openldap-bugs August 2012

openldap-bugs@openldap.org

29 participants
100 discussions

(ITS#7362) back-mdb: slapadd -q fails
by quanah＠OpenLDAP.org 22 Aug '12

22 Aug '12

Full_Name: Quanah Gibson-Mount Version: 2.4.32 + ITS7356 OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (74.196.25.250) slapadd fails with: 5035099b mdb_db_open: database "" cannot be opened, err 12. Restore from backup! 5035099b backend_startup_one (type=mdb, suffix=""): bi_db_open failed! (12) slap_startup failed

1 0

Re: (ITS#7359) [PATCH] MozNSS: prefer unlocked slot when getting private key
by jvcelak＠redhat.com 22 Aug '12

22 Aug '12

> >> 1) the recent patches do not adhere to the existing whitespace > >> conventions. > >> Please fix this. > > > > Sorry for that. Looks like you already committed the patch. I will send > > you > > a patch fixing just the whitespaces in my recent changes. > > Thanks. The patch is uploaded. I have touched only lines modified by me as a last one. ftp://ftp.openldap.org/incoming/jvcelak-20120822-moznss-fix-my-coding- standard.patch The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat. Red Hat has not assigned rights and/or interest in this work to any party. I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under the following terms. Red Hat hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

1 0

Re: (ITS#7358) Patch to fix Visual Studio build broken by 2.4.32
by mbooth＠apache.org 22 Aug '12

22 Aug '12

On 21 August 2012 23:17, Howard Chu <hyc(a)symas.com> wrote: > mbooth(a)apache.org wrote: >> Full_Name: Mat Booth >> Version: 2.4.32 >> OS: Windows XP >> URL: http://people.apache.org/~mbooth/0001-Fix-build-error-syntax-error-missing-… >> Submission from: (NULL) (77.86.30.139) >> >> >> The provided patch fixes a build problem for Visual Studio 2005 that was >> introduced with OpenLDAP 2.4.32. > > Thanks for the report. A different fix is now in git master. > >> * libraries/libldap/init.c >> Use C89-style variable declarations because Visual C does not support C99-style >> declarations. Avoids a "syntax error : missing ; before type" compile-time error >> with Microsoft compilers. > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ Thanks for committing a better fix -- I wasn't sure if the LDAP_MUTEX_* macros needed to be in that scope for a reason I couldn't discern. :-) Mat

1 0

Re: (ITS#7359) [PATCH] MozNSS: prefer unlocked slot when getting private key
by hyc＠symas.com 22 Aug '12

22 Aug '12

Jan Včelák wrote: > On Tuesday 21 of August 2012 13:38:41, Howard Chu wrote: >> The quality of this code seems to be getting progressively worse. It seems >> I've been accepting the last several patches without giving feedback though. > > So thank you for feedback on this patch. > >> 1) the recent patches do not adhere to the existing whitespace conventions. >> Please fix this. > > Sorry for that. Looks like you already committed the patch. I will send you > a patch fixing just the whitespaces in my recent changes. Thanks. >> 2) the code in this patch is unnecessarily clumsy: > > It's a matter of opinion. In general, I rather see less levels of indentation. > That's why I used this construct. But right, you are the maintainer. This code > is too short to say that it is more readable and the code produced by the > compiler will be the same. Assuming how the compiler behaves is unsafe and nonportable. Even if you're only working on a single platform (which we are not) the compiler behavior can change drastically depending on optimization flags. During debugging you tend to need to compile without optimization, to be able to see clearly what's going on. It is best practice to write code that doesn't rely on the optimizer to kill redundancies, to minimize the difference between debug versions and deployed/optimized versions. These are facts, not opinions. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7359) [PATCH] MozNSS: prefer unlocked slot when getting private key
by jvcelak＠redhat.com 22 Aug '12

22 Aug '12

On Tuesday 21 of August 2012 13:38:41, Howard Chu wrote: > The quality of this code seems to be getting progressively worse. It seems > I've been accepting the last several patches without giving feedback though. So thank you for feedback on this patch. > 1) the recent patches do not adhere to the existing whitespace conventions. > Please fix this. Sorry for that. Looks like you already committed the patch. I will send you a patch fixing just the whitespaces in my recent changes. > 2) the code in this patch is unnecessarily clumsy: It's a matter of opinion. In general, I rather see less levels of indentation. That's why I used this construct. But right, you are the maintainer. This code is too short to say that it is more readable and the code produced by the compiler will be the same. Jan

1 0

RE: (ITS#7357) Pass-through radius auth. with RFC2865
by jet＠transniaga.co.th 21 Aug '12

21 Aug '12

Howard Chu wrote: > > jet(a)transniaga.co.th wrote: > > Full_Name: Jetasik Anantakunupakorn > > Version: 2.4.32 > > OS: FreeBSD 9.0-RELEASE amd64 > > URL: > > http://www.openldap.org/lists/openldap-technical/201208/msg00172.html > > Submission from: (NULL) (58.11.65.20) > > > > > > Pass-through radius authentication in contrib's passwd > > module(radius.c) does not include either a NAS-IP or a NAS-Identifier, > > according to radius RFC 2865 one of these attributes is mandatory in the > access request. > > > > The thing is that the previous version of Radius RFC standard(RFC > > 2138) specified that the access request "SHOULD" contain either a > > NAS-IP or a NAS-Identifier but the current version use "MUST" instead. > > > A patch for this is now in git master, please test. > Awesome!Thanks a lot. Properly tested with no error. -- JET JETASIK

1 0

Re: (ITS#7358) Patch to fix Visual Studio build broken by 2.4.32
by hyc＠symas.com 21 Aug '12

21 Aug '12

mbooth(a)apache.org wrote: > Full_Name: Mat Booth > Version: 2.4.32 > OS: Windows XP > URL: http://people.apache.org/~mbooth/0001-Fix-build-error-syntax-error-missing-… > Submission from: (NULL) (77.86.30.139) > > > The provided patch fixes a build problem for Visual Studio 2005 that was > introduced with OpenLDAP 2.4.32. Thanks for the report. A different fix is now in git master. > * libraries/libldap/init.c > Use C89-style variable declarations because Visual C does not support C99-style > declarations. Avoids a "syntax error : missing ; before type" compile-time error > with Microsoft compilers. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7359) [PATCH] MozNSS: prefer unlocked slot when getting private key
by hyc＠symas.com 21 Aug '12

21 Aug '12

jvcelak(a)redhat.com wrote: > Full_Name: Jan Vcelak > Version: git master > OS: Linux > URL: ftp://ftp.openldap.org/incoming/jvcelak-20120820-nss-prefer-unlocked-slot-p… > Submission from: (NULL) (94.113.220.43) > > > With last MozNSS patches for OpenLDAP, the library explicitly opens the > certificate database when retrieving the certificates, even if the database is > already opened. (Requried for safe certificate lookup from a nickname.) This > might also require a re-authentication to a slot, which holds the private key. > > Some application might expect that the slot with private key is already unlocked > before passing the control to libldap. This got broken with the recent changes. The quality of this code seems to be getting progressively worse. It seems I've been accepting the last several patches without giving feedback though. 1) the recent patches do not adhere to the existing whitespace conventions. Please fix this. 2) the code in this patch is unnecessarily clumsy: +static SECKEYPrivateKey * +tlsm_find_unlocked_key(tlsm_ctx *ctx, void *pin_arg) +{ + SECKEYPrivateKey *result = NULL; + + PK11SlotList *slots = PK11_GetAllSlotsForCert(ctx->tc_certificate, NULL); + if (!slots) { + PRErrorCode errcode = PR_GetError(); + Debug(LDAP_DEBUG_ANY, + "TLS: cannot get all slots for certificate '%s' (error %d: %s)", + tlsm_ctx_subject_name(ctx), errcode, + PR_ErrorToString(errcode, PR_LANGUAGE_I_DEFAULT)); + return result; + } + + PK11SlotListElement *le; + for (le = slots->head; le && !result; le = le->next) { + PK11SlotInfo *slot = le->slot; + if (!PK11_IsLoggedIn(slot, NULL)) + continue; + + result = PK11_FindKeyByDERCert(slot, ctx->tc_certificate, pin_arg); + } + + PK11_FreeSlotList(slots); + return result; +} This should just be: + for (le = slots->head; le; le = le->next) { + PK11SlotInfo *slot = le->slot; + if (PK11_IsLoggedIn(slot, NULL)) { + result = PK11_FindKeyByDERCert(slot, ctx->tc_certificate, pin_arg); + break; + } + } > I'm attaching a patch which fixes it. If the certificate (and corresponding key) > is held in multiple slots, libldap will take the key from an already > authenticated slot. > > > The attached file is derived from OpenLDAP Software. All of the modifications to > OpenLDAP Software represented in the following patch(es) were developed by Red > Hat. Red Hat has not assigned rights and/or interest in this work to any party. > I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under > the following terms. > > Red Hat hereby place the following modifications to OpenLDAP Software (and only > these modifications) into the public domain. Hence, these modifications may be > freely used and/or redistributed for any purpose with or without attribution > and/or other notice. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7357) Pass-through radius auth. with RFC2865
by hyc＠symas.com 21 Aug '12

21 Aug '12

jet(a)transniaga.co.th wrote: > Full_Name: Jetasik Anantakunupakorn > Version: 2.4.32 > OS: FreeBSD 9.0-RELEASE amd64 > URL: http://www.openldap.org/lists/openldap-technical/201208/msg00172.html > Submission from: (NULL) (58.11.65.20) > > > Pass-through radius authentication in contrib's passwd module(radius.c) does not > include either a NAS-IP or a NAS-Identifier, according to radius RFC 2865 one of > these attributes is mandatory in the access request. > > The thing is that the previous version of Radius RFC standard(RFC 2138) > specified that the access request "SHOULD" contain either a NAS-IP or a > NAS-Identifier but the current version use "MUST" instead. > A patch for this is now in git master, please test. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7352) openldap not supporting CAMELLIA ciphers
by hyc＠symas.com 21 Aug '12

21 Aug '12

goodgoingswati(a)gmail.com wrote: > Full_Name: Swati > Version: 2.4.32 > OS: RHEL5 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (115.113.153.34) > > > openldap is not supporting CAMELLIA based ciphers(both RSA and DSA based) > I have configured SSL LDAP(LDAPS) and on checking SSL connection with LDAPS > server with CAMELLIA based cipher leads to failure in handshake: Sounds like something is wrong with your config. openssl s_client -connect localhost:9011 -showcerts -cipher CAMELLIA256-SHA -state -CAfile ~/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:unknown state SSL_connect:SSLv3 read server hello A depth=1 C = US, ST = California, L = Los Angeles, O = Symas Corp., CN = Symas Keymaster verify return:1 depth=0 C = US, ST = California, L = Los Angeles, O = Symas Corp., OU = R&D, CN = violino.symas.net verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read server session ticket A SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=US/ST=California/L=Los Angeles/O=Symas Corp./OU=R&D/CN=violino.symas.net i:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster -----BEGIN CERTIFICATE----- MIIDeDCCAuGgAwIBAgIBBDANBgkqhkiG9w0BAQQFADBoMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2VsZXMxFDASBgNV BAoTC1N5bWFzIENvcnAuMRgwFgYDVQQDEw9TeW1hcyBLZXltYXN0ZXIwHhcNMTAw NTA4MTMxMTQwWhcNMTUwNTA3MTMxMTQwWjB4MQswCQYDVQQGEwJVUzETMBEGA1UE CBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2VsZXMxFDASBgNVBAoTC1N5 bWFzIENvcnAuMQwwCgYDVQQLFANSJkQxGjAYBgNVBAMTEXZpb2xpbm8uc3ltYXMu bmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+UzX69iQfiHqFsfmbft8r bbJ1B0khAMIyzbvAq+0TTXBl1z3vh/0zewfa2eXx75A+4j85VhJbmunKQtpGNZoU j78qmlZyyadr1JDV/IP1VdkvimAY/ms/AIN7VXKbo/dMvvE2/Wlz1k6uyARHKRO0 HuDSXR+/y8wxmbssonIaoQIDAQABo4IBIDCCARwwCQYDVR0TBAIwADARBglghkgB hvhCAQEEBAMCBkAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl cnRpZmljYXRlMB0GA1UdDgQWBBRiK30dAs2UKMa0nqGuZ/ZOvHy/SzCBmgYDVR0j BIGSMIGPgBR8WtuSd1849yXVcEj7z1a5fdXhAKFspGowaDELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAcTC0xvcyBBbmdlbGVzMRQwEgYD VQQKEwtTeW1hcyBDb3JwLjEYMBYGA1UEAxMPU3ltYXMgS2V5bWFzdGVyggkAlRwa GgnLxpUwEgYDVR0RBAswCYIHdmlvbGlubzANBgkqhkiG9w0BAQQFAAOBgQBsQgtW fd3sjH3kou2QVI0YVh13mUdgLcFvyfI615cvhomttIfrHny2WYb9ktp7yBjsSni5 x6J0s0Xi0NnBgdfh0LNamQL06UXzEPhBwf90n+LyUq+F+9jbHSkQWlAfg+vaBWCs NpPOOvgFPpKkzMouLrc4hVDm9yvPnCh1jV5CKQ== -----END CERTIFICATE----- 1 s:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster i:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster -----BEGIN CERTIFICATE----- MIIDHDCCAoWgAwIBAgIJAJUcGhoJy8aVMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtMb3MgQW5nZWxl czEUMBIGA1UEChMLU3ltYXMgQ29ycC4xGDAWBgNVBAMTD1N5bWFzIEtleW1hc3Rl cjAeFw0xMDAyMjMwMTE0MTVaFw0yMDAyMjEwMTE0MTVaMGgxCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtMb3MgQW5nZWxlczEUMBIG A1UEChMLU3ltYXMgQ29ycC4xGDAWBgNVBAMTD1N5bWFzIEtleW1hc3RlcjCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtdAxWHaiQVRn4ulkvQ/kWdeQRTlmDp0I 6ROd8UTdZWgG8pdaaSjic3oRrzXGu3yci7oCTeJj//wL6QuAiP3RAd34nvAF3G+J 4fp4AUCYhT7kM1jdGe94omQZeEjVwgr33ugvUYEbVU/fPIn/T3bnmKLifrNcPF30 UimTPNCoTvMCAwEAAaOBzTCByjAdBgNVHQ4EFgQUfFrbkndfOPcl1XBI+89WuX3V 4QAwgZoGA1UdIwSBkjCBj4AUfFrbkndfOPcl1XBI+89WuX3V4QChbKRqMGgxCzAJ BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtMb3MgQW5n ZWxlczEUMBIGA1UEChMLU3ltYXMgQ29ycC4xGDAWBgNVBAMTD1N5bWFzIEtleW1h c3RlcoIJAJUcGhoJy8aVMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA MtI45poCh3L8xk0g56WGxroIPMGPZvrHDo1XIj6ALxlhpSLIcTDPFbidJ0tD9aL3 7aNlCZQ7DeJx18BhIUUgSYZj/Sfb0oXZw9Vj59c1AA7UFGnvyjKuJx4G8sIYTFFx rYXCmXraOoB9x0+DcD/7I9ed5Ogid/tZklF9ORPjUgs= -----END CERTIFICATE----- --- Server certificate subject=/C=US/ST=California/L=Los Angeles/O=Symas Corp./OU=R&D/CN=violino.symas.net issuer=/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster --- Acceptable client certificate CA names /C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster --- SSL handshake has read 2166 bytes and written 290 bytes --- New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: zlib compression Expansion: zlib compression SSL-Session: Protocol : TLSv1.1 Cipher : CAMELLIA256-SHA Session-ID: 430EAC39338B25DF6D1CC63928DB20830BA5A034F13EAF3BE3BED715015D33C1 Session-ID-ctx: Master-Key: F38B9781E21339675D80CDC3561B4ED906A15F5A6F5A9D1A9CCFFF9E16B912D270E2E1F44135FA6CA15D5A24DB720F67 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - f0 95 1a 3f 67 bf cd 43-d7 dc 70 ce a3 19 5a 4e ...?g..C..p...ZN 0010 - c7 2b 4e cc d5 48 df a9-7f d1 a7 b5 53 e0 35 28 .+N..H......S.5( 0020 - fa 7f 9c 70 37 b7 65 01-b6 27 bf 88 d6 dc 8a 36 ...p7.e..'.....6 0030 - 95 a8 2f fb 22 a6 26 3e-07 d3 9b 94 88 b7 99 de ../.".&>........ 0040 - 78 9b ee cb 52 51 5a 50-0a 53 a2 b8 05 f6 63 de x...RQZP.S....c. 0050 - c4 8e e1 2e 03 1c 5d a5-6a e2 6d 05 8e 62 aa 21 ......].j.m..b.! 0060 - f8 0e d0 5e 9f d4 89 3e-85 db b9 8f ed 04 9e 39 ...^...>.......9 0070 - a1 3e b1 44 a2 c3 48 5c-f8 d2 ff 5f 45 ad a0 d6 .>.D..H\..._E... 0080 - d7 c3 3b 4a bd 6e c6 09-9d 08 74 d9 1c c5 6b 1b ..;J.n....t...k. 0090 - b1 f3 eb dc 26 ac 10 31-66 d3 fb bb 6b 9e 4b 8d ....&..1f...k.K. 00a0 - df ef 17 69 97 7b 56 0d-a7 32 bf 6c c6 49 fa b5 ...i.{V..2.l.I.. Compression: 1 (zlib compression) Start Time: 1345578708 Timeout : 300 (sec) Verify return code: 0 (ok) --- > > openssl s_client -connect localhost:636 -showcerts -cipher > DHE-DSS-CAMELLIA256-SHA -state -CAfile /path_to_cert -cert /path_to_client_cert > -key /path_to_client_key > CONNECTED(00000003) > SSL_connect:before/connect initialization > SSL_connect:SSLv2/v3 write client hello A > SSL3 alert read:fatal:handshake failure > SSL_connect:error in SSLv2/v3 read server hello A > 47726707455072:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert > handshake failure:s23_clnt.c:741: > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 7 bytes and written 102 bytes > --- > New, (NONE), Cipher is (NONE) > Secure Renegotiation IS NOT supported > Compression: NONE > Expansion: NONE > > Handshake is failing with all camellia ciphers. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs August 2012