Re: (ITS#6464) Buffer overflow
by hyc@symas.com
csdr(a)lthd.com wrote:
> Full_Name: Chis-Serban Dinu-Razvan
> Version: 2.4.21
> OS: Fedora 12
> URL: http://lthd.com/out1.txt
> Submission from: (NULL) (193.231.233.40)
>
>
> I have a master ldap server running openldap 2.4.21 and 3 replicas running
> 2.4.15 and 2.4.19 and I when I try to delete/rename an object, the master dies
> with an buffer overflow error. I mention that before the master was 2.4.15 and
> the replica running 2.4.19 died. I have updated the master to 2.4.19 and it
> start dyeing. Then I upgraded it to 2.4.21 an it still dies. It dies even if the
> syncprov is off.
>
Please provide a stack trace from this crash. Be sure to compile with debug
symbols enabled and no optimization, otherwise we won't be able to track
anything down.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
13 years, 8 months
Re: (ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)
by hyc@symas.com
erwann.abalea(a)keynectis.com wrote:
> Full_Name: Erwann Abalea
> Version: 2.4.17
> OS: Debian/testing
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (217.167.155.1)
>
>
> As indicated in the subject, certificateListValidate() doesn't validate some
> valid CRLs. Those CRLs are valid from X.509 point of view, but do not conform to
> RFC5280 (which is only a profile of the standard).
>
> When no certificate is revoked, the revokedCertificate element SHOULD be
> omitted, instead of being included as an empty SEQUENCE OF SEQUENCE. RFC5280 has
> changed the SHOULD into a MUST, but I don't think this is checked by the
> function. I think it only skips over the next element (in my case, the
> crlExtensions).
Thanks for the report. The code in CVS HEAD has been patched to silently
accept this case. However, it's worth pointing out that even in X.509(2005):
>>>>
If none of the certificates covered by this CRL have been revoked,
it is strongly recommended that
revokedCertificates parameter be omitted from the CRL, rather than being
included with an empty SEQUENCE.
<<<<
Also note that, technically, LDAP is defined to conform to the 1993 edition of
the X.500 specs, and X.509(1993) makes no such allowance here.
We may consider logging a warning for this case. What software generated this
CRL? It seems to be defective...
> Here's a real-life CRL:
> certificateRevocationList;binary:: MIIBPTCBpwIBATANBgkqhkiG9w0BAQUFADAkMQswCQY
> DVQQGEwJGUjEVMBMGA1UEChMMR0lQLUNQUy1URVNUFw0wOTA5MTcxMDEyNTdaFw0xMDA2MjQxMDEy
> NTdaMACgTTBLMB8GA1UdIwQYMBaAFOH6F/gUI8Xen3tJVqLlQphs5EovMAoGA1UdFAQDAgECMBwGA
> 1UdEgQVMBOBEWFjLWdpcEBnaXAtY3BzLmZyMA0GCSqGSIb3DQEBBQUAA4GBAByCwHi4fZG95ScpLO
> 2HW+5I1zeodXlbTOCgnbLVLLz0WjXXZpa5ecn2aHpqrc5L70UIKBhrk/LJ8+y03UBtx6z1gdGNL3u
> +rbVQcMgbKJ5AbLojfyWeS4d6n8TZBlM0Wd5eJ6AlwPKRvNV//QH3vjMPVWeD2XYtwQhBYqEGJrvn
>
> And a real-life deltaCRL:
> deltaRevocationList;binary:: MIIBTjCBuAIBATANBgkqhkiG9w0BAQUFADAkMQswCQYDVQQGE
> wJGUjEVMBMGA1UEChMMR0lQLUNQUy1URVNUFw0wODEyMjQwMzAwMjNaFw0wODEyMzAwMzAwMjNaMA
> CgXjBcMB8GA1UdIwQYMBaAFOH6F/gUI8Xen3tJVqLlQphs5EovMAsGA1UdFAQEAgIKAjAOBgNVHRs
> BAf8EBAICCgEwHAYDVR0SBBUwE4ERYWMtZ2lwQGdpcC1jcHMuZnIwDQYJKoZIhvcNAQEFBQADgYEA
> gEk/dBR5Vz+RtfBp4hpPaSX1aXFAzx6pZCSBaQ4dFfbXV9HkbPM/2dh32HRDueyhJnXmfn/m5Q9Vo
> syEzF1MQEDYZV0A5Liu8oiZtY9gfe522pz7+oehZdOyzkLx6nUw6uLLTL62q8lRbDsNbZNsu22sz7
> dAucnBo63ksdGgdFQ=
>
> You'll see empty SEQUENCEs. Bug probably around line 314 of file schema_init.c,
> but I don't know openldap internals enough to correct it by myself.
>
> Thanks.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
13 years, 8 months
(ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)
by erwann.abalea@keynectis.com
Full_Name: Erwann Abalea
Version: 2.4.17
OS: Debian/testing
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (217.167.155.1)
As indicated in the subject, certificateListValidate() doesn't validate some
valid CRLs. Those CRLs are valid from X.509 point of view, but do not conform to
RFC5280 (which is only a profile of the standard).
When no certificate is revoked, the revokedCertificate element SHOULD be
omitted, instead of being included as an empty SEQUENCE OF SEQUENCE. RFC5280 has
changed the SHOULD into a MUST, but I don't think this is checked by the
function. I think it only skips over the next element (in my case, the
crlExtensions).
Here's a real-life CRL:
certificateRevocationList;binary:: MIIBPTCBpwIBATANBgkqhkiG9w0BAQUFADAkMQswCQY
DVQQGEwJGUjEVMBMGA1UEChMMR0lQLUNQUy1URVNUFw0wOTA5MTcxMDEyNTdaFw0xMDA2MjQxMDEy
NTdaMACgTTBLMB8GA1UdIwQYMBaAFOH6F/gUI8Xen3tJVqLlQphs5EovMAoGA1UdFAQDAgECMBwGA
1UdEgQVMBOBEWFjLWdpcEBnaXAtY3BzLmZyMA0GCSqGSIb3DQEBBQUAA4GBAByCwHi4fZG95ScpLO
2HW+5I1zeodXlbTOCgnbLVLLz0WjXXZpa5ecn2aHpqrc5L70UIKBhrk/LJ8+y03UBtx6z1gdGNL3u
+rbVQcMgbKJ5AbLojfyWeS4d6n8TZBlM0Wd5eJ6AlwPKRvNV//QH3vjMPVWeD2XYtwQhBYqEGJrvn
And a real-life deltaCRL:
deltaRevocationList;binary:: MIIBTjCBuAIBATANBgkqhkiG9w0BAQUFADAkMQswCQYDVQQGE
wJGUjEVMBMGA1UEChMMR0lQLUNQUy1URVNUFw0wODEyMjQwMzAwMjNaFw0wODEyMzAwMzAwMjNaMA
CgXjBcMB8GA1UdIwQYMBaAFOH6F/gUI8Xen3tJVqLlQphs5EovMAsGA1UdFAQEAgIKAjAOBgNVHRs
BAf8EBAICCgEwHAYDVR0SBBUwE4ERYWMtZ2lwQGdpcC1jcHMuZnIwDQYJKoZIhvcNAQEFBQADgYEA
gEk/dBR5Vz+RtfBp4hpPaSX1aXFAzx6pZCSBaQ4dFfbXV9HkbPM/2dh32HRDueyhJnXmfn/m5Q9Vo
syEzF1MQEDYZV0A5Liu8oiZtY9gfe522pz7+oehZdOyzkLx6nUw6uLLTL62q8lRbDsNbZNsu22sz7
dAucnBo63ksdGgdFQ=
You'll see empty SEQUENCEs. Bug probably around line 314 of file schema_init.c,
but I don't know openldap internals enough to correct it by myself.
Thanks.
13 years, 8 months
(ITS#6465) startup error after converting to slapd-config
by gerard.ranke@kmt.hku.nl
Full_Name: Gerard Ranke
Version: 2.4.21
OS: IRIX 6.5.30
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (192.87.216.230)
We run openLDAP 2.4.21 on one master plus 7 slaves. Some time ago ( I believe we
were on 2.4.19 at the time ), I converted one of the slaves to slapd-config from
slapd.conf to get myself acquainted with it, and that went without problems.
Now, if I try the conversion with slaptest -f slapd.conf -F slapd.d, the
conversion works ok, but slapd won't start, and gives this error:
Jan 18 15:30:20 7E:example-slave slapd[1741992]: _sasl_plugin_load failed on
sasl_auxprop_plug_init for plugin: ldapdb
Jan 18 15:30:20 7U:example-slave slapd[1741992]: olcSyncrepl: value #0:
<olcSyncrepl> invalid URL
Jan 18 15:30:20 7U:example-slave slapd[1741992]: config error processing
olcDatabase={1}hdb,cn=config: <olcSyncrepl> invalid URL
Jan 18 15:30:20 7U:example-slave slapd[1741992]: slapd stopped.
Jan 18 15:30:20 7U:example-slave slapd[1741992]: connections_destroy: nothing to
destroy.
I noticed that the olcSyncrepl in olcDatabase={1}hdb,cn=config changed from:
olcSyncrepl: rid=001 provider=ldap://masterldap.example.com:389
bindmethod=simple timeout
=0 network-timeout=0 binddn="cn=syncuser,dc=example,dc=com"
credentials="xxxxxxxxx
" starttls=critical filter="(objectClass=*)" searchbase="dc=example,dc=com"
scope=
sub attrs="*,+" schemachecking=off type=refreshAndPersist retry="5 5 10 +"
for the older openldap version, to:
olcSyncrepl: rid=001 provider=ldap://masterldap.example.com:389 uri=""
bindmethod=simple
timeout=0 network-timeout=0 binddn="cn=syncuser,dc=example,dc=com"
credentials="xxxxxxxxx" starttls=critical
tls_cert="/usr/ssl/certs/examplewildcard.cert
" tls_key="/usr/ssl/certs/examplewildcard.key" tls_cacert="/usr
/ssl/certs/cacert_root.crt" tls_reqcert=demand tls_crlcheck=none filter="(obj
ectClass=*)" searchbase="dc=example,dc=com" scope=sub attrs="*,+"
schemachecking=o
ff type=refreshAndPersist retry="5 5 10 +"
for 2.4.21.
Notice the ' uri="" ' in the last version.
Fortunately, if I remove the empty uri assignment from the ldif file, slapd
starts normally.
I also noticed the slaves which I converted earlier ( so which had the first
olcSyncrepl 'format' above ) didn't replicate properly ( contextcsn also lagging
behind ). I shut down slapd on these machines, cleaned out slapd.d, converted
again, removed the 'uri=""' and restarted. After that, the replication caught up
by itself.
Thanks for your attention for this!
13 years, 8 months
(ITS#6464) Buffer overflow
by csdr@lthd.com
Full_Name: Chis-Serban Dinu-Razvan
Version: 2.4.21
OS: Fedora 12
URL: http://lthd.com/out1.txt
Submission from: (NULL) (193.231.233.40)
I have a master ldap server running openldap 2.4.21 and 3 replicas running
2.4.15 and 2.4.19 and I when I try to delete/rename an object, the master dies
with an buffer overflow error. I mention that before the master was 2.4.15 and
the replica running 2.4.19 died. I have updated the master to 2.4.19 and it
start dyeing. Then I upgraded it to 2.4.21 an it still dies. It dies even if the
syncprov is off.
13 years, 8 months
Re: (ITS#6453) OpenLDAP memory leak on LDAP_TIMEOUT
by alinachegalati@yahoo.com
--0-1999948331-1264610847=:54320
Content-Type: text/plain; charset=us-ascii
We found out that this call :
ldap_msgfree(res);
does not get executed because the LDAPMessage is NULL (res is null) in case the timeout is on the client side.
There is any other way to clean it?
--0-1999948331-1264610847=:54320
Content-Type: text/html; charset=us-ascii
<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">We found out that this call :<br><br>ldap_msgfree(res);<br><br>does not get executed because the LDAPMessage is NULL (res is null) in case the timeout is on the client side.<br><br>There is any other way to clean it?<br></td></tr></table><br>
--0-1999948331-1264610847=:54320--
13 years, 8 months
Re: (ITS#6453) OpenLDAP memory leak on LDAP_TIMEOUT
by alinachegalati@yahoo.com
--0-1407467353-1264601923=:2093
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
=A0 A similar issue was found in Netscape SDK :=A0 http://www.mail-archive.=
com/mozilla-directory(a)mozilla.org/msg01734.html
=0A=0A=0A
--0-1407467353-1264601923=:2093
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
<table cellspacing=3D"0" cellpadding=3D"0" border=3D"0" ><tr><td valign=3D"=
top" style=3D"font: inherit;"> A similar issue was found in Netscape =
SDK : http://www.mail-archive.com/mozilla-directory@mozilla.org/msg01=
734.html<br><br></td></tr></table><br>=0A=0A
--0-1407467353-1264601923=:2093--
13 years, 8 months
memberof overlay
by Daniel Gomes
Dear list members,
I have been trying to get the memberof overlay to work properly on
slapd 2.4.19 on an Ubuntu hardy (8.04.3).
After realizing (which took a while hehe) that installing OpenLDAP via
apt-get wouldn't allow me to enable modules/overlays, I downloaded the
source and built it manually with:
./configure --enable-overlays --enable-accesslog --enable-auditlog
--enable-collect --enable-constraint --enable-dds --enable-deref
--enable-dyngroup --enable-dynlist --enable-memberof --enable-ppolicy
--enable-proxycache --enable-refint --enable-retcode --enable-rwm
--enable-seqmod --enable-syncprov --enable-translucent --enable-unique
--enable-valsort --enable-modules --with-tls
(I wanted to be on the safe side so I kinda enabled everything)
The server is now set up and running (with TLS and all, but I guess
that's not important here). To activate the wanted overlay, I have (on
my
slapd.conf):
modulepath /usr/local/etc/openldap/overlays/
moduleload memberof.la
overlay memberof
(the path is correct and I have checked the logs to make sure he was
paying attention to those fields).
Anyway, I starting making some experiences, and at first it seemed to
be working fine. But some test cases later, the memberOf value started
being incorrect, when comparing to the member attribute of the
groups.
Here's how to reproduce my scenario (I just tried it again, with a new
database, base DN being dc=ipfn,dc=ist,dc=utl,dc=pt):
First, run init.ldif (attached), which creates the usual groups and
people OU's, creates 2 users followed by 2 group with one user per
group.
So far so good, if I make a ldapsearch based on ou=people (...) and
ask for the memberOf attribute, I get:
dn: ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
dn: cn=Daniel Gomes,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
dn: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
----------------------------------------
Next, I run modify.ldif (also attached) which changes the member
attribute of the admin group from "cn=Daniel Gomes (...)" to "cn=John
Smith (...)". We can then see that:
dn: ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: organizationalUnit
ou: groups
dn: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: groupOfNames
cn: admin
description: For administrators
member: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
dn: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: groupOfNames
cn: users
description: For users
member: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
----------------------------------------------
Meaning, the group was successfully modified, but the previous query
returns the same value:
dn: ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
dn: cn=Daniel Gomes,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
dn: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
-----------------------------------------
This seems to happen only when deleting users from groups. I have
tried with and without the refint overlay, if that matters for anything.
Anyway, I do not see anything I can be doing wrong, so it does seem to
be a bug. If I could get some info on this, I would appreciate it!
Cheers,
--
Daniel Gomes (SysAdmin)
dgomes(a)ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e usão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
13 years, 8 months
Re: (ITS#6462) DNS SRV records: ldaps ???
by quanah@zimbra.com
--On Wednesday, January 27, 2010 1:28 AM +0000 jochen(a)keutel.de wrote:
> Full_Name: Jochen Keutel
> Version: 2.4.21
> OS: Solaris 10
> URL: ftp://ftp.openldap.org/incoming/
> protocol is either "ldap" oder "ldaps".
LDAPS is not a defined protocol. I would suggest using LDAP with startTLS,
which is RFC Defined.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
13 years, 8 months
(ITS#6463) dnssrv_back_referrals: ldaps not handled, search base gone
by jochen@keutel.de
Full_Name: Jochen Keutel
Version: 2.4.21
OS: Solaris 10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (87.159.206.14)
dnssrv_back_referrals() always returns ldap URLs - even when the original
request was a ldaps query.
Additionally only protocol and hostname are put into the URL - the search base
doesn't appear any more.
Problematic code:
url.bv_len = STRLENOF( "ldap://" ) + strlen( hosts[i] );
url.bv_val = ch_malloc( url.bv_len + 1 );
strcpy( url.bv_val, "ldap://" );
strcpy( &url.bv_val[STRLENOF( "ldap://" )], hosts[i] );
I'm not sure whether you want me to deliver a complete patch or not ...
Thanks to my colleague Manuel Gaupp for detecting this problem.
Best regards, Jochen.
13 years, 8 months