openldap-bugs February 2011

openldap-bugs@openldap.org

35 participants
158 discussions

Re: (ITS#6815) Feature Request: Accesslog filter
by masarati＠aero.polimi.it 23 Feb '11

23 Feb '11

hyc(a)symas.com wrote: > Andrew Findlay wrote: >> On Wed, Feb 23, 2011 at 08:58:33AM +0000, hyc(a)symas.com wrote: >> >>> Possibly we can extend the directive to handle exclusion as well as inclusion, >>> to simplify this case. >> Extending this idea slightly, would it be possible to have >> exclusions based on changes to specific attributes? The >> particular case I have in mind is where accesslog is used to >> keep a permanent audit log of changes, and ppolicy is also >> in use, resulting in one audit entry for every login >> failure. I have one site where a large proportion of the auditlog >> entries are login failures... > > Perhaps in that case, it would be simpler just to set ppolicy's mods to be > internal-only and bypass the accesslog overlay. (Currently it does this > already, if the server is a single-master replica.) > > So far you're talking about two different enhancements - the original poster > is trying to exclude a set of searches, and you're talking about excluding > modify ops. I'm not seeing any way yet to generalize from here such that all > operation types are addressed meaningfully, and I don't want to introduce > multiple special cases to the config language. A URI-based restriction specification could include/exclude based on suffix, filter and listed attributes with a unified syntax. p.

1 0

Re: (ITS#6815) Feature Request: Accesslog filter
by hyc＠symas.com 23 Feb '11

23 Feb '11

Andrew Findlay wrote: > On Wed, Feb 23, 2011 at 08:58:33AM +0000, hyc(a)symas.com wrote: > >> Possibly we can extend the directive to handle exclusion as well as inclusion, >> to simplify this case. > > Extending this idea slightly, would it be possible to have > exclusions based on changes to specific attributes? The > particular case I have in mind is where accesslog is used to > keep a permanent audit log of changes, and ppolicy is also > in use, resulting in one audit entry for every login > failure. I have one site where a large proportion of the auditlog > entries are login failures... Perhaps in that case, it would be simpler just to set ppolicy's mods to be internal-only and bypass the accesslog overlay. (Currently it does this already, if the server is a single-master replica.) So far you're talking about two different enhancements - the original poster is trying to exclude a set of searches, and you're talking about excluding modify ops. I'm not seeing any way yet to generalize from here such that all operation types are addressed meaningfully, and I don't want to introduce multiple special cases to the config language. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6815) Feature Request: Accesslog filter
by andrew.findlay＠skills-1st.co.uk 23 Feb '11

23 Feb '11

On Wed, Feb 23, 2011 at 08:58:33AM +0000, hyc(a)symas.com wrote: > Possibly we can extend the directive to handle exclusion as well as inclusion, > to simplify this case. Extending this idea slightly, would it be possible to have exclusions based on changes to specific attributes? The particular case I have in mind is where accesslog is used to keep a permanent audit log of changes, and ppolicy is also in use, resulting in one audit entry for every login failure. I have one site where a large proportion of the auditlog entries are login failures... Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

1 0

Re: (ITS#6815) Feature Request: Accesslog filter
by marco.pizzoli＠gmail.com 23 Feb '11

23 Feb '11

--0016363b8528ec55d3049cef5b03 Content-Type: text/plain; charset=ISO-8859-1 On Wed, Feb 23, 2011 at 9:57 AM, Howard Chu <hyc(a)symas.com> wrote: > Marco Pizzoli wrote: > >> Hi Howard, >> thanks for this work. >> >> I noticed that you give me a baseDN under which I can have operations >> logged. >> If I would like to exclude one subtree from my principal tree, I need to >> specify all the baseDN of other sibling-subtrees. >> To do this do I need to poli-invoke accesslog overlay? >> > > No, you can specify logbase multiple times in a single overlay. > Ok, thanks. > Possibly we can extend the directive to handle exclusion as well as > inclusion, to simplify this case. > This is effectively what I would need, in this case. --0016363b8528ec55d3049cef5b03 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable <div class=3D"gmail_quote">On Wed, Feb 23, 2011 at 9:57 AM, Howard Chu = <<a href=3D"mailto:hyc@symas.com">hyc(a)symas.com</a>&gt= ; wrote: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0= pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;= "> <div class=3D"im">Marco Pizzoli wrote: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> Hi Howard, thanks for this work. I noticed that you give me a baseDN under which I can have operations logge= d. If I would like to exclude one subtree from my principal tree, I need to<br= > specify all the baseDN of other sibling-subtrees. To do this do I need to poli-invoke accesslog overlay? </blockquote> </div> No, you can specify logbase multiple times in a single overlay. </blockq= uote><div> Ok, thanks. =A0</div><blockquote class=3D"gmail_quote"= style=3D"margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 2= 04); padding-left: 1ex;"> Possibly we can extend the directive to handle exclusion as well as inclusi= on, to simplify this case. </blockquote><div> This is effectively wha= t I would need, in this case. </div></div> --0016363b8528ec55d3049cef5b03--

1 0

Re: (ITS#6815) Feature Request: Accesslog filter
by hyc＠symas.com 23 Feb '11

23 Feb '11

Marco Pizzoli wrote: > Hi Howard, > thanks for this work. > > I noticed that you give me a baseDN under which I can have operations logged. > If I would like to exclude one subtree from my principal tree, I need to > specify all the baseDN of other sibling-subtrees. > To do this do I need to poli-invoke accesslog overlay? No, you can specify logbase multiple times in a single overlay. Possibly we can extend the directive to handle exclusion as well as inclusion, to simplify this case. > > Thanks again > Marco > > On Wed, Feb 23, 2011 at 3:15 AM, Howard Chu <hyc(a)symas.com > <mailto:hyc@symas.com>> wrote: > > marco.pizzoli(a)gmail.com <mailto:marco.pizzoli@gmail.com> wrote: > > Full_Name: Marco Pizzoli > Version: ALL > OS: > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (193.41.84.11) > > > Hi, > this is a feature request. > > I would like to have accesslog writing to his db only ldap operations > that match > some sort of filter, or, in particular, to not to log searches that > matches a > specific pattern. > > This request is spotted by some ldap clients that I have that every > 30seconds do > a dummy ldap search only to keep alive their connection to the ldap > server. > These searches are frequent and I have many of these clients in my > deploy, so my > accesslog become full of not significant entries. > > > I've added a simple subtree-matching feature to accesslog in HEAD. Please > test and let us know if it addresses this request. > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > > > > > -- > _________________________________________ > Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. > Jim Morrison -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6815) Feature Request: Accesslog filter
by marco.pizzoli＠gmail.com 23 Feb '11

23 Feb '11

--0016363b85287ec3a0049cef245f Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi Howard, thanks for this work. I noticed that you give me a baseDN under which I can have operations logged. If I would like to exclude one subtree from my principal tree, I need to specify all the baseDN of other sibling-subtrees. To do this do I need to poli-invoke accesslog overlay? Thanks again Marco On Wed, Feb 23, 2011 at 3:15 AM, Howard Chu <hyc(a)symas.com> wrote: > marco.pizzoli(a)gmail.com wrote: > >> Full_Name: Marco Pizzoli >> Version: ALL >> OS: >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (193.41.84.11) >> >> >> Hi, >> this is a feature request. >> >> I would like to have accesslog writing to his db only ldap operations th= at >> match >> some sort of filter, or, in particular, to not to log searches that >> matches a >> specific pattern. >> >> This request is spotted by some ldap clients that I have that every >> 30seconds do >> a dummy ldap search only to keep alive their connection to the ldap >> server. >> These searches are frequent and I have many of these clients in my deplo= y, >> so my >> accesslog become full of not significant entries. >> > > I've added a simple subtree-matching feature to accesslog in HEAD. Please > test and let us know if it addresses this request. > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > --=20 _________________________________________ Non =E8 forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison --0016363b85287ec3a0049cef245f Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi Howard, thanks for this work. I noticed that you give me a bas= eDN under which I can have operations logged. If I would like to exclude= one subtree from my principal tree, I need to specify all the baseDN of ot= her sibling-subtrees. To do this do I need to poli-invoke accesslog overlay? Thanks again<= br>Marco <div class=3D"gmail_quote">On Wed, Feb 23, 2011 at 3:15 AM,= Howard Chu <<a href=3D"mailto:hyc@symas.com">hyc@syma= s.com</a>> wrote: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><a href=3D"mailto= :marco.pizzoli@gmail.com" target=3D"_blank">marco.pizzoli(a)gmail.com</a> wro= te: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> Full_Name: Marco Pizzoli Version: ALL OS: URL: <a href=3D"ftp://ftp.openldap.org/incoming/" target=3D"_blank">ftp://f= tp.openldap.org/incoming/</a> Submission from: (NULL) (193.41.84.11) Hi, this is a feature request. I would like to have accesslog writing to his db only ldap operations that = match some sort of filter, or, in particular, to not to log searches that matches= a specific pattern. This request is spotted by some ldap clients that I have that every 30secon= ds do a dummy ldap search only to keep alive their connection to the ldap server.= These searches are frequent and I have many of these clients in my deploy, = so my accesslog become full of not significant entries. </blockquote> I've added a simple subtree-matching feature to accesslog in HEAD. Plea= se test and let us know if it addresses this request. -- =A0-- Howard Chu =A0CTO, Symas Corp. =A0 =A0 =A0 =A0 =A0 <a href=3D"http://www.symas.com" t= arget=3D"_blank">http://www.symas.com</a> =A0Director, Highland Sun =A0 =A0 <a href=3D"http://highlandsun.com/hyc/" = target=3D"_blank">http://highlandsun.com/hyc/</a> =A0Chief Architect, OpenLDAP =A0<a href=3D"http://www.openldap.org/project= /" target=3D"_blank">http://www.openldap.org/project/</a> </blockquote></div> -- ________________= _________________________ Non =E8 forte chi non cade, ma chi cadendo ha = la forza di rialzarsi. =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 Jim Morri= son --0016363b85287ec3a0049cef245f--

1 0

Re: (ITS#6839) Expanded documentation for ldapi: and SASL EXTERNAL
by hyc＠symas.com 22 Feb '11

22 Feb '11

Andrew Findlay wrote: > On Fri, Feb 18, 2011 at 02:56:16PM -0800, Howard Chu wrote: > >> re: TLS Authentication Identity Format >> >> Strictly speaking, the order of components is not changed at all. >> The sequence of RDNs in the DN is what it is; just that the >> convention for *displaying* it is ass-backwards in LDAP. I'm afraid >> the wording here will confuse people into thinking that the >> *semantics* of the DN are changed, when it's only a display issue. > > Good point. Updated wording attached. Thanks, applied with formatting tweaks. > > Andrew > > > sasl-x509-dn-doc.patch > > > --- sasl.sdf.head 2011-02-18 23:03:07.000000000 +0000 > +++ sasl.sdf 2011-02-22 14:30:25.947887979 +0000 > @@ -1,4 +1,4 @@ > -# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.51 2011/02/18 23:03:07 hyc Exp $ > +# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.34.2.12 2011/01/04 23:49:40 kurt Exp $ > # Copyright 1999-2011 The OpenLDAP Foundation, All Rights Reserved. > # COPYING RESTRICTIONS APPLY, see COPYRIGHT. > > @@ -302,9 +302,9 @@ > > H4: TLS Authentication Identity Format > > -This is usually the Subject DN from the client-side certificate. > -The order of the components will be changed to follow LDAP conventions, > -so a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}} > +This is the Subject DN from the client-side certificate. > +Note that DNs are displayed differently by LDAP and by X.509, so > +a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}} > will produce an authentication identity of: > > > cn=A Person,o=The Example Organisation,c=gb -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6833) LDAP hangs on Solaris
by hyc＠symas.com 22 Feb '11

22 Feb '11

tombolala(a)gmx.de wrote: > Hi Quanah! > > sorry for the wrong release, I meant 2.4.22 of course. I recall we also experienced hangs with Solaris 10 during the testing leading up to the 2.4.24 release. Yet with identical code, no such hangs were reported on Solaris 9 or Solaris 11. I suspect there's a bug in the implementation of select() on Solaris 10, causing it to fail to report the connection close events. Some discussion of this problem occurred in this email thread http://www.openldap.org/lists/openldap-devel/201101/msg00033.html Try 2.4.24, and try a different Solaris release. Aside from that, we have no answers for you. > /Thomas > > -------- Original-Nachricht -------- >> Datum: Wed, 16 Feb 2011 16:34:39 GMT >> Von: quanah(a)zimbra.com >> An: openldap-its(a)openldap.org >> Betreff: Re: (ITS#6833) LDAP hangs on Solaris > >> --On Wednesday, February 16, 2011 11:37 AM +0000 tombolala(a)gmx.de wrote: >> >>> Full_Name: Thomas Bopp >>> Version: 4.2.22 >> >>> I really need a solution for this problem. >> >> I suggest you list an actual OpenLDAP release. It's near impossible to >> help you without that. >> >> --Quanah >> >> -- >> >> Quanah Gibson-Mount >> Sr. Member of Technical Staff >> Zimbra, Inc >> A Division of VMware, Inc. >> -------------------- >> Zimbra :: the leader in open source messaging and collaboration >> >> > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6815) Feature Request: Accesslog filter
by hyc＠symas.com 22 Feb '11

22 Feb '11

marco.pizzoli(a)gmail.com wrote: > Full_Name: Marco Pizzoli > Version: ALL > OS: > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (193.41.84.11) > > > Hi, > this is a feature request. > > I would like to have accesslog writing to his db only ldap operations that match > some sort of filter, or, in particular, to not to log searches that matches a > specific pattern. > > This request is spotted by some ldap clients that I have that every 30seconds do > a dummy ldap search only to keep alive their connection to the ldap server. > These searches are frequent and I have many of these clients in my deploy, so my > accesslog become full of not significant entries. I've added a simple subtree-matching feature to accesslog in HEAD. Please test and let us know if it addresses this request. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6841) slapd segfault error 7
by masarati＠aero.polimi.it 22 Feb '11

22 Feb '11

> Full_Name: André Bolinhas > Version: 2.4.24 > OS: ubuntu 10.4 x86 > URL: > Submission from: (NULL) (217.129.0.33) > > > Dear, > > My ldap crash every 2 minutes, I get this error on syslog > > kernel: [35483.930213] slapd[3892]: segfault at 8127238 ip 080c6fcc sp > b60ffb00 > error 7 in slapd[8048000+123000] > > How can help to solve this problem ? Usage help requests should be directed to openldap-technical mailing list. The ITS is for bug tracking. I infer you didn't read the instructions from the fact that you clicked the "Major Security Issue?" for ITS#6840). This ITS will be closed. p.

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs February 2011