openldap-bugs May 2012

openldap-bugs@openldap.org

23 participants
78 discussions

Re: (ITS#7276) [PATCH] MozNSS: allow CA certdb together with PEM CA bundle file
by hyc＠symas.com 30 May '12

30 May '12

jvcelak(a)redhat.com wrote: > Full_Name: Jan Vcelak > Version: master > OS: Linux > URL: ftp://ftp.openldap.org/incoming/jvcelak-20120518-update-nss-allow-ca-certdb… > Submission from: (NULL) (209.132.186.34) > > > With Mozilla NSS crypto backend: > > Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate > database and TLS_CACERT was set to a PEM bundle file with CA > certificates, the PEM file content was not loaded. > > With this patch and the same settings, OpenLDAP can verify certificates > which are signed by CAs stored both in certdb and PEM bundle file. Thanks for the patch, added to master. > > This problem was found with FreeIPA which is setting CA PEM bundle using > ldap_set_option(&ld, LDAP_OPT_X_TLS_CACERTFILE, ...), while TLS_CACERTDIR with > certdb is set in system ldap.conf file. > > > The attached file is derived from OpenLDAP Software. All of the modifications to > OpenLDAP Software represented in the following patch(es) were developed by Red > Hat. Red Hat has not assigned rights and/or interest in this work to any party. > I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under > the following terms. > > Red Hat hereby place the following modifications to OpenLDAP Software (and only > these modifications) into the public domain. Hence, these modifications may be > freely used and/or redistributed for any purpose with or without attribution > and/or other notice. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7271) Don't clobber SASL_NOCANON in clients/tools/common.c
by hyc＠symas.com 30 May '12

30 May '12

wking(a)tremily.us wrote: > Full_Name: W. Trevor King > Version: git commit 22bf5188 > OS: Gentoo > URL: http://blog.tremily.us/posts/LDAP/tool-nocanon.patch > Submission from: (NULL) (72.68.88.202) > > > The ldap.conf SASL_NOCANON configuration option (or LDAPSASL_NOCANON environment > variable) should set the default behaviour for OpenLDAP tools such as > ldapwhoami. This configuration option should allow users to use the tools > without having to use the matching command line option (-N). Unfortunately, the > current code sets the option to true/false after only querying the command line > option. > > I'm linking to a patch that looks at the current value of the option first, and > if it's true, skips processing the command line option (which would either be a > redundant -N keeping the option true, or an absence of -N which implies the user > wants to use the configured value (true)). > > Another approach would be to set the initial value of nocanon to UNINITIALIZED > (-1?). Command line arguments could set nocanon to 1 (true, -N) or false (0, > --canon?). Then we would only call ldap_set_option if nocanon was not > UNINITIALIZED. > > I can work up a patch using this second approach if people prefer. If so, let > me know if you want me to define UNINITIALIZED, or to just use -1. > > I didn't check, but I would not be surprised if this same clobbering occurred > for other command line options. The only other boolean command line option is referrals, which is deprecated and has been undocumented for years. Not worth bothering over. Ideally the command line option should have been able to set this explicitly to both true and false, to allow complete control over the option. But I'm not particularly concerned either way. Since the option currently can only be set to true, it would be sufficient to just check for nocanon != 0 before calling ldap_set_option. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7270) Double free in ldap_int_initialize
by hyc＠symas.com 30 May '12

30 May '12

fdeweerdt(a)cloudmark.com wrote: > Full_Name: Frederik Deweerdt > Version: current HEAD > OS: Linux > URL: ftp://ftp.openldap.org/incoming/Frederik-Deweerdt-120511.patch > Submission from: (NULL) (72.5.239.5) > > > [PATCH] Protect accesses to ldap_int_hostname with a mutex Thanks for the patch, now in git master. > > > Not protecting the accesses to ldap_int_hostname would lead to a double > free with the following trace: > > #7 0x0000003aca031d10 in abort () from /lib64/libc.so.6 > No symbol table info available. > #8 0x0000003aca06a99b in __libc_message () from /lib64/libc.so.6 > No symbol table info available. > #9 0x0000003aca0729d6 in free () from /lib64/libc.so.6 > No symbol table info available. > #10 0x000000328902333e in ldap_int_initialize () > from /usr/lib64/libldap-2.3.so.0 > No symbol table info available. > #11 0x000000328900c426 in ldap_create () from /usr/lib64/libldap-2.3.so.0 > No symbol table info available. > #12 0x000000328900ca0d in ldap_init () from /usr/lib64/libldap-2.3.so.0 > No symbol table info available. > > The race in init.c:ldap_int_initialize is as follows: > 646 char *name = ldap_int_hostname; > 647 > 648 ldap_int_hostname = ldap_pvt_get_fqdn( name ); > 649 > 650 if ( name != NULL && name != ldap_int_hostname ) { > 651 LDAP_FREE( name ); > 652 } > > - T1 and T2 enter ldap_int_initialize, both assign to name the current > address of ldap_int_hostname, say 0x1234. > - T1 and T2 call ldap_pvt_get_fqdn(), updating ldap_int_hostname to 0x1235 > and 0x1236 respectively. > - T1 and T2 reach the name != ldap_int_hostname check. In both threads > it's false, because 0x1235 != 0x1234 and 0x1236 != 0x1234, respectively. > - T1 and T2 both try to free 0x1234 => Crash. > --- > libraries/libldap/init.c | 2 ++ > libraries/libldap/ldap-int.h | 1 + > libraries/libldap/util-int.c | 3 +++ > 3 files changed, 6 insertions(+), 0 deletions(-) > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7283) Usage of private headers make building out-of-tree extensions painful
by hyc＠symas.com 30 May '12

30 May '12

guillomovitch(a)gmail.com wrote: > Full_Name: Guillaume Rousse > Version: any > OS: Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (128.93.30.10) > > > In order to build out of tree extensions, such as ppolicy external password > checker (http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password), > you need additional slapd headers, portable.h and slapd.h (and a bunch of > additional dependant ones), which are currently not installed, and thus > considered as private. > > A request to ship those headers was refused by fedora package maintainer, > precisely for this reason: > https://bugzilla.redhat.com/show_bug.cgi?id=812860 They gave the right answer. The slap.h header is private and subject to change without notice. > The situation ought to be clarified, and some kind of solution found, as > maintaining a custom slapd build just to be able to benefit from this > extensability is largely overkill. Probably this should be discussed on the openldap-devel mailing list. There's no straightforward solution to this request. In the case of the LTB password checker module, there's barely any need for slap.h; the module could easily be tweaked to avoid all references to it. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7279) Apparently mdb "approx" index generation failure for mdb_add for syncrepl consumer
by hyc＠symas.com 30 May '12

30 May '12

brandon.hume(a)dal.ca wrote: > Full_Name: Brandon Hume > Version: 2.4.31 > OS: RHEL EL6.1, kernel 2.6.32-131.12.1.el6.x86_64 > URL: http://den.bofh.ca/~hume/mdb_approx_indexfail.tar > Submission from: (NULL) (2001:410:a010:2:223:aeff:fe74:400e) > > > An empty syncrepl consumer using mdb backend will suffer index generator > failures when populating its database from the provider and using "approx" index > options. The failure manifests in syslog (with olcLogLevel=Stats) as the > following: > > May 24 11:50:41 node2 slapd[25282]: null_callback : error code 0x50 > May 24 11:50:41 node2 slapd[25282]: syncrepl_entry: rid=001 be_add $DN failed > (80) > > These problems don't seem to occur when populating the provider using slapadd. > The problem only seems to manifest when the new entry arrives via syncrepl. > Playing with gdb, it seems like indexer() ends up being called with { bv_len = > 0, bv_val = "" } when indexing "givenName". Thanks for the report, fixed now in git master. slapadd also failed for me, so it wasn't quite the same behavior you reported. > > Could be because "givenName" on the troublesome entry is only one character? > > A minimalist DIT and config are provided in the tarfile in the link. The two > nodes are running in mirrormode, and I'm not sure if that makes a difference. The config is invalid; you have used the same RIDs multiple times. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7283) Usage of private headers make building out-of-tree extensions painful
by guillomovitch＠gmail.com 30 May '12

30 May '12

Full_Name: Guillaume Rousse Version: any OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (128.93.30.10) In order to build out of tree extensions, such as ppolicy external password checker (http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password), you need additional slapd headers, portable.h and slapd.h (and a bunch of additional dependant ones), which are currently not installed, and thus considered as private. A request to ship those headers was refused by fedora package maintainer, precisely for this reason: https://bugzilla.redhat.com/show_bug.cgi?id=812860 The situation ought to be clarified, and some kind of solution found, as maintaining a custom slapd build just to be able to benefit from this extensability is largely overkill.

1 0

Re: (ITS#7274) delta-syncrepl MMR infinite loop
by quanah＠zimbra.com 29 May '12

29 May '12

--On Tuesday, May 29, 2012 6:25 PM -0700 Howard Chu <hyc(a)openldap.org> wrote: >> so it is tracking "000" as a third master? This seems to be why the >> original server (which was 000 before being promoted to 001) replicates >> these entries back to itself. > > The loop is caused by the patch to ITS#6872, which considers a consumer > out of date whenever the number of CSNs in its sync request doesn't match > the number known to the provider. > > The data here is basically invalid: server1 has entries generated using > SID=0 but it has no contextCSN value with SID=0. It only sent SID=1 and > SID=2 in its sync request. Server2, which just updated from server1, has > a contextCSN for SID=0 in addition to 1 and 2 (and that's all correct). > > Server1 should have always had a contextCSN value for SID=0 but doesn't. > This problem would not occur if server1 was converted first from > standalone into a single-master. I.e., load syncprov on it, let it scan > the DB and generate the first sid=0 contextCSN, before turning it intu a > MMR node. For documentation purposes -- The issue occurred because I set olcServerID before I loaded syncprov. Re-ordering my script to load syncprov (which then caused a contextCSN value to be correctly generated on Server1 for SID=0) fixed this loop. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: (ITS#7274) delta-syncrepl MMR infinite loop
by hyc＠OpenLDAP.org 29 May '12

29 May '12

quanah(a)zimbra.com wrote: > --On Wednesday, May 16, 2012 10:27 PM +0000 quanah(a)OpenLDAP.org wrote: > >> Full_Name: Quanah Gibson-Mount >> Version: 2.4.31 >> OS: Linux 2.6 >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (75.108.184.39) > > We can see that the script turning it into a master ran here: > > Thu May 17 16:05:46 2012 *** Running as zimbra user: > /opt/zimbra/libexec/zmldapenable-mmr -s 2 -m > ldap://zre-ldap002.eng.vmware.com:389/ > > so 16:05:46 > > In the accesslog, we see: > > dn: cn=accesslog > objectClass: auditContainer > cn: accesslog > structuralObjectClass: auditContainer > contextCSN: 20120517225152.913667Z#000000#000#000000 > contextCSN: 20120517230823.615364Z#000000#001#000000 > contextCSN: 20120517230546.409118Z#000000#002#000000 > > dn: reqStart=20120517230546.000019Z,cn=accesslog > objectClass: auditAdd > structuralObjectClass: auditAdd > reqStart: 20120517230546.000019Z > reqEnd: 20120517230546.000020Z > reqType: add > reqSession: 100 > reqAuthzID: cn=config > reqDN: cn=zimbra > reqResult: 0 > reqMod: objectClass:+ organizationalRole > reqMod: description:+ Zimbra Systems Application Data > reqMod: cn:+ zimbra > reqMod: structuralObjectClass:+ organizationalRole > reqMod: entryUUID:+ 40f78bea-34be-1031-8a5d-e1466f667e19 > reqMod: creatorsName:+ cn=config > reqMod: createTimestamp:+ 20120517224907Z > reqMod: entryCSN:+ 20120517224907.221672Z#000000#000#000000 > reqMod: modifiersName:+ cn=config > reqMod: modifyTimestamp:+ 20120517224907Z > reqEntryUUID: 40f78bea-34be-1031-8a5d-e1466f667e19 > entryUUID: 948929e2-34c0-1031-9a14-c93bd10ff0f2 > creatorsName: cn=config > createTimestamp: 20120517224907Z > entryCSN: 20120517224907.221672Z#000000#000#000000 > modifiersName: cn=config > modifyTimestamp: 20120517224907Z > > so it is tracking "000" as a third master? This seems to be why the > original server (which was 000 before being promoted to 001) replicates > these entries back to itself. The loop is caused by the patch to ITS#6872, which considers a consumer out of date whenever the number of CSNs in its sync request doesn't match the number known to the provider. The data here is basically invalid: server1 has entries generated using SID=0 but it has no contextCSN value with SID=0. It only sent SID=1 and SID=2 in its sync request. Server2, which just updated from server1, has a contextCSN for SID=0 in addition to 1 and 2 (and that's all correct). Server1 should have always had a contextCSN value for SID=0 but doesn't. This problem would not occur if server1 was converted first from standalone into a single-master. I.e., load syncprov on it, let it scan the DB and generate the first sid=0 contextCSN, before turning it intu a MMR node. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7280) accesslog write to subentry of log database
by quanah＠zimbra.com 29 May '12

29 May '12

--On Sunday, May 27, 2012 11:27 PM +0000 openldap(a)stormcloud9.net wrote: > This is nonconstructive. I know not to do that, I'm the one who > filed the ITS...<br> > You don't address the feature request at all, only that it > currently doesn't work which is why the request was filed in the > first place. Is logging multiple accesslog overlays to the same > backend database unfeasible?<br> No. -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: (ITS#7282) Invalid Regex in Documentation
by quanah＠zimbra.com 29 May '12

29 May '12

--On Tuesday, May 29, 2012 5:04 PM +0000 alacer.cogitatus(a)gmail.com wrote: > Full_Name: Kyle Smith > Version: 2.4.30 > OS: Ubuntu Server 10.04.02LTS > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (192.245.87.13) > > > In section 8.2.5 of the OpenLDAP Documentation (Access Control Examples), > the example regex to allow an IP address is given by: > > by peername.regex=IP:10\..+ read > > I think it should read: > > by peername.regex=IP=10\..+ read > > Thanks, fixed. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2012