openldap-bugs October 2012

openldap-bugs@openldap.org

29 participants
84 discussions

Re: (ITS#7423) [PATCH] Update slapo-constraint tests
by michael＠stroeder.com 27 Oct '12

27 Oct '12

This is a cryptographically signed message in MIME format. --------------ms070008080905030605060503 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable jsynacek(a)redhat.com wrote: > This patch updates the slapo-constraint testsuit. It adds additional te= sts for > any constraints using 'uri'. Furthermore, it improves testing of the 'r= estrict' > parameter. In my RE24 working tree: git apply --stat jsynacek-20121025-constraint-tests-update.patch Then I expected =2E/run -b hdb test064 to fail (without the patch in ITS#7418) but it ret= urned "Test succeeded". Ciao, Michael. --------------ms070008080905030605060503 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIILHzCC BT8wggQnoAMCAQICDwCmSwABAAIAivjZQ8SBvzANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQG EwJERTEcMBoGA1UEChMTVEMgVHJ1c3RDZW50ZXIgR21iSDElMCMGA1UECxMcVEMgVHJ1c3RD ZW50ZXIgQ2xhc3MgMSBMMSBDQTEoMCYGA1UEAxMfVEMgVHJ1c3RDZW50ZXIgQ2xhc3MgMSBM MSBDQSBJWDAeFw0xMjA2MDYxOTAyMTZaFw0xMzA2MDcxOTAyMTZaMCgxCzAJBgNVBAYTAkRF MRkwFwYDVQQDDBBNaWNoYWVsIFN0csO2ZGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAxXZGav40rnGNLxEggBW94MILWHlfC8a23Jew5U1gPlfRTXOjjzmoaZ1uCyGdgF6M VvuO9T1aTQNGH+OdeGe3P7Tfc/NsLJFJ2wtd8blvhmodUgse2eypiWjNOd4gZuhalBhgsQ0K b5D6/1foghII4E264iZlJ7AJ+UYcO+GxvFWT0YMTbLckgDkZk7c3qwTozdhYvXarvqx+8Ou/ kuxpQQhac/ebzxpu0N+RHSf2KIUS0g0tEGnPtGv6iL+9QNHc4JKo9Y9KKVw3tQy+Re+FQLxB 1fPE5F+qxuD3AUENpOwkMsqWLM94ohtx3CFqLpxfUPrnKFLAHOhHEbByYGvFPwIDAQABo4IC EDCCAgwwgaUGCCsGAQUFBwEBBIGYMIGVMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3LnRydXN0 Y2VudGVyLmRlL2NlcnRzZXJ2aWNlcy9jYWNlcnRzL3RjX2NsYXNzMV9MMV9DQV9JWC5jcnQw QAYIKwYBBQUHMAGGNGh0dHA6Ly9vY3NwLml4LnRjY2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1 c3RjZW50ZXIuZGUwHwYDVR0jBBgwFoAU6bgoHUbP/M34TpvF7ktg69g7P9EwDAYDVR0TAQH/ BAIwADBKBgNVHSAEQzBBMD8GCSqCFAAsAQEBATAyMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3 LnRydXN0Y2VudGVyLmRlL2d1aWRlbGluZXMwDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQWBBS2 KAWfTfgJ/JQ63qLGwTXYLnI+LzBiBgNVHR8EWzBZMFegVaBThlFodHRwOi8vY3JsLml4LnRj Y2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1c3RjZW50ZXIuZGUvY3JsL3YyL3RjX0NsYXNzMV9M MV9DQV9JWC5jcmwwMwYDVR0lBCwwKgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDBwYK KwYBBAGCNxQCAjAfBgNVHREEGDAWgRRtaWNoYWVsQHN0cm9lZGVyLmNvbTANBgkqhkiG9w0B AQUFAAOCAQEAQ3bvVUpEq+cQrLpcogyt5BJNk/WvUvOHqhzyj28M9pg9hcDl1+MYl5qqj6tR GSTLPQZyf287pcmbMwbcTGZO/gbW9v7RYcut6RauWdwKMCUmKC3J4fVfDq9ZETA2WOV68ef4 B3Gzdhghsbp3Rhp5dDmrCVKAHlafm6ZwJrEQ9P76fxnQZzRLgeKpZep5ePH5YHUB3+YaOQvJ FG0bOXvfHhRiRG7/HW2G+yDgjHSxDz8AFzMWL/RFePqZ4pn6T/SM/qU6WEpW39MWyJNoH/Kx QDYK8gGYuesn1ciMCTnjrvZQj0fonGTO4SfWekJRkuGrJ7dYSZRjYbDcWBBkdFLWzzCCBdgw ggTAoAMCAQICDgboAAEAAkqWLSQM/sXJMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNVBAYTAkRF MRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSQwIgYDVQQLExtUQyBUcnVzdENlbnRl ciBVbml2ZXJzYWwgQ0ExJjAkBgNVBAMTHVRDIFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQSBJ MB4XDTA5MTEwMzE0MDgxOVoXDTI1MTIzMTIxNTk1OVowfDELMAkGA1UEBhMCREUxHDAaBgNV BAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxJTAjBgNVBAsTHFRDIFRydXN0Q2VudGVyIENsYXNz IDEgTDEgQ0ExKDAmBgNVBAMTH1RDIFRydXN0Q2VudGVyIENsYXNzIDEgTDEgQ0EgSVgwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75pBuz2Lp6QuqthDVR+V8XSsncZpozVVt 5KLv5P7yemMRwleKyH3PjmYfZUVL64Biab1GjovFblqVGCrep/EfdRonq20yU+P7TVhiLP8Z 5cegDZotIYhZhM0d8cPIij6w5d4IJM/8QCy6QSOUu4ASiTVItoYE4AFPjLqpmPwcie0fiqHH hpgmHnJla/7PZdkMZEsaCfVDEWBmJuMzVprJPT40anjG5VBLyM2I5DlsUCaeQCy2O3w3sqf1 3dyzUcv03IICuNc63towXA31Qt0TaVNU6YAmQjMepdfMbspmCZ+G8D2+xophEPPR/1vkstst smUMqX0XrLonTUJczglPAgMBAAGjggJZMIICVTCBmgYIKwYBBQUHAQEEgY0wgYowUgYIKwYB BQUHMAKGRmh0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvY2VydHNlcnZpY2VzL2NhY2VydHMv dGNfdW5pdmVyc2FsX3Jvb3RfSS5jcnQwNAYIKwYBBQUHMAGGKGh0dHA6Ly9vY3NwLnRjdW5p dmVyc2FsLUkudHJ1c3RjZW50ZXIuZGUwHwYDVR0jBBgwFoAUkqR1LKSevoFE63n8isWVpesQ dXMwEgYDVR0TAQH/BAgwBgEB/wIBADBSBgNVHSAESzBJMAYGBFUdIAAwPwYJKoIUACwBAQEB MDIwMAYIKwYBBQUHAgEWJGh0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvZ3VpZGVsaW5lczAO BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFOm4KB1Gz/zN+E6bxe5LYOvYOz/RMIH9BgNVHR8E gfUwgfIwge+ggeyggemGRmh0dHA6Ly9jcmwudGN1bml2ZXJzYWwtSS50cnVzdGNlbnRlci5k ZS9jcmwvdjIvdGNfdW5pdmVyc2FsX3Jvb3RfSS5jcmyGgZ5sZGFwOi8vd3d3LnRydXN0Y2Vu dGVyLmRlL0NOPVRDJTIwVHJ1c3RDZW50ZXIlMjBVbml2ZXJzYWwlMjBDQSUyMEksTz1UQyUy MFRydXN0Q2VudGVyJTIwR21iSCxPVT1yb290Y2VydHMsREM9dHJ1c3RjZW50ZXIsREM9ZGU/ Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlPzANBgkqhkiG9w0BAQUFAAOCAQEAOcjE m+6+mO5Icm+N53G2DpCM07LBFSGoRpBoX0oE8TrJaIQh2KXmBHVdn9LU8kt3QzLclctgvwJV 0KwcsMUUl5tlCsMPpR3s2Ek5lbWpvvr0HqtW56blAQiINV9nBd1EJFASIkRjefGbV2nOq9Yz UU+N8HA7jq1ROhd/NZZraGhjthwKyfjfHV7PKxGlY+3M0MbTIG+q/GhIfm0euDpFqhKG88e9 ALXr/uoSn3MzeOcoOWjTpW3adtFO4VWVgKbgG7jNrFbvRVlHmFLbOm4msjE5aXWxLiTwpJ2X iF4zKca1vAdAOgw9us90jEtOeiH6GzjNxEMvb7TfeO6Zkuc6HDGCA84wggPKAgEBMIGPMHwx CzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYDVQQLExxU QyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENlbnRlciBD bGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wCQYFKw4DAhoFAKCCAhMwGAYJKoZI hvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTIxMDI3MTA1MzQ1WjAjBgkq hkiG9w0BCQQxFgQUbmzaJFtkRvKKODnnBAp8DLfiWrIwbAYJKoZIhvcNAQkPMV8wXTALBglg hkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggq hkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBoAYJKwYBBAGCNxAEMYGSMIGP MHwxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYDVQQL ExxUQyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENlbnRl ciBDbGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wgaIGCyqGSIb3DQEJEAILMYGS oIGPMHwxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYD VQQLExxUQyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENl bnRlciBDbGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wDQYJKoZIhvcNAQEBBQAE ggEAdf/2uF/F/Htah4Ot/ms0g9WO2JlUz97qvAXbU2mDCwC+VqjzfrRYDbSP9kxVwPGhh3/h Cp1GbtrPxzT7nhWhpdURwh6JULcOtAWMUawCwyY87DsbcrKD5kDZTi61lGpSO2JbMmfxcEft 1nlBhzuWFMsyPMjsunjumxstBpbn65+1vcaYN8KMz3CGP2gRniG411zOchah31lA6h+dvEnc z6zzsjw2Z7P8Xuqh1MV39im/HPsgnHEzMTyIwywlLNH6HEwqKH7ELjhlQEpNtIqRvdRQKLY8 85lnO/FMH2ujpxhx1c+FgjHtqOHXSJzzApWaIcqKC4yCxtLQ+EZebM3obgAAAAAAAA== --------------ms070008080905030605060503--

1 0

(ITS#7423) [PATCH] Update slapo-constraint tests
by jsynacek＠redhat.com 25 Oct '12

25 Oct '12

Full_Name: Jan Synacek Version: master OS: linux-fedora17 URL: ftp://ftp.openldap.org/incoming/jsynacek-20121025-constraint-tests-update.p… Submission from: (NULL) (209.132.186.34) This patch updates the slapo-constraint testsuit. It adds additional tests for any constraints using 'uri'. Furthermore, it improves testing of the 'restrict' parameter. The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat. Red Hat has not assigned rights and/or interest in this work to any party. I, Jan Synacek am authorized by Red Hat, my employer, to release this work under the following terms. Red Hat hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

1 0

Re: AW: AW: (ITS#7418) slapo-constraint are broken
by jsynacek＠redhat.com 25 Oct '12

25 Oct '12

On 10/25/2012 01:41 PM, Sascha.Kuehndel(a)deka.de wrote: > Hi, > > it looks better. > make test an my own tests was successful. Great. URL: ftp://ftp.openldap.org/incoming/jsynacek-20121025-slapo-constraint-uri-rest… The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat. Red Hat has not assigned rights and/or interest in this work to any party. I, Jan Synacek am authorized by Red Hat, my employer, to release this work under the following terms. Red Hat hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. -- Jan Synacek Software Engineer, BaseOS team Brno, Red Hat

1 0

AW: AW: (ITS#7418) slapo-constraint are broken
by Sascha.Kuehndel＠deka.de 25 Oct '12

25 Oct '12

Hi, it looks better. make test an my own tests was successful. Thanks, Sascha --------------------------------------------------------------------------------------- #!RESULT OK dn: dc=1,ou=user,ou=deka,dc=example,dc=com changetype: modify replace: description description: ab - #!RESULT ERROR #!ERROR [LDAP: error code 19 - modify breaks constraint on associatedName] dn: dc=1,ou=user,ou=deka,dc=example,dc=com changetype: modify replace: associatedName associatedName: uid=15,ou=group,ou=deka,dc=example,dc=com - #!RESULT OK dn: uid=14,ou=group,ou=deka,dc=example,dc=com changetype: delete #!RESULT OK dn: dc=1,ou=user,ou=deka,dc=example,dc=com changetype: modify replace: description description: abc - #!RESULT ERROR #!ERROR [LDAP: error code 19 - modify breaks constraint on associatedName] dn: dc=1,ou=user,ou=deka,dc=example,dc=com changetype: modify replace: associatedName associatedName: uid=14,ou=group,ou=deka,dc=example,dc=com -

1 0

Re: AW: (ITS#7418) slapo-constraint are broken
by jsynacek＠redhat.com 25 Oct '12

25 Oct '12

This is a multi-part message in MIME format. --------------030809010302060201080601 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit On 10/22/2012 09:14 PM, Sascha.Kuehndel(a)deka.de wrote: > Hello, > > i have reduced the configuration and the DIT to a minium. > So i can now send the slapd.conf, the initial dit and the test-change. > > I hope you can reproduce the error, with it. > > The uses software: > OpenLDAP: 2.4.33 > BDB: 5.3.21 > OpenSSL: 1.0.1c > > Thanks, > Sascha Kuehndel > Could you please try the attached patch? Thank you, -- Jan Synacek Software Engineer, BaseOS team Brno, Red Hat --------------030809010302060201080601 Content-Type: text/x-patch; name="constraint2.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="constraint2.patch" diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c index 2d943a2..e7b5689 100644 --- a/servers/slapd/overlays/constraint.c +++ b/servers/slapd/overlays/constraint.c @@ -845,9 +845,6 @@ constraint_check_count_violation( Modifications *m, Entry *target_entry, constra unsigned ca; int j; - if ( cp->set ) - return 0; - for ( j = 0; cp->ap[j]; j++ ) { /* Get this attribute count */ if ( target_entry ) @@ -905,7 +902,6 @@ constraint_update( Operation *op, SlapReply *rs ) int rc; char *msg = NULL; int is_v; - int first = 1; if (get_relax(op)) { return SLAP_CB_CONTINUE; @@ -933,15 +929,17 @@ constraint_update( Operation *op, SlapReply *rs ) return(rs->sr_err); } + op->o_bd = on->on_info->oi_origdb; + rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry ); + op->o_bd = be; + /* Do we need to count attributes? */ for(cp = c; cp; cp = cp->ap_next) { - if (cp->count != 0 || cp->set || cp->restrict_lud != 0) { - if (first) { - op->o_bd = on->on_info->oi_origdb; - rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry ); - op->o_bd = be; - first = 0; - } + if (cp->restrict_lud && constraint_check_restrict(op, cp, target_entry) == 0) { + continue; + } + + if (cp->count != 0) { if (rc != 0 || target_entry == NULL) { Debug(LDAP_DEBUG_TRACE, "==> constraint_update rc = %d DN=\"%s\"%s\n", @@ -964,6 +962,7 @@ constraint_update( Operation *op, SlapReply *rs ) } } + rc = LDAP_CONSTRAINT_VIOLATION; for(;m; m = m->sml_next) { unsigned ce = 0; --------------030809010302060201080601--

1 0

Re: (ITS#7421) olcExtraAttrs documentation incorrect
by hyc＠symas.com 24 Oct '12

24 Oct '12

k3kk0n3n(a)gmail.com wrote: > Full_Name: > Version: 2.4.32 > OS: Ubuntu 10, Debian Squeeze > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (130.233.152.136) > > > The documentation in the slapd-config manpage is incorrect. The olcExtraAttrs > setting is said to be a global configuration setting when in reality it seems to > be database specific. In the slapd.conf manpage, the corresponding setting > (extra_attrs) is listed as being database-specific. I believe that is correct > although I have not checked it. > > ( Taken from my post on the openldap-technical mailing list: > http://www.openldap.org/lists/openldap-technical/201210/msg00104.html ) > > Thanks, fixed now in git master. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7422) olcExtraAttrs doesn't work
by k3kk0n3n＠gmail.com 24 Oct '12

24 Oct '12

Full_Name: Version: 2.4.32 OS: Ubuntu 10, Debian Squeeze URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (130.233.152.136) olcExtraAttrs does not seem to work with the rwm overlay (like in ITS#6513). With the rwm overlay present, ACIs are not evaluated when requesting a specific attribute, regardless of whether olcExtraAttrs is specified or not. In order to apply the ACI, you can pass the ACI attribute name in the search. I'm providing a configuration file that can be used to reproduce the problem as well as some search examples to demonstrate the issue. ----Configuration file---- dn: cn=config objectClass: olcGlobal cn: config olcPidFile: /usr/local/var/run/slapd.pid olcArgsFile: /usr/local/var/run/slapd.args #olcLogLevel: -1 olcToolThreads: 1 dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break olcAccess: {1}to dn.base="" by * read olcAccess: {2}to dn.base="cn=subschema" by * read olcRequires: authc dn: olcDatabase=config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema include: file:///usr/local/etc/openldap/schema/core.ldif dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModuleload: back_hdb olcModuleLoad: rwm dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: hdb olcSuffix: dc=example,dc=com olcDbDirectory: /var/lib/ldap olcRootDN: cn=admin,dc=example,dc=com olcRootPW: pass olcDbConfig: set_cachesize 0 2097152 0 olcDbConfig: set_lk_max_objects 1500 olcDbConfig: set_lk_max_locks 1500 olcDbConfig: set_lk_max_lockers 1500 olcExtraAttrs: OpenLDAPaci olcAccess: to attrs=userpassword by anonymous auth olcAccess: to dn.base="dc=example,dc=com" by * search olcAccess: to * by self manage by dynacl/aci=OpenLDAPaci manage ----Note---- To disable the rwm overlay, comment the following 4 lines in the config: dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm ----Test data---- dn: dc=example,dc=com objectClass: dcObject objectClass: top objectClass: organization dc: example o: example dn: cn=a,dc=example,dc=com objectClass: top objectClass: person cn: a sn: a userPassword: pass dn: cn=b,dc=example,dc=com objectClass: top objectClass: person cn: b sn: b userPassword: pass OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com ----Search examples---- Without rwm, requesting the whole object (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com # b, example.com dn: cn=b,dc=example,dc=com objectClass: top objectClass: person cn: b sn: b # numResponses: 2 # numEntries: 1 Without rwm, requesting an attribute (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn # b, example.com dn: cn=b,dc=example,dc=com sn: b # numResponses: 2 # numEntries: 1 With rwm, requesting the whole object (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com # b, example.com dn: cn=b,dc=example,dc=com objectClass: top objectClass: person cn: b sn: b # numResponses: 2 # numEntries: 1 With rwm, requesting an attribute (notice the object is not returned here): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn # numResponses: 1 With rwm, requesting an attribute and openldapaci (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn openldapaci # b, example.com dn: cn=b,dc=example,dc=com sn: b OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com # numResponses: 2 # numEntries: 1 ( Taken from my post on the openldap-technical mailing list: http://www.openldap.org/lists/openldap-technical/201210/msg00104.html )

1 0

(ITS#7421) olcExtraAttrs documentation incorrect
by k3kk0n3n＠gmail.com 24 Oct '12

24 Oct '12

Full_Name: Version: 2.4.32 OS: Ubuntu 10, Debian Squeeze URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (130.233.152.136) The documentation in the slapd-config manpage is incorrect. The olcExtraAttrs setting is said to be a global configuration setting when in reality it seems to be database specific. In the slapd.conf manpage, the corresponding setting (extra_attrs) is listed as being database-specific. I believe that is correct although I have not checked it. ( Taken from my post on the openldap-technical mailing list: http://www.openldap.org/lists/openldap-technical/201210/msg00104.html )

1 0

Re: AW: (ITS#7418) slapo-constraint are broken
by quanah＠zimbra.com 23 Oct '12

23 Oct '12

--On Tuesday, October 23, 2012 5:26 AM +0000 jsynacek(a)redhat.com wrote: > On 10/22/2012 09:19 PM, quanah(a)zimbra.com wrote: >> --On Monday, October 22, 2012 7:14 PM +0000 Sascha.Kuehndel(a)deka.de >> wrote: >> >>> --_004_F12A906A1F17554CB9CDFC8F4779F3C469A046FAB9EXCCREX9dekag_ >>> Content-Type: text/plain; charset="iso-8859-1" >>> Content-Transfer-Encoding: quoted-printable >>> >>> Hello, >>> >>> i have reduced the configuration and the DIT to a minium. >>> So i can now send the slapd.conf, the initial dit and the test-change. >>> >>> I hope you can reproduce the error, with it. >> >> Hi Jan, >> >> It appears your changes to slapo-constraint broke at least one >> configuration option. Can you please review the information in this ITS >> and update your changes. Thanks. >> > > Hi, > > those changes were made by me (different Jan). > I will look into it and update the testcases. Thanks. Sorry for the mixup, I picked the first Jan that came up in my mailbox search. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: (ITS#7420) Way to bypass overlay unique and constranit
by hyc＠symas.com 23 Oct '12

23 Oct '12

kmenshikov(a)hostcomm.ru wrote: > Full_Name: Konstantin Menshikov > Version: 2.4.33 > OS: FreeBSD 8.2-RELEASE-p4 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (212.116.101.94) > > > Overlay unique and constraint use list attributes for check. > If we use restriction by rdn (attribute cn for example), and don`t add attribute > cn in ldif-file, we can bypass restriction. > > Overlay unique look list attributes in op->ora_e->e_attrs, > if this list not contain attribute cn, checks isn`t running. > > IMHO: problem not in overlays, but in slapd code, that allow add object without > explicit set rdn. The slapd behavior was discussed long ago, in ITS#2243. The current slapd behavior is consistent with RFC4511 (though this differs from older releases and the now obsoleted RFC2251). It seems that because of this behavior, the fix will have to be made to each overlay accordingly. It would be nice if we had a more centralized approach though. > > Example configuration: > [root(a)rdn.problem openldap]# cat slapd.conf > # > # See slapd.conf(5) for details on configuration options. > # This file should NOT be world readable. > # > include /usr/local/etc/openldap/schema/core.schema > include /usr/local/etc/openldap/schema/corba.schema > include /usr/local/etc/openldap/schema/cosine.schema > include /usr/local/etc/openldap/schema/dyngroup.schema > include /usr/local/etc/openldap/schema/inetorgperson.schema > include /usr/local/etc/openldap/schema/java.schema > include /usr/local/etc/openldap/schema/misc.schema > include /usr/local/etc/openldap/schema/nis.schema > include /usr/local/etc/openldap/schema/openldap.schema > include /usr/local/etc/openldap/schema/ppolicy.schema > include /usr/local/etc/openldap/schema/sudo.schema > include /usr/local/etc/openldap/schema/samba.schema > include /usr/local/etc/openldap/schema/spamassassin.schema > include /usr/local/etc/openldap/schema/openssh-lpk.schema > include /usr/local/etc/openldap/schema/vega-base.schema > include /usr/local/etc/openldap/schema/vega-corp.schema > include /usr/local/etc/openldap/schema/vega-net.schema > include /usr/local/etc/openldap/schema/oversun-base.schema > include /usr/local/etc/openldap/schema/oversun-corp.schema > include /usr/local/etc/openldap/schema/oversun-mail.schema > include /usr/local/etc/openldap/schema/oversun-net.schema > include /usr/local/etc/openldap/schema/asterisk.schema > > > # Define global ACLs to disable default read access. > > # Do not enable referrals until AFTER you have a working directory > # service AND an understanding of referrals. > #referral ldap://root.openldap.org > > pidfile /var/run/openldap/slapd.pid > argsfile /var/run/openldap/slapd.args > loglevel config stats sync trace > > # Load dynamic backend modules: > modulepath /usr/local/libexec/openldap > moduleload back_hdb > > database hdb > suffix "o=company" > rootdn "cn=ldapadm,o=company" > rootpw password > directory /var/db/openldap-data/o=company > > overlay unique > unique_uri ldap:///ou=groups,o=company?cn?sub > > How to repeat: > > [root(a)rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H > ldap://127.0.0.5:389 -f /root/add.ldif.false > adding new entry "cn=test,ou=system,ou=groups,o=company" > ldap_add: Constraint violation (19) > additional info: some attributes not unique > > [root(a)rdn.problem openldap]# cat /root/add.ldif.false > dn: cn=test,ou=system,ou=groups,o=company > changetype: add > objectClass: posixGroup > description: test > cn: test > gidNumber: 1000 > [root(a)rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H > ldap://127.0.0.5:389 -f /root/add.ldif.true > adding new entry "cn=test,ou=system,ou=groups,o=company" > > [root(a)rdn.problem openldap]# cat /root/add.ldif.true > dn: cn=test,ou=system,ou=groups,o=company > changetype: add > objectClass: posixGroup > description: test > gidNumber: 1000 > [root(a)rdn.problem openldap]# diff -U 3 /root/add.ldif.false /root/add.ldif.true > > --- /root/add.ldif.false 2012-10-23 06:22:16.000000000 +0000 > +++ /root/add.ldif.true 2012-10-23 06:22:25.000000000 +0000 > @@ -2,5 +2,4 @@ > changetype: add > objectClass: posixGroup > description: test > -cn: test > gidNumber: 1000 > > > Log file records: > > Oct 23 06:23:21 rdn slapd[44326]: slap_listener_activate(6): > Oct 23 06:23:21 rdn slapd[44326]: >>> slap_listener(ldap://) > Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 ACCEPT from IP=127.0.0.5:17098 > (IP=0.0.0.0:389) > Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006 > Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on > id=1006 > Oct 23 06:23:21 rdn slapd[44326]: op tag 0x60, time 1350973401 > Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 do_bind > Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company> > Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>, > <cn=ldapadm,o=company> > Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company" > method=128 > Oct 23 06:23:21 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company" > method=128 > Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company" > mech=SIMPLE ssf=0 > Oct 23 06:23:21 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to > "cn=ldapadm,o=company" > Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=0 p=3 > Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0 > Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 RESULT tag=97 err=0 text= > Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006 > Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on > id=1006 > Oct 23 06:23:21 rdn slapd[44326]: op tag 0x68, time 1350973401 > Oct 23 06:23:21 rdn slapd[44326]: connection_input: conn=1006 deferring > operation: binding > Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 do_add > Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal: > <cn=test,ou=system,ou=groups,o=company> > Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal: > <cn=test,ou=system,ou=groups,o=company>, > <cn=test,ou=system,ou=groups,o=company> > Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 ADD > dn="cn=test,ou=system,ou=groups,o=company" > Oct 23 06:23:21 rdn slapd[44326]: > bdb_dn2entry("cn=test,ou=system,ou=groups,o=company") > Oct 23 06:23:21 rdn slapd[44326]: => > hdb_dn2id("cn=test,ou=system,ou=groups,o=company") > Oct 23 06:23:21 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No > matching key/data pair found (-30989) > Oct 23 06:23:21 rdn slapd[44326]: hdb_referrals: tag=104 > target="cn=test,ou=system,ou=groups,o=company" > matched="ou=system,ou=groups,o=company" > Oct 23 06:23:21 rdn slapd[44326]: ==> unique_add > <cn=test,ou=system,ou=groups,o=company> > Oct 23 06:23:21 rdn slapd[44326]: ==> unique_search (|(cn=test)) > Oct 23 06:23:21 rdn slapd[44326]: => hdb_search > Oct 23 06:23:21 rdn slapd[44326]: bdb_dn2entry("ou=groups,o=company") > Oct 23 06:23:21 rdn slapd[44326]: search_candidates: base="ou=groups,o=company" > (0x00000002) scope=2 > Oct 23 06:23:21 rdn slapd[44326]: => hdb_dn2idl("ou=groups,o=company") > Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (objectClass) > Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (objectClass) not > indexed > Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (cn) > Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (cn) not indexed > Oct 23 06:23:21 rdn slapd[44326]: bdb_search_candidates: id=-1 first=2 last=5 > Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 2 does not match filter > Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 3 does not match filter > Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 4 does not match filter > Oct 23 06:23:21 rdn slapd[44326]: ==> count_attr_cb > <cn=test,ou=personal,ou=groups,o=company> > Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3 > Oct 23 06:23:21 rdn slapd[44326]: => unique_search found 1 records > Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3 > Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=19 > Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 RESULT tag=105 err=19 text=some > attributes not unique > Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006 > Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on > id=1006 > Oct 23 06:23:21 rdn slapd[44326]: op tag 0x42, time 1350973401 > Oct 23 06:23:21 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0 > (Undefined error: 0) > Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 do_unbind > Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 UNBIND > Oct 23 06:23:21 rdn slapd[44326]: connection_close: conn=1006 sd=10 > Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 closed > > Oct 23 06:23:52 rdn slapd[44326]: slap_listener_activate(6): > Oct 23 06:23:52 rdn slapd[44326]: >>> slap_listener(ldap://) > Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 ACCEPT from IP=127.0.0.5:20738 > (IP=0.0.0.0:389) > Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007 > Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on > id=1007 > Oct 23 06:23:52 rdn slapd[44326]: op tag 0x60, time 1350973432 > Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 do_bind > Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company> > Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>, > <cn=ldapadm,o=company> > Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company" > method=128 > Oct 23 06:23:52 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company" > method=128 > Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company" > mech=SIMPLE ssf=0 > Oct 23 06:23:52 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to > "cn=ldapadm,o=company" > Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=0 p=3 > Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0 > Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 RESULT tag=97 err=0 text= > Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007 > Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on > id=1007 > Oct 23 06:23:52 rdn slapd[44326]: op tag 0x68, time 1350973432 > Oct 23 06:23:52 rdn slapd[44326]: connection_input: conn=1007 deferring > operation: binding > Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 do_add > Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal: > <cn=test,ou=system,ou=groups,o=company> > Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal: > <cn=test,ou=system,ou=groups,o=company>, > <cn=test,ou=system,ou=groups,o=company> > Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 ADD > dn="cn=test,ou=system,ou=groups,o=company" > Oct 23 06:23:52 rdn slapd[44326]: > bdb_dn2entry("cn=test,ou=system,ou=groups,o=company") > Oct 23 06:23:52 rdn slapd[44326]: => > hdb_dn2id("cn=test,ou=system,ou=groups,o=company") > Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No > matching key/data pair found (-30989) > Oct 23 06:23:52 rdn slapd[44326]: hdb_referrals: tag=104 > target="cn=test,ou=system,ou=groups,o=company" > matched="ou=system,ou=groups,o=company" > Oct 23 06:23:52 rdn slapd[44326]: ==> unique_add > <cn=test,ou=system,ou=groups,o=company> > Oct 23 06:23:52 rdn slapd[44326]: oc_check_required entry > (cn=test,ou=system,ou=groups,o=company), objectClass "posixGroup" > Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "objectClass" > Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "description" > Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "gidNumber" > Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "structuralObjectClass" > Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "cn" > Oct 23 06:23:52 rdn slapd[44326]: slap_queue_csn: queing 0x7ffffebfc160 > 20121023062352.127471Z#000000#000#000000 > Oct 23 06:23:52 rdn slapd[44326]: > bdb_dn2entry("cn=test,ou=system,ou=groups,o=company") > Oct 23 06:23:52 rdn slapd[44326]: => > hdb_dn2id("cn=test,ou=system,ou=groups,o=company") > Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No > matching key/data pair found (-30989) > Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id_add 0x6: > "cn=test,ou=system,ou=groups,o=company" > Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id_add 0x6: 0 > Oct 23 06:23:52 rdn slapd[44326]: => index_entry_add( 6, > "cn=test,ou=system,ou=groups,o=company" ) > Oct 23 06:23:52 rdn slapd[44326]: <= index_entry_add( 6, > "cn=test,ou=system,ou=groups,o=company" ) success > Oct 23 06:23:52 rdn slapd[44326]: => entry_encode(0x00000006): > Oct 23 06:23:52 rdn slapd[44326]: <= entry_encode(0x00000006): > Oct 23 06:23:52 rdn slapd[44326]: hdb_add: added id=00000006 > dn="cn=test,ou=system,ou=groups,o=company" > Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=1 p=3 > Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=0 > Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 RESULT tag=105 err=0 text= > Oct 23 06:23:52 rdn slapd[44326]: slap_graduate_commit_csn: removing 0x80197aeb0 > 20121023062352.127471Z#000000#000#000000 > Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007 > Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on > id=1007 > Oct 23 06:23:52 rdn slapd[44326]: op tag 0x42, time 1350973432 > Oct 23 06:23:52 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0 > (Undefined error: 0) > Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 do_unbind > Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 UNBIND > Oct 23 06:23:52 rdn slapd[44326]: connection_close: conn=1007 sd=10 > Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 closed > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs October 2012