openldap-bugs August 2008

openldap-bugs@openldap.org

40 participants
169 discussions

Re: (ITS#5639) Digital (PGP-)signature for downloadable sources
by Kurt＠OpenLDAP.org 05 Aug '08

05 Aug '08

On Aug 4, 2008, at 9:56 PM, h.b.furuseth(a)usit.uio.no wrote: > Kurt(a)OpenLDAP.org writes: >> On Aug 4, 2008, at 2:06 PM, h.b.furuseth(a)usit.uio.no wrote: >>> Kurt(a)OpenLDAP.org writes: >>>> I note as well that properly deploying release signing requires >>>> more than script modification. For instance, one does need to >>>> consider that the host to sign the releases might itself been >>>> taken over and the implications of such a takeover. >>> >>> For that part, signatures in the 'https:' site would help. >> >> I think you need to re-think that assertion. > > Er, yes, I was thinking of the "outside" equivalent, hacking DNS and > "taking over" that way. Those mounting such attacks are more likely to take over google.com than openldap.org. > I have the impression that's the most common way to "take over" a > site, but I may be wrong. I would say it's a more commonly talked about "take over" approach at present. Though I don't know if its more common that other major site "take over" approaches. But "take over" of small sites, such are openldap.org, are different because the goal is different. Folks "take over" major sites (generally in an isolated way, such as via a particular ISP) because there is a reasonable chance that users will access the taken over site. These take overs often are attempts to install malware on user systems (be careful, that google search button might not be a true google search button). Take over of small sites is commonly done to deface the site, to gain notoriety or to grind an axe or something. So, I'm not particularly worried about former, but am worried about the latter. But you and others brought up https:// in the context of a PGP signing discussion. This is, I think, confused. -- Kurt

1 0

Re: (ITS#5639) Digital (PGP-)signature for downloadable sources
by Kurt＠OpenLDAP.org 05 Aug '08

05 Aug '08

I figure that an attacker can convince most downloaders who might verify a PGP signature that the project no longer signs releases, making the project's use of PGP signatures moot. While it can be argued that there might be some downloaders who want to establish rigid signature verification procedures and follow them, I simply haven't heard anyone claim to be such a downloader. And even if there where a few that might now claim this, I think the amount of work involved (both initially and on a per release basis) is worth the time spent. I would argue time is better spent on improvements that are benefit most downloaders, such as a more comprehensive web/ftp change detection/notice system. -- Kurt

1 0

Re: (ITS#5642) Double free on exit, when specific attributetype is defined
by hyc＠symas.com 05 Aug '08

05 Aug '08

stef(a)memberwebs.com wrote: > Full_Name: Stef Walter > Version: 2.4.11 > OS: FreeBSD 6.3-RELEASE-p2 > URL: > Submission from: (NULL) (38.99.5.20) > > > When the following line is present in the schema (or slapd.conf), then upon exit > any slap* process aborts due to a double free of memory: > > attributetype ( 278.1.3.6.1 NAME 'requireClass' SUP objectClass ) > > > The OID is obviously fictional. This can be triggered reliably by running: > > # slaptest This also occurs in 2.3, and is specific to objectClass and a few other built in attributes with custom matching rules. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#5645) <suffix> invalid DN 21 (Invalid syntax)
by support＠msm-projects.net 05 Aug '08

05 Aug '08

Full_Name: MSM-Projects Support Version: 2.4.11 OS: Debian Linux (2.6.18-6-xen-amd64) URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (213.9.60.153) We installed a ldap server version 2.4.11. With default slapd.conf the server is starting. Changing the default-suffix to a version we need (building a replica with an existing host), we get error: line 54 (suffix "o=my-domain, c=com") >>> dnPrettyNormal: <o=my-domain, c=com> => ldap_bv2dn(o=my-domain, c=com,0) <= ldap_bv2dn(o=my-domain, c=com)=0 ldap_err2string /usr/local/openldap/etc/openldap/slapd.conf: line 54: <suffix> invalid DN 21 (Invalid syntax)

1 0

Re: (ITS#5581) slapd: search.c:970: oc_filter: Assertion `f != ((void *)0)' failed.
by stef＠memberwebs.com 05 Aug '08

05 Aug '08

I get this problem with 2.4.11 (but not with 2.4.10). My slapo-unique configuration is as follows: unique_uri ldap:///?cn?sub unique_uri ldap:///?uid,login?sub?(!(disabled=TRUE)) The filter seems valid to me, but please correct me if I'm wrong.

1 0

Re: (ITS#5644) make test000 core dumps
by michael＠stroeder.com 05 Aug '08

05 Aug '08

Pierangelo Masarati wrote: > ----- michael(a)stroeder.com wrote: > >> michael(a)stroeder.com wrote: >>> Maybe slapd starts but this is not correctly detected by the test >> script? >> >> This does not seem to be the case. > > Can you start it manually? Good idea. Indeed that's possible: cd tests/ ../servers/slapd/.libs/lt-slapd -d 1 -h ldap://127.0.0.1:9011 -f testrun/slapd.1.conf Ciao, Michael.

1 0

Re: (ITS#5644) make test000 core dumps
by ando＠sys-net.it 05 Aug '08

05 Aug '08

----- michael(a)stroeder.com wrote: > michael(a)stroeder.com wrote: > > Maybe slapd starts but this is not correctly detected by the test > script? > > This does not seem to be the case. Can you start it manually? p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

Re: (ITS#5644) make test000 core dumps
by michael＠stroeder.com 05 Aug '08

05 Aug '08

michael(a)stroeder.com wrote: > Maybe slapd starts but this is not correctly detected by the test script? This does not seem to be the case. Ciao, Michael.

1 0

Re: (ITS#5644) make test000 core dumps
by michael＠stroeder.com 05 Aug '08

05 Aug '08

Pierangelo Masarati wrote: >> slapd starting >> daemon: listen(ldap://localhost:9011/, 5) failed errno=3D98 (Address >> already in use) > > ^^^^ ? p. I already saw this but this is caused by the 2nd try to start slapd. You might have noticed several lines of console output saying "Waiting 5 seconds for slapd to start...". I've checked with fuser 9011/tcp and by looking at output of 'netstat -anp' before invoking 'make test' that there's no process bound on that port. Maybe slapd starts but this is not correctly detected by the test script? Ciao, Michael.

1 0

Re: (ITS#5644) make test000 core dumps
by ando＠sys-net.it 05 Aug '08

05 Aug '08

> slapd starting > daemon: listen(ldap://localhost:9011/, 5) failed errno=3D98 (Address > alre= > ady in use) ^^^^ ? p. > lt-slapd shutdown: initiated > =3D=3D=3D=3D> bdb_cache_release_all > lt-slapd destroy: freeing system resources. > slapd stopped. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs August 2008