openldap-bugs August 2012

openldap-bugs@openldap.org

29 participants
100 discussions

Re: (ITS#7355) slapd reproducible segfaults deleting memberof from cn=config
by hyc＠symas.com 16 Aug '12

16 Aug '12

daniel(a)pluta.biz wrote: > Full_Name: Daniel Pluta > Version: HEAD > OS: Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (84.167.95.124) > > > Steps to reproduce: > > 0.) slapd version: HEAD (git master pulled today) cn=config does not support deletes. You should not be mucking with the (still incomplete) SLAP_CONFIG_DELETE code unless you're an actual C programmer working on completing the code. Closing this ITS, it's pointless to even mention this stuff until ITS #7254, #7256, #7257, and #7212 are addressed, and none of them are targeted for OpenLDAP 2.4. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7355) slapd reproducible segfaults deleting memberof from cn=config
by daniel＠pluta.biz 16 Aug '12

16 Aug '12

Full_Name: Daniel Pluta Version: HEAD OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (84.167.95.124) Steps to reproduce: 0.) slapd version: HEAD (git master pulled today) 1.) slapd.conf: include /opt/openldap-acl/etc/openldap/schema/core.schema pidfile /opt/openldap-acl/var/run/slapd.pid argsfile /opt/openldap-acl/var/run/slapd.args modulepath /opt/openldap-acl/libexec/openldap moduleload memberof.la access to * by self write by users read by anonymous auth database config rootdn "cn=Manager,cn=config" rootpw secret database mdb suffix "o=test" rootdn "cn=Manager,o=test" rootpw secret directory /opt/openldap-acl/var/openldap-data/test index objectClass eq overlay memberof memberof-group-oc groupOfNames memberof-member-ad member memberof-memberof-ad memberOf memberof-dangling ignore memberof-refint FALSE 2.) conversion to slapd.d: /opt/openldap-acl/sbin/slaptest -f slapd.conf.acl -F slapd.d 3.) slapd start: slapd -F slapd.d -u openldap -g openldap -l local4 -d 1 \ -h "ldap://0.0.0.0:1389/ ldapi://%2Fopt%2Fopenldap%2Fvar%2Frun%2Fldapi_acl/" 4.) delete_memberof.ldif: dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config changetype: delete 5.) ldapmodify: cat delete_memberof.ldif | ldapmodify -x -H "ldap://localhost:1389/" -D "cn=Manager,cn=config" -w secret Result: 502c9eeb slap_listener_activate(7): 502c9eeb >>> slap_listener(ldap://0.0.0.0:1389/) 502c9eeb connection_get(11): got connid=1000 502c9eeb connection_read(11): checking for input on id=1000 ber_get_next ber_get_next: tag 0x30 len 38 contents: 502c9eeb op tag 0x60, time 1345101547 ber_get_next 502c9eeb conn=1000 op=0 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber: 502c9eeb >>> dnPrettyNormal: <cn=Manager,cn=config> 502c9eeb <<< dnPrettyNormal: <cn=Manager,cn=config>, <cn=manager,cn=config> 502c9eeb do_bind: version=3 dn="cn=Manager,cn=config" method=128 502c9eeb do_bind: v3 bind: "cn=Manager,cn=config" to "cn=Manager,cn=config" 502c9eeb send_ldap_result: conn=1000 op=0 p=3 502c9eeb send_ldap_response: msgid=1 tag=97 err=0 ber_flush2: 14 bytes to sd 11 502c9eeb connection_get(11): got connid=1000 502c9eeb connection_read(11): checking for input on id=1000 ber_get_next ber_get_next: tag 0x30 len 56 contents: 502c9eeb op tag 0x4a, time 1345101547 ber_get_next 502c9eeb conn=1000 op=1 do_delete ber_scanf fmt (m) ber: 502c9eeb >>> dnPrettyNormal: <olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config> 502c9eeb <<< dnPrettyNormal: <olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config>, <olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config> Segmentation fault

1 0

Re: (ITS#7172) SEGFAULT in openldap-2.4.28 & 2.4.29
by hyc＠symas.com 15 Aug '12

15 Aug '12

A fix for this is now in git master, please test. Thanks. david.coutadeur(a)linagora.com wrote: > Hi, > > I had some difficulties to reproduce it, but I have finally succeeded : > > [Switching to Thread 0x431e4940 (LWP 11061)] > 0x000000000054211c in sp_avl_cmp (c1=<value optimized out>, > c2=0xbfb5a60) at syncprov.c:378 > 378 rc = m1->mt_op->o_req_ndn.bv_len - > m2->mt_op->o_req_ndn.bv_len; > > > Thank you for the help, > > David Coutadeur -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7354) segfault with delta-syncrepl MMR
by quanah＠zimbra.com 15 Aug '12

15 Aug '12

--On Wednesday, August 15, 2012 7:46 PM +0000 quanah(a)OpenLDAP.org wrote: > Full_Name: Quanah Gibson-Mount > Version: 2.4.32 > OS: Linux 2.6 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (74.196.25.250) Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fd7d8b44700 (LWP 28572)] 0x00000000004c02b8 in syncrepl_op_modify (op=0x7fd7d8b43460, rs=0x7fd7d8b42e40) at syncrepl.c:2133 2133 if ( ml->sml_flags == SLAP_MOD_INTERNAL ) { (gdb) print *ml Cannot access memory at address 0x40 (gdb) print newlist $1 = (Modifications *) 0x13a77d0 (gdb) print newlist->sml_next $2 = (Modifications *) 0x40 (gdb) print *newlist $3 = {sml_mod = {sm_desc = 0xf78a50, sm_values = 0x0, sm_nvalues = 0x0, sm_numvals = 0, sm_op = 4097, sm_flags = 0, sm_type = {bv_len = 56, bv_val = 0x312d61717a3d6e63 <Address 0x312d61717a3d6e63 out of bounds>}}, sml_next = 0x40} --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#7354) segfault with delta-syncrepl MMR
by quanah＠OpenLDAP.org 15 Aug '12

15 Aug '12

Full_Name: Quanah Gibson-Mount Version: 2.4.32 OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (74.196.25.250) Failed to start slapd. Attempting debug start to determine error. 502a8f8c <= mdb_index_read: failed (-30798) 502a8f8c <= mdb_index_read: failed (-30798) res_errno: 0, res_error: <>, res_matched: <> res_errno: 0, res_error: <>, res_matched: <> 502a8f8c <= mdb_index_read: failed (-30798) It gives: => ldap_dn2bv(272) <= ldap_dn2bv(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com)=0 => ldap_bv2dn(uid=zimbra,cn=admins,cn=zimbra,0) <= ldap_bv2dn(uid=zimbra,cn=admins,cn=zimbra)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=zimbra,cn=admins,cn=zimbra)=0 => ldap_bv2dn(uid=zimbra,cn=admins,cn=zimbra,0) <= ldap_bv2dn(uid=zimbra,cn=admins,cn=zimbra)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=zimbra,cn=admins,cn=zimbra)=0 502a8fd2 => mdb_entry_get: ndn: "uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com" 502a8fd2 => mdb_entry_get: oc: "(null)", at: "(null)" => ldap_bv2dn(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com,0) <= ldap_bv2dn(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com)=0 => ldap_bv2dn(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com,0) <= ldap_bv2dn(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com)=0 502a8fd2 mdb_idl_fetch_key: 502a8fd2 mdb_idl_fetch_key: 502a8fd2 mdb_idl_fetch_key: [98599c51] 502a8fd2 mdb_idl_fetch_key: [80000000] 502a8fd2 dnMatch -4 "uid=user?^.0987,ou=people,dc=1344964239572,dc=230,dc=domain,dc=com" "uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com" 502a8fd2 dnMatch 7 "uid=distlist11344964239574,ou=people,dc=1344964239572,dc=230,dc=domain,dc=com" "uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com" 502a8fd2 dnMatch 0 "uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com" "uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com" 502a8fd2 send_ldap_result: err=0 matched="" text="" Segmentation fault (core dumped) (gdb) where #0 0x00000000004c02b8 in syncrepl_op_modify (op=0x7f60e8424490, rs=0x7f60e8423e70) at syncrepl.c:2133 #1 0x00000000004d48f4 in overlay_op_walk (op=0x7f60e8424490, rs=0x7f60e8423e70, which=op_modify, oi=0x19deb40, on=0x19de780) at backover.c:661 #2 0x00000000004d4bca in over_op_func (op=0x7f60e8424490, rs=0x7f60e8423e70, which=op_modify) at backover.c:723 #3 0x00000000004d4d35 in over_op_modify (op=0x7f60e8424490, rs=0x7f60e8423e70) at backover.c:762 #4 0x00000000004c1353 in syncrepl_message_to_op (si=0x155d340, op=0x7f60e8424490, msg=0x1926400) at syncrepl.c:2317 #5 0x00000000004bc45f in do_syncrep2 (op=0x7f60e8424490, si=0x155d340) at syncrepl.c:986 #6 0x00000000004be6ba in do_syncrepl (ctx=0x7f60e8424b50, arg=0x1afd860) at syncrepl.c:1523 #7 0x00007f88efc17cc9 in ldap_int_thread_pool_wrapper (xpool=0x14b81c0) at tpool.c:688 #8 0x00007f88ee7209ca in start_thread () from /lib/libpthread.so.0 #9 0x00007f88ee47dcdd in clone () from /lib/libc.so.6 #10 0x0000000000000000 in ?? () (gdb) list 2128 op->o_callback = sc; 2129 op->orm_no_opattrs = 1; 2130 mx->mx_orig = op->orm_modlist; 2131 mx->mx_free = newlist; 2132 for ( ml = newlist; ml; ml=ml->sml_next ) { 2133 if ( ml->sml_flags == SLAP_MOD_INTERNAL ) { 2134 ml->sml_flags = 0; 2135 ml->sml_op = SLAP_MOD_SOFTDEL; 2136 } 2137 else if ( ml->sml_op == LDAP_MOD_DELETE )

1 0

Re: (ITS#7353) Handling request controls that include spurious control values
by masarati＠aero.polimi.it 15 Aug '12

15 Aug '12

> mhardin(a)symas.com wrote: >> Some clients, like Oracle SGD, incorrectly implement the password polic= > y request >> control by including a zero-length control value with the request contr= > ol. >> OpenLDAP reports "passwordPolicyRequest control value not absent" and f= > ails the >> operation with a Protocol Error (2). While this behavior follows the le= > tter of >> RFC 4511, the control value in this case is zero-length and therefore h= > armless. >> Failing in this case seems merely punctilious, and has no real benefit.= > For >> reference, OpenLDAP 2.3 allowed a zero-length control value. > > For the very same reason I've added a work-around in upcoming python-ldap= > > 2.4.11 to handle non-decodable control response values as being absent in= > case > CRITICAL flag is False. (Apache DS 2.0.0M7 also returns such an invalid > zero-length value in password policy response control.) > > I'd appreciate to discuss a bit further whether that's the right approach= > =2E > Maybe we should take this to ietf-ldapbis mailing list as interop issue? Occasionally, we handled malformed or non-standard control values (I recall something about the many versions of the proxiedAuthz control). Our usual policy was to be "tolerant" about what comes in, possibly by requiring an explicit configuration statement to enable "tolerance" (usually, an admin knows when his system works in a broken environment, and wants to be able to decide whether being tolerant or not). So I favour allowing the administrator to explicitly enable tolerance with respect to malformed controls (my 2c). p.

1 0

Re: (ITS#7353) Handling request controls that include spurious control values
by michael＠stroeder.com 15 Aug '12

15 Aug '12

This is a cryptographically signed message in MIME format. --------------ms000806050201060707000502 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable mhardin(a)symas.com wrote: > Some clients, like Oracle SGD, incorrectly implement the password polic= y request > control by including a zero-length control value with the request contr= ol. > OpenLDAP reports "passwordPolicyRequest control value not absent" and f= ails the > operation with a Protocol Error (2). While this behavior follows the le= tter of > RFC 4511, the control value in this case is zero-length and therefore h= armless. > Failing in this case seems merely punctilious, and has no real benefit.= For > reference, OpenLDAP 2.3 allowed a zero-length control value. For the very same reason I've added a work-around in upcoming python-ldap= 2.4.11 to handle non-decodable control response values as being absent in= case CRITICAL flag is False. (Apache DS 2.0.0M7 also returns such an invalid zero-length value in password policy response control.) I'd appreciate to discuss a bit further whether that's the right approach= =2E Maybe we should take this to ietf-ldapbis mailing list as interop issue? Ciao, Michael. --------------ms000806050201060707000502 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIILHzCC BT8wggQnoAMCAQICDwCmSwABAAIAivjZQ8SBvzANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQG EwJERTEcMBoGA1UEChMTVEMgVHJ1c3RDZW50ZXIgR21iSDElMCMGA1UECxMcVEMgVHJ1c3RD ZW50ZXIgQ2xhc3MgMSBMMSBDQTEoMCYGA1UEAxMfVEMgVHJ1c3RDZW50ZXIgQ2xhc3MgMSBM MSBDQSBJWDAeFw0xMjA2MDYxOTAyMTZaFw0xMzA2MDcxOTAyMTZaMCgxCzAJBgNVBAYTAkRF MRkwFwYDVQQDDBBNaWNoYWVsIFN0csO2ZGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAxXZGav40rnGNLxEggBW94MILWHlfC8a23Jew5U1gPlfRTXOjjzmoaZ1uCyGdgF6M VvuO9T1aTQNGH+OdeGe3P7Tfc/NsLJFJ2wtd8blvhmodUgse2eypiWjNOd4gZuhalBhgsQ0K b5D6/1foghII4E264iZlJ7AJ+UYcO+GxvFWT0YMTbLckgDkZk7c3qwTozdhYvXarvqx+8Ou/ kuxpQQhac/ebzxpu0N+RHSf2KIUS0g0tEGnPtGv6iL+9QNHc4JKo9Y9KKVw3tQy+Re+FQLxB 1fPE5F+qxuD3AUENpOwkMsqWLM94ohtx3CFqLpxfUPrnKFLAHOhHEbByYGvFPwIDAQABo4IC EDCCAgwwgaUGCCsGAQUFBwEBBIGYMIGVMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3LnRydXN0 Y2VudGVyLmRlL2NlcnRzZXJ2aWNlcy9jYWNlcnRzL3RjX2NsYXNzMV9MMV9DQV9JWC5jcnQw QAYIKwYBBQUHMAGGNGh0dHA6Ly9vY3NwLml4LnRjY2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1 c3RjZW50ZXIuZGUwHwYDVR0jBBgwFoAU6bgoHUbP/M34TpvF7ktg69g7P9EwDAYDVR0TAQH/ BAIwADBKBgNVHSAEQzBBMD8GCSqCFAAsAQEBATAyMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3 LnRydXN0Y2VudGVyLmRlL2d1aWRlbGluZXMwDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQWBBS2 KAWfTfgJ/JQ63qLGwTXYLnI+LzBiBgNVHR8EWzBZMFegVaBThlFodHRwOi8vY3JsLml4LnRj Y2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1c3RjZW50ZXIuZGUvY3JsL3YyL3RjX0NsYXNzMV9M MV9DQV9JWC5jcmwwMwYDVR0lBCwwKgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDBwYK KwYBBAGCNxQCAjAfBgNVHREEGDAWgRRtaWNoYWVsQHN0cm9lZGVyLmNvbTANBgkqhkiG9w0B AQUFAAOCAQEAQ3bvVUpEq+cQrLpcogyt5BJNk/WvUvOHqhzyj28M9pg9hcDl1+MYl5qqj6tR GSTLPQZyf287pcmbMwbcTGZO/gbW9v7RYcut6RauWdwKMCUmKC3J4fVfDq9ZETA2WOV68ef4 B3Gzdhghsbp3Rhp5dDmrCVKAHlafm6ZwJrEQ9P76fxnQZzRLgeKpZep5ePH5YHUB3+YaOQvJ FG0bOXvfHhRiRG7/HW2G+yDgjHSxDz8AFzMWL/RFePqZ4pn6T/SM/qU6WEpW39MWyJNoH/Kx QDYK8gGYuesn1ciMCTnjrvZQj0fonGTO4SfWekJRkuGrJ7dYSZRjYbDcWBBkdFLWzzCCBdgw ggTAoAMCAQICDgboAAEAAkqWLSQM/sXJMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNVBAYTAkRF MRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSQwIgYDVQQLExtUQyBUcnVzdENlbnRl ciBVbml2ZXJzYWwgQ0ExJjAkBgNVBAMTHVRDIFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQSBJ MB4XDTA5MTEwMzE0MDgxOVoXDTI1MTIzMTIxNTk1OVowfDELMAkGA1UEBhMCREUxHDAaBgNV BAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxJTAjBgNVBAsTHFRDIFRydXN0Q2VudGVyIENsYXNz IDEgTDEgQ0ExKDAmBgNVBAMTH1RDIFRydXN0Q2VudGVyIENsYXNzIDEgTDEgQ0EgSVgwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75pBuz2Lp6QuqthDVR+V8XSsncZpozVVt 5KLv5P7yemMRwleKyH3PjmYfZUVL64Biab1GjovFblqVGCrep/EfdRonq20yU+P7TVhiLP8Z 5cegDZotIYhZhM0d8cPIij6w5d4IJM/8QCy6QSOUu4ASiTVItoYE4AFPjLqpmPwcie0fiqHH hpgmHnJla/7PZdkMZEsaCfVDEWBmJuMzVprJPT40anjG5VBLyM2I5DlsUCaeQCy2O3w3sqf1 3dyzUcv03IICuNc63towXA31Qt0TaVNU6YAmQjMepdfMbspmCZ+G8D2+xophEPPR/1vkstst smUMqX0XrLonTUJczglPAgMBAAGjggJZMIICVTCBmgYIKwYBBQUHAQEEgY0wgYowUgYIKwYB BQUHMAKGRmh0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvY2VydHNlcnZpY2VzL2NhY2VydHMv dGNfdW5pdmVyc2FsX3Jvb3RfSS5jcnQwNAYIKwYBBQUHMAGGKGh0dHA6Ly9vY3NwLnRjdW5p dmVyc2FsLUkudHJ1c3RjZW50ZXIuZGUwHwYDVR0jBBgwFoAUkqR1LKSevoFE63n8isWVpesQ dXMwEgYDVR0TAQH/BAgwBgEB/wIBADBSBgNVHSAESzBJMAYGBFUdIAAwPwYJKoIUACwBAQEB MDIwMAYIKwYBBQUHAgEWJGh0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvZ3VpZGVsaW5lczAO BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFOm4KB1Gz/zN+E6bxe5LYOvYOz/RMIH9BgNVHR8E gfUwgfIwge+ggeyggemGRmh0dHA6Ly9jcmwudGN1bml2ZXJzYWwtSS50cnVzdGNlbnRlci5k ZS9jcmwvdjIvdGNfdW5pdmVyc2FsX3Jvb3RfSS5jcmyGgZ5sZGFwOi8vd3d3LnRydXN0Y2Vu dGVyLmRlL0NOPVRDJTIwVHJ1c3RDZW50ZXIlMjBVbml2ZXJzYWwlMjBDQSUyMEksTz1UQyUy MFRydXN0Q2VudGVyJTIwR21iSCxPVT1yb290Y2VydHMsREM9dHJ1c3RjZW50ZXIsREM9ZGU/ Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlPzANBgkqhkiG9w0BAQUFAAOCAQEAOcjE m+6+mO5Icm+N53G2DpCM07LBFSGoRpBoX0oE8TrJaIQh2KXmBHVdn9LU8kt3QzLclctgvwJV 0KwcsMUUl5tlCsMPpR3s2Ek5lbWpvvr0HqtW56blAQiINV9nBd1EJFASIkRjefGbV2nOq9Yz UU+N8HA7jq1ROhd/NZZraGhjthwKyfjfHV7PKxGlY+3M0MbTIG+q/GhIfm0euDpFqhKG88e9 ALXr/uoSn3MzeOcoOWjTpW3adtFO4VWVgKbgG7jNrFbvRVlHmFLbOm4msjE5aXWxLiTwpJ2X iF4zKca1vAdAOgw9us90jEtOeiH6GzjNxEMvb7TfeO6Zkuc6HDGCA84wggPKAgEBMIGPMHwx CzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYDVQQLExxU QyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENlbnRlciBD bGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wCQYFKw4DAhoFAKCCAhMwGAYJKoZI hvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTIwODE1MDcwMjE4WjAjBgkq hkiG9w0BCQQxFgQUTDuEs5JNtz2cqQb/7wx1ZxJk10QwbAYJKoZIhvcNAQkPMV8wXTALBglg hkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggq hkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBoAYJKwYBBAGCNxAEMYGSMIGP MHwxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYDVQQL ExxUQyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENlbnRl ciBDbGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wgaIGCyqGSIb3DQEJEAILMYGS oIGPMHwxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYD VQQLExxUQyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENl bnRlciBDbGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wDQYJKoZIhvcNAQEBBQAE ggEASXZfP97C8zxYbux1N1U9pETszUQGUyG7GebVvdLdZnIG4r9D12JRHaFWG6YzI7ms2k/X A+CpALzsJW3LmdcT5SSH8ecfnvRMZJd9fLK6jea6UHf3gkHCNzl0EOQ/fitx0yZF92c/YN/k y07/CnMVMOw5HXRqsKw4p7SPWpUlPOtGA9zo8LnsvR9ySYGniBIWU2zC3aM3bbnsjKS/i0y2 fJ9N/MDw+sSFzm1gdiegxQNnYdDTswY89WkDVuILHYk5OXC6MOCEVyit99cpqDfxM0+VIKj/ 22hVsidJKfJ9L9FnG8/2YfcomMJF9G+qdT5m2FjDvi4MXoHyfY7Mo95QiAAAAAAAAA== --------------ms000806050201060707000502--

1 0

(ITS#7353) Handling request controls that include spurious control values
by mhardin＠symas.com 14 Aug '12

14 Aug '12

Full_Name: Matthew Hardin Version: 2.4.32 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (69.43.206.100) Some clients, like Oracle SGD, incorrectly implement the password policy request control by including a zero-length control value with the request control. OpenLDAP reports "passwordPolicyRequest control value not absent" and fails the operation with a Protocol Error (2). While this behavior follows the letter of RFC 4511, the control value in this case is zero-length and therefore harmless. Failing in this case seems merely punctilious, and has no real benefit. For reference, OpenLDAP 2.3 allowed a zero-length control value. While I don't believe it's acceptable for clients to present malformed controls, I do think it's sufficient, at least in this case, to log a warning and continue processing the request. For reference, the BER dump below shows the bind request containing the incorrectly-formatted password policy request control as well as the various stages of parsing. The request in this case comes from Oracle SGD 4.62.913. ber_get_next: tag 0x30 len 89 contents: ber_dump: buf=101fd8f00 ptr=101fd8f00 end=101fd8f59 len=89 0000: 02 01 01 60 33 02 01 03 04 27 63 6e 3d 70 70 6f ...`3....'cn=ppo 0010: 6c 69 63 79 74 73 74 2c 6f 75 3d 50 6f 6c 69 63 licytst,ou=Polic 0020: 69 65 73 2c 64 63 3d 76 73 6f 2c 64 63 3d 63 6f ies,dc=vso,dc=co 0030: 6d 80 05 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e m..aaaaa..0...1. 0040: 33 2e 36 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 3.6.1.4.1.42.2.2 0050: 37 2e 38 2e 35 2e 31 04 00 7.8.5.1.. 502a936b op tag 0x60, time 1344967531 ber_get_next 502a936b conn=1001 op=0 do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=101fd8f00 ptr=101fd8f03 end=101fd8f59 len=86 0000: 60 33 02 01 03 04 27 63 6e 3d 70 70 6f 6c 69 63 `3....'cn=ppolic 0010: 79 74 73 74 2c 6f 75 3d 50 6f 6c 69 63 69 65 73 ytst,ou=Policies 0020: 2c 64 63 3d 76 73 6f 2c 64 63 3d 63 6f 6d 80 05 ,dc=vso,dc=com.. 0030: 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e 33 2e 36 aaaaa..0...1.3.6 0040: 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 2e 38 .1.4.1.42.2.27.8 0050: 2e 35 2e 31 04 00 .5.1.. ber_scanf fmt (m}) ber: ber_dump: buf=101fd8f00 ptr=101fd8f31 end=101fd8f59 len=40 0000: 00 05 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e 33 ..aaaaa..0...1.3 0010: 2e 36 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 .6.1.4.1.42.2.27 0020: 2e 38 2e 35 2e 31 04 00 .8.5.1.. 502a936b => get_ctrls ber_scanf fmt ({m) ber: ber_dump: buf=101fd8f00 ptr=101fd8f3a end=101fd8f59 len=31 0000: 30 1d 04 19 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 0...1.3.6.1.4.1. 0010: 34 32 2e 32 2e 32 37 2e 38 2e 35 2e 31 04 00 42.2.27.8.5.1.. ber_scanf fmt (m) ber: ber_dump: buf=101fd8f00 ptr=101fd8f57 end=101fd8f59 len=2 0000: 00 00 .. 502a936b => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical) 502a936b <= get_ctrls: n=1 rc=2 err="passwordPolicyRequest control value not absent" 502a936b send_ldap_result: conn=1001 op=0 p=3 502a936b send_ldap_response: msgid=1 tag=97 err=2 As an aside, the error text left me scratching my head and reading the source code to figure out what was meant. Each of the other request control handlers that doesn't require/allow a control value has a similar message. Could we change these messages to: {Warning|Error}: Spurious <control name here> control value found in request. Comments?

1 0

(ITS#7352) openldap not supporting CAMELLIA ciphers
by goodgoingswati＠gmail.com 09 Aug '12

09 Aug '12

Full_Name: Swati Version: 2.4.32 OS: RHEL5 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (115.113.153.34) openldap is not supporting CAMELLIA based ciphers(both RSA and DSA based) I have configured SSL LDAP(LDAPS) and on checking SSL connection with LDAPS server with CAMELLIA based cipher leads to failure in handshake: openssl s_client -connect localhost:636 -showcerts -cipher DHE-DSS-CAMELLIA256-SHA -state -CAfile /path_to_cert -cert /path_to_client_cert -key /path_to_client_key CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL3 alert read:fatal:handshake failure SSL_connect:error in SSLv2/v3 read server hello A 47726707455072:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 102 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE Handshake is failing with all camellia ciphers.

1 0

(ITS#7351) can not start slapd when enable accesslog relay
by bashift＠gmail.com 09 Aug '12

09 Aug '12

Full_Name: ChenShuJun Version: 2.4.32 OS: RHEL5.5(2.6.18-194.el5) URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (218.246.127.3) [root@LDAP_LAB_A openldap]# slapd -d 1 ldap_url_parse_ext(ldap://localhost/) ldap_init: trying /usr/local/openldap-2.4.32/etc/openldap/ldap.conf ldap_init: using /usr/local/openldap-2.4.32/etc/openldap/ldap.conf ldap_init: HOME env is /root ldap_init: trying /root/ldaprc ldap_init: trying /root/.ldaprc ldap_init: trying ldaprc ldap_init: LDAPCONF env is NULL ldap_init: LDAPRC env is NULL 502475bb @(#) $OpenLDAP: slapd 2.4.32 (Aug 8 2012 14:19:37) $ root@LDAP_LAB_A.bgctv.net.cn:/root/openldap-2.4.32/servers/slapd ldap_pvt_gethostbyname_a: host=LDAP_LAB_A.bgctv.net.cn, r=11 502475bb daemon_init: listen on ldap:/// 502475bb daemon_init: 1 listeners to open... ldap_url_parse_ext(ldap:///) 502475bb daemon: listener initialized ldap:/// 502475bb daemon_init: 1 listeners opened ldap_create 502475bb slapd init: initiated server. 502475bb slap_sasl_init: initialized! 502475bb bdb_back_initialize: initialize BDB backend 502475bb bdb_back_initialize: Berkeley DB 4.8.30: (April 9, 2010) 502475bb hdb_back_initialize: initialize HDB backend 502475bb hdb_back_initialize: Berkeley DB 4.8.30: (April 9, 2010) 502475bb mdb_back_initialize: initialize MDB backend 502475bb mdb_back_initialize: MDB 0.9.0: ("September 1, 2011") 502475bb ndb_back_initialize: initialize ndb backend 502475bb null_back_initialize: initialize null backend 502475bb perl backend open 502475bb ==> translucent_initialize 502475bb ndb_db_init: Initializing ndb database 502475bb >>> dnPrettyNormal: <dc=bgctv,dc=net,dc=cn> 502475bb <<< dnPrettyNormal: <dc=bgctv,dc=net,dc=cn>, <dc=bgctv,dc=net,dc=cn> 502475bb >>> dnPrettyNormal: <cn=admin,dc=bgctv,dc=net,dc=cn> 502475bb <<< dnPrettyNormal: <cn=admin,dc=bgctv,dc=net,dc=cn>, <cn=admin,dc=bgctv,dc=net,dc=cn> 502475bb >>> dnPrettyNormal: <cn=auditlog> 502475bb <<< dnPrettyNormal: <cn=auditlog>, <cn=auditlog> put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ber_scanf fmt (m) ber: 502475bb >>> dnNormalize: <ou=cm,dc=bgctv,dc=net,dc=cn> 502475bb <<< dnNormalize: <ou=cm,dc=bgctv,dc=net,dc=cn> 502475bb >>> dnNormalize: <userid=cmadmin,dc=bgctv,dc=net,dc=cn> 502475bb <<< dnNormalize: <uid=cmadmin,dc=bgctv,dc=net,dc=cn> 502475bb >>> dnNormalize: <userid=cmadmin,dc=bgctv,dc=net,dc=cn> 502475bb <<< dnNormalize: <uid=cmadmin,dc=bgctv,dc=net,dc=cn> 502475bb bdb_db_init: Initializing BDB database 502475bb >>> dnPrettyNormal: <cn=auditlog> 502475bb <<< dnPrettyNormal: <cn=auditlog>, <cn=auditlog> 502475bb >>> dnPrettyNormal: <cn=admin,cn=auditlog> 502475bb <<< dnPrettyNormal: <cn=admin,cn=auditlog>, <cn=admin,cn=auditlog> 502475bb >>> dnNormalize: <cn=Subschema> 502475bb <<< dnNormalize: <cn=subschema> 502475bb matching_rule_use_init 502475bb 1.2.840.113556.1.4.804 (integerBitOrMatch): 502475bb matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ olcDbMaxReaders $ olcDbMaxSize $ olcDbPort $ olcDbFlag $ olcDbConnections $ olcDDSmaxDynamicObjects $ olcPcacheMaxQueries $ olcRetcodeSleep $ olcSssVlvMax $ olcSssVlvMaxKeys $ olcSssVlvMaxPerConn $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 502475bb 1.2.840.113556.1.4.803 (integerBitAndMatch): 502475bb matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ olcDbMaxReaders $ olcDbMaxSize $ olcDbPort $ olcDbFlag $ olcDbConnections $ olcDDSmaxDynamicObjects $ olcPcacheMaxQueries $ olcRetcodeSleep $ olcSssVlvMax $ olcSssVlvMaxKeys $ olcSssVlvMaxPerConn $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 502475bb 1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): 502475bb matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) ) 502475bb 1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): 502475bb matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) ) 502475bb 2.5.13.39 (certificateListMatch): 502475bb 2.5.13.38 (certificateListExactMatch): 502475bb matchingRuleUse: ( 2.5.13.38 NAME 'certificateListExactMatch' APPLIES ( authorityRevocationList $ certificateRevocationList $ deltaRevocationList ) ) 502475bb 2.5.13.35 (certificateMatch): 502475bb 2.5.13.34 (certificateExactMatch): 502475bb matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) ) 502475bb 2.5.13.30 (objectIdentifierFirstComponentMatch): 502475bb matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) ) 502475bb 2.5.13.29 (integerFirstComponentMatch): 502475bb matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ olcDbMaxReaders $ olcDbMaxSize $ olcDbPort $ olcDbFlag $ olcDbConnections $ olcDDSmaxDynamicObjects $ olcPcacheMaxQueries $ olcRetcodeSleep $ olcSssVlvMax $ olcSssVlvMaxKeys $ olcSssVlvMaxPerConn $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 502475bb 2.5.13.28 (generalizedTimeOrderingMatch): 502475bb matchingRuleUse: ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch' APPLIES ( createTimestamp $ modifyTimestamp $ pwdChangedTime $ pwdAccountLockedTime $ pwdFailureTime $ pwdGraceUseTime ) ) 502475bb 2.5.13.27 (generalizedTimeMatch): 502475bb matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp $ pwdChangedTime $ pwdAccountLockedTime $ pwdFailureTime $ pwdGraceUseTime ) ) 502475bb 2.5.13.24 (protocolInformationMatch): 502475bb matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation ) 502475bb 2.5.13.23 (uniqueMemberMatch): 502475bb matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember ) 502475bb 2.5.13.22 (presentationAddressMatch): 502475bb matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress ) 502475bb 2.5.13.20 (telephoneNumberMatch): 502475bb matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) ) 502475bb 2.5.13.18 (octetStringOrderingMatch): 502475bb matchingRuleUse: ( 2.5.13.18 NAME 'octetStringOrderingMatch' APPLIES ( userPassword $ olcDbCryptKey $ pwdHistory ) ) 502475bb 2.5.13.17 (octetStringMatch): 502475bb matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ olcDbCryptKey $ pwdHistory ) ) 502475bb 2.5.13.16 (bitStringMatch): 502475bb matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier ) 502475bb 2.5.13.15 (integerOrderingMatch): 502475bb matchingRuleUse: ( 2.5.13.15 NAME 'integerOrderingMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ olcDbMaxReaders $ olcDbMaxSize $ olcDbPort $ olcDbFlag $ olcDbConnections $ olcDDSmaxDynamicObjects $ olcPcacheMaxQueries $ olcRetcodeSleep $ olcSssVlvMax $ olcSssVlvMaxKeys $ olcSssVlvMaxPerConn $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 502475bb 2.5.13.14 (integerMatch): 502475bb matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ olcDbMaxReaders $ olcDbMaxSize $ olcDbPort $ olcDbFlag $ olcDbConnections $ olcDDSmaxDynamicObjects $ olcPcacheMaxQueries $ olcRetcodeSleep $ olcSssVlvMax $ olcSssVlvMaxKeys $ olcSssVlvMaxPerConn $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 502475bb 2.5.13.13 (booleanMatch): 502475bb matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcAddContentAcl $ olcGentleHUP $ olcHidden $ olcLastMod $ olcMirrorMode $ olcMonitoring $ olcReadOnly $ olcReverseLookup $ olcSyncUseSubentry $ olcDbChecksum $ olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbProxyWhoAmI $ olcDbSingleConn $ olcDbUseTemporaryConn $ olcDbSessionTrackingRequest $ olcDbNoRefs $ olcDbNoUndefFilter $ olcChainCacheURI $ olcChainReturnError $ olcDbBindAllowed $ olcPerlFilterSearchResults $ olcAccessLogSuccess $ olcDDSstate $ olcMemberOfRefInt $ pwdReset $ olcPPolicyHashCleartext $ olcPPolicyForwardUpdates $ olcPPolicyUseLockout $ olcPcachePersist $ olcPcacheValidate $ olcPcacheOffline $ olcRetcodeInDir $ olcRwmNormalizeMapped $ olcRwmDropUnrequested $ olcSpNoPresent $ olcSpReloadHint $ olcTranslucentStrict $ olcTranslucentNoGlue $ olcTranslucentBindLocal $ olcTranslucentPwModLocal $ olcUniqueStrict ) ) 502475bb 2.5.13.11 (caseIgnoreListMatch): 502475bb matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) ) 502475bb 2.5.13.9 (numericStringOrderingMatch): 502475bb matchingRuleUse: ( 2.5.13.9 NAME 'numericStringOrderingMatch' APPLIES ( x121Address $ internationaliSDNNumber ) ) 502475bb 2.5.13.8 (numericStringMatch): 502475bb matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) ) 502475bb 2.5.13.7 (caseExactSubstringsMatch): 502475bb matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 502475bb 2.5.13.6 (caseExactOrderingMatch): 502475bb matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbIDAssertPassThru $ olcChainingBehavior $ olcDbHost $ olcDbName $ olcDbUser $ olcDbPass $ olcDbSocket $ olcDbConnect $ olcNdbAttrLen $ olcNdbAttrSet $ olcNdbAttrBlob $ olcPasswdFile $ olcPerlModule $ olcPerlModulePath $ olcPerlModuleConfig $ olcShellBind $ olcShellUnbind $ olcShellSearch $ olcShellCompare $ olcShellModify $ olcShellModRDN $ olcShellAdd $ olcShellDelete $ olcOvSocketOps $ olcOvSocketResps $ olcDbSocketPath $ olcDbSocketExtensions $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcAuditlogFile $ olcCollectInfo $ olcConstraintAttribute $ olcDDSmaxTtl $ olcDDSminTtl $ olcDDSdefaultTtl $ olcDDSinterval $ olcDDStolerance $ olcDGAttrPair $ olcDlAttrSet $ olcMemberOfDangling $ olcMemberOfGroupOC $ olcMemberOfMemberAD $ olcMemberOfMemberOfAD $ olcMemberOfDanglingError $ olcPcache $ olcPcacheAttrset $ olcPcacheTemplate $ olcPcachePosition $ olcPcacheBind $ olcRefintAttribute $ olcRetcodeItem $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcTranslucentLocal $ olcTranslucentRemote $ olcUniqueIgnore $ olcUniqueAttribute $ olcUniqueURI $ olcValSortAttr $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ cmmac $ cmipadd $ servicelevel $ startdate $ enddate $ cmuid $ cmext1 $ cmext2 $ cmext3 $ cmext4 $ cmext5 $ cmext6 $ cmext7 $ cmext8 $ cmext9 ) ) 502475bb 2.5.13.5 (caseExactMatch): 502475bb matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbIDAssertPassThru $ olcChainingBehavior $ olcDbHost $ olcDbName $ olcDbUser $ olcDbPass $ olcDbSocket $ olcDbConnect $ olcNdbAttrLen $ olcNdbAttrSet $ olcNdbAttrBlob $ olcPasswdFile $ olcPerlModule $ olcPerlModulePath $ olcPerlModuleConfig $ olcShellBind $ olcShellUnbind $ olcShellSearch $ olcShellCompare $ olcShellModify $ olcShellModRDN $ olcShellAdd $ olcShellDelete $ olcOvSocketOps $ olcOvSocketResps $ olcDbSocketPath $ olcDbSocketExtensions $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcAuditlogFile $ olcCollectInfo $ olcConstraintAttribute $ olcDDSmaxTtl $ olcDDSminTtl $ olcDDSdefaultTtl $ olcDDSinterval $ olcDDStolerance $ olcDGAttrPair $ olcDlAttrSet $ olcMemberOfDangling $ olcMemberOfGroupOC $ olcMemberOfMemberAD $ olcMemberOfMemberOfAD $ olcMemberOfDanglingError $ olcPcache $ olcPcacheAttrset $ olcPcacheTemplate $ olcPcachePosition $ olcPcacheBind $ olcRefintAttribute $ olcRetcodeItem $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcTranslucentLocal $ olcTranslucentRemote $ olcUniqueIgnore $ olcUniqueAttribute $ olcUniqueURI $ olcValSortAttr $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ cmmac $ cmipadd $ servicelevel $ startdate $ enddate $ cmuid $ cmext1 $ cmext2 $ cmext3 $ cmext4 $ cmext5 $ cmext6 $ cmext7 $ cmext8 $ cmext9 ) ) 502475bc 2.5.13.4 (caseIgnoreSubstringsMatch): 502475bc matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 502475bc 2.5.13.3 (caseIgnoreOrderingMatch): 502475bc matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbIDAssertPassThru $ olcChainingBehavior $ olcDbHost $ olcDbName $ olcDbUser $ olcDbPass $ olcDbSocket $ olcDbConnect $ olcNdbAttrLen $ olcNdbAttrSet $ olcNdbAttrBlob $ olcPasswdFile $ olcPerlModule $ olcPerlModulePath $ olcPerlModuleConfig $ olcShellBind $ olcShellUnbind $ olcShellSearch $ olcShellCompare $ olcShellModify $ olcShellModRDN $ olcShellAdd $ olcShellDelete $ olcOvSocketOps $ olcOvSocketResps $ olcDbSocketPath $ olcDbSocketExtensions $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcAuditlogFile $ olcCollectInfo $ olcConstraintAttribute $ olcDDSmaxTtl $ olcDDSminTtl $ olcDDSdefaultTtl $ olcDDSinterval $ olcDDStolerance $ olcDGAttrPair $ olcDlAttrSet $ olcMemberOfDangling $ olcMemberOfGroupOC $ olcMemberOfMemberAD $ olcMemberOfMemberOfAD $ olcMemberOfDanglingError $ olcPcache $ olcPcacheAttrset $ olcPcacheTemplate $ olcPcachePosition $ olcPcacheBind $ olcRefintAttribute $ olcRetcodeItem $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcTranslucentLocal $ olcTranslucentRemote $ olcUniqueIgnore $ olcUniqueAttribute $ olcUniqueURI $ olcValSortAttr $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ cmmac $ cmipadd $ servicelevel $ startdate $ enddate $ cmuid $ cmext1 $ cmext2 $ cmext3 $ cmext4 $ cmext5 $ cmext6 $ cmext7 $ cmext8 $ cmext9 ) ) 502475bc 2.5.13.2 (caseIgnoreMatch): 502475bc matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbIDAssertPassThru $ olcChainingBehavior $ olcDbHost $ olcDbName $ olcDbUser $ olcDbPass $ olcDbSocket $ olcDbConnect $ olcNdbAttrLen $ olcNdbAttrSet $ olcNdbAttrBlob $ olcPasswdFile $ olcPerlModule $ olcPerlModulePath $ olcPerlModuleConfig $ olcShellBind $ olcShellUnbind $ olcShellSearch $ olcShellCompare $ olcShellModify $ olcShellModRDN $ olcShellAdd $ olcShellDelete $ olcOvSocketOps $ olcOvSocketResps $ olcDbSocketPath $ olcDbSocketExtensions $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcAuditlogFile $ olcCollectInfo $ olcConstraintAttribute $ olcDDSmaxTtl $ olcDDSminTtl $ olcDDSdefaultTtl $ olcDDSinterval $ olcDDStolerance $ olcDGAttrPair $ olcDlAttrSet $ olcMemberOfDangling $ olcMemberOfGroupOC $ olcMemberOfMemberAD $ olcMemberOfMemberOfAD $ olcMemberOfDanglingError $ olcPcache $ olcPcacheAttrset $ olcPcacheTemplate $ olcPcachePosition $ olcPcacheBind $ olcRefintAttribute $ olcRetcodeItem $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcTranslucentLocal $ olcTranslucentRemote $ olcUniqueIgnore $ olcUniqueAttribute $ olcUniqueURI $ olcValSortAttr $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ cmmac $ cmipadd $ servicelevel $ startdate $ enddate $ cmuid $ cmext1 $ cmext2 $ cmext3 $ cmext4 $ cmext5 $ cmext6 $ cmext7 $ cmext8 $ cmext9 ) ) 502475bc 1.2.36.79672281.1.13.3 (rdnMatch): 502475bc 2.5.13.1 (distinguishedNameMatch): 502475bc matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcDbACLAuthcDn $ olcDbIDAssertAuthcDn $ olcRelay $ olcAccessLogDB $ memberOf $ olcMemberOfDN $ pwdPolicySubentry $ olcPPolicyDefault $ olcRefintNothing $ olcRefintModifiersName $ olcRetcodeParent $ olcUniqueBase $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) ) 502475bc 2.5.13.0 (objectIdentifierMatch): 502475bc matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) ) 502475bc slapd startup: initiated. 502475bc backend_startup_one: starting "cn=config" 502475bc config_back_db_open 502475bc config_build_entry: "cn=config" 502475bc config_build_entry: "cn=schema" 502475bc >>> dnNormalize: <cn={0}core> 502475bc <<< dnNormalize: <cn={0}core> 502475bc config_build_entry: "cn={0}core" 502475bc >>> dnNormalize: <cn={1}cosine> 502475bc <<< dnNormalize: <cn={1}cosine> 502475bc config_build_entry: "cn={1}cosine" 502475bc >>> dnNormalize: <cn={2}nis> 502475bc <<< dnNormalize: <cn={2}nis> 502475bc config_build_entry: "cn={2}nis" 502475bc >>> dnNormalize: <cn={3}inetorgperson> 502475bc <<< dnNormalize: <cn={3}inetorgperson> 502475bc config_build_entry: "cn={3}inetorgperson" 502475bc >>> dnNormalize: <cn={4}cnrldap> 502475bc <<< dnNormalize: <cn={4}cnrldap> 502475bc config_build_entry: "cn={4}cnrldap" 502475bc config_build_entry: "olcDatabase={-1}frontend" 502475bc config_build_entry: "olcDatabase={0}config" 502475bc config_build_entry: "olcDatabase={1}ndb" 502475bc config_build_entry: "olcOverlay={0}accesslog" 502475bc config_build_entry: "olcDatabase={2}bdb" 502475bc backend_startup_one: starting "dc=bgctv,dc=net,dc=cn" 502475bc backend_startup_one: starting "cn=auditlog" 502475bc bdb_db_open: database "cn=auditlog": unclean shutdown detected; attempting recovery. 502475bc bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/openldap-2.4.32/var/openldap-data: (14). Expect poor performance for suffix "cn=auditlog". 502475bc bdb_db_open: database "cn=auditlog": dbenv_open(/usr/local/openldap-2.4.32/var/openldap-data). 502475bc bdb_monitor_db_open: monitoring disabled; configure monitor database to enable 502475bc slapd starting 502475bc bdb_dn2entry("cn=auditlog") 502475bc => bdb_dn2id("cn=auditlog") 502475bc <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988) 502475bc >>> dnNormalize: <cn=admin,dc=bgctv,dc=net,dc=cn> 502475bc <<< dnNormalize: <cn=admin,dc=bgctv,dc=net,dc=cn> 502475bc >>> dnNormalize: <cn=admin,dc=bgctv,dc=net,dc=cn> 502475bc <<< dnNormalize: <cn=admin,dc=bgctv,dc=net,dc=cn> *** glibc detected *** slapd: free(): invalid pointer: 0x0000000001d68f28 *** ======= Backtrace: ========= /lib64/libc.so.6[0x3f8207230f] /lib64/libc.so.6(cfree+0x4b)[0x3f8207276b] slapd(ber_memfree_x+0x33)[0x67a01f] slapd(ber_bvarray_free_x+0x5a)[0x67aca0] slapd(ber_bvarray_free+0x1a)[0x67acd3] slapd(ndb_entry_get+0x1fa)[0x54d24e] slapd(overlay_entry_get_ov+0x201)[0x4d9286] slapd[0x4d9360] slapd(be_entry_get_rw+0x93)[0x45ddca] slapd[0x5d4687] slapd[0x63f2d5] /lib64/libpthread.so.0[0x3f82c0673d] /lib64/libc.so.6(clone+0x6d)[0x3f820d3d1d] ======= Memory map: ======== 00400000-0072a000 r-xp 00000000 fd:00 3962485 /usr/local/openldap-2.4.32/libexec/slapd 0092a000-0093d000 rw-p 0032a000 fd:00 3962485 /usr/local/openldap-2.4.32/libexec/slapd 0093d000-009fd000 rw-p 0093d000 00:00 0 01ae8000-01ead000 rw-p 01ae8000 00:00 0 [heap] 4052d000-4052e000 ---p 4052d000 00:00 0 4052e000-40f2e000 rw-p 4052e000 00:00 0 41197000-41198000 ---p 41197000 00:00 0 41198000-411b8000 rw-p 41198000 00:00 0 411b8000-411b9000 ---p 411b8000 00:00 0 411b9000-411d9000 rw-p 411b9000 00:00 0 411d9000-411da000 ---p 411d9000 00:00 0 411da000-411fa000 rw-p 411da000 00:00 0 411fa000-411fb000 ---p 411fa000 00:00 0 411fb000-4121b000 rw-p 411fb000 00:00 0 4121b000-4121c000 ---p 4121b000 00:00 0 4121c000-4123c000 rw-p 4121c000 00:00 0 416c0000-416c1000 ---p 416c0000 00:00 0 416c1000-41ec1000 rw-p 416c1000 00:00 0 3f81c00000-3f81c1c000 r-xp 00000000 fd:00 65784 /lib64/ld-2.5.so 3f81e1b000-3f81e1c000 r--p 0001b000 fd:00 65784 /lib64/ld-2.5.so 3f81e1c000-3f81e1d000 rw-p 0001c000 fd:00 65784 /lib64/ld-2.5.so 3f82000000-3f8214e000 r-xp 00000000 fd:00 65785 /lib64/libc-2.5.so 3f8214e000-3f8234d000 ---p 0014e000 fd:00 65785 /lib64/libc-2.5.so 3f8234d000-3f82351000 r--p 0014d000 fd:00 65785 /lib64/libc-2.5.so 3f82351000-3f82352000 rw-p 00151000 fd:00 65785 /lib64/libc-2.5.so 3f82352000-3f82357000 rw-p 3f82352000 00:00 0 3f82400000-3f82402000 r-xp 00000000 fd:00 65786 /lib64/libdl-2.5.so 3f82402000-3f82602000 ---p 00002000 fd:00 65786 /lib64/libdl-2.5.so 3f82602000-3f82603000 r--p 00002000 fd:00 65786 /lib64/libdl-2.5.so 3f82603000-3f82604000 rw-p 00003000 fd:00 65786 /lib64/libdl-2.5.so 3f82800000-3f82882000 r-xp 00000000 fd:00 65790 /lib64/libm-2.5.so 3f82882000-3f82a81000 ---p 00082000 fd:00 65790 /lib64/libm-2.5.so 3f82a81000-3f82a82000 r--p 00081000 fd:00 65790 /lib64/libm-2.5.so 3f82a82000-3f82a83000 rw-p 00082000 fd:00 65790 /lib64/libm-2.5.so 3f82c00000-3f82c16000 r-xp 00000000 fd:00 65792 /lib64/libpthread-2.5.so 3f82c16000-3f82e15000 ---p 00016000 fd:00 65792 /lib64/libpthread-2.5.so 3f82e15000-3f82e16000 r--p 00015000 fd:00 65792 /lib64/libpthread-2.5.so 3f82e16000-3f82e17000 rw-p 00016000 fd:00 65792 /lib64/libpthread-2.5.so 3f82e17000-3f82e1b000 rw-p 3f82e17000 00:00 0 3f83000000-3f83007000 r-xp 00000000 fd:00 65793 /lib64/librt-2.5.so 3f83007000-3f83207000 ---p 00007000 fd:00 65793 /lib64/librt-2.5.so 3f83207000-3f83208000 r--p 00007000 fd:00 65793 /lib64/librt-2.5.so 3f83208000-3f83209000 rw-p 00008000 fd:00 65793 /lib64/librt-2.5.so 3f83400000-3f83403000 r-xp 00000000 fd:00 65640 /lib64/libuuid.so.1.2 3f83403000-3f83603000 ---p 00003000 fd:00 65640 /lib64/libuuid.so.1.2 3f83603000-3f83604000 rw-p 00003000 fd:00 65640 /lib64/libuuid.so.1.2 3f83800000-3f83815000 r-xp 00000000 fd:00 65799 /lib64/libselinux.so.1 3f83815000-3f83a15000 ---p 00015000 fd:00 65799 /lib64/libselinux.so.1 3f83a15000-3f83a17000 rw-p 00015000 fd:00 65799 /lib64/libselinux.so.1 3f83a17000-3f83a18000 rw-p 3f83a17000 00:00 0 3f83c00000-3f83c3b000 r-xp 00000000 fd:00 65798 /lib64/libsepol.so.1 3f83c3b000-3f83e3b000 ---p 0003b000 fd:00 65798 /lib64/libsepol.so.1 3f83e3b000-3f83e3c000 rw-p 0003b000 fd:00 65798 /lib64/libsepol.so.1 3f83e3c000-3f83e46000 rw-p 3f83e3c000 00:00 0 3f84000000-3f8412b000 r-xp 00000000 fd:00 3274780 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE/libperl.so 3f8412b000-3f8432b000 ---p 0012b000 fd:00 3274780 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE/libperl.so 3f8432b000-3f84334000 rw-p 0012b000 fd:00 3274780 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE/libperl.so 3f84334000-3f84336000 rw-p 3f84334000 00:00 0 3f84400000-3f84409000 r-xp 00000000 fd:00 65800 /lib64/libcrypt-2.5.so 3f84409000-3f84608000 ---p 00009000 fd:00 65800 /lib64/libcrypt-2.5.so 3f84608000-3f84609000 r--p 00008000 fd:00 65800 /lib64/libcrypt-2.5.so 3f84609000-3f8460a000 rw-p 00009000 fd:00 65800 /lib64/libcrypt-2.5.so 3f8460a000-3f84638000 rw-p 3f8460a000 00:00 0 3f85800000-3f85815000 r-xp 00000000 fd:00 65663 /lib64/libnsl-2.5.so 3f85815000-3f85a14000 ---p 00015000 fd:00 65663 /lib64/libnsl-2.5.so 3f85a14000-3f85a15000 r--p 00014000 fd:00 65663 /lib64/libnsl-2.5.so 3f85a15000-3f85a16000 rw-p 00015000 fd:00 65663 /lib64/libnsl-2.5.so 3f85a16000-3f85a18000 rw-p 3f85a16000 00:00 0 3f86800000-3f868e6000 r-xp 00000000 fd:00 3130355 /usr/lib64/libstdc++.so.6.0.8 3f868e6000-3f86ae5000 ---p 000e6000 fd:00 3130355 /usr/lib64/libstdc++.so.6.0.8 3f86ae5000-3f86aeb000 r--p 000e5000 fd:00 3130355 /usr/lib64/libstdc++.so.6.0.8 3f86aeb000-3f86aee000 rw-p 000eb000 fd:00 3130355 /usr/lib64/libstdc++.so.6.0.8 3f86aee000-3f86b00000 rw-p 3f86aee000 00:00 0 3f89000000-3f89011000 r-xp 00000000 fd:00 65802 /lib64/libresolv-2.5.so 3f89011000-3f89211000 ---p 00011000 fd:00 65802 /lib64/libresolv-2.5.so 3f89211000-3f89212000 r--p 00011000 fd:00 65802 /lib64/libresolv-2.5.so 3f89212000-3f89213000 rw-p 00012000 fd:00 65802 /lib64/libresolv-2.5.so 3f89213000-3f89215000 rw-p 3f89213000 00:00 0 3f89400000-3f89402000 r-xp 00000000 fd:00 65804 /lib64/libcom_err.so.2.1 3f89402000-3f89601000 ---p 00002000 fd:00 65804 /lib64/libcom_err.so.2.1 3f89601000-3f89602000 rw-p 00001000 fd:00 65804 /lib64/libcom_err.so.2.1 3f8b000000-3f8b12d000 r-xp 00000000 fd:00 65801 /lib64/libcrypto.so.0.9.8e 3f8b12d000-3f8b32c000 ---p 0012d000 fd:00 65801 /lib64/libcrypto.so.0.9.8e 3f8b32c000-3f8b34d000 rw-p 0012c000 fd:00 65801 /lib64/libcrypto.so.0.9.8e 3f8b34d000-3f8b351000 rw-p 3f8b34d000 00:00 0 3f8c400000-3f8c491000 r-xp 00000000 fd:00 3130374 /usr/lib64/libkrb5.so.3.3 3f8c491000-3f8c691000 ---p 00091000 fd:00 3130374 /usr/lib64/libkrb5.so.3.3 3f8c691000-3f8c695000 rw-p 00091000 fd:00 3130374 /usr/lib64/libkrb5.so.3.3 3f8c800000-3f8c824000 r-xp 00000000 fd:00 3130373 /usr/lib64/libk5crypto.so.3.1 3f8c824000-3f8ca23000 ---p 00024000 fd:00 3130373 /usr/lib64/libk5crypto.so.3.1 3f8ca23000-3f8ca25000 rw-p 00023000 fd:00 3130373 /usr/lib64/libk5crypto.so.3.1 3f8cc00000-3f8cc02000 r-xp 00000000 fd:00 65803 /lib64/libkeyutils-1.2.so 3f8cc02000-3f8ce01000 ---p 00002000 fd:00 65803 /lib64/libkeyutils-1.2.so 3f8ce01000-3f8ce02000 rw-p 00001000 fd:00 65803 /lib64/libkeyutils-1.2.so 3f8dc00000-3f8dc08000 r-xp 00000000 fd:00 3130372 /usr/lib64/libkrb5support.so.0.1 3f8dc08000-3f8de07000 ---p 00008000 fd:00 3130372 /usr/lib64/libkrb5support.so.0.1 3f8de07000-3f8de08000 rw-p 00007000 fd:00 3130372 /usr/lib64/libkrb5support.so.0.1 3f91200000-3f9122c000 r-xp 00000000 fd:00 3130375 /usr/lib64/libgssapi_krb5.so.2.2 3f9122c000-3f9142c000 ---p 0002c000 fd:00 3130375 /usr/lib64/libgssapi_krb5.so.2.2 3f9142c000-3f9142e000 rw-p 0002c000 fd:00 3130375 /usr/lib64/libgssapi_krb5.so.2.2 3f91e00000-3f91e46000 r-xp 00000000 fd:00 65531 /lib64/libssl.so.0.9.8e 3f91e46000-3f92046000 ---p 00046000 fd:00 65531 /lib64/libssl.so.0.9.8e 3f92046000-3f9204c000 rw-p 00046000 fd:00 65531 /lib64/libssl.so.0.9.8e 3f92200000-3f92202000 r-xp 00000000 fd:00 65810 /lib64/libutil-2.5.so 3f92202000-3f92401000 ---p 00002000 fd:00 65810 /lib64/libutil-2.5.so 3f92401000-3f92402000 r--p 00001000 fd:00 65810 /lib64/libutil-2.5.so 3f92402000-3f92403000 rw-p 00002000 fd:00 65810 /lib64/libutil-2.5.so 2aaaaaaab000-2aaaab3a0000 rw-p 2aaaaaaab000 00:00 0 2aaaab3a0000-2aaaab3a6000 rw-s 00000000 fd:00 3962498 /usr/local/openldap-2.4.32/var/openldap-data/__db.001 2aaaab3a6000-2aaaac478000 rw-s 00000000 fd:00 3962499 /usr/local/openldap-2.4.32/var/openldap-data/__db.002 2aaaac478000-2aaac047a000 rw-s 00000000 fd:00 3962500 /usr/local/openldap-2.4.32/var/openldap-data/__db.003 2aaac047a000-2aaac06ba000 rw-s 00000000 fd:00 3962501 /usr/local/openldap-2.4.32/var/openldap-data/__db.004 2aaac06ba000-2aaac077e000 rw-s 00000000 fd:00 3962502 /usr/local/openldap-2.4.32/var/openldap-data/__db.005 2aaac077e000-2aaac0786000 rw-s 00000000 fd:00 3962503 /usr/local/openldap-2.4.32/var/openldap-data/__db.006 2b53b42db000-2b53b42dc000 rw-p 2b53b42db000 00:00 0 2b53b42ed000-2b53b42ee000 rw-p 2b53b42ed000 00:00 0 2b53b42ee000-2b53b445a000 r-xp 00000000 fd:00 7370254 /usr/local/db-4.8.30/lib/libdb-4.8.so 2b53b445a000-2b53b465a000 ---p 0016c000 fd:00 7370254 /usr/local/db-4.8.30/lib/libdb-4.8.so 2b53b465a000-2b53b465f000 rw-p 0016c000 fd:00 7370254 /usr/local/db-4.8.30/lib/libdb-4.8.so 2b53b465f000-2b53b476f000 r-xp 00000000 fd:00 5827230 /usr/local/mysql-cluster-com-7.1.8-linux-x86_64-glibc23/lib/libmysqlclient_r.so.16.0.0 2b53b476f000-2b53b486e000 ---p 00110000 fd:00 5827230 /usr/local/mysql-cluster-com-7.1.8-linux-x86_64-glibc23/lib/libmysqlclient_r.so.16.0.0 2b53b486e000-2b53b498e000 rw-p 0010f000 fd:00 5827230 /usr/local/mysql-cluster-com-7.1.8-linux-x86_64-glibc23/lib/libmysqlclient_r.so.16.0.0 2b53b498e000-2b53b4991000 rw-p 2b53b498e000 00:00 0 2b53b4991000-2b53b4bf0000 r-xp 00000000 fd:00 5827221 /usr/local/mysql-cluster-com-7.1.8-linux-x86_64-glibc23/lib/libndbclient.so.4.0.0 2b53b4bf0000-2b53b4cef000 ---p 0025f000 fd:00 5827221 /usr/local/mysql-cluster-com-7.1.8-linux-x86_64-glibc23/lib/libndbclient.so.4.0.0 2b53b4cef000-2b53b4e23000 rw-p 0025e000 fd:00 5827221 /usr/local/mysql-cluster-com-7.1.8-linux-x86_64-glibc23/lib/libndbclient.so.4.0.0 2b53b4e23000-2b53b4e2d000 rw-p 2b53b4e23000 00:00 0 2b53b4e2d000-2b53b4e45000 r-xp 00000000 fd:00 3121387 /usr/lib64/libsasl2.so.2.0.22 2b53b4e45000-2b53b5045000 ---p 00018000 fd:00 3121387 /usr/lib64/libsasl2.so.2.0.22 2b53b5045000-2b53b5046000 rw-p 00018000 fd:00 3121387 /usr/lib64/libsasl2.so.2.0.22 2b53b5046000-2b53b5047000 rw-p 2b53b5046000 00:00 0 2b53b5047000-2b53b5054000 r-xp 00000000 fd:00 65791 /lib64/libgcc_s-4.1.2-20080825.so.1 2b53b5054000-2b53b5254000 ---p 0000d000 fd:00 65791 /lib64/libgcc_s-4.1.2-20080825.so.1 2b53b5254000-2b53b5255000 rw-p 0000d000 fd:00 65791 /lib64/libgcc_s-4.1.2-20080825.so.1 2b53b5255000-2b53b5257000 rw-p 2b53b5255000 00:00 0 2b53b5257000-2b53b526b000 r-xp 00000000 fd:00 3117678 /usr/lib64/libz.so.1.2.3 2b53b526b000-2b53b546a000 ---p 00014000 fd:00 3117678 /usr/lib64/libz.so.1.2.3 2b53b546a000-2b53b546b000 rw-p 00013000 fd:00 3117678 /usr/lib64/libz.so.1.2.3 2b53b546b000-2b53b5470000 rw-p 2b53b546b000 00:00 0 2b53b5470000-2b53b547a000 r-xp 00000000 fd:00 65499 /lib64/libnss_files-2.5.so 2b53b547a000-2b53b5679000 ---p 0000a000 fd:00 65499 /lib64/libnss_files-2.5.so 2b53b5679000-2b53b567a000 r--p 00009000 fd:00 65499 /lib64/libnss_files-2.5.so 2b53b567a000-2b53b567b000 rw-p 0000a000 fd:00 65499 /lib64/libnss_files-2.5.so 2b53b567b000-2b53b567f000 r-xp 00000000 fd:00 65497 /lib64/libnss_dns-2.5.so 2b53b567f000-2b53b587e000 ---p 00004000 fd:00 65497 /lib64/libnss_dns-2.5.so 2b53b587e000-2b53b587f000 r--p 00003000 fd:00 65497 /lib64/libnss_dns-2.5.so 2b53b587f000-2b5Aborted my slapd.conf: # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # allow bind_v2 include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/nis.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap/etc/openldap/schema/cnrldap.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. pidfile /var/run/slapd.pid argsfile /var/run/slapd.args #loglevel stats sync #loglevel -1 #loglevel trace args conns BER stats stats2 #loglevel 1 idletimeout 120 sizelimit unlimited timelimit 1800 # Load dynamic backend modules: modulepath /usr/local/openldap-2.4.21/libexec/openldap moduleload back_bdb.la moduleload accesslog.la # moduleload back_hdb.la # moduleload back_ldap.la # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # BDB database definitions ####################################################################### database ndb suffix "dc=bgctv,dc=net,dc=cn" rootdn "cn=admin,dc=bgctv,dc=net,dc=cn" rootpw ghwl directory /usr/local/openldap/var/openldap-data dbconnect 172.30.5.20:1186 dbhost 172.30.5.20 dbname bgctv dbuser bgctv dbpass ghwl_h0 dbconnections 1 overlay accesslog logdb "cn=auditlog" logops writes logold (objectclass=*) #dbconnect 172.30.5.20:1186 #dbhost 172.30.5.20 #dbname auditlog #dbuser bgctv #dbpass ghwl_h0 #dbconnections 1 access to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none access to dn.sub="ou=cm,dc=bgctv,dc=net,dc=cn" by dn="userid=cmadmin,dc=bgctv,dc=net,dc=cn" write by anonymous auth by * none access to * by dn="userid=cmadmin,dc=bgctv,dc=net,dc=cn" read by * none database bdb suffix "cn=auditlog" index reqStart eq

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs August 2012