openldap-bugs September 2014

openldap-bugs@openldap.org

23 participants
58 discussions

Re: (ITS#7935) fails to convert slapd.conf including schema with "+" in name
by hyc＠symas.com 09 Sep '14

09 Sep '14

ryan(a)nardis.ca wrote: > On 08/09/14 01:30 PM, quanah(a)zimbra.com wrote: >> Schema filenames should only be alphanumeric. Noted to update the >> documentation with this restriction. > > OK, noted. Even so, please consider a change along the lines of > <http://paste.debian.net/119969/>, just to avoid crashing on an > inappropriate filename. Patched in master, thanks. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7935) fails to convert slapd.conf including schema with "+" in name
by ryan＠nardis.ca 08 Sep '14

08 Sep '14

On 08/09/14 01:30 PM, quanah(a)zimbra.com wrote: > Schema filenames should only be alphanumeric. Noted to update the > documentation with this restriction. OK, noted. Even so, please consider a change along the lines of <http://paste.debian.net/119969/>, just to avoid crashing on an inappropriate filename.

1 0

Re: (ITS#7935) fails to convert slapd.conf including schema with "+" in name
by quanah＠zimbra.com 08 Sep '14

08 Sep '14

--On Monday, September 08, 2014 7:03 PM +0000 ryan(a)nardis.ca wrote: > Full_Name: Ryan Tandy > Version: master, RE24 > OS: Debian > URL: > Submission from: (NULL) (24.68.121.206) > > > Hi, > > Debian bug report: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603544 Schema filenames should only be alphanumeric. Noted to update the documentation with this restriction. --Quanah -- Quanah Gibson-Mount Server Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#7935) fails to convert slapd.conf including schema with "+" in name
by ryan＠nardis.ca 08 Sep '14

08 Sep '14

Full_Name: Ryan Tandy Version: master, RE24 OS: Debian URL: Submission from: (NULL) (24.68.121.206) Hi, Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603544 Steps to reproduce: ln -s /usr/local/etc/openldap/schema/core.schema core+test.schema echo 'include ./core+test.schema' > slapd.confA0Amkdir slapd.d slaptest -f slapd.conf -F slapd.d Before commit d1b38bd ("ITS#6967 normalize schema RDN"), this fails with: config_build_entry: build "cn={0}core+test" failed: "(null)" backend_startup_one (type=config, suffix="cn=config"): bi_db_open failed! (-1) but slapd still works if running with slapd.conf only (-F omitted). After that commit, slaptest and slapd both crash shortly after rdnNormalize at bconfig.c:6841. rdnNormalize() fails because the constructed DN is not valid, but its return value is not checked. It would be really nice if it would automatically escape or replace inappropriate characters in the filename, but I'll understand if that's asking too much. :) (Alternatively, if there are restrictions on what is considered a valid schema filename, please document them.)

1 0

Re: (ITS#7929) memberof overlay supresses accesslog olcAccessLogOps = all
by hyc＠symas.com 08 Sep '14

08 Sep '14

varkoly(a)suse.com wrote: > Full_Name: Peter Varkoly > Version: 2.4.26, 2.4.39 > OS: SUSE Enterprise Server > URL: ftp://ftp.suse.com/pub/people/varkoly > Submission from: (NULL) (2620:113:80c0:5::2222) > > > Enabling both the "memberof" and "accesslog" overlays in openldap causes > accesslog to only log "reads" and "session" operations when logops is set to > all (olcAccessLogOps = all). > > Disabling the "memberof" overlay results in "writes", "reads" and "session" > operations to be logged. > > Setting "olcAccessLogOps = writes" in conjunction with the "memberof" overlay > results in "writes" operations to be logged. Fixed now in git master. > > Expected result is that when "olcAccessLogOps = all" is set for the "accesslog" > overlay together with the "memberof" overlay, that all operations (add, modify, > delete, modrdn, search, bind, unbind, abandon, compare) are logged to > cn=accesslog. > > The order of activating the overlays is irrelevant. We have tested it by > activating first memberof and accesslog too. > > We are using the config-backend. > > The configuration will be available soon under the provided URL. > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7929) memberof overlay supresses accesslog olcAccessLogOps = all
by hyc＠symas.com 08 Sep '14

08 Sep '14

varkoly(a)suse.com wrote: > Full_Name: Peter Varkoly > Version: 2.4.26, 2.4.39 > OS: SUSE Enterprise Server > URL: ftp://ftp.suse.com/pub/people/varkoly > Submission from: (NULL) (2620:113:80c0:5::2222) > > We are using the config-backend. > > The configuration will be available soon under the provided URL. The config DB is a slapd backend like any other. The proper way to export any slapd backend is using slapcat, as plainly documented already. A tar (or any other type of) archive of the raw slapd backend files is nonportable. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7934) wrong search behavior in accesslog entries
by hyc＠symas.com 08 Sep '14

08 Sep '14

alexoz66(a)gmail.com wrote: > Full_Name: John Alex. > Version: 2.4.39 > OS: FreeBSD 9.2 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (37.6.134.63) > > > Values of reqAttr in accesslog entries are not searchable the normal way if they > contain at least an uppercase character. Thanks for the report, fixed in git master > > Even though the reqAttr attribute has a caseIgnoreMatch search rule, the only > way to search for values containing uppercase characters is to explicitly use a > caseExactMatch rule. > > Consider this accesslog entry for example: > > dn: reqStart=20140905054555.000001Z,cn=accesslog > objectClass: auditSearch > reqAttr: givenName > reqAttrsOnly: FALSE > reqAuthzID: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > reqDerefAliases: never > reqDN: dc=example,dc=com > reqEnd: 20140905054555.000002Z > reqEntries: 9 > reqFilter: (objectClass=*) > reqResult: 0 > reqScope: sub > reqSession: 1268 > reqSizeLimit: 500 > reqStart: 20140905054555.000001Z > reqTimeLimit: 3600 > reqType: search > > > Searching with "(reqAttr=givenName)" will not return results, while using > "(reqAttr:caseExactMatch:=givenName)" will return the above entry. Accesslog > entries where values of reqAttr contain only lowercase characters are returned > correctly with the "(reqAttr=givenName)" filter. > > The same behavior can be observed with reqFilter (and probably other attributes > as well but I didn't test). > > This applies to entries added to the db by the accesslog overlay and not to > entries otherwise inserted. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7934) wrong search behavior in accesslog entries
by alexoz66＠gmail.com 08 Sep '14

08 Sep '14

Full_Name: John Alex. Version: 2.4.39 OS: FreeBSD 9.2 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (37.6.134.63) Values of reqAttr in accesslog entries are not searchable the normal way if they contain at least an uppercase character. Even though the reqAttr attribute has a caseIgnoreMatch search rule, the only way to search for values containing uppercase characters is to explicitly use a caseExactMatch rule. Consider this accesslog entry for example: dn: reqStart=20140905054555.000001Z,cn=accesslog objectClass: auditSearch reqAttr: givenName reqAttrsOnly: FALSE reqAuthzID: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth reqDerefAliases: never reqDN: dc=example,dc=com reqEnd: 20140905054555.000002Z reqEntries: 9 reqFilter: (objectClass=*) reqResult: 0 reqScope: sub reqSession: 1268 reqSizeLimit: 500 reqStart: 20140905054555.000001Z reqTimeLimit: 3600 reqType: search Searching with "(reqAttr=givenName)" will not return results, while using "(reqAttr:caseExactMatch:=givenName)" will return the above entry. Accesslog entries where values of reqAttr contain only lowercase characters are returned correctly with the "(reqAttr=givenName)" filter. The same behavior can be observed with reqFilter (and probably other attributes as well but I didn't test). This applies to entries added to the db by the accesslog overlay and not to entries otherwise inserted.

1 0

Re: (ITS#7933) [PATCH] fix frontend config
by hyc＠symas.com 08 Sep '14

08 Sep '14

jsynacek(a)redhat.com wrote: > Full_Name: Jan Synacek > Version: 2.4.39 > OS: > URL: https://jsynacek.fedorapeople.org/openldap/jsynacek-20140908-fix-frontend-c… > Submission from: (NULL) (209.132.186.34) > > > The frontend database in slapd.ldif misses the olcFrontendConfig object class. Thanks, fixed in master. > The slapd-config reads: > > GLOBAL DATABASE OPTIONS > Options in this section may be set in the special "frontend" database and > inherited in all the other databases. These options may be altered by further > settings in each specific database. The frontend entry must be named > olcDatabase=frontend,cn=config and must have the olcFrontendConfig > objectClass. > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7933) [PATCH] fix frontend config
by jsynacek＠redhat.com 08 Sep '14

08 Sep '14

Full_Name: Jan Synacek Version: 2.4.39 OS: URL: https://jsynacek.fedorapeople.org/openldap/jsynacek-20140908-fix-frontend-c… Submission from: (NULL) (209.132.186.34) The frontend database in slapd.ldif misses the olcFrontendConfig object class. The slapd-config reads: GLOBAL DATABASE OPTIONS Options in this section may be set in the special "frontend" database and inherited in all the other databases. These options may be altered by further settings in each specific database. The frontend entry must be named olcDatabase=frontend,cn=config and must have the olcFrontendConfig objectClass.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs September 2014