openldap-bugs April 2011

openldap-bugs@openldap.org

32 participants
91 discussions

(ITS#6901) openldap crash
by m.sheldyakov＠hostcomm.ru 11 Apr '11

11 Apr '11

Full_Name: Michail Sheldyakov Version: 2.4.25 OS: FreeBSD 8.1-RELEASE-p1 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (91.189.112.7) Modify with ldapvi: dn: cn=ovz678.hc.ru,ou=ovz,ou=hosts,ou=hosting,ou=sites,o=hc changetype: add macAddress: hostType: main cn: ovz678.hc.ru objectClass: device objectClass: ipHost objectClass: intraExtra objectClass: intraHost objectClass: ieee802Device description: ovz678.hc.ru ipHostNumber: 127.0.0.1 unique overlay olcUniqueURI: ldap:///ou=sites,o=hc?macAddress?sub?(&(objectClass=ipHost)(|(hostType=main)(hostType=xen)(hostType=service))) openldap crash with core dump.

1 0

(ITS#6900) dnattr acl statement: users can produce dangling entries
by daniel＠pluta.biz 10 Apr '11

10 Apr '11

Full_Name: Daniel Pluta Version: HEAD OS: Linux URL: ftp://ftp.openldap.org/incoming/Daniel-Pluta-110410.patch Submission from: (NULL) (2001:4ca0:0:fe11::1) Hi, I'm not quite sure whether the below described scenario can be successfully avoided eg. using current slapd in combination with some kind of tricky ACL configuration statements (if so, any advice is strongly appreciated). Nevertheless, attached below you'll find a small patch that implements a slightly enhanced (aka more restictive!) dnattr acl processing in case of ACL_WDEL operations: In case the currently authenticated user tries to delete his bindDN from the attribute referenced by the dnattr= acl statement, access is denied. Example scenario based on the following (nearly) minimal standard ACL configuration: access to dn.base="ou=groups,dc=foo,dc=bar" attrs=children by users =w by * none access to dn.onelevel="ou=groups,dc=foo,dc=bar" by dnattr=owner write by * none access to dn.subtree="dc=foo,dc=bar" by users read by * none ... at first a user (user1) successfully creates (add) a new group entry, where/because user1's DN is contained within the entry's owner attribute: OPTS="-Z -D 'uid=user1,ou=users,dc=foo,dc=bar' -w 'user1'" cat <<EOF | ldapadd ${OPTS} dn: cn=test,ou=groups,dc=foo,dc=bar objectClass: groupOfNames objectClass: top cn: test member: cn=otheruser,ou=users,dc=foo,dc=bar description: test group entry owner: uid=user1,ou=users,dc=foo,dc=bar EOF Then, user1 (by mistake but) successfully modifies the just before created and personaly owned entry, deleting his DN from the owner attribute: cat <<EOF | ldapmodify ${OPTS} dn: cn=test,ou=groups,dc=foo,dc=bar changetype: modify delete: owner owner: uid=user1,ou=users,dc=foo,dc=bar EOF As a sideeffect from this second operation user1 has no chance to revert his mistake because he has lost the previous assigned access rights to access this entry by write. In fact nobody else (other than the rootdn) has a chance to correct/delete the dangline group entry. Another disabdvantage of the current implementation is the possibility to move currently managed/owned entries (e.g. users or groups) to other owners/managers without their notice/interaction. The attached patch only interact in case of value delete operations. Thus, based on the patch other owners/managers can be added/deleted as usual (except the DN of the modifyer himself). Added owners/managers can take solely responsibility of an entry by deleting all other owners/managers. I would be very happy in case this patch or at least the based idea could find a way into slapd's code. I don't mind whether this feature is implemented as an extension of current dnattr processing (backward compatibility?) or as an additional configuration option, e.g. "strictdnattr=..." (update documentation?). Also I'm not sure whether set acl statements should or need to be extended into this direction, too... Thank you very much and best regards Daniel

1 0

RE: (ITS#6898)
by quanah＠zimbra.com 09 Apr '11

09 Apr '11

--On Saturday, April 09, 2011 7:56 PM +0000 quanah(a)zimbra.com wrote: > --On Friday, April 08, 2011 9:25 PM -0400 Tyler Gates > <tgates81(a)gmail.com> wrote: > >> I can confirm this is happening too, since 2.4.24. It was working in >> 2.4.21, not sure about anything in between. > >> From the debian list: > > I've checked it with gdb too, and it locks at > libraries/libldap/options.c:455 > That is in the function ldap_set_option, still no clue why it is locking > there. Full backtrace: (gdb) thr apply all bt Thread 1 (Thread 0x7f34820c4700 (LWP 26379)): #0 0x00007f34803d6464 in __lll_lock_wait () from /lib/libpthread.so.0 #1 0x00007f34803d15d9 in _L_lock_953 () from /lib/libpthread.so.0 #2 0x00007f34803d13fb in pthread_mutex_lock () from /lib/libpthread.so.0 #3 0x00007f3481c62ff5 in ldap_pvt_thread_mutex_lock (mutex=0x1cac2a0) at thr_posix.c:296 #4 0x00007f3481c87fb9 in ldap_set_option (ld=0x1cab030, option=17, invalue=0x6164a8) at options.c:455 #5 0x000000000040ad83 in tool_conn_setup (dont=0, private_setup=0x405367 <private_conn_setup>) at common.c:1347 #6 0x00000000004059c7 in main (argc=8, argv=0x7fff16202148) at ldapsearch.c:906 --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

RE: (ITS#6898)
by quanah＠zimbra.com 09 Apr '11

09 Apr '11

--On Friday, April 08, 2011 9:25 PM -0400 Tyler Gates <tgates81(a)gmail.com> wrote: > I can confirm this is happening too, since 2.4.24. It was working in > 2.4.21, not sure about anything in between. >From the debian list: I've checked it with gdb too, and it locks at libraries/libldap/options.c:455 That is in the function ldap_set_option, still no clue why it is locking there. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

ITS#6893 published: SECURITY: SHA2 Password Hashing not working
by openldap-its＠OpenLDAP.org 09 Apr '11

09 Apr '11

Private ITS#6893 is now publicly readable URL: http://www.OpenLDAP.org/its/?findid=6893

1 0

RE: (ITS#6898)
by tgates81＠gmail.com 08 Apr '11

08 Apr '11

I can confirm this is happening too, since 2.4.24. It was working in 2.4.21, not sure about anything in between.

1 0

(ITS#6899) Read Entry Control response value is not compliant to definition of SearchResultEntry
by michael＠stroeder.com 08 Apr '11

08 Apr '11

Full_Name: Michael Ströder Version: 2.4.25 OS: URL: Submission from: (NULL) (84.163.53.138) The very same client code was successfully tested with OpenDJ 2.4.1 but does not work with OpenLDAP 2.4.25. See analysis by pyasn1 developer on the pyasn1 mailing list: --------------------------------- snip --------------------------------- It looks to me that your BER data does not fully match ASN.1 specification for the SearchResultEntry object. According to RFC2251, the grammar is as follows: SearchResultEntry ::= [APPLICATION 4] SEQUENCE { objectName LDAPDN, attributes PartialAttributeList } ... Notice the [implicitly] tagged outer SEQUENCE. In your BER data, that additional tag seems to be missing and default tag for SEQUENCE type is used instead. If you modify the original pyasn1 grammar for SearchResultEntry object to match your BER data (but not the standard!), pyasn1 decoder succeeds. >>> from pyasn1_modules.rfc2251 import SearchResultEntry >>> from pyasn1.type.univ import Sequence >>> from pyasn1.codec.ber import decoder >>> ber = '0c\x043cn=Samba Unix UID Pool,ou=Testing,dc=stroeder,dc=de0,0\x14\x04\tuidNumber1\x07\x04\x05100050\x14\x04\tgidNumber1\x07\x04\x0510005' >>> SearchResultEntry.tagSet TagSet(Tag(tagClass=64, tagFormat=32, tagId=4)) # the following statement will invalidate SearchResultEntry grammar! >>> SearchResultEntry.tagSet = univ.Sequence.tagSet >>> SearchResultEntry.tagSet TagSet(Tag(tagClass=0, tagFormat=32, tagId=16)) >>> searchResultEntry, _ = decoder.decode(ber,asn1Spec=SearchResultEntry()) >>> print searchResultEntry.prettyPrint() SearchResultEntry: objectName='cn=Samba Unix UID Pool,ou=Testing,dc=stroeder,dc=de' attributes=PartialAttributeList: Sequence: type='uidNumber' vals=SetOf: '10005' Sequence: type='gidNumber' vals=SetOf: '10005' >>> Therefore my impression is that OpenLDAP yields incorrect BER data for SearchResultEntry object. What do you think? Cheers, Ilya > I'd like to decode a LDAPv3 control value returned by OpenLDAP 2.4.25 when > Pre-Read-Control was sent along with a LDAP modify request. But decoding it > does not work. > > Short example: > >>>> from pyasn1_modules.rfc2251 import SearchResultEntry >>>> from pyasn1.codec.ber import decoder >>>> ber = '0c\x043cn=Samba Unix UID > Pool,ou=Testing,dc=stroeder,dc=de0,0\x14\x04\tuidNumber1\x07\x04\x05100050\x14\x04\tgidNumber1\x07\x04\x0510005' >>>> decoder.decode(ber,asn1Spec=SearchResultEntry()) > Traceback (most recent call last): > File "<stdin>", line 1, in <module> > File > "/usr/local/lib/python2.6/site-packages/pyasn1-0.0.13a-py2.6.egg/pyasn1/codec/ber/decoder.py", > line 663, in __call__ > '%s not in asn1Spec: %s' % (tagSet, repr(asn1Spec)) > pyasn1.error.PyAsn1Error: TagSet(Tag(tagClass=0, tagFormat=32, tagId=16)) not > in asn1Spec: SearchResultEntry() >>>>

1 0

Re: (ITS#6892) Segfault in Syncprov overlay
by ghola＠rebelbase.com 07 Apr '11

07 Apr '11

--000e0cd3f872854fb804a05e0ce0 Content-Type: text/plain; charset=ISO-8859-1 More information; This server is both a producer and a consumer. Here are the logs preceeding the crash: Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000 Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000 Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1007 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net" Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1005 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net" Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000 Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000 Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1004 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net" Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1003 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net" Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000 Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1002 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net" Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000 Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000 Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1001 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net" Apr 8 00:50:40 test-ldap01 slapd[8732]: slap_graduate_commit_csn: removing 0x20494b70 20110408005040.759389Z#000000#000#000000 Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1000 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net" Apr 8 00:50:40 test-ldap01 slapd[8732]: syncrepl_entry: rid=001 be_modify widget=ldap02,ou=widgets,dc=domain,dc=net (0) Apr 8 00:50:40 test-ldap01 slapd[8732]: slap_queue_csn: queing 0x2055d810 20110408005040.759389Z#000000#000#000000 --000e0cd3f872854fb804a05e0ce0 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable More information; This server is both a producer and a consumer. Her= e are the logs preceeding the crash: Apr=A0 8 00:50:40 test-ldap01 s= lapd[8732]: syncprov_sendresp: cookie=3Drid=3D001,csn=3D20110408005040.7593= 89Z#000000#000#000000 Apr=A0 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=3Drid= =3D001,csn=3D20110408005040.759389Z#000000#000#000000 Apr=A0 8 00:50:40 = test-ldap01 slapd[8732]: conn=3D1007 op=3D1 ENTRY dn=3D"widget=3Dldap0= 2,ou=3Dwidgets,dc=3Ddomain,dc=3Dnet" Apr=A0 8 00:50:40 test-ldap01 slapd[8732]: conn=3D1005 op=3D1 ENTRY dn=3D&q= uot;widget=3Dldap02,ou=3Dwidgets,dc=3Ddomain,dc=3Dnet" Apr=A0 8 00:= 50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=3Drid=3D001,csn=3D= 20110408005040.759389Z#000000#000#000000 Apr=A0 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=3Drid= =3D001,csn=3D20110408005040.759389Z#000000#000#000000 Apr=A0 8 00:50:40 = test-ldap01 slapd[8732]: conn=3D1004 op=3D1 ENTRY dn=3D"widget=3Dldap0= 2,ou=3Dwidgets,dc=3Ddomain,dc=3Dnet" Apr=A0 8 00:50:40 test-ldap01 slapd[8732]: conn=3D1003 op=3D1 ENTRY dn=3D&q= uot;widget=3Dldap02,ou=3Dwidgets,dc=3Ddomain,dc=3Dnet" Apr=A0 8 00:= 50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=3Drid=3D001,csn=3D= 20110408005040.759389Z#000000#000#000000 Apr=A0 8 00:50:40 test-ldap01 slapd[8732]: conn=3D1002 op=3D1 ENTRY dn=3D&q= uot;widget=3Dldap02,ou=3Dwidgets,dc=3Ddomain,dc=3Dnet" Apr=A0 8 00:= 50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=3Drid=3D001,csn=3D= 20110408005040.759389Z#000000#000#000000 Apr=A0 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=3Drid= =3D001,csn=3D20110408005040.759389Z#000000#000#000000 Apr=A0 8 00:50:40 = test-ldap01 slapd[8732]: conn=3D1001 op=3D1 ENTRY dn=3D"widget=3Dldap0= 2,ou=3Dwidgets,dc=3Ddomain,dc=3Dnet" Apr=A0 8 00:50:40 test-ldap01 slapd[8732]: slap_graduate_commit_csn: removi= ng 0x20494b70 20110408005040.759389Z#000000#000#000000 Apr=A0 8 00:50:40= test-ldap01 slapd[8732]: conn=3D1000 op=3D1 ENTRY dn=3D"widget=3Dldap= 02,ou=3Dwidgets,dc=3Ddomain,dc=3Dnet" Apr=A0 8 00:50:40 test-ldap01 slapd[8732]: syncrepl_entry: rid=3D001 be_mod= ify widget=3Dldap02,ou=3Dwidgets,dc=3Ddomain,dc=3Dnet (0) Apr=A0 8 00:50= :40 test-ldap01 slapd[8732]: slap_queue_csn: queing 0x2055d810 201104080050= 40.759389Z#000000#000#000000 --000e0cd3f872854fb804a05e0ce0--

1 0

Re: (ITS#6815) Feature Request: Accesslog filter
by marco.pizzoli＠gmail.com 07 Apr '11

07 Apr '11

--20cf300fb269cc453c04a055d2f8 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable I tried today to compile accesslog with this feature. Probably I didn't follow the correct procedure, but I would prefer to ask anyway to leave myself any doubt. - I took the vanilla openldap-2.4.25 distribution - unpacked the archive - substituted the accesslog.c file with the corresponding one as available in HEAD/MASTER - compiled the software as if it were the 2.4.25 vanilla distribution Now I obtain the following, at the startup: [cut] line 24 (logpurge 10+00:00 08:00) line 28 (logsuccess FALSE) line 30 (logbase all ou=3Dpeople,dc=3Dlancse,dc=3Dcsebo.it) /opt/openldap2.4.25/libexec/slapd: symbol lookup error: /opt/openldap2.4.25/libexec/openldap/accesslog-2.4.so.2: undefined symbol: verbstring_to_mask Could you help me? Thanks in advance Marco On Wed, Feb 23, 2011 at 10:02 AM, Marco Pizzoli <marco.pizzoli(a)gmail.com>wr= ote: > > On Wed, Feb 23, 2011 at 9:57 AM, Howard Chu <hyc(a)symas.com> wrote: > >> Marco Pizzoli wrote: >> >>> Hi Howard, >>> thanks for this work. >>> >>> I noticed that you give me a baseDN under which I can have operations >>> logged. >>> If I would like to exclude one subtree from my principal tree, I need t= o >>> specify all the baseDN of other sibling-subtrees. >>> To do this do I need to poli-invoke accesslog overlay? >>> >> >> No, you can specify logbase multiple times in a single overlay. >> > > Ok, thanks. > > > >> Possibly we can extend the directive to handle exclusion as well as >> inclusion, to simplify this case. >> > > This is effectively what I would need, in this case. > > > --=20 _________________________________________ Non =E8 forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison --20cf300fb269cc453c04a055d2f8 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable I tried today to compile accesslog with this feature. Probably I didn&#3= 9;t follow the correct procedure, but I would prefer to ask anyway to leave= myself any doubt. - I took the vanilla openldap-2.4.25 distribution= - unpacked the archive - substituted the accesslog.c file with the corre= sponding one as available in HEAD/MASTER - compiled the software as if i= t were the 2.4.25 vanilla distribution Now I obtain the following, = at the startup: [cut] line 24 (l= ogpurge 10+00:00 08:00) line 28 (logsucces= s FALSE) line 30 (logbase all ou= =3Dpeople,dc=3Dlancse,dc=3D<a href=3D"http://csebo.it">csebo.it</a>)= /opt/openldap2.4.25/libexec/slapd: symbol lookup= error: /opt/openldap2.4.25/libexec/openldap/accesslog-2.4.so.2: undefined = symbol: verbstring_to_mask Could you help me? Thanks in advance Marco <div cl= ass=3D"gmail_quote">On Wed, Feb 23, 2011 at 10:02 AM, Marco Pizzoli <<a href=3D"mailto:marco.pizzoli@gmail.com">marco.pizzoli@gma= il.com</a>> wrote: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> <div class=3D= "gmail_quote"><div class=3D"im">On Wed, Feb 23, 2011 at 9:57 AM, Howard Chu= <<a href=3D"mailto:hyc@symas.com" target=3D"_blank">h= yc(a)symas.com</a>> wrote: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> <div>Marco Pizzoli wrote: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> Hi Howard, thanks for this work. I noticed that you give me a baseDN under which I can have operations logge= d. If I would like to exclude one subtree from my principal tree, I need to<br= > specify all the baseDN of other sibling-subtrees. To do this do I need to poli-invoke accesslog overlay? </blockquote> </div> No, you can specify logbase multiple times in a single overlay. </blockq= uote></div><div> Ok, thanks. =A0</div><div class=3D"im"><blockquo= te class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; border-left: 1= px solid rgb(204, 204, 204); padding-left: 1ex;"> Possibly we can extend the directive to handle exclusion as well as inclusi= on, to simplify this case. </blockquote></div><div> This is effective= ly what I would need, in this case. </div></div> </blockquote></div> -- _______________________= __________________ Non =E8 forte chi non cade, ma chi cadendo ha la forz= a di rialzarsi. =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 Jim Morrison --20cf300fb269cc453c04a055d2f8--

1 0

Re: (ITS#6362) slapd 2.4.19 Segmentation fault under load
by alexs＠ulgsm.ru 07 Apr '11

07 Apr '11

* alexs(a)ulgsm.ru <alexs(a)ulgsm.ru> [2010-01-19 07:25:25 +0000]: OpenLDAP 2.4.25, 8.2-RELEASE is still crashed. -- alexs

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs April 2011