Re: (ITS#6811) Patch - Mozilla NSS - disable pkcs11 fork checking for the software token
by hyc@symas.com
rmeggins(a)redhat.com wrote:
> Full_Name: Rich Megginson
> Version: 2.4.23 (current CVS HEAD)
> OS: RHEL6
> URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-moznss-disable-nofork-201...
> Submission from: (NULL) (76.113.111.209)
>
>
> There are some applications that acquire a crypto context in the parent process
> and expect that crypto context to work after a fork(). This does not work
> with MozNSS using strict PKCS11 compliance mode. We set the environment
> variable NSS_STRICT_NOFORK=DISABLED in tlsm_init() to tell the software
> encryption module/token to allow crypto contexts to persist across a fork().
> However, if you are using some other module or encryption device that supports
> and expects full PKCS11 semantics, the only recourse is to modify the
> application to use atfork() handlers to save the crypto context in the parent
> and restore (and SECMOD_RestartModules) the context in the child.
Sounds like this is a followon to #6802. Is this really critical at this
point? We really need to close the window on RE24 patches so we can actually
cut a release. But if ITS#6802 is actually incomplete, I guess we should roll
this in.
> These patch files are derived from OpenLDAP Software. All of the
> modifications to OpenLDAP Software represented in the following
> patch(es) were developed by Red Hat. Red Hat has not assigned rights
> and/or interest in this work to any party. I, Rich Megginson am
> authorized by Red Hat, my employer, to release this work under the
> following terms.
>
> Red Hat hereby place the following modifications to OpenLDAP Software
> (and only these modifications) into the public domain. Hence, these
> modifications may be freely used and/or redistributed for any purpose
> with or without attribution and/or other notice.
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12 years, 8 months
(ITS#6813) Error in ldap_int_connect_cbs call from ldap_connect_to_host
by ipuleston@sonicwall.com
Full_Name: Ian Puleston
Version: 2.4.23
OS: VxWorks
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (67.115.118.5)
In function ldap_connect_to_host are two calls to ldap_int_connect_cbs. The
first for "#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )" looks
OK, but the 2nd for the #else case of that is this:
i = ldap_int_connect_cbs( ld, sb, &s, srv, (struct sockaddr *)&sin );
if ( i )
rc = i;
else
break;
But this is inside a for loop that uses i as a counter for the loop control.
ldap_int_connect_cbs returns an error code so, unless I'm missing something,
setting i to that will break the loop control.
12 years, 8 months
Re: (ITS#6812) Confused syncprov return codes
by hyc@symas.com
h.b.furuseth(a)usit.uio.no wrote:
> Full_Name: Hallvard B Furuseth
> Version: HEAD
> OS:
> URL:
> Submission from: (NULL) (129.240.6.233)
> Submitted by: hallvard
>
>
> syncprov_state_ctrl(), syncprov_done_ctrl(), syncprov_sendinfo() and
> thus findpres_cb() can return either an LDAP result code, or a negative
> number on BER error. I see no code which expects both classes of error
> codes. The first functions's callers set rs->sr_err = return value.
> At best I guess it'll be ignored or interpreted as LDAP_SERVER_DOWN.
I've fixed the return codes. They still get ignored in a few places.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12 years, 8 months
Re: (ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth
by hyc@symas.com
subbarao(a)computer.org wrote:
> Full_Name: Kartik Subbarao
> Version: 2.4.23
> OS: Debian Linux 5.0.5
> URL: ftp://ftp.openldap.org/incoming/kartik_subbarao.101116.tgz
> Submission from: (NULL) (76.99.175.5)
>
>
> I'm trying to get a consumer server to forward ppolicy-related updates to its
> provider server, and to use certificate-based authentication (SASL EXTERNAL)
> over STARTTLS when authenticating to the provider.
>
> I'm running into multiple problems here. The core problem seems to be that
> enabling ppolicy_forward_updates breaks the chaining overlay such that it binds
> anonymously instead of with SASL EXTERNAL.
That's because your authz-regexp is wrong. You mapped "cn=localhost" but when
using SASL EXTERNAL, the user's DN is the complete certificate DN. In your
case, "cn=localhost,o=OpenLDAP,st=Some-State,c=US"
The reason this didn't break replication is because in this test, everything
has anonymous read access so the consumer was able to pull what it needed.
> Another problem is that bind
> operations to the consumer server start to return two result messages -- one
> with the error code of the chained operation, and one with the error code of the
> bind operation.
I didn't get this far because your test certificate is now expired. I guess I
can substitute some other certs and look at it again, but I think the core
issue is your misconfigured authz-regexp.
> To simplify reproducing the problem, I've worked with test022-ppolicy in the
> openldap test framework. Here, I ran into another issue. I can't seem to be able
> to configure sasl external/starttls chaining properly with the cn=config style
> configuration that test022-ppolicy applies. The self-signed cert that I'm using
> works fine with replication, but it doesn't seem to work with chaining. This may
> or may not be another issue that needs to be resolved.
>
> In any case, with the attached files in the ITS, I hope that what I'm trying to
> do and the results that I'm getting should be as clear as possible.
Better to rename your scripts when you modify one of our existing ones. E.g.
test999-xxxxxx and just create new data files instead of modifying ours.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12 years, 8 months
Re: (ITS#6806) Invalid ldapadd crashes openldap with ndb backend
by anderson@vailsys.com
The same behavior happens with 2.4.23, I initially noticed the problem
with 2.4.23, built from source on ubuntu server, and then tried with the
rebuilt 2.4.19 rpm on rhel. both die with a bus error message when
ldapadd is run on the invalid ldif.
Nathanael
On Fri, 2011-01-28 at 10:55 -0800, Quanah Gibson-Mount wrote:
> --On Thursday, January 27, 2011 3:28 PM +0000 anderson(a)vailsys.com wrote:
>
> > Full_Name: Nathanael Anderson
> > Version: 2.4.19
> > OS: RHEL 6 (Linux)
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (74.63.156.11)
>
>
> Please use a current version of OpenLDAP 2.4 prior to filing a bug report
> to ensure the issue has not been fixed in a subsequent release. The
> current release is 2.4.23.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
12 years, 8 months
Re: (ITS#6806) Invalid ldapadd crashes openldap with ndb backend
by quanah@zimbra.com
--On Thursday, January 27, 2011 3:28 PM +0000 anderson(a)vailsys.com wrote:
> Full_Name: Nathanael Anderson
> Version: 2.4.19
> OS: RHEL 6 (Linux)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (74.63.156.11)
Please use a current version of OpenLDAP 2.4 prior to filing a bug report
to ensure the issue has not been fixed in a subsequent release. The
current release is 2.4.23.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
12 years, 8 months
(ITS#6812) Confused syncprov return codes
by h.b.furuseth@usit.uio.no
Full_Name: Hallvard B Furuseth
Version: HEAD
OS:
URL:
Submission from: (NULL) (129.240.6.233)
Submitted by: hallvard
syncprov_state_ctrl(), syncprov_done_ctrl(), syncprov_sendinfo() and
thus findpres_cb() can return either an LDAP result code, or a negative
number on BER error. I see no code which expects both classes of error
codes. The first functions's callers set rs->sr_err = return value.
At best I guess it'll be ignored or interpreted as LDAP_SERVER_DOWN.
12 years, 8 months
Re: (ITS#6684) Patch for autogroup overlay
by moenoel@informatik.uni-bremen.de
Am 27.01.2011 16:38, schrieb moenoel(a)informatik.uni-bremen.de:
>> 1) it should simply be comparing the AttributeDescription pointers
>> 2) since the "memberof" attribute is actually configurable in the memberof
>> overlay, there's no guarantee that this is the correct attribute to be looking
>> for. It should also be configurable in your patch.
>>
>> You're using strcasecmp, but your inputs are already normalized values. You
>> should just use ber_bvcmp.
>>
>
> Since I am also interested in this, I took some time to make a new
> patch. I took Norberts original patch, applied it to a current checkout
> from HEAD and tried to fix the issues mentioned by Howard. My initial
> tests are looking good.
>
> My C skills are rather mediocre, though, so I hope I didn't slaughter
> the thing :-)
>
> http://www.informatik.uni-bremen.de/~moenoel/ldap/christian-manal-autogro...
>
>
> Regards,
> Christian Manal
>
>
I just noticed that I messed up the copyright notice. I fixed that and
replaced the archive, so the link is still valid.
12 years, 8 months
(ITS#6811) Patch - Mozilla NSS - disable pkcs11 fork checking for the software token
by rmeggins@redhat.com
Full_Name: Rich Megginson
Version: 2.4.23 (current CVS HEAD)
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-moznss-disable-nofork-201...
Submission from: (NULL) (76.113.111.209)
There are some applications that acquire a crypto context in the parent process
and expect that crypto context to work after a fork(). This does not work
with MozNSS using strict PKCS11 compliance mode. We set the environment
variable NSS_STRICT_NOFORK=DISABLED in tlsm_init() to tell the software
encryption module/token to allow crypto contexts to persist across a fork().
However, if you are using some other module or encryption device that supports
and expects full PKCS11 semantics, the only recourse is to modify the
application to use atfork() handlers to save the crypto context in the parent
and restore (and SECMOD_RestartModules) the context in the child.
These patch files are derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the following
patch(es) were developed by Red Hat. Red Hat has not assigned rights
and/or interest in this work to any party. I, Rich Megginson am
authorized by Red Hat, my employer, to release this work under the
following terms.
Red Hat hereby place the following modifications to OpenLDAP Software
(and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose
with or without attribution and/or other notice.
12 years, 8 months