Re: (ITS#7276) [PATCH] MozNSS: allow CA certdb together with PEM CA bundle file
by hyc@symas.com
jvcelak(a)redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: master
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/jvcelak-20120518-update-nss-allow-ca-cert...
> Submission from: (NULL) (209.132.186.34)
>
>
> With Mozilla NSS crypto backend:
>
> Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate
> database and TLS_CACERT was set to a PEM bundle file with CA
> certificates, the PEM file content was not loaded.
>
> With this patch and the same settings, OpenLDAP can verify certificates
> which are signed by CAs stored both in certdb and PEM bundle file.
Thanks for the patch, added to master.
>
> This problem was found with FreeIPA which is setting CA PEM bundle using
> ldap_set_option(&ld, LDAP_OPT_X_TLS_CACERTFILE, ...), while TLS_CACERTDIR with
> certdb is set in system ldap.conf file.
>
>
> The attached file is derived from OpenLDAP Software. All of the modifications to
> OpenLDAP Software represented in the following patch(es) were developed by Red
> Hat. Red Hat has not assigned rights and/or interest in this work to any party.
> I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under
> the following terms.
>
> Red Hat hereby place the following modifications to OpenLDAP Software (and only
> these modifications) into the public domain. Hence, these modifications may be
> freely used and/or redistributed for any purpose with or without attribution
> and/or other notice.
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 4 months
Re: (ITS#7271) Don't clobber SASL_NOCANON in clients/tools/common.c
by hyc@symas.com
wking(a)tremily.us wrote:
> Full_Name: W. Trevor King
> Version: git commit 22bf5188
> OS: Gentoo
> URL: http://blog.tremily.us/posts/LDAP/tool-nocanon.patch
> Submission from: (NULL) (72.68.88.202)
>
>
> The ldap.conf SASL_NOCANON configuration option (or LDAPSASL_NOCANON environment
> variable) should set the default behaviour for OpenLDAP tools such as
> ldapwhoami. This configuration option should allow users to use the tools
> without having to use the matching command line option (-N). Unfortunately, the
> current code sets the option to true/false after only querying the command line
> option.
>
> I'm linking to a patch that looks at the current value of the option first, and
> if it's true, skips processing the command line option (which would either be a
> redundant -N keeping the option true, or an absence of -N which implies the user
> wants to use the configured value (true)).
>
> Another approach would be to set the initial value of nocanon to UNINITIALIZED
> (-1?). Command line arguments could set nocanon to 1 (true, -N) or false (0,
> --canon?). Then we would only call ldap_set_option if nocanon was not
> UNINITIALIZED.
>
> I can work up a patch using this second approach if people prefer. If so, let
> me know if you want me to define UNINITIALIZED, or to just use -1.
>
> I didn't check, but I would not be surprised if this same clobbering occurred
> for other command line options.
The only other boolean command line option is referrals, which is deprecated
and has been undocumented for years. Not worth bothering over.
Ideally the command line option should have been able to set this explicitly
to both true and false, to allow complete control over the option. But I'm not
particularly concerned either way. Since the option currently can only be set
to true, it would be sufficient to just check for nocanon != 0 before calling
ldap_set_option.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 4 months
Re: (ITS#7270) Double free in ldap_int_initialize
by hyc@symas.com
fdeweerdt(a)cloudmark.com wrote:
> Full_Name: Frederik Deweerdt
> Version: current HEAD
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/Frederik-Deweerdt-120511.patch
> Submission from: (NULL) (72.5.239.5)
>
>
> [PATCH] Protect accesses to ldap_int_hostname with a mutex
Thanks for the patch, now in git master.
>
>
> Not protecting the accesses to ldap_int_hostname would lead to a double
> free with the following trace:
>
> #7 0x0000003aca031d10 in abort () from /lib64/libc.so.6
> No symbol table info available.
> #8 0x0000003aca06a99b in __libc_message () from /lib64/libc.so.6
> No symbol table info available.
> #9 0x0000003aca0729d6 in free () from /lib64/libc.so.6
> No symbol table info available.
> #10 0x000000328902333e in ldap_int_initialize ()
> from /usr/lib64/libldap-2.3.so.0
> No symbol table info available.
> #11 0x000000328900c426 in ldap_create () from /usr/lib64/libldap-2.3.so.0
> No symbol table info available.
> #12 0x000000328900ca0d in ldap_init () from /usr/lib64/libldap-2.3.so.0
> No symbol table info available.
>
> The race in init.c:ldap_int_initialize is as follows:
> 646 char *name = ldap_int_hostname;
> 647
> 648 ldap_int_hostname = ldap_pvt_get_fqdn( name );
> 649
> 650 if ( name != NULL && name != ldap_int_hostname ) {
> 651 LDAP_FREE( name );
> 652 }
>
> - T1 and T2 enter ldap_int_initialize, both assign to name the current
> address of ldap_int_hostname, say 0x1234.
> - T1 and T2 call ldap_pvt_get_fqdn(), updating ldap_int_hostname to 0x1235
> and 0x1236 respectively.
> - T1 and T2 reach the name != ldap_int_hostname check. In both threads
> it's false, because 0x1235 != 0x1234 and 0x1236 != 0x1234, respectively.
> - T1 and T2 both try to free 0x1234 => Crash.
> ---
> libraries/libldap/init.c | 2 ++
> libraries/libldap/ldap-int.h | 1 +
> libraries/libldap/util-int.c | 3 +++
> 3 files changed, 6 insertions(+), 0 deletions(-)
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 4 months
Re: (ITS#7283) Usage of private headers make building out-of-tree extensions painful
by hyc@symas.com
guillomovitch(a)gmail.com wrote:
> Full_Name: Guillaume Rousse
> Version: any
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (128.93.30.10)
>
>
> In order to build out of tree extensions, such as ppolicy external password
> checker (http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password),
> you need additional slapd headers, portable.h and slapd.h (and a bunch of
> additional dependant ones), which are currently not installed, and thus
> considered as private.
>
> A request to ship those headers was refused by fedora package maintainer,
> precisely for this reason:
> https://bugzilla.redhat.com/show_bug.cgi?id=812860
They gave the right answer. The slap.h header is private and subject to change
without notice.
> The situation ought to be clarified, and some kind of solution found, as
> maintaining a custom slapd build just to be able to benefit from this
> extensability is largely overkill.
Probably this should be discussed on the openldap-devel mailing list. There's
no straightforward solution to this request.
In the case of the LTB password checker module, there's barely any need for
slap.h; the module could easily be tweaked to avoid all references to it.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 4 months
Re: (ITS#7279) Apparently mdb "approx" index generation failure for mdb_add for syncrepl consumer
by hyc@symas.com
brandon.hume(a)dal.ca wrote:
> Full_Name: Brandon Hume
> Version: 2.4.31
> OS: RHEL EL6.1, kernel 2.6.32-131.12.1.el6.x86_64
> URL: http://den.bofh.ca/~hume/mdb_approx_indexfail.tar
> Submission from: (NULL) (2001:410:a010:2:223:aeff:fe74:400e)
>
>
> An empty syncrepl consumer using mdb backend will suffer index generator
> failures when populating its database from the provider and using "approx" index
> options. The failure manifests in syslog (with olcLogLevel=Stats) as the
> following:
>
> May 24 11:50:41 node2 slapd[25282]: null_callback : error code 0x50
> May 24 11:50:41 node2 slapd[25282]: syncrepl_entry: rid=001 be_add $DN failed
> (80)
>
> These problems don't seem to occur when populating the provider using slapadd.
> The problem only seems to manifest when the new entry arrives via syncrepl.
> Playing with gdb, it seems like indexer() ends up being called with { bv_len =
> 0, bv_val = "" } when indexing "givenName".
Thanks for the report, fixed now in git master. slapadd also failed for me, so
it wasn't quite the same behavior you reported.
>
> Could be because "givenName" on the troublesome entry is only one character?
>
> A minimalist DIT and config are provided in the tarfile in the link. The two
> nodes are running in mirrormode, and I'm not sure if that makes a difference.
The config is invalid; you have used the same RIDs multiple times.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 4 months
Re: (ITS#7274) delta-syncrepl MMR infinite loop
by quanah@zimbra.com
--On Tuesday, May 29, 2012 6:25 PM -0700 Howard Chu <hyc(a)openldap.org>
wrote:
>> so it is tracking "000" as a third master? This seems to be why the
>> original server (which was 000 before being promoted to 001) replicates
>> these entries back to itself.
>
> The loop is caused by the patch to ITS#6872, which considers a consumer
> out of date whenever the number of CSNs in its sync request doesn't match
> the number known to the provider.
>
> The data here is basically invalid: server1 has entries generated using
> SID=0 but it has no contextCSN value with SID=0. It only sent SID=1 and
> SID=2 in its sync request. Server2, which just updated from server1, has
> a contextCSN for SID=0 in addition to 1 and 2 (and that's all correct).
>
> Server1 should have always had a contextCSN value for SID=0 but doesn't.
> This problem would not occur if server1 was converted first from
> standalone into a single-master. I.e., load syncprov on it, let it scan
> the DB and generate the first sid=0 contextCSN, before turning it intu a
> MMR node.
For documentation purposes -- The issue occurred because I set olcServerID
before I loaded syncprov. Re-ordering my script to load syncprov (which
then caused a contextCSN value to be correctly generated on Server1 for
SID=0) fixed this loop.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11 years, 4 months
Re: (ITS#7274) delta-syncrepl MMR infinite loop
by hyc@OpenLDAP.org
quanah(a)zimbra.com wrote:
> --On Wednesday, May 16, 2012 10:27 PM +0000 quanah(a)OpenLDAP.org wrote:
>
>> Full_Name: Quanah Gibson-Mount
>> Version: 2.4.31
>> OS: Linux 2.6
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (75.108.184.39)
>
> We can see that the script turning it into a master ran here:
>
> Thu May 17 16:05:46 2012 *** Running as zimbra user:
> /opt/zimbra/libexec/zmldapenable-mmr -s 2 -m
> ldap://zre-ldap002.eng.vmware.com:389/
>
> so 16:05:46
>
> In the accesslog, we see:
>
> dn: cn=accesslog
> objectClass: auditContainer
> cn: accesslog
> structuralObjectClass: auditContainer
> contextCSN: 20120517225152.913667Z#000000#000#000000
> contextCSN: 20120517230823.615364Z#000000#001#000000
> contextCSN: 20120517230546.409118Z#000000#002#000000
>
> dn: reqStart=20120517230546.000019Z,cn=accesslog
> objectClass: auditAdd
> structuralObjectClass: auditAdd
> reqStart: 20120517230546.000019Z
> reqEnd: 20120517230546.000020Z
> reqType: add
> reqSession: 100
> reqAuthzID: cn=config
> reqDN: cn=zimbra
> reqResult: 0
> reqMod: objectClass:+ organizationalRole
> reqMod: description:+ Zimbra Systems Application Data
> reqMod: cn:+ zimbra
> reqMod: structuralObjectClass:+ organizationalRole
> reqMod: entryUUID:+ 40f78bea-34be-1031-8a5d-e1466f667e19
> reqMod: creatorsName:+ cn=config
> reqMod: createTimestamp:+ 20120517224907Z
> reqMod: entryCSN:+ 20120517224907.221672Z#000000#000#000000
> reqMod: modifiersName:+ cn=config
> reqMod: modifyTimestamp:+ 20120517224907Z
> reqEntryUUID: 40f78bea-34be-1031-8a5d-e1466f667e19
> entryUUID: 948929e2-34c0-1031-9a14-c93bd10ff0f2
> creatorsName: cn=config
> createTimestamp: 20120517224907Z
> entryCSN: 20120517224907.221672Z#000000#000#000000
> modifiersName: cn=config
> modifyTimestamp: 20120517224907Z
>
> so it is tracking "000" as a third master? This seems to be why the
> original server (which was 000 before being promoted to 001) replicates
> these entries back to itself.
The loop is caused by the patch to ITS#6872, which considers a consumer out of
date whenever the number of CSNs in its sync request doesn't match the number
known to the provider.
The data here is basically invalid: server1 has entries generated using SID=0
but it has no contextCSN value with SID=0. It only sent SID=1 and SID=2 in its
sync request. Server2, which just updated from server1, has a contextCSN for
SID=0 in addition to 1 and 2 (and that's all correct).
Server1 should have always had a contextCSN value for SID=0 but doesn't. This
problem would not occur if server1 was converted first from standalone into a
single-master. I.e., load syncprov on it, let it scan the DB and generate the
first sid=0 contextCSN, before turning it intu a MMR node.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 4 months
Re: (ITS#7280) accesslog write to subentry of log database
by quanah@zimbra.com
--On Sunday, May 27, 2012 11:27 PM +0000 openldap(a)stormcloud9.net wrote:
> This is nonconstructive. I know not to do that, I'm the one who
> filed the ITS...<br>
> You don't address the feature request at all, only that it
> currently doesn't work which is why the request was filed in the
> first place. Is logging multiple accesslog overlays to the same
> backend database unfeasible?<br>
No.
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11 years, 4 months
Re: (ITS#7282) Invalid Regex in Documentation
by quanah@zimbra.com
--On Tuesday, May 29, 2012 5:04 PM +0000 alacer.cogitatus(a)gmail.com wrote:
> Full_Name: Kyle Smith
> Version: 2.4.30
> OS: Ubuntu Server 10.04.02LTS
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (192.245.87.13)
>
>
> In section 8.2.5 of the OpenLDAP Documentation (Access Control Examples),
> the example regex to allow an IP address is given by:
>
> by peername.regex=IP:10\..+ read
>
> I think it should read:
>
> by peername.regex=IP=10\..+ read
>
>
Thanks, fixed.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11 years, 4 months
