openldap-bugs August 2008

openldap-bugs@openldap.org

40 participants
169 discussions

ITS#5581 reopened
by ando＠sys-net.it 09 Aug '08

09 Aug '08

Should be re-fixed now in HEAD; please test. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

(ITS#5649) overlay_register_control doesn't work
by hyc＠OpenLDAP.org 09 Aug '08

09 Aug '08

Full_Name: Howard Chu Version: 2.3/2.4/HEAD OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (76.91.220.157) Submitted by: hyc For non-global overlays, overlay_register_control sets the control flags in the temporary BackendDB structure, which is discarded shortly thereafter. It needs to set the flags in the real BackendDB structure.

1 0

Re: (ITS#5648) ppolicy controls entries without objectclass pwdPolicy
by hyc＠symas.com 08 Aug '08

08 Aug '08

dieter(a)dkluenter.de wrote: > Full_Name: Dieter Kluenter > Version: 2.4.11 > OS: openSUSE-11.0 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (84.142.237.56) > > > Hello, > man slapo-ppolicy(5) says that the overlay depends on objectclass pwdPolicy and > Every account that should be subject to password policy control should have > pwdPolicySubentry... As usual, it's important that you read every word in the manpage and not skip over anything. The manpage says: >> Every account that should be subject to password policy control should have a pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry, or they can simply use the configured default. << This means the pwdPolicy entry is some other entry, not that user entries must have the pwdPolicy class. Yes, the overlay depends on the pwdPolicy class because entries of pwdPolicy class must be used to store the policy definitions. It doesn't say that user entries must have pwdPolicy class and it would be stupid to store the policy definitions in the user entries. And it would be pointless to require a pwdPolicySubentry attribute to point to the relevant policy if the policy was simply stored in the user entry. Use your brain. This ITS will be closed. > But ppolicy is controlling every enty, even those without attribute pwdPolicy > and attribute pwdPolicySubentry. > I have created a test entry, which is not subject to password policy but got > locked out after 3 binds with wrong password. > > dn: cn=pw tester,o=avci,c=de > cn: pw tester > createTimestamp: 20080808132851Z > creatorsName: cn=admin,o=avci,c=de > description: Password Tester > entryCSN: 20080808132851.203028Z#000000#000#000000 > entryDN: cn=pw tester,o=avci,c=de > entryUUID: af06a7e2-f999-102c-8d8e-df96a2a401d4 > hasSubordinates: FALSE > modifiersName: cn=admin,o=avci,c=de > modifyTimestamp: 20080808132851Z > objectClass: person > pwdAccountLockedTime: 20080808133126Z > pwdChangedTime: 20080808132851Z > pwdFailureTime: 20080808133058Z > pwdFailureTime: 20080808133109Z > pwdFailureTime: 20080808133126Z > sn: tester > structuralObjectClass: person > subschemaSubentry: cn=Subschema > userPassword: tested > > -Dieter > > > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5648) ppolicy controls entries without objectclass pwdPolicy
by dieter＠dkluenter.de 08 Aug '08

08 Aug '08

Michael Ströder <michael(a)stroeder.com> writes: > dieter(a)dkluenter.de wrote: >> man slapo-ppolicy(5) says that the overlay depends on objectclass pwdPolicy and >> Every account that should be subject to password policy control should have >> pwdPolicySubentry... >> But ppolicy is controlling every enty, even those without attribute pwdPolicy >> and attribute pwdPolicySubentry. >> I have created a test entry, which is not subject to password policy but got >> locked out after 3 binds with wrong password. > > Do you have 'ppolicy_default' set in slapd.conf? > What happens if you remove that? Yes, I do have ppolicy_default "cn=user,cn=policies,o=avci,c=de" but this should only be applicable if the entry belongs to objectclass pwdPolicy but not without objectclass pwdPolicy declaration. -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6 53°08'09,95"N 10°08'02,42"E

1 0

Re: (ITS#5648) ppolicy controls entries without objectclass pwdPolicy
by michael＠stroeder.com 08 Aug '08

08 Aug '08

dieter(a)dkluenter.de wrote: > man slapo-ppolicy(5) says that the overlay depends on objectclass pwdPolicy and > Every account that should be subject to password policy control should have > pwdPolicySubentry... > But ppolicy is controlling every enty, even those without attribute pwdPolicy > and attribute pwdPolicySubentry. > I have created a test entry, which is not subject to password policy but got > locked out after 3 binds with wrong password. Do you have 'ppolicy_default' set in slapd.conf? What happens if you remove that? Ciao, Michael.

1 0

(ITS#5648) ppolicy controls entries without objectclass pwdPolicy
by dieter＠dkluenter.de 08 Aug '08

08 Aug '08

Full_Name: Dieter Kluenter Version: 2.4.11 OS: openSUSE-11.0 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (84.142.237.56) Hello, man slapo-ppolicy(5) says that the overlay depends on objectclass pwdPolicy and Every account that should be subject to password policy control should have pwdPolicySubentry... But ppolicy is controlling every enty, even those without attribute pwdPolicy and attribute pwdPolicySubentry. I have created a test entry, which is not subject to password policy but got locked out after 3 binds with wrong password. dn: cn=pw tester,o=avci,c=de cn: pw tester createTimestamp: 20080808132851Z creatorsName: cn=admin,o=avci,c=de description: Password Tester entryCSN: 20080808132851.203028Z#000000#000#000000 entryDN: cn=pw tester,o=avci,c=de entryUUID: af06a7e2-f999-102c-8d8e-df96a2a401d4 hasSubordinates: FALSE modifiersName: cn=admin,o=avci,c=de modifyTimestamp: 20080808132851Z objectClass: person pwdAccountLockedTime: 20080808133126Z pwdChangedTime: 20080808132851Z pwdFailureTime: 20080808133058Z pwdFailureTime: 20080808133109Z pwdFailureTime: 20080808133126Z sn: tester structuralObjectClass: person subschemaSubentry: cn=Subschema userPassword: tested -Dieter

1 0

(ITS#5647) problem with ldap backend / rwm overlay
by brett.maxfield＠gmail.com 07 Aug '08

07 Aug '08

Full_Name: Brett Maxfield Version: slapd 2.4.11 (Jul 29 2008 19:56:20) OS: SunOS qgdmzmlr01 5.10 Generic_127111-11 sun4v sparc SUNW,Sun-Fire-T200 URL: Submission from: (NULL) (203.18.108.168) I am trying to setup a ldap backend which is a filtered view of another larger parent directory, with respect to exposing fewer object classes and attributes. The intent is to present a simpler view of the larger directory, and the config below works, except for when i uncomment the line containing "rwm-map attribute *", to hide the attributes i do not want visible, but after that it stops returning any entries at all for any query. So may be there is some important openldap attribute i am nuking ? The below config works, until the "rwm-map attribute *" line is uncommented, the ldap backend stops returning any entries. Pierangelo Masarati on the list stated : <quote> Yes, I fear that's hiding the objectClass attribute, which is required for internal operations. On the other hand, you can't simply tell back-ldap to preserve that attribute, because mapping objectClass is not allowed. I suggest you file an ITS so that this problem can be fixed. </quote> I have tried mapping the "rwm-map attribute objectClass *", and as Perangelo states, the error is "objectclass attribute cannot be mapped". If this is true, then the usability of rwm-map attribute is extremely compromised, and probably unusable? The structure of the parent directory is : c=AU o=My Org 1 ou=My Unit 1 o=My Org 2 ou=My Unit 2 Config is : database ldap suffix "c=AU" uri "ldap://<parent ip>:<parent port>/" overlay rwm lastmod off # attribute maps (ok except for final "rwm-map attribute *" map) rwm-map attribute cn * rwm-map attribute sn * rwm-map attribute mail * rwm-map attribute c * rwm-map attribute o * rwm-map attribute ou * # does not like this, it stops any entries being returned #rwm-map attribute * # objectclass maps (ok) rwm-map objectclass top * rwm-map objectclass country * rwm-map objectclass organization * rwm-map objectclass organizationalRole * rwm-map objectclass organizationalPerson * rwm-map objectclass organizationalUnit * rwm-map objectclass *

1 0

Re: (ITS#5646) Unable to make the openldap-2.4.11 in fedora9
by hyc＠symas.com 07 Aug '08

07 Aug '08

snkg24(a)gmail.com wrote: > Full_Name: Nar > Version: openldap-2.4.11 > OS: Fedora 9 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (59.93.52.62) > > > Hi all, > > I am unable to install the openldap using configure. The following error > appearing after inputting the command "make". > > Please provide the solution. This is a dup of ITS#5464, a bug in glibc. https://www.openldap.org/its/index.cgi/Build?id=5464 This ITS will be closed, you can send further followups to ITS#5464. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#5646) Unable to make the openldap-2.4.11 in fedora9
by snkg24＠gmail.com 07 Aug '08

07 Aug '08

Full_Name: Nar Version: openldap-2.4.11 OS: Fedora 9 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (59.93.52.62) Hi all, I am unable to install the openldap using configure. The following error appearing after inputting the command "make". Please provide the solution. ----------- [root@eltserv openldap-2.4.11]# make Making all in /root/Download/openldap-2.4.11 Entering subdirectory include make[1]: Entering directory `/root/Download/openldap-2.4.11/include' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/root/Download/openldap-2.4.11/include' Entering subdirectory libraries make[1]: Entering directory `/root/Download/openldap-2.4.11/libraries' Making all in /root/Download/openldap-2.4.11/libraries Entering subdirectory liblutil make[2]: Entering directory `/root/Download/openldap-2.4.11/libraries/liblutil' rm -f version.c ../../build/mkversion -v "2.4.11" liblutil.a > version.c cc -g -O2 -I../../include -I../../include -I/usr/local/BerkeleyDB/include -c -o utils.o utils.c cc -g -O2 -I../../include -I../../include -I/usr/local/BerkeleyDB/include -c -o fetch.o fetch.c cc -g -O2 -I../../include -I../../include -I/usr/local/BerkeleyDB/include -c -o getpeereid.o getpeereid.c getpeereid.c: In function lutil_getpeereid: getpeereid.c:65: error: storage size of peercred isnt known make[2]: *** [getpeereid.o] Error 1 make[2]: Leaving directory `/root/Download/openldap-2.4.11/libraries/liblutil' make[1]: *** [all-common] Error 1 make[1]: Leaving directory `/root/Download/openldap-2.4.11/libraries' make: *** [all-common] Error 1

1 0

Re: (ITS#5642) Double free on exit, when specific attributetype is defined
by hyc＠symas.com 06 Aug '08

06 Aug '08

Hallvard B Furuseth wrote: > hyc(a)symas.com writes: >>> attributetype ( 278.1.3.6.1 NAME 'requireClass' SUP objectClass ) >> This is now fixed in HEAD. > > Slapd should to refuse to start with a bogus OID like that. > OIDs start with components<0-1>.<0-39> or 2.<any>. > > The LDAP standard doesn't seem to mention this, but RFC 4517 does defer > to X.680 (the ASN.1 spec), which since 1998 has deferred to X.660 - > which I don't have:-( Anyway, my reference is John Larmouth's _ASN.1 > Complete_. And it can be inferred from the BER encoding of the OBJECT > IDENTIFIER type. > Feel free to patch it. The fix I committed was simply to the double-free for any attributeType that inherits from objectClass... -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

← Newer
1
...
9
10
11
12
13
14
15
16
17
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs August 2008