openldap-bugs March 2014

openldap-bugs@openldap.org

23 participants
63 discussions

(ITS#7820) slapo-constraint falsely allows add with count 1
by michael＠stroeder.com 15 Mar '14

15 Mar '14

Full_Name: Version: 2.4.39 OS: not relevant URL: Submission from: (NULL) (79.219.107.130) Not sure whether this is a regression caused by the fix for ITS#7773. Given this constraint: constraint_attribute uid count 1 restrict="ldap:///ou=example??sub?(objectClass=account)" One can still add two 'uid' values when sending an add request like this: dn: uid=test1,ou=example changetype: add objectClass: account uid: test2 [..] Generally I don't like this magic of accepting both attribute values from DN and entry. :-/

1 0

Re: (ITS#7673) rwm and bad ACL evaluation
by hyc＠symas.com 15 Mar '14

15 Mar '14

michael(a)stroeder.com wrote: > This is a cryptographically signed message in MIME format. Is it really necessary to sign your emails to the ITS? The PKCS7 signature is longer than the message text. > --------------ms020400000305090906010704 > Content-Type: text/plain; charset=ISO-8859-1 > Content-Transfer-Encoding: quoted-printable > > Mosemann, Russell wrote: >>> Did you already try with this? >>> >>> rwm-drop-unrequested-attrs no >> =20 >> If you look through the messages >> (http://www.openldap.org/its/index.cgi?findid=3D7673), you will see tha= > t the >> same suggestion was made by Pierangelo Masarati 6 months ago in followu= > p 5. >> My response in followup 6 was that it doesn't work. A quick test indica= > tes >> that it still does not work in 2.4.39. > > I had a similar issue myself before: > > http://www.openldap.org/its/index.cgi?findid=3D7495 > > Using extra_attrs as suggested by Hallvard gave seg fault as result. > Did not investigate it further though. > > Using slapo-rwm is a pain. One will hit many seg faults. There are quite a few open bug reports against slapo-rwm. Patches welcome. > > Ciao, Michael. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7673) rwm and bad ACL evaluation
by michael＠stroeder.com 15 Mar '14

15 Mar '14

This is a cryptographically signed message in MIME format. --------------ms020400000305090906010704 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Mosemann, Russell wrote: >> Did you already try with this? >> >> rwm-drop-unrequested-attrs no >=20 > If you look through the messages > (http://www.openldap.org/its/index.cgi?findid=3D7673), you will see tha= t the > same suggestion was made by Pierangelo Masarati 6 months ago in followu= p 5. > My response in followup 6 was that it doesn't work. A quick test indica= tes > that it still does not work in 2.4.39. I had a similar issue myself before: http://www.openldap.org/its/index.cgi?findid=3D7495 Using extra_attrs as suggested by Hallvard gave seg fault as result. Did not investigate it further though. Using slapo-rwm is a pain. One will hit many seg faults. Ciao, Michael. --------------ms020400000305090906010704 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIFfzCC BXswggNjoAMCAQICAwxOfTANBgkqhkiG9w0BAQUFADB5MRAwDgYDVQQKEwdSb290IENBMR4w HAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmlu ZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0xMjEw MDIyMDE3MDlaFw0xNDEwMDIyMDE3MDlaMD8xGDAWBgNVBAMUD01pY2hhZWwgU3Ry9mRlcjEj MCEGCSqGSIb3DQEJARYUbWljaGFlbEBzdHJvZWRlci5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDo2SKth5GhtaDrCyfGtyUG+/hAAa/J52L0NFN4SSRvTtdGf9HfWwwd NCtgae0TVGWk2lKDbXA9d5vmyIiRhuwxd90H6FLErhRBeB9G67qtw87E8WUoXt2DwPQEUTWV hqHpPadlmgFw3+i3TGQQTe3O3W9MMMd4GJNhObem2VGRuCD37OXnzBksTcq0FPJgcWAhe3d/ 0ItOkNWBqgq8Mf3p7WFBhaQ0a27BC/mKtH8fI3kPcS305imPRja69Msq3EwUZBc9ToVp6FRQ NYKjfOBybDUzVkmRZl3H8xutQP2w8Zxb8m5f7Q1BfLLrIFScfYvIDgOERxTCd4lab8+/09XH AgMBAAGjggFEMIIBQDAMBgNVHRMBAf8EAjAAMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91 ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuQ0Fj ZXJ0Lm9yZzAOBgNVHQ8BAf8EBAMCA6gwQAYDVR0lBDkwNwYIKwYBBQUHAwQGCCsGAQUFBwMC BgorBgEEAYI3CgMEBgorBgEEAYI3CgMDBglghkgBhvhCBAEwMgYIKwYBBQUHAQEEJjAkMCIG CCsGAQUFBzABhhZodHRwOi8vb2NzcC5jYWNlcnQub3JnMDEGA1UdHwQqMCgwJqAkoCKGIGh0 dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9yZXZva2UuY3JsMB8GA1UdEQQYMBaBFG1pY2hhZWxAc3Ry b2VkZXIuY29tMA0GCSqGSIb3DQEBBQUAA4ICAQC9ouXq3p/bDWMM4tBKgD3tl4HY5H0eECl8 q9/nqk0UL6YeWkrCiQdrDtNPW7DcGqNYtzdgtzmyTr1GhiAX+igrOjdk/ge5NRcQOpONK/4b zrmpQEcIUyxSSDKLWh211/kcFfxxLEiJ5teF4GL8Fc1qbrLP4+DCvJXWfYaaR5NLjZMqm2VP yKTv3qpXWnGohiRkGTwS/11QM2XCfIGdRsQT9a8mO4m2fn2tGPp2TEIoCLrDDrbGVeDWaOWB OIeTrp4wa3Q4OI6yCptJhEqKvjhV96IBRYgM76nTBqsqnDzwxExAyhhWiUS5DunRHOr/+NyF pUpD4883RBLO0g9kUEGOhtZNF1u+8zEL0YgMGvifAom9JEklLOXZuqj0MThypKs/3d/OyOQb 4gURnu6oZwcKZ7LskytWnlRKUxF6o0A8grtmyKkqe14TS7cQbg0NTaIYXPkHR+dfFmb3uEqn BBjvpJXFcEtWI2lQXC/ET+au991pK797ExBOmpQwjIn3SjiW80vw/UoL6DMvqY/6JhVhyNTP MJ2W5AX5kc27DIbVtVGZs8J4AYhuNALJUq9N9Ka7rPRj3RcYDrfehDLOkM5iMnarpmtuOpLK d1SvZhqj/0N/JWGIDpPSTkTFOPP6ZN9I9Rqyf+9NGqb2sjo4DkIiZcHxt735/GJLwus5KLBl 2DGCA6EwggOdAgEBMIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93 d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8G CSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnAgMMTn0wCQYFKw4DAhoFAKCCAfUwGAYJ KoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQwMzE1MTEwMDAyWjAj BgkqhkiG9w0BCQQxFgQUUSa2ArlMv5dRmzJlQRq5PcrRHkUwbAYJKoZIhvcNAQkPMV8wXTAL BglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBkQYJKwYBBAGCNxAEMYGD MIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9y ZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS c3VwcG9ydEBjYWNlcnQub3JnAgMMTn0wgZMGCyqGSIb3DQEJEAILMYGDoIGAMHkxEDAOBgNV BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNl cnQub3JnAgMMTn0wDQYJKoZIhvcNAQEBBQAEggEAvyDf1DHX6lO5GY/rJUE8fG+SMoafXeCK H7gMAa2TDdkjvgjPDrfVSXHu+c0SGwayuluYm+A1NLPrJ0yuDD056fBFEBle/2mf6iD/AUC4 WqoLNLNtNAXomiyHoztxopV83jzbbA4xCHMvPr9PRtbtrr+uTmZGjOcxuEBj+0K+nUM4xFAU OFWve6ySjrFpGj/7JfTkgMq2hqlkmLn6v9VgqqldkY5lEEKDbS3pFPyi+cTpB8EGh5uANGv9 q2ga1fkbkSBrMHEntQdvdT/puvVPZPJxgtL7ooTIXvmCQVMGnUEtOylUgYpCpCUHq3LXJ7dE DM2tyDJ3+1IRihV81j/h0AAAAAAAAA== --------------ms020400000305090906010704--

1 0

RE: (ITS#7673) rwm and bad ACL evaluation
by Russell.Mosemann＠cune.edu 15 Mar '14

15 Mar '14

> Did you already try with this? > > rwm-drop-unrequested-attrs no If you look through the messages (http://www.openldap.org/its/index.cgi?findid=7673), you will see that the same suggestion was made by Pierangelo Masarati 6 months ago in followup 5. My response in followup 6 was that it doesn't work. A quick test indicates that it still does not work in 2.4.39. -- Russell Mosemann, Ph.D. Professor of Computer Science

1 0

Re: (ITS#7673) rwm and bad ACL evaluation
by michael＠stroeder.com 15 Mar '14

15 Mar '14

This is a cryptographically signed message in MIME format. --------------ms000109040804090309020609 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Russell.Mosemann(a)cune.edu wrote: > simply referencing rwm >=20 > overlay rwm >=20 > returns no search results at all, if an attribute is specified for the > search. Specifying no attributes returns all of the allowed attributes.= > Commenting the line above permits the specified attribute to be returne= d, > as expected. Did you already try with this? rwm-drop-unrequested-attrs no Ciao, Michael. --------------ms000109040804090309020609 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIFfzCC BXswggNjoAMCAQICAwxOfTANBgkqhkiG9w0BAQUFADB5MRAwDgYDVQQKEwdSb290IENBMR4w HAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmlu ZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0xMjEw MDIyMDE3MDlaFw0xNDEwMDIyMDE3MDlaMD8xGDAWBgNVBAMUD01pY2hhZWwgU3Ry9mRlcjEj MCEGCSqGSIb3DQEJARYUbWljaGFlbEBzdHJvZWRlci5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDo2SKth5GhtaDrCyfGtyUG+/hAAa/J52L0NFN4SSRvTtdGf9HfWwwd NCtgae0TVGWk2lKDbXA9d5vmyIiRhuwxd90H6FLErhRBeB9G67qtw87E8WUoXt2DwPQEUTWV hqHpPadlmgFw3+i3TGQQTe3O3W9MMMd4GJNhObem2VGRuCD37OXnzBksTcq0FPJgcWAhe3d/ 0ItOkNWBqgq8Mf3p7WFBhaQ0a27BC/mKtH8fI3kPcS305imPRja69Msq3EwUZBc9ToVp6FRQ NYKjfOBybDUzVkmRZl3H8xutQP2w8Zxb8m5f7Q1BfLLrIFScfYvIDgOERxTCd4lab8+/09XH AgMBAAGjggFEMIIBQDAMBgNVHRMBAf8EAjAAMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91 ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuQ0Fj ZXJ0Lm9yZzAOBgNVHQ8BAf8EBAMCA6gwQAYDVR0lBDkwNwYIKwYBBQUHAwQGCCsGAQUFBwMC BgorBgEEAYI3CgMEBgorBgEEAYI3CgMDBglghkgBhvhCBAEwMgYIKwYBBQUHAQEEJjAkMCIG CCsGAQUFBzABhhZodHRwOi8vb2NzcC5jYWNlcnQub3JnMDEGA1UdHwQqMCgwJqAkoCKGIGh0 dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9yZXZva2UuY3JsMB8GA1UdEQQYMBaBFG1pY2hhZWxAc3Ry b2VkZXIuY29tMA0GCSqGSIb3DQEBBQUAA4ICAQC9ouXq3p/bDWMM4tBKgD3tl4HY5H0eECl8 q9/nqk0UL6YeWkrCiQdrDtNPW7DcGqNYtzdgtzmyTr1GhiAX+igrOjdk/ge5NRcQOpONK/4b zrmpQEcIUyxSSDKLWh211/kcFfxxLEiJ5teF4GL8Fc1qbrLP4+DCvJXWfYaaR5NLjZMqm2VP yKTv3qpXWnGohiRkGTwS/11QM2XCfIGdRsQT9a8mO4m2fn2tGPp2TEIoCLrDDrbGVeDWaOWB OIeTrp4wa3Q4OI6yCptJhEqKvjhV96IBRYgM76nTBqsqnDzwxExAyhhWiUS5DunRHOr/+NyF pUpD4883RBLO0g9kUEGOhtZNF1u+8zEL0YgMGvifAom9JEklLOXZuqj0MThypKs/3d/OyOQb 4gURnu6oZwcKZ7LskytWnlRKUxF6o0A8grtmyKkqe14TS7cQbg0NTaIYXPkHR+dfFmb3uEqn BBjvpJXFcEtWI2lQXC/ET+au991pK797ExBOmpQwjIn3SjiW80vw/UoL6DMvqY/6JhVhyNTP MJ2W5AX5kc27DIbVtVGZs8J4AYhuNALJUq9N9Ka7rPRj3RcYDrfehDLOkM5iMnarpmtuOpLK d1SvZhqj/0N/JWGIDpPSTkTFOPP6ZN9I9Rqyf+9NGqb2sjo4DkIiZcHxt735/GJLwus5KLBl 2DGCA6EwggOdAgEBMIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93 d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8G CSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnAgMMTn0wCQYFKw4DAhoFAKCCAfUwGAYJ KoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQwMzE1MDkxMjE4WjAj BgkqhkiG9w0BCQQxFgQUrABzEjElf3V/cUntQuLyr7sa6GcwbAYJKoZIhvcNAQkPMV8wXTAL BglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBkQYJKwYBBAGCNxAEMYGD MIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9y ZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS c3VwcG9ydEBjYWNlcnQub3JnAgMMTn0wgZMGCyqGSIb3DQEJEAILMYGDoIGAMHkxEDAOBgNV BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNl cnQub3JnAgMMTn0wDQYJKoZIhvcNAQEBBQAEggEAv0di+TXxwjmc85Xw+S9qBwQag6dOQupE IkAwHTdBFaFAYayl0ohH4+WQk2G7lxxyy1Mr1dmva4ziV9Q0qhN7Oo7NMBMenK8WfcFJGlEs +DrZoe4ZXws9BwArgzny5zZzJBaWod0nFaJ30Jj5A0S0GyiKAiOt2rzuFNIoEqiy9aSa/rqF APQR7P3ocuY9yZsHi9Sr5vNQrQA9E1qk/iERvL2YTA0QAWSeNoD0YWY7qr5QoSQofwhmkGYf UuCgmgjEPtztIVXrmxfx6FAx+/rr2ynYfMGwy3oLd9AhIC937NYoMxsBVsc7Tf7damWDanjH rrcuNYm9zXayrPcANmjgHAAAAAAAAA== --------------ms000109040804090309020609--

1 0

RE: (ITS#7673) rwm and bad ACL evaluation
by Russell.Mosemann＠cune.edu 14 Mar '14

14 Mar '14

I'm still looking for a resolution to the issue of the rewrite module interfering with a search that does not use the rewrite module. The behavior has not changed in the intervening updates. We are running 2.4.39, and simply referencing rwm overlay rwm returns no search results at all, if an attribute is specified for the search. Specifying no attributes returns all of the allowed attributes. Commenting the line above permits the specified attribute to be returned, as expected. The rewrite module should have no interaction with the search whatsoever, since no rewrite has been specified. Instead, it appears that the rwm intercepts the returned results and somehow "loses" all of the attributes when the search specifies a specific attribute. When no attribute is specified in the search, rwm quietly stays out of the way and lets all of the returned attributes proceed to the frontend. -- Russell Mosemann, Ph.D. Professor of Computer Science

1 0

Re: (ITS#7817) Wrong if condition for string length
by flo＠geekplace.eu 11 Mar '14

11 Mar '14

I just got a report [1] that the patch is incomplete, because authzid is used to calculate A1 value of the response (RFC2831 2.1.2.1). Stay tuned for an updated version. 1: https://github.com/Flowdalic/asmack/commit/2b4d004fe5a7b4224380a32658ff2056…

1 0

(ITS#7819) jldap DigesetMD5SaslClient is using m_serverName for digest-uri, when it should be use m_digestURI instead
by flo＠geekplace.eu 11 Mar '14

11 Mar '14

Full_Name: Florian Schmaus Version: OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (131.188.31.107) com.novell.sasl.client.DigestMD5SaslClient is using a hard-coded prefix "ldap/" concatenated with 'm_ServerName' as value for the 'digest-uri' attribute in the SASL response. The correct value for 'digest-uri' is 'm_digestURI'. This would make the code ldap agnostic and re-useable for other purposes (e.g. XMPP), while still being able to perform ldap auth. See the following patch: --- a/com/novell/sasl/client/DigestMD5SaslClient.java 2009-12-07 19:14:10.000000000 +0100 +++ b/com/novell/sasl/client/DigestMD5SaslClient.java 2009-12-07 19:19:07.000000000 +0100 @@ -673,8 +673,8 @@ digestResponse.append("00000001"); //nounce count digestResponse.append(",qop="); digestResponse.append(m_qopValue); - digestResponse.append(",digest-uri=\"ldap/"); - digestResponse.append(m_serverName); + digestResponse.append(",digest-uri=\""); + digestResponse.append(m_digestURI); digestResponse.append("\",response="); digestResponse.append(response); digestResponse.append(",charset=utf-8,nonce=\"");

1 0

Re: (ITS#7817) Wrong if condition for string length
by quanah＠zimbra.com 11 Mar '14

11 Mar '14

--On Tuesday, March 11, 2014 5:31 PM +0000 quanah(a)zimbra.com wrote: > --On Tuesday, March 11, 2014 2:03 PM +0000 fschmaus(a)gmail.com wrote: > >> --bcaec53969d8ce043204f45455b2 >> Content-Type: text/plain; charset=ISO-8859-1 >> >> Of course the if condition for string length should be '>0' not '>=0'. > > Can you expand upon your report? What source code, for example, you're > referring to? This is a bit vague. Never mind. ;) Your reply came through like a new ITS. :P --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: (ITS#7817) Wrong if condition for string length
by quanah＠zimbra.com 11 Mar '14

11 Mar '14

--On Tuesday, March 11, 2014 2:03 PM +0000 fschmaus(a)gmail.com wrote: > --bcaec53969d8ce043204f45455b2 > Content-Type: text/plain; charset=ISO-8859-1 > > Of course the if condition for string length should be '>0' not '>=0'. Can you expand upon your report? What source code, for example, you're referring to? This is a bit vague. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs March 2014