RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
by mmishra@isabel.eu
Mayashankar Mishra
Consultant
E-mail : mmishra(a)isabel.eu
Tel : +32 (0)2 403.18.84
Fax : +32
Isabel NV/S.A.
Keizerinlaan 13-15 Boulevard de l'Imp=E9ratrice
1000 Brussels - Belgium
RPR Bruxelles / RPM Brussel: BE 0455 530 509
http://www.isabel.eu/ http://www.zoomit.eu/
Zoomit is a Registered Trademark of Isabel NV/S.A.
Disclaimer : http://www.isabel.eu/gps/en/disclaimer/mailing.php
-----Original Message-----
From: masarati(a)aero.polimi.it [mailto:masarati@aero.polimi.it]
Sent: 2010-04-27 17:19
To: Mayashankar Mishra
Cc: openldap-its(a)openldap.org
Subject: RE: (ITS#6537) arl[authority revocation list] issue during opnelda=
p upgrade
Please reply to openldap-its; the "T" stands for "Tracking", if you don't p=
ost there, tracking becomes impossible.
>
>
> Hi,
>
> But same arl work in openldap 2.2.26
In 2.2.26 certificate list was something like
int
certificateListValidate()
{
return LDAP_SUCCESS;
}
I would be surprised it failed.
> I could treat with openssl command to
> convert to variuos format
That's another point. If openssl tools can operate on that CL, then it mig=
ht not strictly comply with X509 but be somehow tolerated. We need to insp=
ect the certificate in order to find out why it fails.
Unless its disclosure violates any confidentiality you're bound to, please =
upload it to ftp.openldap.org *in binary form* following these instructions=
<http://www.openldap.org/devel/contributing.html#submitting>,
then post a message to the ITS with the URL of the file you uploaded.
If you're not allowed to upload the offending CL, you'll have to inspect it=
yourself. Run slapd under gdb; find out where the failure occurs (running=
with "-d stats,trace,args" should suffice); place a breakpoint at the offe=
nding call (should be either certificateListValidate() or certificateListEx=
actNormalize()), step through the function and see where it fails. We migh=
t need to request you to print specific values of variables inside those fu=
nctions.
> But then whats wrong I maens what it means binary value # 0
This sentence is definitely obscure to me. Please clarify.
p.
13 years, 7 months
RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
by masarati@aero.polimi.it
Please reply to openldap-its; the "T" stands for "Tracking", if you don't
post there, tracking becomes impossible.
>
>
> Hi,
>
> But same arl work in openldap 2.2.26
In 2.2.26 certificate list was something like
int
certificateListValidate()
{
return LDAP_SUCCESS;
}
I would be surprised it failed.
> I could treat with openssl command to
> convert to variuos format
That's another point. If openssl tools can operate on that CL, then it
might not strictly comply with X509 but be somehow tolerated. We need to
inspect the certificate in order to find out why it fails.
Unless its disclosure violates any confidentiality you're bound to, please
upload it to ftp.openldap.org *in binary form* following these
instructions <http://www.openldap.org/devel/contributing.html#submitting>,
then post a message to the ITS with the URL of the file you uploaded.
If you're not allowed to upload the offending CL, you'll have to inspect
it yourself. Run slapd under gdb; find out where the failure occurs
(running with "-d stats,trace,args" should suffice); place a breakpoint at
the offending call (should be either certificateListValidate() or
certificateListExactNormalize()), step through the function and see where
it fails. We might need to request you to print specific values of
variables inside those functions.
> But then whats wrong I maens what it means binary value # 0
This sentence is definitely obscure to me. Please clarify.
p.
13 years, 7 months
RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
by mmishra@isabel.eu
--_002_3CDE8F636E09F24F90BE98063FB0AD9D76545E3903ISAMAILisabel_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
I have attached the arl, and its valid but can't be validated .
Can you tell me what can be the issue
Thanks
Mayashankar Mishra
Mayashankar Mishra
Consultant
E-mail : mmishra(a)isabel.eu
Tel : +32 (0)2 403.18.84
Fax : +32
Isabel NV/S.A.
Keizerinlaan 13-15 Boulevard de l'Imp=E9ratrice
1000 Brussels - Belgium
RPR Bruxelles / RPM Brussel: BE 0455 530 509
http://www.isabel.eu/ http://www.zoomit.eu/
Zoomit is a Registered Trademark of Isabel NV/S.A.
Disclaimer : http://www.isabel.eu/gps/en/disclaimer/mailing.php
-----Original Message-----
From: masarati(a)aero.polimi.it [mailto:masarati@aero.polimi.it]
Sent: 2010-04-27 16:43
To: Mayashankar Mishra
Cc: openldap-its(a)openldap.org
Subject: Re: (ITS#6537) arl[authority revocation list] issue during opnelda=
p upgrade
> Full_Name: Mayashankar Mishra
> Version: 2.4.21
> OS: rhel5
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (195.122.110.8)
>
>
> Hi,
>
> I have to upgrade the openldap from version 2.2.26 to 2.4.21 All goes
> fine except for the arl[authority revocation list] failed to get added
> in new database.
>
> I see the binary version of arl from old openldap, its fine.
>
> When i try to upload the same on openldap 2.4.21 it provides the error
> Root error: [LDAP: error code 21 - authorityRevocationList;binary:
> value #0 invalid per syntax]
>
>
> Note the same arl when added in older version of openldap works fine
>
> Any guess what could be the reason
This is not a bug, but likely invalid data. Certificate list syntax valida=
tor and all related routines were stubs until 2.4, so basically everything =
was treated as valid. Now the syntax is validated thoroughly.
This ITS will be closed. Please continue discussion on openldap-software, =
if needed. Only in case a valid certificate list is not correctly validate=
d (i.e. you detect an actual bug in that code), this ITS can be revitalized=
.
p.
--_002_3CDE8F636E09F24F90BE98063FB0AD9D76545E3903ISAMAILisabel_
Content-Type: application/octet-stream; name="authm.arl"
Content-Description: authm.arl
Content-Disposition: attachment; filename="authm.arl"; size=612;
creation-date="Tue, 27 Apr 2010 12:51:37 GMT";
modification-date="Tue, 27 Apr 2010 13:58:42 GMT"
Content-Transfer-Encoding: base64
TUlJQndUQ0JxZ0lCQVRBTkJna3Foa2lHOXcwQkFRVUZBREJVTVFzd0NRWURWUVFHRXdKQ1pURVBN
QTBHQTFVRUJ4TUdTWE5oWW1WcwpNUXN3Q1FZRFZRUUtFd0pEWVRFbk1DVUdBMVVFQXhNZVNYTmhZ
bVZzSUVObGNuUnBabWxqWVhScGIyNGdRWFYwYUc5eWFYUjVGdzB3Ck5URXlNREl3TkRBd05UUmFG
dzB3TlRFeU1ETXdOREF3TURCYU1BQ2dJREFlTUE4R0ExVWRJd1FJTUFhQUJFTkJNREl3Q3dZRFZS
MFUKQkFRQ0FnelNNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0SUJBUUFMV1Jtbjc5VE5sbE9EK29PcXY3
cjY0TlNGZEJHby84ZkNRQXlrYmpjTgpNSkhSalRPU3FmVTBhbXYyaFM1MDlJNjgvVmh3ZndIdzlO
ek5zblBFZXZXa2Ixb0ZXU0x2WjZGdVdYVE5PVjVuOWFZL2JNcUpYNWdQCnR3bE5XZXovQVR2OTlN
NVdiVVVLUGpEeHBjOTBiZDJ4ak1vS0JobHNyeWtNZzBEWGFSa2lZWVJFbDNsWEYwd3I0Ri9Gc2ZP
N1FTK2YKemtpZm1JMDlaN3pDSWMyMDQzeGwyUnBYdlJvc3R6cnE4bmNRZGpCaDVVZEhqM3FXMEhR
ZmtDYU54aUl5M2VaWTRKS3lDcVc5N25UeQpoOXY1QXMxWDJtdnVqYlR0S1c1aTVsblhlSER0ak9k
dWZ2YTg2VGJadlN5UXlpa3hMUmxwUWxlK1lpNXg2TldkRE43U3o5TE8K
--_002_3CDE8F636E09F24F90BE98063FB0AD9D76545E3903ISAMAILisabel_--
13 years, 7 months
Re: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
by masarati@aero.polimi.it
> Full_Name: Mayashankar Mishra
> Version: 2.4.21
> OS: rhel5
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (195.122.110.8)
>
>
> Hi,
>
> I have to upgrade the openldap from version 2.2.26 to 2.4.21
> All goes fine except for the arl[authority revocation list] failed to get
> added
> in new database.
>
> I see the binary version of arl from old openldap, its fine.
>
> When i try to upload the same on openldap 2.4.21 it provides the error
> Root error: [LDAP: error code 21 - authorityRevocationList;binary: value
> #0
> invalid per syntax]
>
>
> Note the same arl when added in older version of openldap works fine
>
> Any guess what could be the reason
This is not a bug, but likely invalid data. Certificate list syntax
validator and all related routines were stubs until 2.4, so basically
everything was treated as valid. Now the syntax is validated thoroughly.
This ITS will be closed. Please continue discussion on openldap-software,
if needed. Only in case a valid certificate list is not correctly
validated (i.e. you detect an actual bug in that code), this ITS can be
revitalized.
p.
13 years, 7 months
(ITS#6537) arl[authority revocation list] issue during opneldap upgrade
by mmishra@isabel.be
Full_Name: Mayashankar Mishra
Version: 2.4.21
OS: rhel5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (195.122.110.8)
Hi,
I have to upgrade the openldap from version 2.2.26 to 2.4.21
All goes fine except for the arl[authority revocation list] failed to get added
in new database.
I see the binary version of arl from old openldap, its fine.
When i try to upload the same on openldap 2.4.21 it provides the error
Root error: [LDAP: error code 21 - authorityRevocationList;binary: value #0
invalid per syntax]
Note the same arl when added in older version of openldap works fine
Any guess what could be the reason
13 years, 7 months
(ITS#6536) Autogroup overlay enhancement
by raphael.ouazana@linagora.com
Full_Name: Raphael Ouazana
Version: 2.4.21
OS: Linux
URL: ftp://ftp.openldap.org/incoming/raphael-ouazana-autogroup-100427.patch
Submission from: (NULL) (213.41.232.151)
Hi,
The attached patch allow the autogroup overlay to handle correctly the attr part
of the URL ldap://dc=example,dc=com?attr?sub?(filter). Before this patch, the
attr part was simply ignored. Now the group entry is populated by the values of
the attribute attr in the resulting entries.
Implementation details:
Some cases (modify, delete) are harder to handle when you store values instead
of dn. In this cases the overlay try to detect if groups have been modified and
then simply refresh them. This can cause performance hits if the search
specified by the URL deals with an important number of entries.
Legal notice:
This patch file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in this following patch were developed by Raphael
Ouazana raphael.ouazana(a)linagora.com. These modifications are not subject to
any
license of Linagora.
The attached modifications to OpenLDAP Software are subject to the following
notice:
Copyright 2010 Raphael Ouazana, Linagora
Redistribution and use in source and binary forms, with or without
modification,
are permitted only as authorized by the OpenLDAP Public License.
13 years, 7 months
Re: (ITS#6535) OpenLDAP fails to build with back-ndb enabled
by hyc@symas.com
giesen(a)snickers.org wrote:
> Full_Name: Gary T. Giesen
> Version: 2.4.21
> OS: RHEL 6 Beta 1
> URL:
> Submission from: (NULL) (66.135.102.175)
>
>
> OpenLDAP 2.4.21 (as well as 2.4.19) fails to configure or build on RHEL6 with
> back-ndb support enabled. I've solved the problem with configure by applying a
> modified version of the patch found here:
>
> http://lists.freebsd.org/pipermail/freebsd-ports-bugs/2010-March/184248.html
That patch is invalid.
The current code configures and builds properly with a recent mysql-cluster.
It was developed originally against cluster 6.0.x. I have tested it again with
the current MySQL Cluster 7.1.3 available here
http://mysql.com/downloads/cluster/
> However, when building, I get the following error:
> This occurs with rebuilding the 2.4.19 SRPM, using the openldap.org 2.4.19
> tarball, and the openldap 2.4.21 tarball. I'm using the Redhat-supplied
> mysql-cluster.
Your MySQL package is obsolete by at least 2 years. This ITS will be closed.
If you need more assistance talk to your distro vendor.
As a side note, if your distro vendor is unable to help you, supported RPMs of
OpenLDAP with back-ndb are available from Symas Corp.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
13 years, 7 months
(ITS#6535) OpenLDAP fails to build with back-ndb enabled
by giesen@snickers.org
Full_Name: Gary T. Giesen
Version: 2.4.21
OS: RHEL 6 Beta 1
URL:
Submission from: (NULL) (66.135.102.175)
OpenLDAP 2.4.21 (as well as 2.4.19) fails to configure or build on RHEL6 with
back-ndb support enabled. I've solved the problem with configure by applying a
modified version of the patch found here:
http://lists.freebsd.org/pipermail/freebsd-ports-bugs/2010-March/184248.html
However, when building, I get the following error:
cd back-ndb; make -w all
make[3]: Entering directory
`/home/ggiesen/openldap-2.4.21/servers/slapd/back-ndb'
rm -f version.c
../../../build/mkversion -v "2.4.21" back_ndb > version.c
/bin/sh ../../../libtool --tag=disable-shared --mode=compile g++ -g -O2
-I../../../include -I../../../include -I.. -I./.. -I/usr/include/mysql
-I/usr/include/mysql/storage/ndb -I/usr/include/mysql/storage/ndb/ndbapi -c
init.cpp
g++ -g -O2 -I../../../include -I../../../include -I.. -I./..
-I/usr/include/mysql -I/usr/include/mysql/storage/ndb
-I/usr/include/mysql/storage/ndb/ndbapi -c init.cpp -o init.o
init.cpp:65: error: expected constructor, destructor, or type conversion before
'*' token
init.cpp: In function 'int ndb_back_initialize(BackendInfo*)':
init.cpp:366: warning: deprecated conversion from string constant to 'char*'
init.cpp:366: warning: deprecated conversion from string constant to 'char*'
init.cpp:366: warning: deprecated conversion from string constant to 'char*'
init.cpp:366: warning: deprecated conversion from string constant to 'char*'
init.cpp:366: warning: deprecated conversion from string constant to 'char*'
init.cpp:366: warning: deprecated conversion from string constant to 'char*'
init.cpp:366: warning: deprecated conversion from string constant to 'char*'
init.cpp:366: warning: deprecated conversion from string constant to 'char*'
init.cpp:376: error: 'ndb_lastrow_code' was not declared in this scope
init.cpp:376: error: expected type-specifier before 'NdbInterpretedCode'
init.cpp:376: error: expected ';' before 'NdbInterpretedCode'
make[3]: *** [init.lo] Error 1
make[3]: Leaving directory
`/home/ggiesen/openldap-2.4.21/servers/slapd/back-ndb'
make[2]: *** [.backend] Error 1
make[2]: Leaving directory `/home/ggiesen/openldap-2.4.21/servers/slapd'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/home/ggiesen/openldap-2.4.21/servers'
make: *** [all-common] Error 1
This occurs with rebuilding the 2.4.19 SRPM, using the openldap.org 2.4.19
tarball, and the openldap 2.4.21 tarball. I'm using the Redhat-supplied
mysql-cluster.
13 years, 7 months
(ITS#6534) bad ifdef/elif clause in liblutil
by quanah@OpenLDAP.org
Full_Name: Quanah Gibson-Mount
Version: 2.4.21
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.45.108)
The following if/elif clause in liblutil is wrong:
#ifdef HAVE_SETSID
(void) setsid();
#elif TIOCNOTTY
if ( (sd = open( "/dev/tty", O_RDWR )) != -1 ) {
(void) ioctl( sd, TIOCNOTTY, NULL );
(void) close( sd );
}
#endif
The elif should be
#elif defined(TIOCNOTTY)
13 years, 7 months
