(ITS#7355) slapd reproducible segfaults deleting memberof from cn=config
by daniel@pluta.biz
Full_Name: Daniel Pluta
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.167.95.124)
Steps to reproduce:
0.) slapd version: HEAD (git master pulled today)
1.) slapd.conf:
include /opt/openldap-acl/etc/openldap/schema/core.schema
pidfile /opt/openldap-acl/var/run/slapd.pid
argsfile /opt/openldap-acl/var/run/slapd.args
modulepath /opt/openldap-acl/libexec/openldap
moduleload memberof.la
access to *
    by self write
    by users read
    by anonymous auth
database config
rootdn "cn=Manager,cn=config"
rootpw secret
database mdb
suffix "o=test"
rootdn "cn=Manager,o=test"
rootpw secret
directory /opt/openldap-acl/var/openldap-data/test
index objectClass eq
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-dangling ignore
memberof-refint FALSE
2.) conversion to slapd.d:
/opt/openldap-acl/sbin/slaptest -f slapd.conf.acl -F slapd.d
3.) slapd start:
slapd -F slapd.d -u openldap -g openldap -l local4 -d 1 \
-h "ldap://0.0.0.0:1389/ ldapi://%2Fopt%2Fopenldap%2Fvar%2Frun%2Fldapi_acl/"
4.) delete_memberof.ldif:
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
changetype: delete
5.) ldapmodify:
cat delete_memberof.ldif | ldapmodify -x -H "ldap://localhost:1389/" \
-D "cn=Manager,cn=config" -w secret
Result:
502c9eeb slap_listener_activate(7):
502c9eeb >>> slap_listener(ldap://0.0.0.0:1389/)
502c9eeb connection_get(11): got connid=1000
502c9eeb connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
502c9eeb op tag 0x60, time 1345101547
ber_get_next
502c9eeb conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
502c9eeb >>> dnPrettyNormal: <cn=Manager,cn=config>
502c9eeb <<< dnPrettyNormal: <cn=Manager,cn=config>, <cn=manager,cn=config>
502c9eeb do_bind: version=3 dn="cn=Manager,cn=config" method=128
502c9eeb do_bind: v3 bind: "cn=Manager,cn=config" to "cn=Manager,cn=config"
502c9eeb send_ldap_result: conn=1000 op=0 p=3
502c9eeb send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 11
502c9eeb connection_get(11): got connid=1000
502c9eeb connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 56 contents:
502c9eeb op tag 0x4a, time 1345101547
ber_get_next
502c9eeb conn=1000 op=1 do_delete
ber_scanf fmt (m) ber:
502c9eeb >>> dnPrettyNormal:
<olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config>
502c9eeb <<< dnPrettyNormal:
<olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config>,
<olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config>
Segmentation fault
11 years, 3 months
Re: (ITS#7172) SEGFAULT in openldap-2.4.28 & 2.4.29
by hyc@symas.com
A fix for this is now in git master, please test. Thanks.
david.coutadeur(a)linagora.com wrote:
> Hi,
>
> I had some difficulties to reproduce it, but I have finally succeeded :
>
> [Switching to Thread 0x431e4940 (LWP 11061)]
> 0x000000000054211c in sp_avl_cmp (c1=<value optimized out>,
> c2=0xbfb5a60) at syncprov.c:378
> 378 rc = m1->mt_op->o_req_ndn.bv_len -
> m2->mt_op->o_req_ndn.bv_len;
>
>
> Thank you for the help,
>
> David Coutadeur
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 3 months
Re: (ITS#7354) segfault with delta-syncrepl MMR
by quanah@zimbra.com
--On Wednesday, August 15, 2012 7:46 PM +0000 quanah(a)OpenLDAP.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.32
> OS: Linux 2.6
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (74.196.25.250)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fd7d8b44700 (LWP 28572)]
0x00000000004c02b8 in syncrepl_op_modify (op=0x7fd7d8b43460,
rs=0x7fd7d8b42e40)
at syncrepl.c:2133
2133 if ( ml->sml_flags == SLAP_MOD_INTERNAL ) {
(gdb) print *ml
Cannot access memory at address 0x40
(gdb) print newlist
$1 = (Modifications *) 0x13a77d0
(gdb) print newlist->sml_next
$2 = (Modifications *) 0x40
(gdb) print *newlist
$3 = {sml_mod = {sm_desc = 0xf78a50, sm_values = 0x0, sm_nvalues = 0x0,
sm_numvals = 0, sm_op = 4097, sm_flags = 0, sm_type = {bv_len = 56,
bv_val = 0x312d61717a3d6e63 <Address 0x312d61717a3d6e63 out of
bounds>}}, sml_next = 0x40}
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11 years, 3 months
(ITS#7354) segfault with delta-syncrepl MMR
by quanah@OpenLDAP.org
Full_Name: Quanah Gibson-Mount
Version: 2.4.32
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (74.196.25.250)
Failed to start slapd. Attempting debug start to determine error.
502a8f8c <= mdb_index_read: failed (-30798)
502a8f8c <= mdb_index_read: failed (-30798)
res_errno: 0, res_error: <>, res_matched: <>
res_errno: 0, res_error: <>, res_matched: <>
502a8f8c <= mdb_index_read: failed (-30798)
It gives:
=> ldap_dn2bv(272)
<=
ldap_dn2bv(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com)=0
=> ldap_bv2dn(uid=zimbra,cn=admins,cn=zimbra,0)
<= ldap_bv2dn(uid=zimbra,cn=admins,cn=zimbra)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=zimbra,cn=admins,cn=zimbra)=0
=> ldap_bv2dn(uid=zimbra,cn=admins,cn=zimbra,0)
<= ldap_bv2dn(uid=zimbra,cn=admins,cn=zimbra)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=zimbra,cn=admins,cn=zimbra)=0
502a8fd2 => mdb_entry_get: ndn:
"uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com"
502a8fd2 => mdb_entry_get: oc: "(null)", at: "(null)"
=>
ldap_bv2dn(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com,0)
<=
ldap_bv2dn(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com)=0
=> ldap_dn2bv(272)
<=
ldap_dn2bv(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com)=0
=>
ldap_bv2dn(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com,0)
<=
ldap_bv2dn(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com)=0
=> ldap_dn2bv(272)
<=
ldap_dn2bv(uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com)=0
502a8fd2 mdb_idl_fetch_key:
502a8fd2 mdb_idl_fetch_key:
502a8fd2 mdb_idl_fetch_key: [98599c51]
502a8fd2 mdb_idl_fetch_key: [80000000]
502a8fd2 dnMatch -4
"uid=user?^.0987,ou=people,dc=1344964239572,dc=230,dc=domain,dc=com"
"uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com"
502a8fd2 dnMatch 7
"uid=distlist11344964239574,ou=people,dc=1344964239572,dc=230,dc=domain,dc=com"
"uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com"
502a8fd2 dnMatch 0
"uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com"
"uid=test1344964239966.231,ou=people,dc=zqa-128,dc=eng,dc=vmware,dc=com"
502a8fd2 send_ldap_result: err=0 matched="" text=""
Segmentation fault (core dumped)
(gdb) where
#0 0x00000000004c02b8 in syncrepl_op_modify (op=0x7f60e8424490,
rs=0x7f60e8423e70) at syncrepl.c:2133
#1 0x00000000004d48f4 in overlay_op_walk (op=0x7f60e8424490,
rs=0x7f60e8423e70, which=op_modify, oi=0x19deb40, on=0x19de780) at
backover.c:661
#2 0x00000000004d4bca in over_op_func (op=0x7f60e8424490, rs=0x7f60e8423e70,
which=op_modify) at backover.c:723
#3 0x00000000004d4d35 in over_op_modify (op=0x7f60e8424490, rs=0x7f60e8423e70)
at backover.c:762
#4 0x00000000004c1353 in syncrepl_message_to_op (si=0x155d340,
op=0x7f60e8424490, msg=0x1926400) at syncrepl.c:2317
#5 0x00000000004bc45f in do_syncrep2 (op=0x7f60e8424490, si=0x155d340) at
syncrepl.c:986
#6 0x00000000004be6ba in do_syncrepl (ctx=0x7f60e8424b50, arg=0x1afd860) at
syncrepl.c:1523
#7 0x00007f88efc17cc9 in ldap_int_thread_pool_wrapper (xpool=0x14b81c0) at
tpool.c:688
#8 0x00007f88ee7209ca in start_thread () from /lib/libpthread.so.0
#9 0x00007f88ee47dcdd in clone () from /lib/libc.so.6
#10 0x0000000000000000 in ?? ()
(gdb) list
2128 op->o_callback = sc;
2129 op->orm_no_opattrs = 1;
2130 mx->mx_orig = op->orm_modlist;
2131 mx->mx_free = newlist;
2132 for ( ml = newlist; ml; ml=ml->sml_next ) {
2133 if ( ml->sml_flags == SLAP_MOD_INTERNAL ) {
2134 ml->sml_flags = 0;
2135 ml->sml_op = SLAP_MOD_SOFTDEL;
2136 }
2137 else if ( ml->sml_op == LDAP_MOD_DELETE )
11 years, 3 months
Re: (ITS#7353) Handling request controls that include spurious control values
by masarati@aero.polimi.it
> mhardin(a)symas.com wrote:
>> Some clients, like Oracle SGD, incorrectly implement the password policy request
>> control by including a zero-length control value with the request control.
>> OpenLDAP reports "passwordPolicyRequest control value not absent" and fails the
>> operation with a Protocol Error (2). While this behavior follows the letter of
>> RFC 4511, the control value in this case is zero-length and therefore harmless.
>> Failing in this case seems merely punctilious, and has no real benefit. For
>> reference, OpenLDAP 2.3 allowed a zero-length control value.
>
> For the very same reason I've added a work-around in upcoming python-ldap
> 2.4.11 to handle non-decodable control response values as being absent in case
> CRITICAL flag is False. (Apache DS 2.0.0M7 also returns such an invalid
> zero-length value in password policy response control.)
>
> I'd appreciate to discuss a bit further whether that's the right approach.
> Maybe we should take this to ietf-ldapbis mailing list as interop issue?
Occasionally, we handled malformed or non-standard control values (I
recall something about the many versions of the proxiedAuthz control).
Our usual policy was to be "tolerant" about what comes in, possibly by
requiring an explicit configuration statement to enable "tolerance"
(usually, an admin knows when his system works in a broken environment,
and wants to be able to decide whether being tolerant or not). So I
favour allowing the administrator to explicitly enable tolerance with
respect to malformed controls (my 2c).
p.
11 years, 3 months
Re: (ITS#7353) Handling request controls that include spurious control values
by michael@stroeder.com
mhardin(a)symas.com wrote:
> Some clients, like Oracle SGD, incorrectly implement the password policy request
> control by including a zero-length control value with the request control.
> OpenLDAP reports "passwordPolicyRequest control value not absent" and fails the
> operation with a Protocol Error (2). While this behavior follows the letter of
> RFC 4511, the control value in this case is zero-length and therefore harmless.
> Failing in this case seems merely punctilious, and has no real benefit. For
> reference, OpenLDAP 2.3 allowed a zero-length control value.
For the very same reason I've added a work-around in upcoming python-ldap
2.4.11 to handle non-decodable control response values as being absent in case
CRITICAL flag is False. (Apache DS 2.0.0M7 also returns such an invalid
zero-length value in password policy response control.)
I'd appreciate to discuss a bit further whether that's the right approach.
Maybe we should take this to ietf-ldapbis mailing list as interop issue?
Ciao, Michael.
11 years, 3 months
(ITS#7353) Handling request controls that include spurious control values
by mhardin@symas.com
Full_Name: Matthew Hardin
Version: 2.4.32
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (69.43.206.100)
Some clients, like Oracle SGD, incorrectly implement the password policy request
control by including a zero-length control value with the request control.
OpenLDAP reports "passwordPolicyRequest control value not absent" and fails the
operation with a Protocol Error (2). While this behavior follows the letter of
RFC 4511, the control value in this case is zero-length and therefore harmless.
Failing in this case seems merely punctilious, and has no real benefit. For
reference, OpenLDAP 2.3 allowed a zero-length control value.
While I don't believe it's acceptable for clients to present malformed controls,
I do think it's sufficient, at least in this case, to log a warning and continue
processing the request.
For reference, the BER dump below shows the bind request containing the
incorrectly-formatted password policy request control as well as the various
stages of parsing. The request in this case comes from Oracle SGD 4.62.913.
ber_get_next: tag 0x30 len 89 contents:
ber_dump: buf=101fd8f00 ptr=101fd8f00 end=101fd8f59 len=89
0000: 02 01 01 60 33 02 01 03 04 27 63 6e 3d 70 70 6f ...`3....'cn=ppo
0010: 6c 69 63 79 74 73 74 2c 6f 75 3d 50 6f 6c 69 63 licytst,ou=Polic
0020: 69 65 73 2c 64 63 3d 76 73 6f 2c 64 63 3d 63 6f ies,dc=vso,dc=co
0030: 6d 80 05 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e m..aaaaa..0...1.
0040: 33 2e 36 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 3.6.1.4.1.42.2.2
0050: 37 2e 38 2e 35 2e 31 04 00 7.8.5.1..
502a936b op tag 0x60, time 1344967531
ber_get_next
502a936b conn=1001 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f03 end=101fd8f59 len=86
0000: 60 33 02 01 03 04 27 63 6e 3d 70 70 6f 6c 69 63 `3....'cn=ppolic
0010: 79 74 73 74 2c 6f 75 3d 50 6f 6c 69 63 69 65 73 ytst,ou=Policies
0020: 2c 64 63 3d 76 73 6f 2c 64 63 3d 63 6f 6d 80 05 ,dc=vso,dc=com..
0030: 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e 33 2e 36 aaaaa..0...1.3.6
0040: 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 2e 38 .1.4.1.42.2.27.8
0050: 2e 35 2e 31 04 00 .5.1..
ber_scanf fmt (m}) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f31 end=101fd8f59 len=40
0000: 00 05 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e 33 ..aaaaa..0...1.3
0010: 2e 36 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 .6.1.4.1.42.2.27
0020: 2e 38 2e 35 2e 31 04 00 .8.5.1..
502a936b => get_ctrls
ber_scanf fmt ({m) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f3a end=101fd8f59 len=31
0000: 30 1d 04 19 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 0...1.3.6.1.4.1.
0010: 34 32 2e 32 2e 32 37 2e 38 2e 35 2e 31 04 00 42.2.27.8.5.1..
ber_scanf fmt (m) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f57 end=101fd8f59 len=2
0000: 00 00 ..
502a936b => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical)
502a936b <= get_ctrls: n=1 rc=2 err="passwordPolicyRequest control value not absent"
502a936b send_ldap_result: conn=1001 op=0 p=3
502a936b send_ldap_response: msgid=1 tag=97 err=2
As an aside, the error text left me scratching my head and reading the source
code to figure out what was meant. Each of the other request control handlers
that doesn't require/allow a control value has a similar message. Could we
change these messages to:
{Warning|Error}: Spurious <control name here> control value found in request.
Comments?
11 years, 3 months
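The distinction this thread turns on (controlValue absent, present but zero-length, or present with content), as an added example that is not OpenLDAP's code and not part of the original posts: a small BER walker run over the Controls bytes from the dump above. All names are hypothetical, the `tolerant` argument stands in for the explicit configuration switch suggested in the reply (no real slapd directive is implied), and the two extra byte strings are constructed variants of the captured one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PPOLICY_OID "1.3.6.1.4.1.42.2.27.8.5.1" /* controlType from the trace */

/* Controls element as it appears in the BER dump: the Control ends "04 00". */
static const unsigned char ctrls_empty_value[] =
    "\xa0\x1f\x30\x1d\x04\x19" PPOLICY_OID "\x04\x00";
/* Constructed variants: controlValue absent, and a one-byte controlValue. */
static const unsigned char ctrls_no_value[] =
    "\xa0\x1d\x30\x1b\x04\x19" PPOLICY_OID;
static const unsigned char ctrls_real_value[] =
    "\xa0\x20\x30\x1e\x04\x19" PPOLICY_OID "\x04\x01\x2a";

enum ctrl_verdict {
    CTRL_OK,             /* controlValue absent, as the control requires */
    CTRL_OK_TOLERATED,   /* zero-length controlValue accepted, warning due */
    CTRL_PROTOCOL_ERROR, /* reject with LDAP protocolError (2) */
    CTRL_MALFORMED,      /* the BER itself does not parse */
    CTRL_NOT_FOUND       /* no control with the requested OID */
};

struct tlv { unsigned char tag; size_t len; const unsigned char *val; };

/* Read one definite-length BER TLV from [*p, end); 0 on success, -1 on error. */
static int ber_next(const unsigned char **p, const unsigned char *end,
                    struct tlv *out)
{
    const unsigned char *q = *p;
    size_t len, n;

    if (end - q < 2) return -1;
    out->tag = *q++;
    len = *q++;
    if (len & 0x80) {                       /* long form: n length bytes follow */
        n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - q) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return -1; /* value would run past the buffer */
    out->len = len;
    out->val = q;
    *p = q + len;
    return 0;
}

/* Judge a control that must not carry a value (hypothetical helper).
 * buf/n: a Controls element ([0], tag 0xa0); oid: dotted controlType;
 * tolerant: non-zero to accept a zero-length controlValue. */
enum ctrl_verdict check_valueless_control(const unsigned char *buf, size_t n,
                                          const char *oid, int tolerant)
{
    const unsigned char *p = buf, *end = buf + n;
    struct tlv ctrls, ctrl, f;

    if (ber_next(&p, end, &ctrls) || ctrls.tag != 0xa0) return CTRL_MALFORMED;
    p = ctrls.val;
    end = ctrls.val + ctrls.len;
    while (p < end) {
        const unsigned char *cp, *cend;
        int match, has_value = 0;
        size_t value_len = 0;

        if (ber_next(&p, end, &ctrl) || ctrl.tag != 0x30) return CTRL_MALFORMED;
        cp = ctrl.val;
        cend = ctrl.val + ctrl.len;
        /* controlType: OCTET STRING holding the dotted OID */
        if (ber_next(&cp, cend, &f) || f.tag != 0x04) return CTRL_MALFORMED;
        match = f.len == strlen(oid) && memcmp(f.val, oid, f.len) == 0;
        /* criticality: BOOLEAN DEFAULT FALSE, may be omitted */
        if (cp < cend && *cp == 0x01 && ber_next(&cp, cend, &f))
            return CTRL_MALFORMED;
        /* controlValue: OCTET STRING OPTIONAL, must be the last field */
        if (cp < cend) {
            if (ber_next(&cp, cend, &f) || f.tag != 0x04 || cp != cend)
                return CTRL_MALFORMED;
            has_value = 1;
            value_len = f.len;
        }
        if (!match) continue;
        if (!has_value) return CTRL_OK;
        /* Only the empty value is ever tolerated; real content is rejected. */
        if (value_len == 0 && tolerant) return CTRL_OK_TOLERATED;
        return CTRL_PROTOCOL_ERROR;
    }
    return CTRL_NOT_FOUND;
}

int main(void)
{
    printf("dump, strict:    %d\n", check_valueless_control(
        ctrls_empty_value, sizeof ctrls_empty_value - 1, PPOLICY_OID, 0));
    printf("dump, tolerant:  %d\n", check_valueless_control(
        ctrls_empty_value, sizeof ctrls_empty_value - 1, PPOLICY_OID, 1));
    printf("value absent:    %d\n", check_valueless_control(
        ctrls_no_value, sizeof ctrls_no_value - 1, PPOLICY_OID, 0));
    printf("real value:      %d\n", check_valueless_control(
        ctrls_real_value, sizeof ctrls_real_value - 1, PPOLICY_OID, 1));
    return 0;
}
```

The strict result for the captured bytes corresponds to the err=2 response in the trace; tolerance is limited to the zero-length case, so a control value with actual content is still rejected.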
(ITS#7352) openldap not supporting CAMELLIA ciphers
by goodgoingswati@gmail.com
Full_Name: Swati
Version: 2.4.32
OS: RHEL5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (115.113.153.34)
openldap is not supporting CAMELLIA based ciphers (both RSA and DSA based).
I have configured SSL LDAP (LDAPS) and on checking SSL connection with LDAPS
server with CAMELLIA based cipher leads to failure in handshake:
openssl s_client -connect localhost:636 -showcerts \
-cipher DHE-DSS-CAMELLIA256-SHA -state -CAfile /path_to_cert \
-cert /path_to_client_cert -key /path_to_client_key
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
47726707455072:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:741:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 102 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
Handshake is failing with all camellia ciphers.
11 years, 4 months
(ITS#7351) can not start slapd when enable accesslog relay
by bashift@gmail.com
Full_Name: ChenShuJun
Version: 2.4.32
OS: RHEL5.5(2.6.18-194.el5)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (218.246.127.3)
[root@LDAP_LAB_A openldap]# slapd -d 1
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /usr/local/openldap-2.4.32/etc/openldap/ldap.conf
ldap_init: using /usr/local/openldap-2.4.32/etc/openldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
502475bb @(#) $OpenLDAP: slapd 2.4.32 (Aug 8 2012 14:19:37) $
root@LDAP_LAB_A.bgctv.net.cn:/root/openldap-2.4.32/servers/slapd
ldap_pvt_gethostbyname_a: host=LDAP_LAB_A.bgctv.net.cn, r=11
502475bb daemon_init: listen on ldap:///
502475bb daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
502475bb daemon: listener initialized ldap:///
502475bb daemon_init: 1 listeners opened
ldap_create
502475bb slapd init: initiated server.
502475bb slap_sasl_init: initialized!
502475bb bdb_back_initialize: initialize BDB backend
502475bb bdb_back_initialize: Berkeley DB 4.8.30: (April 9, 2010)
502475bb hdb_back_initialize: initialize HDB backend
502475bb hdb_back_initialize: Berkeley DB 4.8.30: (April 9, 2010)
502475bb mdb_back_initialize: initialize MDB backend
502475bb mdb_back_initialize: MDB 0.9.0: ("September 1, 2011")
502475bb ndb_back_initialize: initialize ndb backend
502475bb null_back_initialize: initialize null backend
502475bb perl backend open
502475bb ==> translucent_initialize
502475bb ndb_db_init: Initializing ndb database
502475bb >>> dnPrettyNormal: <dc=bgctv,dc=net,dc=cn>
502475bb <<< dnPrettyNormal: <dc=bgctv,dc=net,dc=cn>, <dc=bgctv,dc=net,dc=cn>
502475bb >>> dnPrettyNormal: <cn=admin,dc=bgctv,dc=net,dc=cn>
502475bb <<< dnPrettyNormal: <cn=admin,dc=bgctv,dc=net,dc=cn>,
<cn=admin,dc=bgctv,dc=net,dc=cn>
502475bb >>> dnPrettyNormal: <cn=auditlog>
502475bb <<< dnPrettyNormal: <cn=auditlog>, <cn=auditlog>
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
502475bb >>> dnNormalize: <ou=cm,dc=bgctv,dc=net,dc=cn>
502475bb <<< dnNormalize: <ou=cm,dc=bgctv,dc=net,dc=cn>
502475bb >>> dnNormalize: <userid=cmadmin,dc=bgctv,dc=net,dc=cn>
502475bb <<< dnNormalize: <uid=cmadmin,dc=bgctv,dc=net,dc=cn>
502475bb >>> dnNormalize: <userid=cmadmin,dc=bgctv,dc=net,dc=cn>
502475bb <<< dnNormalize: <uid=cmadmin,dc=bgctv,dc=net,dc=cn>
502475bb bdb_db_init: Initializing BDB database
502475bb >>> dnPrettyNormal: <cn=auditlog>
502475bb <<< dnPrettyNormal: <cn=auditlog>, <cn=auditlog>
502475bb >>> dnPrettyNormal: <cn=admin,cn=auditlog>
502475bb <<< dnPrettyNormal: <cn=admin,cn=auditlog>, <cn=admin,cn=auditlog>
502475bb >>> dnNormalize: <cn=Subschema>
502475bb <<< dnNormalize: <cn=subschema>
502475bb matching_rule_use_init
502475bb 2.5.13.5 (caseExactMatch): 502475bb matchingRuleUse: ( 2.5.13.5
NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile
$ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $
olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $
olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $
olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $
olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $
olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $
olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $
olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $
olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $
olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $
olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $
olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $
olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $
olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $
olcDbLockDetect $ olcDbMode $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $
olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $
olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $
olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $
olcDbIDAssertPassThru $ olcChainingBehavior $ olcDbHost $ olcDbName $ olcDbUser
$ olcDbPass $ olcDbSocket $ olcDbConnect $ olcNdbAttrLen $ olcNdbAttrSet $
olcNdbAttrBlob $ olcPasswdFile $ olcPerlModule $ olcPerlModulePath $
olcPerlModuleConfig $ olcShellBind $ olcShellUnbind $ olcShellSearch $
olcShellCompare $ olcShellModify $ olcShellModRDN $ olcShellAdd $ olcShellDelete
$ olcOvSocketOps $ olcOvSocketResps $ olcDbSocketPath $ olcDbSocketExtensions $
olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $
olcAccessLogBase $ olcAuditlogFile $ olcCollectInfo $ olcConstraintAttribute $
olcDDSmaxTtl $ olcDDSminTtl $ olcDDSdefaultTtl $ olcDDSinterval $
olcDDStolerance $ olcDGAttrPair $ olcDlAttrSet $ olcMemberOfDangling $
olcMemberOfGroupOC $ olcMemberOfMemberAD $ olcMemberOfMemberOfAD $
olcMemberOfDanglingError $ olcPcache $ olcPcacheAttrset $ olcPcacheTemplate $
olcPcachePosition $ olcPcacheBind $ olcRefintAttribute $ olcRetcodeItem $
olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $
olcTranslucentLocal $ olcTranslucentRemote $ olcUniqueIgnore $
olcUniqueAttribute $ olcUniqueURI $ olcValSortAttr $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $
givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $
dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $
userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $
documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus
$ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense
$ departmentNumber $ displayName $ employeeNumber $ employeeType $
preferredLanguage $ cmmac $ cmipadd $ servicelevel $ startdate $ enddate $ cmuid
$ cmext1 $ cmext2 $ cmext3 $ cmext4 $ cmext5 $ cmext6 $ cmext7 $ cmext8 $ cmext9
) )
502475bc 2.5.13.4 (caseIgnoreSubstringsMatch): 502475bc matchingRuleUse: (
2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $
destinationIndicator $ dnQualifier ) )
502475bc 2.5.13.3 (caseIgnoreOrderingMatch): 502475bc matchingRuleUse: (
2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( supportedSASLMechanisms $
vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $
olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $
olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $
olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $
olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash
$ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $
olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $
olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $
olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $
olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $
olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $
olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $
olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $
olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize
$ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbURI $ olcDbStartTLS $
olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $
olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $
olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $
olcDbQuarantine $ olcDbIDAssertPassThru $ olcChainingBehavior $ olcDbHost $
olcDbName $ olcDbUser $ olcDbPass $ olcDbSocket $ olcDbConnect $ olcNdbAttrLen $
olcNdbAttrSet $ olcNdbAttrBlob $ olcPasswdFile $ olcPerlModule $
olcPerlModulePath $ olcPerlModuleConfig $ olcShellBind $ olcShellUnbind $
olcShellSearch $ olcShellCompare $ olcShellModify $ olcShellModRDN $ olcShellAdd
$ olcShellDelete $ olcOvSocketOps $ olcOvSocketResps $ olcDbSocketPath $
olcDbSocketExtensions $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $
olcAccessLogOldAttr $ olcAccessLogBase $ olcAuditlogFile $ olcCollectInfo $
olcConstraintAttribute $ olcDDSmaxTtl $ olcDDSminTtl $ olcDDSdefaultTtl $
olcDDSinterval $ olcDDStolerance $ olcDGAttrPair $ olcDlAttrSet $
olcMemberOfDangling $ olcMemberOfGroupOC $ olcMemberOfMemberAD $
olcMemberOfMemberOfAD $ olcMemberOfDanglingError $ olcPcache $ olcPcacheAttrset
$ olcPcacheTemplate $ olcPcachePosition $ olcPcacheBind $ olcRefintAttribute $
olcRetcodeItem $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $
olcTranslucentLocal $ olcTranslucentRemote $ olcUniqueIgnore $
olcUniqueAttribute $ olcUniqueURI $ olcValSortAttr $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $
givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $
dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $
userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $
documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus
$ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense
$ departmentNumber $ displayName $ employeeNumber $ employeeType $
preferredLanguage $ cmmac $ cmipadd $ servicelevel $ startdate $ enddate $ cmuid
$ cmext1 $ cmext2 $ cmext3 $ cmext4 $ cmext5 $ cmext6 $ cmext7 $ cmext8 $ cmext9
) )
502475bc 2.5.13.2 (caseIgnoreMatch): 502475bc matchingRuleUse: ( 2.5.13.2
NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile
$ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $
olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $
olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $
olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $
olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $
olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $
olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $
olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $
olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $
olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $
olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $
olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $
olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $
olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $
olcDbLockDetect $ olcDbMode $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $
olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $
olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $
olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $
olcDbIDAssertPassThru $ olcChainingBehavior $ olcDbHost $ olcDbName $ olcDbUser
$ olcDbPass $ olcDbSocket $ olcDbConnect $ olcNdbAttrLen $ olcNdbAttrSet $
olcNdbAttrBlob $ olcPasswdFile $ olcPerlModule $ olcPerlModulePath $
olcPerlModuleConfig $ olcShellBind $ olcShellUnbind $ olcShellSearch $
olcShellCompare $ olcShellModify $ olcShellModRDN $ olcShellAdd $ olcShellDelete
$ olcOvSocketOps $ olcOvSocketResps $ olcDbSocketPath $ olcDbSocketExtensions $
olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $
olcAccessLogBase $ olcAuditlogFile $ olcCollectInfo $ olcConstraintAttribute $
olcDDSmaxTtl $ olcDDSminTtl $ olcDDSdefaultTtl $ olcDDSinterval $
olcDDStolerance $ olcDGAttrPair $ olcDlAttrSet $ olcMemberOfDangling $
olcMemberOfGroupOC $ olcMemberOfMemberAD $ olcMemberOfMemberOfAD $
olcMemberOfDanglingError $ olcPcache $ olcPcacheAttrset $ olcPcacheTemplate $
olcPcachePosition $ olcPcacheBind $ olcRefintAttribute $ olcRetcodeItem $
olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $
olcTranslucentLocal $ olcTranslucentRemote $ olcUniqueIgnore $
olcUniqueAttribute $ olcUniqueURI $ olcValSortAttr $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $
givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $
dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $
userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $
documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus
$ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense
$ departmentNumber $ displayName $ employeeNumber $ employeeType $
preferredLanguage $ cmmac $ cmipadd $ servicelevel $ startdate $ enddate $ cmuid
$ cmext1 $ cmext2 $ cmext3 $ cmext4 $ cmext5 $ cmext6 $ cmext7 $ cmext8 $ cmext9
) )
502475bc 1.2.36.79672281.1.13.3 (rdnMatch): 502475bc 2.5.13.1
(distinguishedNameMatch): 502475bc matchingRuleUse: ( 2.5.13.1 NAME
'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $
subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $
dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN
$ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcDbACLAuthcDn $ olcDbIDAssertAuthcDn
$ olcRelay $ olcAccessLogDB $ memberOf $ olcMemberOfDN $ pwdPolicySubentry $
olcPPolicyDefault $ olcRefintNothing $ olcRefintModifiersName $ olcRetcodeParent
$ olcUniqueBase $ member $ owner $ roleOccupant $ manager $ documentAuthor $
secretary $ associatedName $ dITRedirect ) )
502475bc 2.5.13.0 (objectIdentifierMatch): 502475bc matchingRuleUse: (
2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $
supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
502475bc slapd startup: initiated.
502475bc backend_startup_one: starting "cn=config"
502475bc config_back_db_open
502475bc config_build_entry: "cn=config"
502475bc config_build_entry: "cn=schema"
502475bc >>> dnNormalize: <cn={0}core>
502475bc <<< dnNormalize: <cn={0}core>
502475bc config_build_entry: "cn={0}core"
502475bc >>> dnNormalize: <cn={1}cosine>
502475bc <<< dnNormalize: <cn={1}cosine>
502475bc config_build_entry: "cn={1}cosine"
502475bc >>> dnNormalize: <cn={2}nis>
502475bc <<< dnNormalize: <cn={2}nis>
502475bc config_build_entry: "cn={2}nis"
502475bc >>> dnNormalize: <cn={3}inetorgperson>
502475bc <<< dnNormalize: <cn={3}inetorgperson>
502475bc config_build_entry: "cn={3}inetorgperson"
502475bc >>> dnNormalize: <cn={4}cnrldap>
502475bc <<< dnNormalize: <cn={4}cnrldap>
502475bc config_build_entry: "cn={4}cnrldap"
502475bc config_build_entry: "olcDatabase={-1}frontend"
502475bc config_build_entry: "olcDatabase={0}config"
502475bc config_build_entry: "olcDatabase={1}ndb"
502475bc config_build_entry: "olcOverlay={0}accesslog"
502475bc config_build_entry: "olcDatabase={2}bdb"
502475bc backend_startup_one: starting "dc=bgctv,dc=net,dc=cn"
502475bc backend_startup_one: starting "cn=auditlog"
502475bc bdb_db_open: database "cn=auditlog": unclean shutdown detected;
attempting recovery.
502475bc bdb_db_open: warning - no DB_CONFIG file found in directory
/usr/local/openldap-2.4.32/var/openldap-data: (14).
Expect poor performance for suffix "cn=auditlog".
502475bc bdb_db_open: database "cn=auditlog":
dbenv_open(/usr/local/openldap-2.4.32/var/openldap-data).
502475bc bdb_monitor_db_open: monitoring disabled; configure monitor database to
enable
502475bc slapd starting
502475bc bdb_dn2entry("cn=auditlog")
502475bc => bdb_dn2id("cn=auditlog")
502475bc <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found
(-30988)
502475bc >>> dnNormalize: <cn=admin,dc=bgctv,dc=net,dc=cn>
502475bc <<< dnNormalize: <cn=admin,dc=bgctv,dc=net,dc=cn>
502475bc >>> dnNormalize: <cn=admin,dc=bgctv,dc=net,dc=cn>
502475bc <<< dnNormalize: <cn=admin,dc=bgctv,dc=net,dc=cn>
*** glibc detected *** slapd: free(): invalid pointer: 0x0000000001d68f28 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3f8207230f]
/lib64/libc.so.6(cfree+0x4b)[0x3f8207276b]
slapd(ber_memfree_x+0x33)[0x67a01f]
slapd(ber_bvarray_free_x+0x5a)[0x67aca0]
slapd(ber_bvarray_free+0x1a)[0x67acd3]
slapd(ndb_entry_get+0x1fa)[0x54d24e]
slapd(overlay_entry_get_ov+0x201)[0x4d9286]
slapd[0x4d9360]
slapd(be_entry_get_rw+0x93)[0x45ddca]
slapd[0x5d4687]
slapd[0x63f2d5]
/lib64/libpthread.so.0[0x3f82c0673d]
/lib64/libc.so.6(clone+0x6d)[0x3f820d3d1d]
======= Memory map: ========
Aborted
My slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
allow bind_v2
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/cnrldap.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
#loglevel stats sync
#loglevel -1
#loglevel trace args conns BER stats stats2
#loglevel 1
idletimeout 120
sizelimit unlimited
timelimit 1800
# Load dynamic backend modules:
modulepath /usr/local/openldap-2.4.21/libexec/openldap
moduleload back_bdb.la
moduleload accesslog.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database ndb
suffix "dc=bgctv,dc=net,dc=cn"
rootdn "cn=admin,dc=bgctv,dc=net,dc=cn"
rootpw ghwl
directory /usr/local/openldap/var/openldap-data
dbconnect 172.30.5.20:1186
dbhost 172.30.5.20
dbname bgctv
dbuser bgctv
dbpass ghwl_h0
dbconnections 1
overlay accesslog
logdb "cn=auditlog"
logops writes
logold (objectclass=*)
#dbconnect 172.30.5.20:1186
#dbhost 172.30.5.20
#dbname auditlog
#dbuser bgctv
#dbpass ghwl_h0
#dbconnections 1
access to attrs=userPassword,shadowLastChange
by anonymous auth
by self write
by * none
access to dn.sub="ou=cm,dc=bgctv,dc=net,dc=cn"
by dn="userid=cmadmin,dc=bgctv,dc=net,dc=cn" write
by anonymous auth
by * none
access to *
by dn="userid=cmadmin,dc=bgctv,dc=net,dc=cn" read
by * none
database bdb
suffix "cn=auditlog"
index reqStart eq