_LDAP_SET_OPTION if (session->conf->debug) { @@ -1253,7 +1288,11 @@ #ifdef HAVE_LDAP_INITIALIZE if (session->conf->uri != NULL) { +# ifdef HAVE_LDAP_CREATE_CONTEXT + int rc = ldap_initialize_in_context (&session->ld, session->conf->uri, ldap_context); +# else int rc = ldap_initialize (&session->ld, session->conf->uri); +# endif if (rc != LDAP_SUCCESS) { syslog (LOG_ERR, "pam_ldap: ldap_initialize %s", @@ -1400,8 +1439,12 @@ /* rand file */ if (session->conf->tls_randfile != NULL) { - rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE, - session->conf->tls_randfile); +# ifdef HAVE_LDAP_CREATE_CONTEXT + rc = ldap_set_option_in_context ( ldap_context, +# else + rc = ldap_set_option (NULL, +# endif + LDAP_OPT_X_TLS_RANDOM_FILE, session->conf->tls_randfile); if (rc != LDAP_SUCCESS) { syslog (LOG_ERR, @@ -1415,7 +1458,12 @@ /* ca cert file */ if (session->conf->tls_cacertfile != NULL) { - rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE, +# ifdef HAVE_LDAP_CREATE_CONTEXT + rc = ldap_set_option_in_context ( ldap_context, +# else + rc = ldap_set_option (NULL, +# endif + LDAP_OPT_X_TLS_CACERTFILE, session->conf->tls_cacertfile); if (rc != LDAP_SUCCESS) { @@ -1429,7 +1477,12 @@ if (session->conf->tls_cacertdir != NULL) { /* ca cert directory */ - rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR, +# ifdef HAVE_LDAP_CREATE_CONTEXT + rc = ldap_set_option_in_context ( ldap_context, +# else + rc = ldap_set_option (NULL, +# endif + LDAP_OPT_X_TLS_CACERTDIR, session->conf->tls_cacertdir); if (rc != LDAP_SUCCESS) { @@ -1443,7 +1496,12 @@ if (session->conf->tls_checkpeer > -1) { /* require cert? */ - rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, +# ifdef HAVE_LDAP_CREATE_CONTEXT + rc = ldap_set_option_in_context ( ldap_context, +# else + rc = ldap_set_option (NULL, +# endif + LDAP_OPT_X_TLS_REQUIRE_CERT, &session->conf->tls_checkpeer); if (rc != LDAP_SUCCESS) { @@ -1457,7 +1515,12 @@ if (session->conf->tls_ciphers != NULL) { /* set cipher suite, certificate and private key: */ - rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, +# ifdef HAVE_LDAP_CREATE_CONTEXT + rc = ldap_set_option_in_context ( ldap_context, +# else + rc = ldap_set_option (NULL, +# endif + LDAP_OPT_X_TLS_CIPHER_SUITE, session->conf->tls_ciphers); if (rc != LDAP_SUCCESS) { @@ -1470,7 +1533,12 @@ if (session->conf->tls_cert != NULL) { - rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE, +# ifdef HAVE_LDAP_CREATE_CONTEXT + rc = ldap_set_option_in_context ( ldap_context, +# else + rc = ldap_set_option (NULL, +# endif + LDAP_OPT_X_TLS_CERTFILE, session->conf->tls_cert); if (rc != LDAP_SUCCESS) { @@ -1483,7 +1551,12 @@ if (session->conf->tls_key != NULL) { - rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE, +# ifdef HAVE_LDAP_CREATE_CONTEXT + rc = ldap_set_option_in_context ( ldap_context, +# else + rc = ldap_set_option (NULL, +# endif + LDAP_OPT_X_TLS_KEYFILE, session->conf->tls_key); if (rc != LDAP_SUCCESS) { --pf9I7BMVVzbSWLtt--

1 0

(ITS#4845) Back-perl is non working
by kiwi＠oav.net 19 Feb '07

19 Feb '07

Full_Name: Xavier Beaudouin Version: 2.3.33 OS: FreeBSD 6.2 URL: http://www.oav.net/tmp/openldap/ Submission from: (NULL) (82.225.248.92) Seems since 2.3 branch back-perl doesn't work files in http://www.oav.net/tmp/openldap/ works correctly on 2.2.xx branch but seems to returns nothing. Debug output : # /usr/local/libexec/slapd -d 4 -f /usr/local/etc/openldap/slapd.conf @(#) $OpenLDAP: slapd 2.3.33 (Feb 19 2007 23:24:47) $ root@diskless.home.oav.net:/usr/ports/net/openldap23-server/work/openldap-2.3.33/servers/slapd daemon_init: <null> => ldap_bv2dn(ou=mailboxes,dc=kazar,dc=net,0) <= ldap_bv2dn(ou=mailboxes,dc=kazar,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(ou=mailboxes,dc=kazar,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(ou=mailboxes,dc=kazar,dc=net)=0 Starting mailboxes => ldap_bv2dn(cn=Subschema,0) <= ldap_bv2dn(cn=Subschema)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=subschema)=0 WARNING: No dynamic config support for database perl. slapd starting connection_get(8) send_ldap_result: err=0 matched="" text="" connection_get(8) => ldap_bv2dn(ou=mailboxes,dc=kazar,dc=net,0) <= ldap_bv2dn(ou=mailboxes,dc=kazar,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(ou=mailboxes,dc=kazar,dc=net)=0 => ldap_dn2bv(272) <= ldap_dn2bv(ou=mailboxes,dc=kazar,dc=net)=0 SRCH "ou=mailboxes,dc=kazar,dc=net" 2 0 0 0 0 filter: (uid=kiwi(a)oav.net) attrs: We get a request for UID Looking for : (uid=kiwi(a)oav.net) We get some results... Sending -> dn : uid=kiwi(a)oav.net,ou=mailboxes,dc=kazar,dc=net objectClass : top objectClass : kazarPerson uid : kiwi(a)oav.net cn : Nom Prenom description : Sample description uidNumber : 10 gidNumber : 10 userPassword : Password homeDirectory : /home/test mailQuota : 50 CouriermailQuota : 50S str2entry: entry -1 has no dn str2entry(dn) failed send_ldap_result: err=0 matched="" text="" connection_get(8) To the query : # ldapsearch -h 127.0.0.1 -b ou=mailboxes,dc=kazar,dc=net uid=kiwi(a)oav.net # extended LDIF # # LDAPv3 # base <ou=mailboxes,dc=kazar,dc=net> with scope subtree # filter: uid=kiwi(a)oav.net # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 Seems that str2entry from search.c doesn't get any value. Is that because internals of OpenLDAP has changed ? Thanks /Xavier

1 0

Re: (ITS#4829) slapd-config should create olcDbDirectory
by ghenry＠suretecsystems.com 18 Feb '07

18 Feb '07

<quote who="hyc(a)symas.com"> > ghenry(a)suretecsystems.com wrote: >> In another step towards 100% remote admin/config, could we store >> StartTLS >> certs in the directory for slapd usage, replacing the need for: >> >> TLS* config path hardcoding.? > > One step at a time... Sure, I just wanted to have this wish recorded somewhere ;-) > Ordinarily I would store certs in an entry with the > same DN as the cert. This would mean creating a directory entry for your > server name, as well as directory entries for any client certs you wanted > to > use. That's probably not the ideal way to go here. > > We could store the certs directly, in attributes under cn=config. We could > also just store DNs in the config attributes, pointing to certs in some > other > database entries. Understood. > > -- > -- Howard Chu > Chief Architect, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc > Chief Architect, OpenLDAP http://www.openldap.org/project/ > > >

1 0

Re: (ITS#4829) slapd-config should create olcDbDirectory
by hyc＠symas.com 18 Feb '07

18 Feb '07

ghenry(a)suretecsystems.com wrote: > In another step towards 100% remote admin/config, could we store StartTLS > certs in the directory for slapd usage, replacing the need for: > > TLS* config path hardcoding.? One step at a time... Ordinarily I would store certs in an entry with the same DN as the cert. This would mean creating a directory entry for your server name, as well as directory entries for any client certs you wanted to use. That's probably not the ideal way to go here. We could store the certs directly, in attributes under cn=config. We could also just store DNs in the config attributes, pointing to certs in some other database entries. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#4829) slapd-config should create olcDbDirectory
by ghenry＠suretecsystems.com 18 Feb '07

18 Feb '07

<quote who="ghenry(a)suretecsystems.com"> > <quote who="Howard Chu"> >> ghenry(a)suretecsystems.com wrote: >> >>> Dear All, >>> >>> If we are to suppose that slapd-config is to provide 100% remote >>> configuration, >>> then directories should be created as set in: >>> >>> olcDbDirectory >>> set_lg_dir >>> >>> >>> Questions/Needs: >>> >>> 1. How to handle existing directories on mkdir? >>> 2. Some global cn=config setting to say what cn=config is allowed to do >>> 3. Plus many more I'm sure. >> >> Some of this touches on issues raised in ITS#4535. We probably need to >> answer >> those points first. > > Understood. > In another step towards 100% remote admin/config, could we store StartTLS certs in the directory for slapd usage, replacing the need for: TLS* config path hardcoding.? Gavin.

1 0

(ITS#4844) Missing 2.4 man pages and things marked as "Experimental"
by ghenry＠suretecsystems.com 17 Feb '07

17 Feb '07

Full_Name: Gavin Henry Version: 2.3.34/2.4.4alpha OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (212.159.59.85) Just a quick to note that there are some overlays missing from slapd.overlays.5 in 2.4.4alpha and actual man pages. Also, relay and rwm are still marked as experimental in some places. grep experimental doc/man/man5/* doc/man/man5/slapd-relay.5:This backend and the above mentioned overlay are experimental. doc/man/man5/slapo-rwm.5:This overlay is experimental. I'll help where I can, Thanks. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

1 0

Re: (ITS#4829) slapd-config should create olcDbDirectory
by ghenry＠suretecsystems.com 17 Feb '07

17 Feb '07

<quote who="Howard Chu"> > ghenry(a)suretecsystems.com wrote: > >> Dear All, >> >> If we are to suppose that slapd-config is to provide 100% remote >> configuration, >> then directories should be created as set in: >> >> olcDbDirectory >> set_lg_dir >> >> >> Questions/Needs: >> >> 1. How to handle existing directories on mkdir? >> 2. Some global cn=config setting to say what cn=config is allowed to do >> 3. Plus many more I'm sure. > > Some of this touches on issues raised in ITS#4535. We probably need to > answer > those points first. Understood. > > -- > -- Howard Chu > Chief Architect, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc > Chief Architect, OpenLDAP http://www.openldap.org/project/ >

1 0

ITS#4535 back-config can allow break-ins
by hyc＠symas.com 17 Feb '07

17 Feb '07

The first issue here was in regards to protection for the config backend when running the tests in the test suite. That was addressed mainly by using a randomly generated rootpw for cn=config in all of the tests. Also the default ACL for the config backend is explicitly set to "access to * by * none". In terms of the potential attacks on a server through back-config - it's obvious to me that you have to treat access to back-config the same as you would treat SSH credentials for a root user on the machine. That was one of the main reasons I decided to make cn=config only usable by its rootdn in 2.3. But since you really should be able to delegate authority, we added regular ACL support for 2.4. So it still comes down to having sane ACLs configured. Most of the attacks listed here require a user to have shell access to the machine, and write access to relevant filesystems. Frankly I think these attack scenarios are contrived - if you have untrusted users logging in to your system, you have other problems already. re: a meta-config file - No. The design goal here is to remove all limitations that prevent totally remote administration of the server, not add new ones. Artificial restrictions, just like artificially restricting 2.3 to rootdn only, will only impair usability and eventually get removed. re: lstat/fstat to prevent use of symlinks - No. There are too many valid uses for symlinks. What might make sense would be to fstat targets and check that they are owned by the current user and are not world-writable. We might also include root-owned directories that are world-writable with the sticky bit set. re: Documentation - sure. re: slaptools with -r/-u/-g - That's been discussed in ITS#4719. The consensus there seems (to me) to be that people with root access better know wth they're doing. re: adding dangerous database configurations - this raises a question about the config DIT. It implies a need for individual containers for backends, databases, and modules, so that you can configure write access to their children attribute. Otherwise, at the moment, we have no way to give fine grained access as to who can create what entries. The other alternative is to make back-config's add handler check for wadd access to the objectclass attribute of new entries, which would be oddly inconsistent with regular backend behavior. I specifically omitted such containers in the original DIT because I assumed only a rootDN, and with the object types essentially coded into their RDNs, the containers were superfluous. I still consider such containers redundant, and would lean toward the objectclass ACL check, which we can also make value-dependent to control exactly what types of databases an administrator can add. Assuming we have fine-grain control over what databases can be added, there should be no further consideration of whether to allow back-passwd, back-perl, or whatever. If an authorized admin wants to add them, let them. Fine-grained restriction of modules is pretty much irrelevant - all we have to go on is a name, which need not bear any relation to the module's actual content. The best we can do here is check ownership, as with other path-related items. re: Can one add "some-attribute:< file:///foobar" over the protocol to a back-ldif database to read file /foobar? I don't think so, but...? No. The URL is processed by the LDIF reader, which in this case is the client. At this point we should probably split this ITS into a few different ones. The main point, vulnerability in the test suite, has already been addressed. The doc-related issues obviously should go to a Doc bug. That leaves path ownership/permission checking for one bug, and fine-grained control of Adds as a separate bug. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#4829) slapd-config should create olcDbDirectory
by hyc＠symas.com 17 Feb '07

17 Feb '07

ghenry(a)suretecsystems.com wrote: > Dear All, > > If we are to suppose that slapd-config is to provide 100% remote configuration, > then directories should be created as set in: > > olcDbDirectory > set_lg_dir > > > Questions/Needs: > > 1. How to handle existing directories on mkdir? > 2. Some global cn=config setting to say what cn=config is allowed to do > 3. Plus many more I'm sure. Some of this touches on issues raised in ITS#4535. We probably need to answer those points first. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

← Newer
1
2
3
4
5
6
7
8
9
...
13
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs February 2007