openldap-bugs July 2008

openldap-bugs@openldap.org

43 participants
131 discussions

(ITS#5614) Ignore invalid search filters
by andrew.graham＠agustawestland.com 14 Jul '08

14 Jul '08

Full_Name: Andrew Graham Version: 2.4.10 OS: SLES 10 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (194.169.32.250) In line with the behavious specified in ITS 3785, any invalid search filter applied against back-meta will force a query including the search filter (!(objectClass=*)). As this filter can result in slow performance for certain brands of LDAP server, please provide an option to ignore invalid search filters in back-meta.

1 0

(ITS#5613) slapd determines hostname by PTR even if host url defined, breaking ServerID
by joe＠julianfamily.org 14 Jul '08

14 Jul '08

Full_Name: Joe Julian Version: 2.4.10 OS: Linux (Fedora 7 distribution) URL: Submission from: (NULL) (68.178.24.202) Description of problem: slapd is called with "-h ldap://ldap1.domain.dom" where ldap1 is a CNAME for the actual server name "moe.domain.dom" and "-h ldap://ldap2.domain.dom" for "curly.domain.dom". The cn=config entries for olcServerID are "1 ldap://ldap1.domain.dom" and "2 ldap://ldap2.domain.dom" In config_generic (bconfig.c) case CFG_SERVERID lud->lud_host is compared with global_host. As the PTR record for moe is moe.domain.dom and not ldap1.domain.dom, moe does not get assigned a serverID. The same is true for curly. Version-Release number of selected component (if applicable): openldap_2.4.8 Steps to Reproduce: 1. configure a server's dns entries for the actual name of the server 2. configure a cname that's different 3. call slapd with "-h": the url referring to the cname of the server Actual results: no serverID defined Expected results: the serverID should be selected (in part) based on the "-h" url configuration matching an olcServerID entry

1 0

(ITS#5612) Contributing An Overlay which Submits Modification in LDAP to a Web-Page!
by fawadlateef＠gmail.com 14 Jul '08

14 Jul '08

Full_Name: Fawad Lateef Version: 2.4.10 OS: Ubuntu URL: ftp://ftp.openldap.org/incoming/fawadlateef-contrib-updopstoweb-080714.tgz Submission from: (NULL) (202.133.78.60) Contributing an overlay which submits modification in LDAP to a web-page through libcurl. Description: ------------ This package contains a slapd overlay, updopstoweb, that provides support for monitoring add/modify/delete operations performed on LDAP and sends the information related to operation going to be performed on LDAP to a web-site through libcurl api. It also provides support for specifying an IP address which will not be monitored, e.g. if you want to monitor operations from remote system then you can specify local-host IP and then it will ignore local-host operations. Monitoring of operations is based on dn, attributes and object classes which are provided through entries in slapd.conf file. Web-site URL and IP address for ignoring operations from are also provided to overlay through slapd.conf file. Although all these parameters can be provided at run-time through back-config. The overlay is tested on openldap-2.4.10 although it can work on any version of openldap-2.4 For details please consult README provided in the package

1 0

Re: (ITS#5601) set-acl failure under back-ldap+rwm
by mbackes＠symas.com 14 Jul '08

14 Jul '08

> To further elaborate, even if the virtual DN is set instead of the > real one in c_ndn, the operation fails because ACL checking passes > through bi_entry_get_rw(), which is not provided by slapo-rwm, and > can't be provided according to the current design, since it does not > allow to massage the arguments. As a quick'n'dirty fix, what you > can do is make the proxy database serve both naming contexts, namely > > database ldap > suffix "dc=remote,dc=local" > suffix "dc=remote" This works for getting the query to the right place; thanks! Remapped attributes in the acl obviously don't work, but working around that is straight-forward also. > This is a hack; the real fix requires to redesign the API of > bi_entry_get_rw(), to let it modify the request arguments while > letting the real function do the hard job. Right, okay. Matthew Backes Symas Corporation mbackes(a)symas.com

1 0

Re: (ITS#5609) slapo-constraint with typ 'uri' rejects valid attribute values
by ando＠sys-net.it 13 Jul '08

13 Jul '08

michael(a)stroeder.com wrote: > ando(a)sys-net.it wrote: >> michael(a)stroeder.com wrote: >>> First this raises the question what to do if filters are not valid in >>> configuration. I'd prefer if slapo-constraint would cause invalidFilter >>> with an appropriate diagnosticMessage pointing to slapo-constraint >>> configuration to be returned instead of silently assuming the attribute >>> value is wrong. >> AFAIK, an invalid filter in the configuration would prevent slapd from >> starting, although right now checks are not that tight. > > ldap:///ou=Departments,ou=schulung,dc=stroeder,dc=local?ou?one?(objectClass=organizationalUnit)) > > obviously contains an invalid filter. But slapd starts without complaining. OK, this type of error is not caught basically because no real check is done besides parsing the URI. I was more concerned about erroneous filters as a result of constructing the constraint filter. However, I notice that even in case of an incorrect filter, str2filter() will not fail, but rather generate a filter with erroneous terminal filters marked as erroneous, without complaining. Moreover, the internal search will return as successful but likely with no results. This is the expected behavior for a real search. So tracing an incorrect filter is not that obvious. >>> Still it does not work for me. The filter seems to be ok now and returns >>> the correct search result. But still the attribute value "Abteilung 1" >>> is not accepted. >> Can you provide the filter, the relevant data (or an excerpt of it) and >> the operation you're trying to perform? > > I could provide a complete canned config in a personal e-mail if you want. I'll let you know if that's needed. Maybe what you posted below is enough. p. > Just for the ITS: > > ---------------------- excerpt slapd.conf ---------------------- > overlay constraint > constraint_attribute gender regex ^[0129]?$ > constraint_attribute departmentNumber uri > ldap:///ou=Departments,ou=schulung,dc=stroeder,dc=local?ou?one?(objectClass=organizationalUnit) > constraint_attribute manager uri > ldap:///ou=Managers,ou=schulung,dc=stroeder,dc=local?entryDN?one?(objectClass=inetOrgPerson) > ---------------------- entry to be modified ---------------------- > dn: cn=Michael Stroeder,ou=People,ou=schulung,dc=stroeder,dc=local > cn: Michael Stroeder > givenName: Michael > hasSubordinates: FALSE > objectClass: inetOrgPerson > sn: Stroeder > > ---------------------- modification operation ---------------------- > dn: cn=Michael Stroeder,ou=People,ou=schulung,dc=stroeder,dc=local > changetype: modify > add: departmentNumber > departmentNumber: Abteilung 1 > - > > ---------------------- departments ---------------------- > dn: ou=Departments,ou=schulung,dc=stroeder,dc=local > objectClass: organizationalUnit > ou: Departments > > dn: ou=Abteilung 1,ou=Departments,ou=schulung,dc=stroeder,dc=local > objectClass: organizationalUnit > ou: Abteilung 1 > > dn: ou=Abteilung 2,ou=Departments,ou=schulung,dc=stroeder,dc=local > objectClass: organizationalUnit > ou: Abteilung 2 > > -------------------------------------------------------------- > > Ciao, Michael > > Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: ando(a)sys-net.it -----------------------------------

1 0

Re: (ITS#5609) slapo-constraint with typ 'uri' rejects valid attribute values
by michael＠stroeder.com 13 Jul '08

13 Jul '08

ando(a)sys-net.it wrote: > michael(a)stroeder.com wrote: >> First this raises the question what to do if filters are not valid in >> configuration. I'd prefer if slapo-constraint would cause invalidFilter >> with an appropriate diagnosticMessage pointing to slapo-constraint >> configuration to be returned instead of silently assuming the attribute >> value is wrong. > > AFAIK, an invalid filter in the configuration would prevent slapd from > starting, although right now checks are not that tight. ldap:///ou=Departments,ou=schulung,dc=stroeder,dc=local?ou?one?(objectClass=organizationalUnit)) obviously contains an invalid filter. But slapd starts without complaining. >> Still it does not work for me. The filter seems to be ok now and returns >> the correct search result. But still the attribute value "Abteilung 1" >> is not accepted. > > Can you provide the filter, the relevant data (or an excerpt of it) and > the operation you're trying to perform? I could provide a complete canned config in a personal e-mail if you want. Just for the ITS: ---------------------- excerpt slapd.conf ---------------------- overlay constraint constraint_attribute gender regex ^[0129]?$ constraint_attribute departmentNumber uri ldap:///ou=Departments,ou=schulung,dc=stroeder,dc=local?ou?one?(objectClass=organizationalUnit) constraint_attribute manager uri ldap:///ou=Managers,ou=schulung,dc=stroeder,dc=local?entryDN?one?(objectClass=inetOrgPerson) ---------------------- entry to be modified ---------------------- dn: cn=Michael Stroeder,ou=People,ou=schulung,dc=stroeder,dc=local cn: Michael Stroeder givenName: Michael hasSubordinates: FALSE objectClass: inetOrgPerson sn: Stroeder ---------------------- modification operation ---------------------- dn: cn=Michael Stroeder,ou=People,ou=schulung,dc=stroeder,dc=local changetype: modify add: departmentNumber departmentNumber: Abteilung 1 - ---------------------- departments ---------------------- dn: ou=Departments,ou=schulung,dc=stroeder,dc=local objectClass: organizationalUnit ou: Departments dn: ou=Abteilung 1,ou=Departments,ou=schulung,dc=stroeder,dc=local objectClass: organizationalUnit ou: Abteilung 1 dn: ou=Abteilung 2,ou=Departments,ou=schulung,dc=stroeder,dc=local objectClass: organizationalUnit ou: Abteilung 2 -------------------------------------------------------------- Ciao, Michael

1 0

Re: (ITS#5609) slapo-constraint with typ 'uri' rejects valid attribute values
by ando＠sys-net.it 12 Jul '08

12 Jul '08

michael(a)stroeder.com wrote: > Pierangelo Masarati wrote: >> michael(a)stroeder.com wrote: >> >>> Looking at the logs slapo-constraint seems to generate a filter which is >>> considered bad by slapd: >>> >>> constraint_violation uri filter = >>> (&((objectClass=organizationalUnit))(|(ou=Abteilung 1))) >>> >>> This filter would work and finds the correct entry containing the valid >>> attribute value: >>> (&(objectClass=organizationalUnit)(|(ou=Abteilung 1))) >> The overlay assumes you don't put brackets around your filter. This is >> now fixed in HEAD; please test. p. > > First this raises the question what to do if filters are not valid in > configuration. I'd prefer if slapo-constraint would cause invalidFilter > with an appropriate diagnosticMessage pointing to slapo-constraint > configuration to be returned instead of silently assuming the attribute > value is wrong. AFAIK, an invalid filter in the configuration would prevent slapd from starting, although right now checks are not that tight. > Still it does not work for me. The filter seems to be ok now and returns > the correct search result. But still the attribute value "Abteilung 1" > is not accepted. Can you provide the filter, the relevant data (or an excerpt of it) and the operation you're trying to perform? I just checked slapo-constraint, after fixing it, and it seemed to work as expected. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: ando(a)sys-net.it -----------------------------------

1 0

Re: (ITS#5609) slapo-constraint with typ 'uri' rejects valid attribute values
by michael＠stroeder.com 12 Jul '08

12 Jul '08

Pierangelo Masarati wrote: > michael(a)stroeder.com wrote: > >> Looking at the logs slapo-constraint seems to generate a filter which is >> considered bad by slapd: >> >> constraint_violation uri filter = >> (&((objectClass=organizationalUnit))(|(ou=Abteilung 1))) >> >> This filter would work and finds the correct entry containing the valid >> attribute value: >> (&(objectClass=organizationalUnit)(|(ou=Abteilung 1))) > > The overlay assumes you don't put brackets around your filter. This is > now fixed in HEAD; please test. p. First this raises the question what to do if filters are not valid in configuration. I'd prefer if slapo-constraint would cause invalidFilter with an appropriate diagnosticMessage pointing to slapo-constraint configuration to be returned instead of silently assuming the attribute value is wrong. Still it does not work for me. The filter seems to be ok now and returns the correct search result. But still the attribute value "Abteilung 1" is not accepted. Ciao, Michael. --------------------------------- snip --------------------------------- ==> constraint_violation uri filter = (&(objectClass=organizationalUnit)(|(ou=Abteilung 1))) put_filter: "(&(objectClass=organizationalUnit)(|(ou=Abteilung 1)))" put_filter: AND put_filter_list "(objectClass=organizationalUnit)(|(ou=Abteilung 1))" put_filter: "(objectClass=organizationalUnit)" put_filter: simple put_simple_filter: "objectClass=organizationalUnit" put_filter: "(|(ou=Abteilung 1))" put_filter: OR put_filter_list "(ou=Abteilung 1)" put_filter: "(ou=Abteilung 1)" put_filter: simple put_simple_filter: "ou=Abteilung 1" ber_scanf fmt ({mm}) ber: ber_scanf fmt ({mm}) ber: => hdb_search bdb_dn2entry("ou=Departments,ou=schulung,dc=stroeder,dc=local") => hdb_dn2id("ou=Departments,ou=schulung,dc=stroeder,dc=local") <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) => access_allowed: disclose access to "ou=schulung,dc=stroeder,dc=local" "entry" requested <= root access granted => access_allowed: disclose access granted by manage(=mwrscxd) send_ldap_result: conn=1 op=28 p=3 send_ldap_result: err=10 matched="ou=schulung,dc=stroeder,dc=local" text="" ==> constraint_violation uri rc = 32, found = 0 send_ldap_result: conn=1 op=28 p=3 send_ldap_result: err=19 matched="" text="modify breaks constraint on departmentNumber" send_ldap_response: msgid=29 tag=103 err=19 ber_flush2: 58 bytes to sd 17 conn=1 op=28 RESULT tag=103 err=19 text=modify breaks constraint on departmentNumber

1 0

Re: (ITS#5609) slapo-constraint with typ 'uri' rejects valid attribute values
by ando＠sys-net.it 12 Jul '08

12 Jul '08

michael(a)stroeder.com wrote: > Looking at the logs slapo-constraint seems to generate a filter which is > considered bad by slapd: > > constraint_violation uri filter = > (&((objectClass=organizationalUnit))(|(ou=Abteilung 1))) > > This filter would work and finds the correct entry containing the valid > attribute value: > (&(objectClass=organizationalUnit)(|(ou=Abteilung 1))) The overlay assumes you don't put brackets around your filter. This is now fixed in HEAD; please test. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: ando(a)sys-net.it -----------------------------------

1 0

Re: (ITS#5592) Quarantine in back-meta
by ando＠sys-net.it 12 Jul '08

12 Jul '08

andrew.graham(a)agustawestland.com wrote: > The quarantine function in back-meta will permanently disable a target if a > query is received while the quarantine has been imposed. Fixed in HEAD; please test. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: ando(a)sys-net.it -----------------------------------

1 0

← Newer
1
2
3
4
5
6
7
8
9
...
14
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs July 2008