openldap-bugs September 2014

openldap-bugs@openldap.org

23 participants
58 discussions

(ITS#7946) Update OID for Don't Use Copy Control
by michael＠stroeder.com 23 Sep '14

23 Sep '14

Full_Name: Version: HEAD OS: URL: Submission from: (NULL) (79.227.134.63) Please update constant LDAP_CONTROL_DONTUSECOPY in ldap.h to OID 1.3.6.1.1.22 as defined in RFC 6171 (Standards Track). Currently an experimental OpenLDAP .666 OID is used which makes this control rather unusable outside OpenLDAP implementation.

1 0

Re: (ITS#7797) crash with slapo-collect with existing attribute
by ondra＠mistotebe.net 23 Sep '14

23 Sep '14

On Fri, Feb 07, 2014 at 11:04:06PM +0000, danno(a)umich.edu wrote: > Requested stacktrace is below. Hi, I've uploaded a fix to ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20140923-ITS-7797.patch could you confirm it fixes the issue for you? Cheers, Ondrej

1 0

Re: (ITS#7945) attribute 'olcPPolicyDefault' not allowed(openldap password policy)
by quanah＠zimbra.com 22 Sep '14

22 Sep '14

--On Monday, September 22, 2014 8:55 AM +0000 q03765(a)sohu.com wrote: > Full_Name: Crane.YQ.Feng > Version: 2.4.23 > OS: redhat linux 6.4 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (218.29.136.228) > > > Hello openldap Expert, > Could anyone do me a big favor. when i config my openldap's function > about the password policy and to define the " olcPPolicyDefault ", a > problem has occurted?? The ITS system is for reporting bugs, not asking usage questions. Use the openldap-technical list for asking questions. This ITS will be closed. -- Quanah Gibson-Mount Server Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#7945) attribute 'olcPPolicyDefault' not allowed(openldap password policy)
by q03765＠sohu.com 22 Sep '14

22 Sep '14

Full_Name: Crane.YQ.Feng Version: 2.4.23 OS: redhat linux 6.4 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (218.29.136.228) Hello openldap Expert, Could anyone do me a big favor. when i config my openldap's function about the password policy and to define the " olcPPolicyDefault ", a problem has occurted¡£ Note(The enldldap has configed ,it is worked on cn=config model) when i add a password default policy entry(olcPPolicyDefault) in to my openldap database(cn=config). the system returned a error message : ------------------------------------------------------------------------------------ file content(olcPPolicy-new.ldif): dn: cn=config changetype: modify add: olcPPolicyDefault olcPPolicyDefault: cn=default,ou=policies,dc=ldap,dc=idpbg,dc=com [root@GL-LDAP01 data]# ldapmodify -Y EXTERNAL -H ldapi:/// -f olcPPolicy-new.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" ldap_modify: Object class violation (65) additional info: attribute 'olcPPolicyDefault7 7 not allowed Used another way to add this entry,the problem is same: ----------------------------------------------------------------------------- olcPPolicyDefault.ldif file content: dn: cn=config changetype: add olcPPolicyDefault: cn=default,ou=policies,dc=ldap,dc=idpbg,dc=com [root@GL-LDAP01 data]# ldapmodify -Y EXTERNAL -H ldapi:/// -f olcPPolicyDefault.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=config" ldap_add: Object class violation (65) additional info: no objectClass attribute So I can't add olcPPolicyDefault to make openldap password policy to available. attachment: ---------------------------------- cn=config content: [root@GL-LDAP01 openldap]# ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(olcoverlay=ppolicy))" dn: olcOverlay={1}ppolicy,olcDatabase={2}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {1}ppolicy olcPPolicyHashCleartext: FALSE olcPPolicyUseLockout: FALSE olcPPolicyForwardUpdates: FALSE [root@GL-LDAP01 openldap]# ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config))" dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: /etc/openldap/slapd.conf olcConfigDir: /etc/openldap/slapd.d/ olcAllows: bind_v2 olcArgsFile: /var/run/openldap/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcLocalSSF: 71 olcLogLevel: Trace olcLogLevel: Packets olcLogLevel: Args olcLogLevel: Conns olcLogLevel: BER olcLogLevel: Filter olcLogLevel: Config olcLogLevel: ACL olcLogLevel: Stats olcLogLevel: Stats2 olcLogLevel: Shell olcLogLevel: Parse olcPidFile: /var/run/openldap/slapd.pid olcReadOnly: FALSE olcReverseLookup: FALSE olcSaslSecProps: noplain,noanonymous olcServerID: 1 ldap://GL-LDAP01.ldap.idpbg.com olcServerID: 2 ldap://GL-LDAP02.ldap.idpbg.com olcServerID: 3 ldap://TY-LDAP01.ldap.idpbg.com olcServerID: 4 ldap://TY-LDAP02.ldap.idpbg.com olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 16 olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt olcTLSCertificateFile: /etc/pki/tls/certs/slapd.pem olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapd.pem olcTLSVerifyClient: never olcToolThreads: 1 olcWriteTimeout: 0

1 0

Re: (ITS#7944) Apples Common Crypto Services instea of OpenSSL
by michael＠stroeder.com 19 Sep '14

19 Sep '14

hyc(a)symas.com wrote: > Michael Ströder wrote: >> On the downside it's a pain to deal with all the LDAP_OPT_X_TLS_* options >> having no or different meaning/features for various crypto libs... > > Indeed. Even moreso if, as you seem to be suggesting, a client library gets > built against a different TLS API than the server side. The current libldap > infrastructure wouldn't even support such a build. (Although it could, as the > original version of modular TLS support allowed all of the libraries to be > supported concurrently. But we dropped that feature because there was no sane > usecase for it.) Personally I'd even prefer to have completely different LDAP_OPT_X_TLS_* values and configuration directives for the different crypto APIs. In this case one could really distinguish the different cases. E.g. pointing to an OpenSSL CA certificate path is something completely different than a libnss cert7.db/key3.db directory regarding the content even though in both cases the option just is a directory path. IMHO this would avoid a lot of the user/deployer confusion one can see on the mailing lists. Well, for discussing this openldap-devel list would be the better forum. > The real solution, if there are platform-specific keystores and such that you > want to gain access to, is to submit patches for them to the OpenSSL project. Hmm, openssl engine things are not really easy to deal with. I know that PKCS#11 engine for OpenSSL exists. But such a stack has lots of loose ends. Ciao, Michael.

1 0

Re: (ITS#7944) Apples Common Crypto Services instea of OpenSSL
by hyc＠symas.com 19 Sep '14

19 Sep '14

Michael Ströder wrote: > hyc(a)symas.com wrote: >> gabriel(a)gritsch-soft.com wrote: >>> would it be possible to support Apples "Common Crypto Services" instead of >>> OpenSSL >> [..] >> But in general, it sounds like a bad idea. In light of Apple's now-infamous >> "goto fail" bug >> http://www.zdnet.com/apples-goto-fail-tells-us-nothing-good-about-cupertino… >> it would be poor practice to migrate away from a security package that is now >> receiving broad and in-depth scrutiny, to one that only has Apple's assurances >> behind it. Also given Apple's success rate with security in general >> http://online.wsj.com/articles/apple-celebrity-accounts-compromised-by-very… >> it seems like a poor choice. > > Yes, I agree with these concerns - especially for OpenLDAP server deployments. > > But there are some advantages using the OS platform's mainstream crypto lib > for libldap to get access to the OS's own keyring (e.g. when using client certs). > > E.g. I'd avoid libnss for OpenLDAP servers but PKCS#11 in libnss gives some > better access to smartcards. OK, that may be nice to have. OpenSSL's engine API already allows such things to be supported dynamically, though. > On the downside it's a pain to deal with all the LDAP_OPT_X_TLS_* options > having no or different meaning/features for various crypto libs... Indeed. Even moreso if, as you seem to be suggesting, a client library gets built against a different TLS API than the server side. The current libldap infrastructure wouldn't even support such a build. (Although it could, as the original version of modular TLS support allowed all of the libraries to be supported concurrently. But we dropped that feature because there was no sane usecase for it.) The real solution, if there are platform-specific keystores and such that you want to gain access to, is to submit patches for them to the OpenSSL project. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7944) Apples Common Crypto Services instea of OpenSSL
by michael＠stroeder.com 19 Sep '14

19 Sep '14

This is a cryptographically signed message in MIME format. --------------ms000401080109060103090807 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable hyc(a)symas.com wrote: > gabriel(a)gritsch-soft.com wrote: >> would it be possible to support Apples "Common Crypto Services" instea= d of >> OpenSSL > [..] > But in general, it sounds like a bad idea. In light of Apple's now-infa= mous=20 > "goto fail" bug=20 > http://www.zdnet.com/apples-goto-fail-tells-us-nothing-good-about-cuper= tinos-software-delivery-process-7000027449/=20 > it would be poor practice to migrate away from a security package that = is now=20 > receiving broad and in-depth scrutiny, to one that only has Apple's ass= urances=20 > behind it. Also given Apple's success rate with security in general=20 > http://online.wsj.com/articles/apple-celebrity-accounts-compromised-by-= very-targeted-attack-1409683803=20 > it seems like a poor choice. Yes, I agree with these concerns - especially for OpenLDAP server deploym= ents. But there are some advantages using the OS platform's mainstream crypto l= ib for libldap to get access to the OS's own keyring (e.g. when using client= certs). E.g. I'd avoid libnss for OpenLDAP servers but PKCS#11 in libnss gives so= me better access to smartcards. On the downside it's a pain to deal with all the LDAP_OPT_X_TLS_* options= having no or different meaning/features for various crypto libs... Ciao, Michael. --------------ms000401080109060103090807 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIFfzCC BXswggNjoAMCAQICAwxOfTANBgkqhkiG9w0BAQUFADB5MRAwDgYDVQQKEwdSb290IENBMR4w HAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmlu ZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0xMjEw MDIyMDE3MDlaFw0xNDEwMDIyMDE3MDlaMD8xGDAWBgNVBAMUD01pY2hhZWwgU3Ry9mRlcjEj MCEGCSqGSIb3DQEJARYUbWljaGFlbEBzdHJvZWRlci5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDo2SKth5GhtaDrCyfGtyUG+/hAAa/J52L0NFN4SSRvTtdGf9HfWwwd NCtgae0TVGWk2lKDbXA9d5vmyIiRhuwxd90H6FLErhRBeB9G67qtw87E8WUoXt2DwPQEUTWV hqHpPadlmgFw3+i3TGQQTe3O3W9MMMd4GJNhObem2VGRuCD37OXnzBksTcq0FPJgcWAhe3d/ 0ItOkNWBqgq8Mf3p7WFBhaQ0a27BC/mKtH8fI3kPcS305imPRja69Msq3EwUZBc9ToVp6FRQ NYKjfOBybDUzVkmRZl3H8xutQP2w8Zxb8m5f7Q1BfLLrIFScfYvIDgOERxTCd4lab8+/09XH AgMBAAGjggFEMIIBQDAMBgNVHRMBAf8EAjAAMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91 ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuQ0Fj ZXJ0Lm9yZzAOBgNVHQ8BAf8EBAMCA6gwQAYDVR0lBDkwNwYIKwYBBQUHAwQGCCsGAQUFBwMC BgorBgEEAYI3CgMEBgorBgEEAYI3CgMDBglghkgBhvhCBAEwMgYIKwYBBQUHAQEEJjAkMCIG CCsGAQUFBzABhhZodHRwOi8vb2NzcC5jYWNlcnQub3JnMDEGA1UdHwQqMCgwJqAkoCKGIGh0 dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9yZXZva2UuY3JsMB8GA1UdEQQYMBaBFG1pY2hhZWxAc3Ry b2VkZXIuY29tMA0GCSqGSIb3DQEBBQUAA4ICAQC9ouXq3p/bDWMM4tBKgD3tl4HY5H0eECl8 q9/nqk0UL6YeWkrCiQdrDtNPW7DcGqNYtzdgtzmyTr1GhiAX+igrOjdk/ge5NRcQOpONK/4b zrmpQEcIUyxSSDKLWh211/kcFfxxLEiJ5teF4GL8Fc1qbrLP4+DCvJXWfYaaR5NLjZMqm2VP yKTv3qpXWnGohiRkGTwS/11QM2XCfIGdRsQT9a8mO4m2fn2tGPp2TEIoCLrDDrbGVeDWaOWB OIeTrp4wa3Q4OI6yCptJhEqKvjhV96IBRYgM76nTBqsqnDzwxExAyhhWiUS5DunRHOr/+NyF pUpD4883RBLO0g9kUEGOhtZNF1u+8zEL0YgMGvifAom9JEklLOXZuqj0MThypKs/3d/OyOQb 4gURnu6oZwcKZ7LskytWnlRKUxF6o0A8grtmyKkqe14TS7cQbg0NTaIYXPkHR+dfFmb3uEqn BBjvpJXFcEtWI2lQXC/ET+au991pK797ExBOmpQwjIn3SjiW80vw/UoL6DMvqY/6JhVhyNTP MJ2W5AX5kc27DIbVtVGZs8J4AYhuNALJUq9N9Ka7rPRj3RcYDrfehDLOkM5iMnarpmtuOpLK d1SvZhqj/0N/JWGIDpPSTkTFOPP6ZN9I9Rqyf+9NGqb2sjo4DkIiZcHxt735/GJLwus5KLBl 2DGCA6EwggOdAgEBMIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93 d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8G CSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnAgMMTn0wCQYFKw4DAhoFAKCCAfUwGAYJ KoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQwOTE5MTgwNTU3WjAj BgkqhkiG9w0BCQQxFgQU1Bu1xvzhKvbO2C4/UC5TemE/oDIwbAYJKoZIhvcNAQkPMV8wXTAL BglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBkQYJKwYBBAGCNxAEMYGD MIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9y ZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS c3VwcG9ydEBjYWNlcnQub3JnAgMMTn0wgZMGCyqGSIb3DQEJEAILMYGDoIGAMHkxEDAOBgNV BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNl cnQub3JnAgMMTn0wDQYJKoZIhvcNAQEBBQAEggEAJqysehHr7PX9CRn5k5b3vvjWRFBlZ267 gs5JFW7IRGga/8Qmd3OXCNpuAQIy1z3P92wxnT4jmRTtfym6t+dzicSqf7w6nORV76Y25I5d uz3t4Imzhe422I2DekCHSEKsYjI6D81+jz/zdBJxzDyFPnoxamcBeIzAqpZisMQmc59aNLTO JrzgCfsgzIJ5QkeLYIlyuCT2SgAtjdOakKSoVR36E++gfdMO9AjgJBHCuZsydYuMhiW40sDG 68+BthA3S5XqAf1S3xy3dPuVs08MhEnqPRcszILG2W/33LHcaxb1HuOpYfR44oxQfP01j9Wj v19+j+fkiLDwpEWhIfZFJgAAAAAAAA== --------------ms000401080109060103090807--

1 0

Re: (ITS#7944) Apples Common Crypto Services instea of OpenSSL
by hyc＠symas.com 19 Sep '14

19 Sep '14

gabriel(a)gritsch-soft.com wrote: > Full_Name: Gabriel Gritsch > Version: 2.4.39 > OS: Mac OS X 10.9.5 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (46.234.244.166) > > > Hi all, > > would it be possible to support Apples "Common Crypto Services" instead of > OpenSSL because the OpenSSL-functions are marked as deprecated since OS X 10.7 > and produce a lot of warnings. If someone submits a patch for this we will of course review and consider it. But in general, it sounds like a bad idea. In light of Apple's now-infamous "goto fail" bug http://www.zdnet.com/apples-goto-fail-tells-us-nothing-good-about-cupertino… it would be poor practice to migrate away from a security package that is now receiving broad and in-depth scrutiny, to one that only has Apple's assurances behind it. Also given Apple's success rate with security in general http://online.wsj.com/articles/apple-celebrity-accounts-compromised-by-very… it seems like a poor choice. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7944) Apples Common Crypto Services instea of OpenSSL
by gabriel＠gritsch-soft.com 19 Sep '14

19 Sep '14

Full_Name: Gabriel Gritsch Version: 2.4.39 OS: Mac OS X 10.9.5 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (46.234.244.166) Hi all, would it be possible to support Apples "Common Crypto Services" instead of OpenSSL because the OpenSSL-functions are marked as deprecated since OS X 10.7 and produce a lot of warnings. best regards Gabriel

1 0

Re: (ITS#7943) LMDB fails to process transactions after map resize
by hyc＠symas.com 18 Sep '14

18 Sep '14

carlopires(a)gmail.com wrote: > Full_Name: Carlo Pires > Version: LMDB 0.9.14 > OS: Ubuntu Linux 14.04 LTS > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (177.53.184.142) > > > LMDB 0.9.14 is refusing to process new transactions after map resize. The > following test case shows the error: Thanks for the report, fixed in mdb.master. > /* mtest7.c - memory-mapped database tester/toy */ > /* Tests for DB map resize */ > #include <stdio.h> > #include <stdlib.h> > #include <string.h> > #include <assert.h> > #include "lmdb.h" > > #define E(expr) CHECK((rc = (expr)) == MDB_SUCCESS, #expr) > #define EX(err, expr) CHECK((rc = (expr)) == (err), #expr) > #define RES(err, expr) ((rc = expr) == (err) || (CHECK(!rc, #expr), 0)) > #define CHECK(test, msg) ((test) ? (void)0 : ((void)fprintf(stderr, \ > "%s:%d: %s: %s\n", __FILE__, __LINE__, msg, mdb_strerror(rc)), abort())) > > int main(int argc,char * argv[]) > { > int rc; > MDB_env *env; > MDB_dbi dbi; > MDB_val key, data; > MDB_txn *txn; > MDB_envinfo minfo; > > char kval[32]; > char* sval = calloc(1, 8*1024*1024); > assert(sval); > > // create database > E(mdb_env_create(&env)); > E(mdb_env_set_mapsize(env, 10*1024*1024)); > E(mdb_env_set_maxdbs(env, 0)); > E(mdb_env_open(env, "./testdb", MDB_NORDAHEAD|MDB_NOLOCK|MDB_NOSYNC, 0664)); > > // starts dbi > E(mdb_txn_begin(env, NULL, 0, &txn)); > E(mdb_open(txn, NULL, MDB_CREATE, &dbi)); > E(mdb_txn_commit(txn)); > > // check database mapsize > E(mdb_env_info(env, &minfo)); > printf("map size is %ldMB\n%, C minfo.me_mapsize/1048576); > > // try to insert data > E(mdb_txn_begin(env, NULL, 0, &txn)); > > key.mv_size = sizeof(kval); > key.mv_data = &kval; > data.mv_size = 8*1024*1024; > data.mv_data = sval; > > sprintf(kval, "0"); > E(mdb_put(txn, dbi, %kekey, &data, 0)); > > sprintf(kval, "1"); > EX(MDB_MAP_FULL, mdb_put(txn, dbi, &key, &data, 0)); > > // abort transaction and increase map size > mdb_txn_abort(txn); > mdb_env_set_mapsize(env, 20*1024*1024); > > // check database mapsize > E(mdb_env_info(env, &minfo)); > printf("new map size is %ldMB\n", minfo.me_mapsize/1048576); > > // try to insert data again > E(mdb_txn_begin(env, NULL, 0, &txn)); > > sprintf(kval, "0"); > E(mdb_put(txn, dbi, &key, &data, 0)); > > sprintf(kval, "1"); > E(mdb_put(txn, dbi, &key, &data, 0)); > > E(mdb_txn_commit(txn)); > mdb_env_close(env); > > free(sval); > return 0; > } > > The code worked fine until LMDB 0.9.13. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs September 2014