(ITS#7362) back-mdb: slapadd -q fails
by quanah@OpenLDAP.org
Full_Name: Quanah Gibson-Mount
Version: 2.4.32 + ITS7356
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (74.196.25.250)
slapadd fails with:
5035099b mdb_db_open: database "" cannot be opened, err 12. Restore from backup!
5035099b backend_startup_one (type=mdb, suffix=""): bi_db_open failed! (12)
slap_startup failed
10 years, 7 months
Re: (ITS#7359) [PATCH] MozNSS: prefer unlocked slot when getting private key
by jvcelak@redhat.com
> >> 1) the recent patches do not adhere to the existing whitespace
> >> conventions.
> >> Please fix this.
> >
> > Sorry for that. Looks like you already committed the patch. I will send
> > you
> > a patch fixing just the whitespaces in my recent changes.
>
> Thanks.
The patch is uploaded. I have touched only lines last modified by me.
ftp://ftp.openldap.org/incoming/jvcelak-20120822-moznss-fix-my-coding-standard.patch
The attached file is derived from OpenLDAP Software. All of the modifications
to OpenLDAP Software represented in the following patch(es) were developed by
Red Hat. Red Hat has not assigned rights and/or interest in this work to any
party. I, Jan Vcelak am authorized by Red Hat, my employer, to release this
work under the following terms.
Red Hat hereby places the following modifications to OpenLDAP Software (and
only these modifications) into the public domain. Hence, these modifications
may be freely used and/or redistributed for any purpose with or without
attribution and/or other notice.
10 years, 7 months
Re: (ITS#7358) Patch to fix Visual Studio build broken by 2.4.32
by mbooth@apache.org
On 21 August 2012 23:17, Howard Chu <hyc(a)symas.com> wrote:
> mbooth(a)apache.org wrote:
>> Full_Name: Mat Booth
>> Version: 2.4.32
>> OS: Windows XP
>> URL: http://people.apache.org/~mbooth/0001-Fix-build-error-syntax-error-missin...
>> Submission from: (NULL) (77.86.30.139)
>>
>>
>> The provided patch fixes a build problem for Visual Studio 2005 that was
>> introduced with OpenLDAP 2.4.32.
>
> Thanks for the report. A different fix is now in git master.
>
>> * libraries/libldap/init.c
>> Use C89-style variable declarations because Visual C does not support C99-style
>> declarations. Avoids a "syntax error : missing ; before type" compile-time error
>> with Microsoft compilers.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
Thanks for committing a better fix -- I wasn't sure if the
LDAP_MUTEX_* macros needed to be in that scope for a reason I couldn't
discern. :-)
Mat
10 years, 7 months
Re: (ITS#7359) [PATCH] MozNSS: prefer unlocked slot when getting private key
by hyc@symas.com
Jan Včelák wrote:
> On Tuesday 21 of August 2012 13:38:41, Howard Chu wrote:
>> The quality of this code seems to be getting progressively worse. It seems
>> I've been accepting the last several patches without giving feedback though.
>
> So thank you for feedback on this patch.
>
>> 1) the recent patches do not adhere to the existing whitespace conventions.
>> Please fix this.
>
> Sorry for that. Looks like you already committed the patch. I will send you
> a patch fixing just the whitespaces in my recent changes.
Thanks.
>> 2) the code in this patch is unnecessarily clumsy:
>
> It's a matter of opinion. In general, I'd rather see fewer levels of indentation.
> That's why I used this construct. But right, you are the maintainer. This code
> is too short to say that it is more readable, and the code produced by the
> compiler will be the same.
Assuming how the compiler behaves is unsafe and nonportable. Even if you're
only working on a single platform (which we are not) the compiler behavior can
change drastically depending on optimization flags. During debugging you tend
to need to compile without optimization, to be able to see clearly what's
going on. It is best practice to write code that doesn't rely on the optimizer
to kill redundancies, to minimize the difference between debug versions and
deployed/optimized versions.
These are facts, not opinions.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
10 years, 7 months
Re: (ITS#7359) [PATCH] MozNSS: prefer unlocked slot when getting private key
by jvcelak@redhat.com
On Tuesday 21 of August 2012 13:38:41, Howard Chu wrote:
> The quality of this code seems to be getting progressively worse. It seems
> I've been accepting the last several patches without giving feedback though.
So thank you for feedback on this patch.
> 1) the recent patches do not adhere to the existing whitespace conventions.
> Please fix this.
Sorry for that. Looks like you already committed the patch. I will send you
a patch fixing just the whitespaces in my recent changes.
> 2) the code in this patch is unnecessarily clumsy:
It's a matter of opinion. In general, I'd rather see fewer levels of indentation.
That's why I used this construct. But right, you are the maintainer. This code
is too short to say that it is more readable, and the code produced by the
compiler will be the same.
Jan
10 years, 7 months
RE: (ITS#7357) Pass-through radius auth. with RFC2865
by jet@transniaga.co.th
Howard Chu wrote:
>
> jet(a)transniaga.co.th wrote:
> > Full_Name: Jetasik Anantakunupakorn
> > Version: 2.4.32
> > OS: FreeBSD 9.0-RELEASE amd64
> > URL:
> > http://www.openldap.org/lists/openldap-technical/201208/msg00172.html
> > Submission from: (NULL) (58.11.65.20)
> >
> >
> > Pass-through radius authentication in contrib's passwd
> > module (radius.c) does not include either a NAS-IP or a NAS-Identifier;
> > according to radius RFC 2865, one of these attributes is mandatory in the
> > access request.
> >
> > The thing is that the previous version of the Radius RFC standard (RFC
> > 2138) specified that the access request "SHOULD" contain either a
> > NAS-IP or a NAS-Identifier, but the current version uses "MUST" instead.
> >
> A patch for this is now in git master, please test.
>
Awesome! Thanks a lot.
Properly tested with no error.
--
JET JETASIK
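An added example (not code from the ITS, from contrib's radius.c, or from the git master patch) that encodes an Access-Request per RFC 2865 and checks it against the section 4.1 MUST rules the report cites; it also covers the User-Password/CHAP-Password/State rule from the same section, which the report does not mention. The authenticator, user name and hidden-password bytes are constructed placeholders, and NAS-Identifier is used here only as one of the two acceptable attributes, not as a claim about what the committed patch adds.

```python
import struct

ACCESS_REQUEST = 1  # RFC 2865 packet code; the rest are attribute type numbers
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
NAS_IP_ADDRESS, STATE, NAS_IDENTIFIER = 4, 24, 32
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

def build_access_request(identifier, authenticator, attrs):
    """Encode an Access-Request: header, then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + authenticator + body

def parse_packet(packet):
    """Return (code, [(type, value), ...]); malformed lengths raise instead of being guessed."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0  # 0 fails the check below
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def access_request_problems(packet):
    """List the RFC 2865 section 4.1 MUST rules this packet violates; empty means compliant."""
    code, attrs = parse_packet(packet)
    types = [t for t, _ in attrs]
    problems = []
    if code != ACCESS_REQUEST:
        problems.append("not an Access-Request (code %d)" % code)
    if NAS_IP_ADDRESS not in types and NAS_IDENTIFIER not in types:
        problems.append("missing NAS-IP-Address (4) or NAS-Identifier (32)")
    if not any(t in types for t in (USER_PASSWORD, CHAP_PASSWORD, STATE)):
        problems.append("missing User-Password, CHAP-Password or State")
    if USER_PASSWORD in types and CHAP_PASSWORD in types:
        problems.append("both User-Password and CHAP-Password present")
    return problems

# Constructed samples: authenticator and hidden-password bytes are placeholders, not real values.
AUTHENTICATOR = bytes(range(16))
BASE_ATTRS = [(USER_NAME, b"alice"), (USER_PASSWORD, b"\x00" * 16)]
PACKET_WITHOUT_NAS = build_access_request(7, AUTHENTICATOR, BASE_ATTRS)  # the shape the report describes
PACKET_WITH_NAS = build_access_request(7, AUTHENTICATOR, BASE_ATTRS + [(NAS_IDENTIFIER, b"slapd")])
```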
10 years, 7 months
Re: (ITS#7359) [PATCH] MozNSS: prefer unlocked slot when getting private key
by hyc@symas.com
jvcelak(a)redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: git master
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/jvcelak-20120820-nss-prefer-unlocked-slot...
> Submission from: (NULL) (94.113.220.43)
>
>
> With the last MozNSS patches for OpenLDAP, the library explicitly opens the
> certificate database when retrieving the certificates, even if the database is
> already opened. (Required for safe certificate lookup from a nickname.) This
> might also require a re-authentication to a slot, which holds the private key.
>
> Some applications might expect that the slot with the private key is already unlocked
> before passing control to libldap. This got broken with the recent changes.
The quality of this code seems to be getting progressively worse. It seems
I've been accepting the last several patches without giving feedback though.
1) the recent patches do not adhere to the existing whitespace conventions.
Please fix this.
2) the code in this patch is unnecessarily clumsy:
+static SECKEYPrivateKey *
+tlsm_find_unlocked_key(tlsm_ctx *ctx, void *pin_arg)
+{
+ SECKEYPrivateKey *result = NULL;
+
+ PK11SlotList *slots = PK11_GetAllSlotsForCert(ctx->tc_certificate, NULL);
+ if (!slots) {
+ PRErrorCode errcode = PR_GetError();
+ Debug(LDAP_DEBUG_ANY,
+ "TLS: cannot get all slots for certificate '%s' (error %d: %s)",
+ tlsm_ctx_subject_name(ctx), errcode,
+ PR_ErrorToString(errcode, PR_LANGUAGE_I_DEFAULT));
+ return result;
+ }
+
+ PK11SlotListElement *le;
+ for (le = slots->head; le && !result; le = le->next) {
+ PK11SlotInfo *slot = le->slot;
+ if (!PK11_IsLoggedIn(slot, NULL))
+ continue;
+
+ result = PK11_FindKeyByDERCert(slot, ctx->tc_certificate, pin_arg);
+ }
+
+ PK11_FreeSlotList(slots);
+ return result;
+}
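Review bot: the declaration `PK11SlotListElement *le;` after the `if (!slots) { ... }` block mixes declarations and statements, the C99 construct that ITS#7358 elsewhere on this page reports Visual C rejects in libraries/libldap/init.c; move it up next to `SECKEYPrivateKey *result = NULL;`. Also, when no slot is logged in the function returns NULL with no diagnostic, whereas the `!slots` path logs at LDAP_DEBUG_ANY; a comment on the function stating that a NULL return means "no unlocked slot holds this key" rather than an error would keep callers from treating the two cases the same, and an LDAP_DEBUG_TRACE line there would make that fallback visible when debugging.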
This should just be:
+ for (le = slots->head; le; le = le->next) {
+ PK11SlotInfo *slot = le->slot;
+ if (PK11_IsLoggedIn(slot, NULL)) {
+ result = PK11_FindKeyByDERCert(slot, ctx->tc_certificate,
pin_arg);
+ break;
+ }
+ }
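Review bot: `pin_arg);` on its own line is missing the `+` prefix because the mailer wrapped the `PK11_FindKeyByDERCert(...)` call; anyone applying this suggestion by hand has to rejoin it with the preceding line. With `break` replacing the `!result` loop guard, the `PK11_FreeSlotList(slots);` that follows the loop in the original hunk still runs whether or not a key was found, which is the behaviour to keep.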
> I'm attaching a patch which fixes it. If the certificate (and corresponding key)
> is held in multiple slots, libldap will take the key from an already
> authenticated slot.
>
>
> The attached file is derived from OpenLDAP Software. All of the modifications to
> OpenLDAP Software represented in the following patch(es) were developed by Red
> Hat. Red Hat has not assigned rights and/or interest in this work to any party.
> I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under
> the following terms.
>
> Red Hat hereby places the following modifications to OpenLDAP Software (and only
> these modifications) into the public domain. Hence, these modifications may be
> freely used and/or redistributed for any purpose with or without attribution
> and/or other notice.
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
10 years, 7 months
Re: (ITS#7352) openldap not supporting CAMELLIA ciphers
by hyc@symas.com
goodgoingswati(a)gmail.com wrote:
> Full_Name: Swati
> Version: 2.4.32
> OS: RHEL5
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (115.113.153.34)
>
>
> openldap is not supporting CAMELLIA based ciphers (both RSA and DSA based).
> I have configured SSL LDAP (LDAPS), and checking the SSL connection to the LDAPS
> server with a CAMELLIA based cipher leads to a failure in the handshake:
Sounds like something is wrong with your config.
openssl s_client -connect localhost:9011 -showcerts -cipher CAMELLIA256-SHA -state -CAfile ~/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:SSLv3 read server hello A
depth=1 C = US, ST = California, L = Los Angeles, O = Symas Corp., CN = Symas
Keymaster
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Symas Corp., OU = R&D,
CN = violino.symas.net
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=US/ST=California/L=Los Angeles/O=Symas Corp./OU=R&D/CN=violino.symas.net
i:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster
1 s:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster
i:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster
---
Server certificate
subject=/C=US/ST=California/L=Los Angeles/O=Symas
Corp./OU=R&D/CN=violino.symas.net
issuer=/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster
---
Acceptable client certificate CA names
/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster
---
SSL handshake has read 2166 bytes and written 290 bytes
---
New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.1
Cipher : CAMELLIA256-SHA
Session-ID: 430EAC39338B25DF6D1CC63928DB20830BA5A034F13EAF3BE3BED715015D33C1
Session-ID-ctx:
Master-Key:
F38B9781E21339675D80CDC3561B4ED906A15F5A6F5A9D1A9CCFFF9E16B912D270E2E1F44135FA6CA15D5A24DB720F67
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Compression: 1 (zlib compression)
Start Time: 1345578708
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
>
> openssl s_client -connect localhost:636 -showcerts -cipher
> DHE-DSS-CAMELLIA256-SHA -state -CAfile /path_to_cert -cert /path_to_client_cert
> -key /path_to_client_key
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL3 alert read:fatal:handshake failure
> SSL_connect:error in SSLv2/v3 read server hello A
> 47726707455072:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure:s23_clnt.c:741:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 102 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
>
> Handshake is failing with all camellia ciphers.
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
10 years, 7 months