(ITS#7820) slapo-constraint falsely allows add with count 1
by michael@stroeder.com
Full_Name:
Version: 2.4.39
OS: not relevant
URL:
Submission from: (NULL) (79.219.107.130)
Not sure whether this is a regression caused by the fix for ITS#7773.
Given this constraint:
constraint_attribute uid count 1 restrict="ldap:///ou=example??sub?(objectClass=account)"
One can still add two 'uid' values when sending an add request like this:
dn: uid=test1,ou=example
changetype: add
objectClass: account
uid: test2
[..]
Generally I don't like this magic of accepting both attribute values from DN and
entry. :-/
9 years
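Added example (not part of the original report and not OpenLDAP code): a client-side pre-check that counts attribute values the way the report describes an add being handled, with the naming value from the DN merged into the values listed in the entry. The function names are hypothetical, the restrict URI is not evaluated, and the sample record is the report's LDIF without its elided lines.

```python
# Added illustration, not OpenLDAP code; all function names are hypothetical.
import re

def parse_ldif_add(text):
    """Parse one simple LDIF add record (no base64 values, no folded lines)."""
    dn, attrs = None, {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        elif name != "changetype":
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def rdn_values(dn):
    """(attr, value) pairs of the leftmost RDN; escaped ',' and '+' are not split."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    avas = re.split(r"(?<!\\)\+", rdn)
    return [(a.strip().lower(), v.strip()) for a, _, v in (x.partition("=") for x in avas)]

def effective_counts(dn, attrs):
    """Values per attribute once the naming values from the DN are merged in."""
    merged = {a: list(v) for a, v in attrs.items()}
    for attr, value in rdn_values(dn):
        vals = merged.setdefault(attr, [])
        # Assumption: case-insensitive value comparison, as uid uses caseIgnoreMatch.
        if value.lower() not in (v.lower() for v in vals):
            vals.append(value)
    return {a: len(v) for a, v in merged.items()}

def count_violations(ldif, limits):
    """limits maps attribute -> max values, like 'constraint_attribute uid count 1'."""
    counts = effective_counts(*parse_ldif_add(ldif))
    return {a: counts[a] for a, n in limits.items() if counts.get(a, 0) > n}

# Constructed sample: the add request from the report, minus its elided lines.
SAMPLE = """dn: uid=test1,ou=example
changetype: add
objectClass: account
uid: test2
"""

if __name__ == "__main__":
    print(count_violations(SAMPLE, {"uid": 1}))
```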
Re: (ITS#7673) rwm and bad ACL evaluation
by hyc@symas.com
michael(a)stroeder.com wrote:
> This is a cryptographically signed message in MIME format.
Is it really necessary to sign your emails to the ITS? The PKCS7 signature is
longer than the message text.
>
> Mosemann, Russell wrote:
>>> Did you already try with this?
>>>
>>> rwm-drop-unrequested-attrs no
>>
>> If you look through the messages
>> (http://www.openldap.org/its/index.cgi?findid=7673), you will see that the
>> same suggestion was made by Pierangelo Masarati 6 months ago in followup 5.
>> My response in followup 6 was that it doesn't work. A quick test indicates
>> that it still does not work in 2.4.39.
>
> I had a similar issue myself before:
>
> http://www.openldap.org/its/index.cgi?findid=7495
>
> Using extra_attrs as suggested by Hallvard gave seg fault as result.
> Did not investigate it further though.
>
> Using slapo-rwm is a pain. One will hit many seg faults.
There are quite a few open bug reports against slapo-rwm. Patches welcome.
>
> Ciao, Michael.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9 years
Re: (ITS#7673) rwm and bad ACL evaluation
by michael@stroeder.com
Mosemann, Russell wrote:
>> Did you already try with this?
>>
>> rwm-drop-unrequested-attrs no
>
> If you look through the messages
> (http://www.openldap.org/its/index.cgi?findid=7673), you will see that the
> same suggestion was made by Pierangelo Masarati 6 months ago in followup 5.
> My response in followup 6 was that it doesn't work. A quick test indicates
> that it still does not work in 2.4.39.
I had a similar issue myself before:
http://www.openldap.org/its/index.cgi?findid=7495
Using extra_attrs as suggested by Hallvard gave seg fault as result.
Did not investigate it further though.
Using slapo-rwm is a pain. One will hit many seg faults.
Ciao, Michael.
9 years
RE: (ITS#7673) rwm and bad ACL evaluation
by Russell.Mosemann@cune.edu
> Did you already try with this?
>
> rwm-drop-unrequested-attrs no
If you look through the messages (http://www.openldap.org/its/index.cgi?findid=7673), you will see that the same suggestion was made by Pierangelo Masarati 6 months ago in followup 5. My response in followup 6 was that it doesn't work. A quick test indicates that it still does not work in 2.4.39.
--
Russell Mosemann, Ph.D.
Professor of Computer Science
9 years
Re: (ITS#7673) rwm and bad ACL evaluation
by michael@stroeder.com
Russell.Mosemann(a)cune.edu wrote:
> simply referencing rwm
>
> overlay rwm
>
> returns no search results at all, if an attribute is specified for the
> search. Specifying no attributes returns all of the allowed attributes.
> Commenting the line above permits the specified attribute to be returned,
> as expected.
Did you already try with this?
rwm-drop-unrequested-attrs no
Ciao, Michael.
9 years
RE: (ITS#7673) rwm and bad ACL evaluation
by Russell.Mosemann@cune.edu
I'm still looking for a resolution to the issue of the rewrite module interfering with a search that does not use the rewrite module. The behavior has not changed in the intervening updates. We are running 2.4.39, and simply referencing rwm
overlay rwm
returns no search results at all, if an attribute is specified for the search. Specifying no attributes returns all of the allowed attributes. Commenting the line above permits the specified attribute to be returned, as expected.
The rewrite module should have no interaction with the search whatsoever, since no rewrite has been specified. Instead, it appears that the rwm intercepts the returned results and somehow "loses" all of the attributes when the search specifies a specific attribute. When no attribute is specified in the search, rwm quietly stays out of the way and lets all of the returned attributes proceed to the frontend.
--
Russell Mosemann, Ph.D.
Professor of Computer Science
9 years
(ITS#7819) jldap DigestMD5SaslClient is using m_serverName for digest-uri, when it should use m_digestURI instead
by flo@geekplace.eu
Full_Name: Florian Schmaus
Version:
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.188.31.107)
com.novell.sasl.client.DigestMD5SaslClient is using a hard-coded prefix "ldap/"
concatenated with 'm_serverName' as value for the 'digest-uri' attribute in the
SASL response. The correct value for 'digest-uri' is 'm_digestURI'. This would
make the code LDAP-agnostic and reusable for other purposes (e.g. XMPP), while
still being able to perform LDAP auth. See the following patch:
--- a/com/novell/sasl/client/DigestMD5SaslClient.java 2009-12-07
19:14:10.000000000 +0100
+++ b/com/novell/sasl/client/DigestMD5SaslClient.java 2009-12-07
19:19:07.000000000 +0100
@@ -673,8 +673,8 @@
digestResponse.append("00000001"); //nounce count
digestResponse.append(",qop=");
digestResponse.append(m_qopValue);
- digestResponse.append(",digest-uri=\"ldap/");
- digestResponse.append(m_serverName);
+ digestResponse.append(",digest-uri=\"");
+ digestResponse.append(m_digestURI);
digestResponse.append("\",response=");
digestResponse.append(response);
digestResponse.append(",charset=utf-8,nonce=\"");
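Review bot: the two added lines place m_digestURI inside the quoted digest-uri value with no visible guard against a null or empty string and no escaping of a double quote or backslash, any of which would yield a malformed directive; please validate the field before building the response. The hunk also does not show how `response` is computed: in DIGEST-MD5 the digest-uri is part of the hashed A2 value, so the string appended here has to be the exact one used for the hash, or the server will reject the authentication. Since the hard-coded "ldap/" prefix is removed, it would help to state in the patch description where m_digestURI is set and that existing LDAP callers still end up with ldap/ followed by the server name.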
9 years
Re: (ITS#7817) Wrong if condition for string length
by quanah@zimbra.com
--On Tuesday, March 11, 2014 5:31 PM +0000 quanah(a)zimbra.com wrote:
> --On Tuesday, March 11, 2014 2:03 PM +0000 fschmaus(a)gmail.com wrote:
>
>> Of course the if condition for string length should be '>0' not '>=0'.
>
> Can you expand upon your report? What source code, for example, you're
> referring to? This is a bit vague.
Never mind. ;) Your reply came through like a new ITS. :P
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
9 years
Re: (ITS#7817) Wrong if condition for string length
by quanah@zimbra.com
--On Tuesday, March 11, 2014 2:03 PM +0000 fschmaus(a)gmail.com wrote:
> Of course the if condition for string length should be '>0' not '>=0'.
Can you expand upon your report? What source code, for example, you're
referring to? This is a bit vague.
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
9 years