openldap-bugs May 2010

openldap-bugs@openldap.org

28 participants
84 discussions

(ITS#6544) how to implement password policy
by dsbrar16＠yahoo.com 05 May '10

05 May '10

Full_Name: Devender Singh Version: openldap 2.4.16 OS: RHEL5.4 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (122.177.190.226) Hello Dear, Please let me know, how to implement ppolicy in openldap2.4.16. I am using RHEL5.4 I have followed below steps on installation time: ************************************************** Installing BerkeleyDB ************************************************** 1) Create build_unix directory in /opt directory 2) Copy db-4.7.25.tar.gz to /opt/build_unix directory 3) Goto /opt/build_unix directory 4) gzip -d db-4.7.25.tar.gz 5) tar xvf db-4.7.25.tar 6) db-4.7.25/dist/configure 7) make 8) make install 9) vi /root/.bash_profile 10) Add below lines in .bash_profile of root user export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/BerkeleyDB.4.7/lib export LD_RUN_PATH=$LD_RUN_PATH:/usr/local/BerkeleyDB.4.7/lib 11) Close existing PUTTY and start new PUTTY ************************************************** Before Installation check the below packages: #rpm qa|grep openssl* After the above command if you dont find the all openssl packages than install them via yum command ************************************************** Installing OpenLDAP ************************************************** 1) Copy openldap-stable-20090411.tgz to /opt directory 2) gunzip -c openldap-stable-20090411.tgz | tar xf - 3) cd openldap-2.4.16 4) CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include -I/usr/local/ssl/include/openssl" 5) export CPPFLAGS 6) LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.7/lib -L/usr/local/ssl/lib -R/usr/local/lib -R/usr/local/BerkeleyDB.4.7/lib -R/usr/local/ssl/lib" 7) export LDFLAGS 8) LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.7/lib" 9) export LD_LIBRARY_PATH 10) ./configure 11) make depend 12) make 13) make install 14) vi /root/.bash_profile 15) Add OpenLDAP sbin path in .bash_profile of root user (E.g. export PATH=$PATH:$HOME/bin:/usr/local/sbin) 16) Close existing PUTTY and start new PUTTY ************************************************** Thanks in Advance. Regards, Devender Singh (+919818107222)

1 0

Re: (ITS#6540) test022-ppolicy is flawed, masks serious stability issue
by ryans＠aweber.com 04 May '10

04 May '10

Ryan Steele wrote: > Actually, it would appear I'm hitting the same problem as the OP in this thread: > > http://markmail.org/message/fhfhzy5uehh6e4us#query:openldap chain "modifications require > authentication"+page:1+mid:fhfhzy5uehh6e4us+state:results > > > I say that because when I get prompted for authentication by the slave (instead of having the referral handled > server-side), I see this corresponding entry in the master's logs: > > May 4 12:22:43 ldap1 slapd[8794]: conn=226810 fd=50 ACCEPT from IP=10.x.x.x:45081 (IP=0.0.0.0:389) > May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=0 BIND dn="" method=128 > May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=0 RESULT tag=97 err=0 text= > May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=1 MOD dn="uid=ryans,ou=Users,dc=example,dc=com" > May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=1 MOD attr=displayColor > May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=1 RESULT tag=103 err=8 text=modifications require authentication > May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=2 UNBIND > May 4 12:22:43 ldap1 slapd[8794]: conn=226810 fd=50 closed > > > So, it looks like the DN is not being passed through for some reason. Still working on trying to track it down... > The same issue affects ldappasswd (it refuses to change the passwd because it thinks the user has not bound to the directory), so it's not just third party utilities. It really does appear as though the chain overlay is stripping the DN before sending the request out to the master, because the logs seem to indicate that the request makes it to the master and fails because there is no DN before a referral is presented to the client that initially sent the update to the slave. I added the 'ACL' loglevel to what I already use ('stats' and 'sync'), just to confirm that it is wasn't being denied by ACL's or anything like that. I do see references to the 'authzFrom' and 'authzTo' attributes in the admin guide's section on chaining, and on the FAQ (http://www.openldap.org/faq/data/cache/1425.html), but the example in test022-ppolicy does not use them, so I would not think that they are required or causing this problem. In any case, I did add olcDbIDAssertAuthzFrom: {0}"*" to the slaves (as the FAQ says) just to be absolutely sure, but it made no difference. I initially thought that the uncommenting of that check was responsible for this behavior, but the followup I sent just prior to this has a link to an OpenLDAP mailing list thread that was made in February, well before these changes that you made, Pierangelo. In either case, the behavior is broken. Exactly where, I'm still trying to figure out, but would definitely appreciate any input from more seasoned OpenLDAP developers.

1 0

Re: (ITS#6540) test022-ppolicy is flawed, masks serious stability issue
by ryans＠aweber.com 04 May '10

04 May '10

Actually, it would appear I'm hitting the same problem as the OP in this thread: http://markmail.org/message/fhfhzy5uehh6e4us#query:openldap chain "modifications require authentication"+page:1+mid:fhfhzy5uehh6e4us+state:results I say that because when I get prompted for authentication by the slave (instead of having the referral handled server-side), I see this corresponding entry in the master's logs: May 4 12:22:43 ldap1 slapd[8794]: conn=226810 fd=50 ACCEPT from IP=10.x.x.x:45081 (IP=0.0.0.0:389) May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=0 BIND dn="" method=128 May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=0 RESULT tag=97 err=0 text= May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=1 MOD dn="uid=ryans,ou=Users,dc=example,dc=com" May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=1 MOD attr=displayColor May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=1 RESULT tag=103 err=8 text=modifications require authentication May 4 12:22:43 ldap1 slapd[8794]: conn=226810 op=2 UNBIND May 4 12:22:43 ldap1 slapd[8794]: conn=226810 fd=50 closed So, it looks like the DN is not being passed through for some reason. Still working on trying to track it down...

1 0

Re: (ITS#6540) test022-ppolicy is flawed, masks serious stability issue
by ryans＠aweber.com 04 May '10

04 May '10

After patching, and using the same configuration as I had when the chain overlay was causing issues with slapcat and restarting slapd, I now get prompted with a referral instead of it being automatically chased. However, it does automatically fill in the DN and password to rebind with: root@somehost:~# ldapvi -h localhost --bind=simple -D cn=admin,dc=example,dc=com -w `cat /etc/ldap.secret` --discover 159 entries read add: 0, rename: 0, modify: 1, delete: 0 Action? [yYqQvVebB*rsf+?] y Received referral to ldap://ldapmaster.example.com/uid=ryans,ou=Users,dc=example,dc=com. You are not logged in to ldap://ldapmaster.example.com:389 yet. Type '!' or 'y' to do so. Rebind? [y!nB*qQ?] y --- Login Type M-h for help on key bindings. Filter or DN: cn=admin,dc=example,dc=com Password: *********** Bound as cn=admin,dc=example,dc=com. Done. Before, I never got prompted with this message when using ldapvi, which makes me think that chaining is no longer working. For reference, I am using the same configuration as is documented in test022-ppolicy: dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap olcModuleLoad: {0}back_hdb.la olcModuleLoad: {1}autogroup.la olcModuleLoad: {2}syncprov.la olcModuleLoad: {3}back_ldap.la dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: {0}chain dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {0}ldap olcDbURI: ldap://ldapmaster.example.com olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=example,dc=com" credentials=SECRET mode=self I am still looking in to what might be causing this to fail.

1 0

(ITS#6247)
by daniel＠pluta.biz 03 May '10

03 May '10

I've enabled <g-differential> format as default for the Root-DSE's serverTime attribute (and thus removed the #ifdef CTM_G_DIFFERENTIAL_SERVERTIME). The updated patch can be downloaded from here: ftp://ftp.openldap.org/incoming/daniel-pluta-100503.patch Please use -DCTM during compilation. Below is a sample schema file called "example.schema" and some sample data called "example.ldif". In addition also some sample ldif change files and filter statements are provided to: - offer you some first, quick and easy testing possibilities regarding "LDAP server side current time matching"'s matching rules in action - and to give us a chance to get more detailed feedback regarding problems concerning the LDAP specification in common (e.g. violation of the standard) and slapd in detail. Many thanks! Depending on your feedback and the current status of the discussion on ldapext the code will be updated accordingly. It's currently just a prototype, the obviously open implementation TODOs are: - use operation's time-stamp instead of system calls (OpenLDAP 2.5?) - X.680 duration-syntax (instead of custom offset fun: "n#n#n#n#n#n") - further cleanups: function aggregation / coding style / ... - integration into "make test"? e.g. using FTPL: http://www.code-wizards.com/projects/libfaketime (?!) #========================================= $: cat example.schema attributetype ( 1.3.6.1.4.1.7650.666.1.1.1 NAME 'demoTs1' DESC 'draft-pluta-ldap-srv-side-current-time-match: 1st demo attribute' EQUALITY nowMatch ORDERING nowOrderingMatch SYNTAX 1.3.6.1.4.1.7650.6.2.3.1.0 ) attributetype ( 1.3.6.1.4.1.7650.666.1.1.2 NAME 'demoTs2' DESC 'draft-pluta-ldap-srv-side-current-time-match: 2nd demo attribute' EQUALITY nowMatch ORDERING nowOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) attributetype ( 1.3.6.1.4.1.7650.666.1.1.3 NAME 'demoTs3' DESC 'draft-pluta-ldap-srv-side-current-time-match: 3rd demo attribute (violat es RFC4517)' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) objectclass ( 1.3.6.1.4.1.7650.666.1.2.1 NAME 'ctmDemo' DESC 'draft-pluta-ldap-srv-side-current-time-match: demo objectClass' AUXILIARY MAY ( demoTs1 $ demoTs2 $ demoTs3 ) ) #==DATA======================================= $: cat example.ldif dn: dc=example,dc=com objectClass: domain objectClass: extensibleObject objectClass: top dn: ou=dev,dc=example,dc=com objectClass: organizationalUnit objectClass: top objectClass: ctmDemo ou: dev demoTs1: 20100101000000Z demoTs2: 20100101000000Z demoTs3: 20100101000000Z #==LDIF=CHANGE=FILES========================== $: cat add_delete.ldif dn: ou=dev,dc=example,dc=com changetype: modify delete: demoTs1 demoTs1: 20100101000000Z - add: demoTs1 demoTs1: 20100201000001Z dn: ou=dev,dc=example,dc=com changetype: modify delete: demoTs2 demoTs2: 20100101000000Z - add: demoTs2 demoTs2: 20100201000001Z dn: ou=dev,dc=example,dc=com changetype: modify delete: demoTs3 demoTs3: 20100101000000Z - add: demoTs3 demoTs3: 20100201000001Z #----------------------------------------- $: cat add_mv.ldif dn: ou=dev,dc=example,dc=com changetype: modify add: demoTs1 demoTs1: 20110201000000Z - add: demoTs1 demoTs1: 20120201000000Z - add: demoTs1 demoTs1: 20130201000000Z - add: demoTs1 demoTs1: 20100201000000Z dn: ou=dev,dc=example,dc=com changetype: modify add: demoTs2 demoTs2: 20110201000000Z - add: demoTs2 demoTs2: 20120201000000Z - add: demoTs2 demoTs2: 20130201000000Z - add: demoTs2 demoTs2: 20100201000000Z dn: ou=dev,dc=example,dc=com changetype: modify add: demoTs3 demoTs3: 20110201000000Z - add: demoTs3 demoTs3: 20120201000000Z - add: demoTs3 demoTs3: 20130201000000Z - add: demoTs3 demoTs3: 20100201000000Z #----------------------------------------- $: cat reset.ldif dn: ou=dev,dc=example,dc=com changetype: modify delete: demoTs1 - add: demoTs1 demoTs1: 20100101000000Z dn: ou=dev,dc=example,dc=com changetype: modify delete: demoTs2 - add: demoTs2 demoTs2: 20100101000000Z dn: ou=dev,dc=example,dc=com changetype: modify delete: demoTs3 - add: demoTs3 demoTs3: 20100101000000Z #==FILTER=STATEMENTS====================== #BTW: You can use the FakeTime Preload Library #(link above) to easily fake slapd's time to #get constant results for automatic testing (demoTs1=20100101000000Z) (demoTs1<=NOW) (demoTs1>=NOW) (demoTs1>=-2#0#0#0#0#0) (demoTs2=20100101000000Z) (demoTs2<=NOW) (demoTs2>=NOW) (demoTs2<=0#-1#0#0#0#0) (demoTs3=20100101000000Z) #Only possible if compiled using: #-DRFC4517_ASSERTION_SYNTAX_VIOLATION (demoTs3<=NOW) (demoTs3>=NOW)

1 0

Re: (ITS#6543) make test failure
by quanah＠zimbra.com 03 May '10

03 May '10

--On Monday, May 03, 2010 3:50 PM +0000 sven.falempin(a)gmail.com wrote: > No race errors found after 10 iterations > Found 2 errors >>>>>>> Exiting with a false success status for now >>>>>> ./scripts/test058-syncrepl-asymmetric completed OK for hdb. The point of these lines about exiting with false success is that you are to ignore the issue. I.e., please don't file a bug report about failure with test058. That's why it exits with "success". --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#6543) make test failure
by sven.falempin＠gmail.com 03 May '10

03 May '10

Full_Name: Sven Version: 2.4.21 OS: OpenBSD URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (81.80.162.131) Using OpenBSD 4.3 or OpenBSD 4.7 with both bdb 4.6.21 and 5.0.21 The following test failed , to help reproduction i do a trick explained below: >>>>> Starting test058-syncrepl-asymmetric for hdb... running defines.sh Initializing master configurations... Initializing search configurations... Starting central master slapd on TCP/IP port 9011... [...] lots of output [...] Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... No race errors found after 10 iterations Found 2 errors >>>>>> Exiting with a false success status for now >>>>> ./scripts/test058-syncrepl-asymmetric completed OK for hdb. To trigger the failure i do an ugly #find / | grep whatever

1 0

Re: (ITS#6247)
by Kurt＠OpenLDAP.org 02 May '10

02 May '10

In regards to my X.501 comments, see "Matching Rule Requirements" = section of X.501(93). Note that only the 93 edition is normative here. I note that you actually need to specify the syntaxes and matching rules = in X.500 terms, and then simply specify a string representation for the = syntaxes for use in LDAP. See RFC 4521, Section 5.1 (for LDAP Syntaxes) = and 5.2 (for Matching Rules) and Section 5 more generally for schema. As far as your I-D goes, I currently deferring to Steve's initial review = at this early stage in its development because I'm busy and I trust = Steve to tease out any obvious ASN.1, X.500, and/or LDAP issues with = your I-D and to "educate" you as might be necessary. I'll join in = later, possibly after you revise your I-D once or twice to address = Steve's comments. -- Kurt=

1 0

Re: (ITS#6247)
by daniel＠pluta.biz 02 May '10

02 May '10

Kurt Zeilenga schrieb: > On May 1, 2010, at 12:31 PM, daniel(a)pluta.biz wrote: > >> The patch can be downloaded here: >> ftp://ftp.openldap.org/incoming/daniel-pluta-100501.patch >> >> Changes: >> - removed extensible matching rules strictly associated with >> dedicated syntaxes >> - added two universal matching rules instead: >> - nowMach (equality matching rule) >> - nowOrdering (ordering matching rule) >> - these two rules also support extensible match filters > > Your comments imply these rules could be used as attribute type > equality and ordering rules. In general my intention is neither to violate X.501 nor changing the ASN.1 Generalized Time syntax. Instead the introduction of a compatible/similar/derived attribute value syntax (e.g. generalizedTime') which supports matching against client-side known time-stamps *and* server-relative time-stamps (like NOW or NOW-1Y3M... or X.680 period formats) seems to be fine for me. In the following generalizedTime' is such a kind of a (very) similar syntax to the well-defined generalizedTime. Regarding the EQ/ORD matching rule applicability: The attribute type is generalizedTime' and the assertion value is for example NOW which server-internally implicitly also represents a (at least some kind of possibly not ITU specified?) generalizedTime' conform assertion value: NOW is the at client side unknown current time of the server in generalizedTime'. What's your suggestion regarding a possible solution on how to support EQ and ORD matching of attribute values compared to the server side current time? > I don't believe the met the > requirements (see X.501) to be used in that manner. That is, they > only make sense as extensible matching rules. I really would like to try to understand your concerns. Could you please give me some links to chapters/sections in X.501 where I can find more details. Note: I've currently only access to the standard of the year 2006. The class is generalizedTime' and during EQ/ORD matching two instances of generalizedTime' are compared: 1. Attribute value of an entry (generalizedTime') 2. Assertion value aka expanded-NOW (generalizedTime') >> To publish a correct server current time time-stamp value within Root-DSE: >> - apply the bugfix from ITS#6541 >> - and use -DCTM_G_DIFFERENTIAL_SERVERTIME > > #ifdef's should, IMO, be generally avoided. it will be removed as soon as the above mentioned bug is fixed in HEAD >> To extend generalizedTime attribute types to also support "NOW" as >> assertion value: >> - use -DCTM_RFC4517_MR_AV_SYNTAX_VIOLATION > > The generalized time syntax is not ours to alter. Introduction of > such a change would, it seem, lead to interoperability problems. In my opinion the chosen name for the #ifdef is more than obvious. Additionally the related comment in the patch's source already say's that this "extension" is more a violation than an extension. That's why the #ifdef currently is and probably stays in action (or will be removed) in the future. As a side-effect this #ifdef could possibly invoke some disussions... ;-) It's probably worth to discuss this (violation) in more detail to provide a solution in regard to a broader applicability of this matching feature in LDAP. Broader/easier usage/readbility is also the background I've decided to skip the extensible matching rules and introduce EQ and ORD instead. E.g. Clients that are connecting to a server that announces the supportedFeature "current time matching" could make notice of that and also support "NOW" as assertion value for createTimestamp and so on... (I've not very well thought about that in detail, yet). You are right, it's just a work in progress and you are very welcome to join the discussion on ldapext.

1 0

Re: (ITS#6542) Segmentation Fault if config file (ldif) got changed
by hyc＠symas.com 01 May '10

01 May '10

felix.schuster(a)gmx.at wrote: > Full_Name: Felix > Version: 2.4.19 > OS: Linux/Gentoo > URL: > Submission from: (NULL) (78.142.131.97) > > > Using the new configuration scheme, I changed > /etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif of a running openldap > instance. When I tried to restart openldap it gaves me a Segmentation Fault > error. Even if I called the changes off, openldap refused to start (furthermore > segfaulted). I needed to get a copy of the original configuration file from my > backup to successfully start openldap again. > I think it's somewhere ok to deny working with a hand-changed configuration, but > I think we will need a friendly advise, no unfriendly Segementation Fault error. > cn=config is an LDAP database. Like any other LDAP database, you are only supposed to use ldapadd/modify/delete to write to it while slapd is running. You would probably get segfaults if you hand-edited the data files in a back-bdb database too. And no, we will not add code to protect from such misuse. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2010