openldap-bugs April 2007

openldap-bugs@openldap.org

38 participants
126 discussions

Re: (ITS#4942) configurable filter blocking
by h.b.furuseth＠usit.uio.no 30 Apr '07

30 Apr '07

quanah(a)OpenLDAP.org writes: > For example, I may want to block subfinal indices on the > "suAffiliation" attribute in the cn=people,dc=stanford,dc=edu tree. I should have added: Unless you've got a better answer than me for why this is better than the "unchecked" limit, it might be more useful to block "suAffiliation" from getting a "subfinal" index. Then use the "unchecked" limit to block too general searches. -- Regards, Hallvard

1 0

Re: (ITS#4942) configurable filter blocking
by h.b.furuseth＠usit.uio.no 30 Apr '07

30 Apr '07

quanah(a)OpenLDAP.org writes: > In reading through the documentation for Fedora DS, I saw an > interesting feature where you can, at the slapd level, disable the > ability for clients to execute filters when the attribute(s) being > filtered on are not indexed. What's the motivation for this? I've thought about suggesting similar features (or maybe even suggested it, I don't remember) - but so far the "unchecked" limit has proved a better way for my purposes. How does it work with complex filters? E.g. (&(cn=foo)(mail=*)) where cn is indexed and finds the relevant entries, mail=* eliminates the 0.1% mailless users. Should this succeed if mail has no presence index? If no, what's the advantage of forbidding it? If yes, how do you stop (&(objectClass=person)(mail=*))? > This seems an interesting feature to me, but I think it could be > more worthwhile to make it a bit more configurable, (...) > For example, I may want to block subfinal indices on the > "suAffiliation" attribute in the cn=people,dc=stanford,dc=edu tree. I can see an access control reason for doing that, though users might get trivially around it by appending a '*' to the filter. And I do use sizelimit and the "unchecked" limit as a crude form of access control, as well as to ensure a good response time. But it remains crude, since it's not what an index is for - it's basically just an optimization. -- Regards, Hallvard

1 0

Re: (ITS#4941) incorrect description of TLS_REQCERT setting
by guenther＠sendmail.com 30 Apr '07

30 Apr '07

On Mon, 30 Apr 2007, Howard Chu wrote: > guenther+ldapdev(a)sendmail.com wrote: ... >> - 'allow' checks the identity of the server vs its cert (per RFC 4513, >> section 3.1.3) and will terminate the connection if they don't match >> - 'try' is the same as 'demand' and 'hard' > > Not quite. With both "allow" and "try" it's OK if the server provides no > certificate. That's true of 'demand' and 'hard' as well. The only difference between 'try' and 'demand' in the code is that the latter passes SSL_CTX_set_verify() the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag, but that flag has NO EFFECT on SSL clients. This is documented on the SSL_CTX_set_verify() manpage and confirmed by grepping the openssl source for it. If you don't believe me, I suggest you try configuring your server to accept the ADH suites (don't forget to set TLSDHParamFile to /dev/null) and give ldapsearch a whirl with LDAPTLS_REQCERT=hard LDAPTLS_CIPHER_SUITE=ADH-AES256-SHA in your environment. That's what I did. Philip Guenther

1 0

(ITS#4942) configurable filter blocking
by quanah＠OpenLDAP.org 30 Apr '07

30 Apr '07

Full_Name: Quanah Gibson-Mount Version: NA OS: NA URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (171.66.155.86) In reading through the documentation for Fedora DS, I saw an interesting feature where you can, at the slapd level, disable the ability for clients to execute filters when the attribute(s) being filtered on are not indexed. This seems an interesting feature to me, but I think it could be more worthwhile to make it a bit more configurable, where you could block certain filter types from being used, regardless of whether or not they were indexed, and expanded to only pertain to particular subtrees. For example, I may want to block subfinal indices on the "suAffiliation" attribute in the cn=people,dc=stanford,dc=edu tree. Just food for thought. --Quanah

1 0

Re: (ITS#4941) incorrect description of TLS_REQCERT setting
by hyc＠symas.com 30 Apr '07

30 Apr '07

guenther+ldapdev(a)sendmail.com wrote: > Full_Name: Philip Guenther > Version: 2.3.27 > OS: linux and solaris > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (64.58.1.252) > > > The description of the TLS_REQCERT setting in the ldap.conf(5) manpage does not > match the actual operation of the code. In particular: > - clients don't 'request' server certs in TLS. They get one if the cipher > suite > uses them, otherwise they don't > - 'allow' checks the identity of the server vs its cert (per RFC 4513, > section 3.1.3) and will terminate the connection if they don't match > - 'try' is the same as 'demand' and 'hard' Not quite. With both "allow" and "try" it's OK if the server provides no certificate. The difference is, with "try", if a cert is provided, it must be valid. > > > Here's a possible patch to ldap.conf.5 to fix the above. A reference to the RFC > should perhaps be added to the text. I was also tempted to add a sentence to > the lead-in to clarify that the setting has no effect if the negotiated cipher > suite doesn't use certs, as a clarification of the "if any" in the existing > lead-in, but that's minor. Simply having an even slightly correct description > of 'allow' is the important thing. > > --- ldap.conf.5 26 Jan 2006 05:57:49 -0000 > +++ ldap.conf.5 30 Apr 2007 08:39:53 -0000 > @@ -249,22 +249,20 @@ > .RS > .TP > .B never > -The client will not request or check any server certificate. > +The client will not check the server certificate at all. > .TP > .B allow > -The server certificate is requested. If no certificate is provided, > -the session proceeds normally. If a bad certificate is provided, it will > -be ignored and the session proceeds normally. > -.TP > -.B try > -The server certificate is requested. If no certificate is provided, > -the session proceeds normally. If a bad certificate is provided, > +The client will only verify that name used to connect to the server > +matches one of the server certificate's subjectAltName or CN values. > +If no match is found, the session is immediately terminated. > +.TP > +.B try | demand | hard > +These keywords are equivalent. > +The client will verify the server certificate is valid and matches the > +name used to connect (as for 'allow'). > +If a bad or mismatched certificate is provided, > the session is immediately terminated. > -.TP > -.B demand | hard > -These keywords are equivalent. The server certificate is requested. If no > -certificate is provided, or a bad certificate is provided, the session > -is immediately terminated. This is the default setting. > +This is the default setting. > .RE > .TP > .B TLS_CRLCHECK <level> > > > -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#4941) incorrect description of TLS_REQCERT setting
by guenther+ldapdev＠sendmail.com 30 Apr '07

30 Apr '07

Full_Name: Philip Guenther Version: 2.3.27 OS: linux and solaris URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (64.58.1.252) The description of the TLS_REQCERT setting in the ldap.conf(5) manpage does not match the actual operation of the code. In particular: - clients don't 'request' server certs in TLS. They get one if the cipher suite uses them, otherwise they don't - 'allow' checks the identity of the server vs its cert (per RFC 4513, section 3.1.3) and will terminate the connection if they don't match - 'try' is the same as 'demand' and 'hard' Here's a possible patch to ldap.conf.5 to fix the above. A reference to the RFC should perhaps be added to the text. I was also tempted to add a sentence to the lead-in to clarify that the setting has no effect if the negotiated cipher suite doesn't use certs, as a clarification of the "if any" in the existing lead-in, but that's minor. Simply having an even slightly correct description of 'allow' is the important thing. --- ldap.conf.5 26 Jan 2006 05:57:49 -0000 +++ ldap.conf.5 30 Apr 2007 08:39:53 -0000 @@ -249,22 +249,20 @@ .RS .TP .B never -The client will not request or check any server certificate. +The client will not check the server certificate at all. .TP .B allow -The server certificate is requested. If no certificate is provided, -the session proceeds normally. If a bad certificate is provided, it will -be ignored and the session proceeds normally. -.TP -.B try -The server certificate is requested. If no certificate is provided, -the session proceeds normally. If a bad certificate is provided, +The client will only verify that name used to connect to the server +matches one of the server certificate's subjectAltName or CN values. +If no match is found, the session is immediately terminated. +.TP +.B try | demand | hard +These keywords are equivalent. +The client will verify the server certificate is valid and matches the +name used to connect (as for 'allow'). +If a bad or mismatched certificate is provided, the session is immediately terminated. -.TP -.B demand | hard -These keywords are equivalent. The server certificate is requested. If no -certificate is provided, or a bad certificate is provided, the session -is immediately terminated. This is the default setting. +This is the default setting. .RE .TP .B TLS_CRLCHECK <level>

1 0

(ITS#4940) libldap doesn't wait for server's TLS close_notify
by guenther+ldapdev＠sendmail.com 30 Apr '07

30 Apr '07

Full_Name: Philip Guenther Version: 2.3.27 OS: Linux and Solaris URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (64.58.1.252) [I vaguely recall seeing a report of this issue in the archives of one of the mailing lists, but I can no longer find the original.] If you trace the packets sent when you use, for example, ldapsearch against a server on a different host, using either the -Z option to do TLS or using an ldaps URI, you'll discover that the TCP connection is actually reset instead of being closed cleanly: the client sends TCP RSTs in response to the server's final packets. This is because libldap uses the following sequence when unbind a TLS or SSL connection: 1) send the unbind request (over the TLS or SSL layer) 2) call SSL_shutdown(), sending the TLS close_notify alert 3) call close() After receiving the close_notify alert from step (2), the server sends back its own close_notify alert and then calls close(). However, because the client didn't wait for the server's response before calling close() on its end, the client's TCP stack considers the TCP connection to already be gone and responds with the RST packets. This occurs with Linux and Solaris clients and probably most other unices: the response to packets after a close() doesn't vary in my experience. There are a number of ways this can be handled: 1) change the client to wait until it sees the server's close_notify alert by replacing "SSL_shutdown( p->ssl );" in tls.c with the two lines: if (SSL_shutdown( p->ssl ) == 0) SSL_shutdown( p->ssl ); (I have confirmed that this works. As documented, the first call will return 1 if the server's close_notify has already been received, if not, the second call will block until it is received.) 2) change the client to not bother to send a close_notify alert when it's just going to close() the connection; change the server to not send a close_notify if it didn't get one. This probably violates the TLS spec, but the fact that TLS/1.1 permits resumption of sessions without close_notify having been sent indicates that the violation is not a major issue, particularly given that LDAP's unbind request prevents truncation attacks. Close_notifies are, of course, required if the client just wants to terminate the TLS layer and resume unprotected LDAP operations. 3) ignore the issue: it only causes one or two extra packets to be sent. While it also eliminates the TIME_WAIT state, LDAP's application-level close (the unbind request) means it doesn't need reliable full-duplex closure, so the only concern would be random connection issues from reincarnations of the TCP tuple, which is unlikely for an LDAP connection. Personally, I like the simplicity and cleanliness of solution (1).

1 0

(ITS#4939) Typographical error in client tool_common_usage()
by ceri＠submonkey.net 28 Apr '07

28 Apr '07

Full_Name: Ceri Davies Version: HEAD OS: FreeBSD URL: http://shrike.submonkey.net/~ceri/clients-tools-common.c.patch Submission from: (NULL) (81.106.128.65) The help output from the client tools contains a misspelling of "Identifier". See the patch at http://shrike.submonkey.net/~ceri/clients-tools-common.c.patch which applies against today's -HEAD. I seriously doubt that you need this, but: I, Ceri Davies, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

1 0

Re: (ITS#4938) hdb_db_close SEGVs
by quanah＠zimbra.com 26 Apr '07

26 Apr '07

----- quanah(a)zimbra.com wrote: > ----- richton(a)nbcs.rutgers.edu wrote: > > I don't have #5 (sleepycat#14657) nor the unofficial > > > http://www.stanford.edu/services/directory/openldap/configuration/patches/d… > > > > patch. As for the official one, I'm not sure about its relevance to > > the > > actual SEGV due to the "recovery...fail" comment. In other words, > > though > > it may be impacting the ability of alock/db_recover to do its thing, > > > that's just a side effect of the unclean shutdown which is the real > > bug > > here to my view. > > > > > Patch #5 specifically deals with a race condition where a checkpoint > is occuring while a cache buffer retrieval is also occuring causing a > database corruption that will later not be recoverable from. At > least, that's how I read sleepcat's description: > > 5. Fix a bug where cache buffer retrieval could race with a checkpoint > call, potentially causing database environment recovery to fail. > [#14657] > > Given that OpenLDAP checkpoints on shutdown, shutting down the server > could be what is triggering the issue for you. I'd suggest applying > the patch and seeing if this resolves your problem. Just to note, I shut down one of my 2.3.35 servers that's served out over 1 million connections since I brought it up, and everything was clean on both shutdown and startup. --Quanah

1 0

Re: (ITS#4938) hdb_db_close SEGVs
by quanah＠zimbra.com 26 Apr '07

26 Apr '07

----- richton(a)nbcs.rutgers.edu wrote: > I don't have #5 (sleepycat#14657) nor the unofficial > http://www.stanford.edu/services/directory/openldap/configuration/patches/d… > > patch. As for the official one, I'm not sure about its relevance to > the > actual SEGV due to the "recovery...fail" comment. In other words, > though > it may be impacting the ability of alock/db_recover to do its thing, > that's just a side effect of the unclean shutdown which is the real > bug > here to my view. Patch #5 specifically deals with a race condition where a checkpoint is occuring while a cache buffer retrieval is also occuring causing a database corruption that will later not be recoverable from. At least, that's how I read sleepcat's description: 5. Fix a bug where cache buffer retrieval could race with a checkpoint call, potentially causing database environment recovery to fail. [#14657] Given that OpenLDAP checkpoints on shutdown, shutting down the server could be what is triggering the issue for you. I'd suggest applying the patch and seeing if this resolves your problem. > The region size patch is interesting, but I will tell you that the > database in question has > > set_cachesize 0 200000000 0 > > and it (to a glance) looks like that only impacts the gig column, > which I > have as zero anyway. Yeah, the patch may not apply for you (I have a 3.5GB cache, so it does for me). Wouldn't harm anything, of course, if you decided later you needed a larger BDB cache. ;) --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs April 2007