openldap-bugs May 2009

openldap-bugs@openldap.org

42 participants
159 discussions

Re: (ITS#6056) Samba4 breaks OpenLDAP over ldapi
by michael＠stroeder.com 26 May '09

26 May '09

abartlet(a)samba.org wrote: > Samba4 always uses SASL credentials these days (trying to avoid simple > binds). libsasldb2.so is not required for a SASL bind with password-based mechanism. You can store the passwords in attribute userPassword (in clear-text). So the security consideration is more about password storage than SASL vs. simple bind on the wire. > Perhaps it's time to investigate EXTERNAL That would be good anyway since in Samba4 the result of standard provision is LDAPI access anyway. So you could directly map the Unix user smbd is running as (root?) with authz-regexp to directory user samba-admin. Well, we already discussed that.. ;-) Ciao, Michael.

1 0

Re: (ITS#6056) Samba4 breaks OpenLDAP over ldapi
by hyc＠symas.com 26 May '09

26 May '09

Michael Ströder wrote: > hyc(a)symas.com wrote: >> Further testing with Andrew's kvm image shows the hang only occurs when Cyrus >> SASL's libsasldb2.so plugin is present. > > Probably you already checked whether there's a BDB library mix. Yes, the version is the same, BDB 4.7. However it's possible that BDB 4.7 doesn't like being initialized multiple times, as occurs here. I haven't yet looked more deeply to see what the real cause is. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6056) Samba4 breaks OpenLDAP over ldapi
by abartlet＠samba.org 26 May '09

26 May '09

--=-oqpE6PlbXuzML9/ubGjQ Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Tue, 2009-05-26 at 04:26 -0700, Howard Chu wrote: > abartlet(a)samba.org wrote: > > Full_Name: Andrew Bartlett > > Version: CVS HEAD > > OS: Fedora 10 > > URL: ftp://ftp.openldap.org/incoming/ > > Submission from: (NULL) (59.167.251.137) > > > > > > Samba4's provision and 'make test' seems to create some internal situat= ion in > > OpenLDAP slapd where it will not accept any more connections over ldapi= :/// > > > > This is best seen by building Samba4, and running > > > > TEST_LDAP=3Dyes OPENLDAP_ROOT=3D/usr/local make test > > > > The slapd does not crash, but simply stops accepting new connections. = Samba4 > > currently then crashes due to some other bug (the LDAP backend not resp= onding is > > clearly untested code in Samba4). > > > > It isn't a Samba4 client bug, as ldapsearch also fails to respond. > > > > This seems very, very similar to ITS#5261 >=20 > Further testing with Andrew's kvm image shows the hang only occurs when C= yrus=20 > SASL's libsasldb2.so plugin is present. I always remove that plugin from = my=20 > installs, since I only use in-directory SASL secrets. That's probably why= I=20 > wasn't seeing the reported behavior before. Very interesting result! > Also a note - it's still not clear we've been talking about the same thin= g up=20 > to this point. Even when the samba test suite hangs, I see that ldapsearc= h=20 > still works fine against slapd. At any rate, currently all of the samba4 = tests=20 > pass for me. Samba4 always uses SASL credentials these days (trying to avoid simple binds). Perhaps it's time to investigate EXTERNAL if it would avoid some of this pain (but we should also try and fix the real bug here, if at all possible). =20 Andrew Bartlett --=20 Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com --=-oqpE6PlbXuzML9/ubGjQ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQBKG99Zz4A8Wyi0NrsRAmqZAJ9Oh4eSbVP7nbGAn0b8tp2hVMbWKQCfZ4Lr pIs94kn/tBYQYq0Qr1uSX44= =CZuG -----END PGP SIGNATURE----- --=-oqpE6PlbXuzML9/ubGjQ--

1 0

Re: (ITS#6056) Samba4 breaks OpenLDAP over ldapi
by michael＠stroeder.com 26 May '09

26 May '09

hyc(a)symas.com wrote: > Further testing with Andrew's kvm image shows the hang only occurs when Cyrus > SASL's libsasldb2.so plugin is present. Probably you already checked whether there's a BDB library mix. Ciao, Michael.

1 0

Re: (ITS#6056) Samba4 breaks OpenLDAP over ldapi
by hyc＠symas.com 26 May '09

26 May '09

abartlet(a)samba.org wrote: > Full_Name: Andrew Bartlett > Version: CVS HEAD > OS: Fedora 10 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (59.167.251.137) > > > Samba4's provision and 'make test' seems to create some internal situation in > OpenLDAP slapd where it will not accept any more connections over ldapi:/// > > This is best seen by building Samba4, and running > > TEST_LDAP=yes OPENLDAP_ROOT=/usr/local make test > > The slapd does not crash, but simply stops accepting new connections. Samba4 > currently then crashes due to some other bug (the LDAP backend not responding is > clearly untested code in Samba4). > > It isn't a Samba4 client bug, as ldapsearch also fails to respond. > > This seems very, very similar to ITS#5261 Further testing with Andrew's kvm image shows the hang only occurs when Cyrus SASL's libsasldb2.so plugin is present. I always remove that plugin from my installs, since I only use in-directory SASL secrets. That's probably why I wasn't seeing the reported behavior before. Also a note - it's still not clear we've been talking about the same thing up to this point. Even when the samba test suite hangs, I see that ldapsearch still works fine against slapd. At any rate, currently all of the samba4 tests pass for me. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

LDAP add *.ldif errors
by Pastore Annamaria 25 May '09

25 May '09

Goodmornig, I load a version 2.4 of LDAP (that support overlay-memberof). Ldap it start ok, and the network was ok. I start to configure a memberof scenarios and after few errors started. For don't touch anymore, I cleanup all /var/lib/ldap...and I try to load A single *.ldif.... but when I try to load a .ldif (core, cosine..) I have few errors : 1. With ldap online : ldapadd -x -D "cn=Manager,dc=pippo,dc=it" -W -f core.ldif Enter LDAP Password: adding new entry "cn=core,cn=schema,cn=config" ldap_add: Insufficient access (50) In /var/lib/ldap there is a DB_CONFIG (before DB_CONFIG.exemple) and the owner of directory is ldap, just I read few threads about this sort of bug. The access in slapd.con is : #access to dn="" by * read access to attrs=userPassword by anonymous auth by self write by * auth # by * none access to * by self write by * read # by * none But anymore I try also whit "by * write" and nothing change. Other parameter is : directory /var/lib/ldap 2. With ldap offline : [root@itmit2vl5 schema]# slapadd -l core.ldif -f ../slapd.conf bdb(dc=telecom,dc=it): Program version 4.4 doesn't match environment version 4.6 bdb_db_open: Database cannot be opened, err -30971. Restore from backup! bdb(dc=pippo,dc=it): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem bdb(dc=pippo,dc=it): txn_checkpoint interface requires an environment configured for the transaction subsystem bdb_db_close: txn_checkpoint failed: Invalid argument (22) backend_startup_one: bi_db_open failed! (-30971) slap_startup failed But the bdb version not appears anywhere!!! I try also the command "od -j12 -N8 -tx4 log.0000000001" and the result was 4.6! What I must to do, for going on ? Thank you very much at all, and sorry for my newbie expierence..... Internet E. Mail Confidentiality Footer ----------------------------------------------------------------------------------------------------- La presente comunicazione, con le informazioni in essa contenute e ogni documento o file allegato, e' rivolta unicamente alla/e persona/e cui e' indirizzata ed alle altre da questa autorizzata/e a riceverla. Se non siete i destinatari/autorizzati siete avvisati che qualsiasi azione, copia, comunicazione, divulgazione o simili basate sul contenuto di tali informazioni e' vietata e potrebbe essere contro la legge (art. 616 C.P., D.Lgs n. 196/2003 Codice in materia di protezione dei dati personali). Se avete ricevuto questa comunicazione per errore, vi preghiamo di darne immediata notizia al mittente e di distruggere il messaggio originale e ogni file allegato senza farne copia alcuna o riprodurne in alcun modo il contenuto. This e-mail and its attachments are intended for the addressee(s) only and are confidential and/or may contain legally privileged information. If you have received this message by mistake or are not one of the addressees above, you may take no action based on it, and you may not copy or show it to anyone; please reply to this e-mail and point out the error which has occurred.

1 0

Re: (ITS#6139) slapd: password-hash rejects multiple values
by michael＠stroeder.com 25 May '09

25 May '09

fumiyas(a)osstech.co.jp wrote: > My /etc/openldap/slapd.conf has the following line: > password-hash {CRYPT} {SSHA} What exactly do you want to achieve by this? Ciao, Michael.

1 0

Compile error on tru64 5.1b
by Didier Godefroy 25 May '09

25 May '09

Hello, Compiling openldap 2.4.26 on tru64 unix v5.1b, using the native compilers and gmake. I'm getting an error as follows: Entering subdirectory liblunicode gmake[2]: Entering directory `/usr/local/openldap/openldap-2.4.16/libraries/liblunicode' cc -O4 -g3 -w -I../../include -I../../include -pthread -I/usr/local/include -pthread -I/usr/local/include -c -o ure.o ure.c cc: Fatal: A memory access violation (bus error or segmentation fault) has occurred. Please submit a problem report. gmake[2]: *** [ure.o] Error 1 I retried, just in case, and got the same error again. I'm not a C programmer and I have no idea how to fix this. What can I try and send to get this fixed? Thanks, -- Didier Godefroy mailto:dg@ulysium.net Support anti-Spam legislation. Join the fight http://www.cauce.org/

2 1

Re: (ITS#6131) "TLSVerifyClient try" not working with GNU TLS
by hyc＠symas.com 25 May '09

25 May '09

subbarao(a)computer.org wrote: > Full_Name: Kartik Subbarao > Version: 2.4.16 > OS: Debian 5.0.1 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (76.99.175.5) > > > When TLSVerifyClient is set to "try", OpenLDAP improperly rejects SSL > connections without a client certificate. The problem appears to start with this > section of code in tls.c around line 1564: > > #ifdef HAVE_GNUTLS > if ( ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) { > err = tls_cert_verify( ssl ); > if ( err&& ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW > ) > return err; > } > #endif > > tls_cert_verify() calls gnutls_certificate_verify_peers2(), which appears to > return error 49 when no client certificate is presented. tls_cert_verify() > doesn't seem to distinguish between this case, and the case of an invalid client > certificate, returning -1 in both cases. > This bug report makes no sense; the code you quoted is not part of OpenLDAP 2.4.16. The relevant code is in function tlsg_session_accept() in tls_g.c, and there is no such bug in that function. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#6140) nadf.schema: AttributeType not found: "lastModifiedTime"
by michael＠stroeder.com 25 May '09

25 May '09

Full_Name: Michael Ströder Version: RE24 OS: Linux URL: Submission from: (NULL) (84.163.124.107) When including nadf.schema slapd does not start and prints error message: /opt/openldap-RE24/etc/openldap/schema/nadf.schema: line 111 objectclass: AttributeType not found: "lastModifiedTime" /etc/openldap/slapd.conf: line 17: <include> handler exited with 1! Analyzing this I found this commented declaration in cosine.schema: ## Deprecated in favor of modifyTimeStamp #attributetype ( 0.9.2342.19200300.100.1.23 NAME 'lastModifiedTime' # DESC 'RFC1274: time of last modify, replaced by modifyTimestamp' # OBSOLETE # SYNTAX 1.3.6.1.4.1.1466.115.121.1.53 # USAGE directoryOperation ) So it seems nadf.schema is not usable at the moment.

1 0

← Newer
1
2
3
4
5
6
7
...
16
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2009