openldap-bugs July 2015

openldap-bugs@openldap.org

24 participants
75 discussions

Re: (ITS#8207) ppolicy: pwdMinLength not checked if pwdInHistory == 0
by michael＠stroeder.com 29 Jul '15

29 Jul '15

porjo38(a)yahoo.com.au wrote: > Using password policy overlay, pwdMinLength is not checked when pwdInHistory == > 0. I tried to reproduce this with my local OpenLDAP 2.4.41 installation. In one case I thought to see this but I could not reproduce all the time. Maybe there's another condition for this to happen. Could you please also test with release 2.4.41? And please also post the entry with the password (and relevant pwd* attrs) and the pwdPolicy entry used, both as LDIF (minus sensitive data). Ciao, Michael.

1 0

Re: (ITS#8206) ldapsearch incorrectly cannonicalizes dns names for GSSAPI
by michael＠stroeder.com 29 Jul '15

29 Jul '15

cwinkows(a)vt.edu wrote: > When using ldapsearch GSSAPI mechanism with a server whose reverse DNS name > doesn't match its DNS name, ldapsearch will do the DNS lookups and hand the > reverse DNS entry to GSSAPI. If the reverse DNS entry is not what is used by > kerberos then kerberos will fail. Did you already try with -N? $ ldapsearch -h [..] -N do not use reverse DNS to canonicalize SASL host name [..] Ciao, Michael.

1 0

(ITS#8207) ppolicy: pwdMinLength not checked if pwdInHistory == 0
by porjo38＠yahoo.com.au 29 Jul '15

29 Jul '15

Full_Name: Ian Bishop Version: 2.4.39 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:388:e001:ce00:f2de:f1ff:fea7:d755) Using password policy overlay, pwdMinLength is not checked when pwdInHistory == 0. I tested this by setting pwdMinLength=6 and pwdInHistory=0. I was then able to set a 3 character password. When I changed pwdInHistory > 0 and tried to set a 3 charactepapassword, the attempt was denied. I repeated this several times, and also restarted slapd just in case - same result. Running Openldap 2.4.39 on Centos7, installed from Centos RPM repo.

1 0

(ITS#8206) ldapsearch incorrectly cannonicalizes dns names for GSSAPI
by cwinkows＠vt.edu 28 Jul '15

28 Jul '15

Full_Name: Calvin Winkowski Version: 2.4.41 OS: ArchLinux URL: Submission from: (NULL) (2001:468:c80:a202:3b1d:f567:f43c:7b3a) When using ldapsearch GSSAPI mechanism with a server whose reverse DNS name doesn't match its DNS name, ldapsearch will do the DNS lookups and hand the reverse DNS entry to GSSAPI. If the reverse DNS entry is not what is used by kerberos then kerberos will fail. There are settings in /etc/krb5.conf to disable canonicalizing the hostname provided. I have a server with a record example.ad.example.com whose PTR record is example.example.com, but the realm is ad.example.com and it's entry in the kerberos database is example.ad.example.com, not example.example.com. If I execute the command ``ldapsearch -b "" -s base -Y GSSAPI -D "dn" -H ldap://example.ad.example.com'' GSSAPI will submit a ticket request for example.example.com instead and result in a failure. All other services I've tested with this setup (disabling reverse dns in kerberos) do not give the PTR record, but the user provided hostname. These include mbsync, msmtp, and another ldap utility. I believe that the correct behaviour should be to provide the hostname provided to the utility to GSSAPI. I can provide packet captures illustrating the incorrect lookup if needed.

1 0

(ITS#8205) [PATCH] man pages in contrib
by peter＠adpm.de 26 Jul '15

26 Jul '15

Full_Name: Peter Marschall Version: 2.4.41 OS: Linux URL: Submission from: (NULL) (84.57.119.212) Hi, it always troubled me that the modules in contrib/slapd-modules did either not have a manual page, or - when there was one - did not install it. This week-end Iat down and tried to fix the issue by * amending the Makefiles in contrib to also Rdeal with man page in their install target * writing some man-pages for contrib modules You can find them in ther github branch: https://github.com/marschap/openldap/tree/contrib-manpages It differs from today's master by these commits: * https://github.com/marschap/openldap/commit/25ea4e1e7ab6a6f6a609b70095a0c47… contrib/smbk5pwd: add man page, install it too * https://github.com/marschap/openldap/commit/16395e3b971e3d1734fc1294b5e9ada… contrib/lastbind: install man page * https://github.com/marschap/openldap/commit/2ede55ce9ada228c7382b5bee9e0d29… contrib/passwd/sha2: add man page, install it too * https://github.com/marschap/openldap/commit/d37b3d2f3e297105f603eccbc5221b5… contrib/adremap: install man page * https://github.com/marschap/openldap/commit/e6f3ad1f035f40fd94ac90da14ac8b2… contrib/allop: install man page * https://github.com/marschap/openldap/commit/3b417c99028fb37be3f88afc3da7511… contrib/cloak: install man page * https://github.com/marschap/openldap/commit/9902b56e7830588d761c74a5a5f7b8d… contrib/lastmod: install man page * https://github.com/marschap/openldap/commit/6590fff13b591cdb481daa38c572c2d… contrib/nops: install n n page * https://github.com/marschap/openldap/commit/7f618c17e0f40764fa1590bb9dba5a9… contrib/nssov: install man page * https://github.com/marschap/openldap/commit/b07b66e36ada9c57a85180710b326ed… contrib/passwd: add man page slapd-pw-sha2.5, install it too * https://github.com/marschap/openldap/commit/ca81d5ef6245ece3609a8708376cb91… contrib/passwd/totp: add man page, install it too that change these files contrib/slapd-modules/adremap/Makefile | 14 +- contrib/slapd-modules/allop/Makefile | 14 +- contrib/slapd-modules/cloak/Makefile | 14 +- contrib/slapd-modules/lastbind/Makefile | 14 +- contrib/slapd-modules/lastmod/Makefile | 13 +- contrib/slapd-modules/nops/Makefi | 14 +- contrib/slapd-modules/nssov/Makefile | 15 +- contrib/slapd-modules/passwd/Makefile | 14 +- contrib/slapd-modules/passwd/sha2/Makefile | 14 +- contrib/slapd-modules/passwd/sha2/slapd-pw-sha2.57C7C 118 ++++++++++++++ contrib/slapd-modules/passwd/slapd-pw-radius.5 | 110 +++++++++++++ contrib/slapd-modules/passwd/totp/Makefile | 14 +- contrib/slapd-modules/passwd/totp/slapo-totp.5 | 131 ++++++++++++++++ contrib/slapd-modules/smbk5pwd/Makefile | 14 +- contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 | 179 ++++++++++++++++++++++ 15 files changed, 681 insertions(+), 11 deletions(-) create mode 100644 contrib/slapd-modules/passwd/sha2/slapd-pw-sha2.5 create mode 100644 contrib/slapd-modules/passwd/slapd-pw-radius.5 create mode 100644 contrib/slapd-modules/passwd/totp/slapo-totp.5 create mode 100644 contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 I'd appreciate if you include them into OpenLDAP. The referenced patch files are derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Peter Marschall <peter(a)adpm.de>. I have not assigned rights and/or interest in this work to any party. The referenced modifications to OpenLDAP Software are subject to the following notice: Copyright 2015 Peter Marschall Redistribution and use in source and binary forms, with or without modification, are permitted only as authorizedy y the OpenLDAP Public License. Thanks in advance Peter

1 0

(ITS#8204) rfc2782 shuffle implementation doesn't treat equal-weight records equally
by Sergio.Gelato＠astro.su.se 25 Jul '15

25 Jul '15

Full_Name: Sergio Gelato Version: 2.4.40 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (85.225.123.9) As currently implemented (since ITS#7027, 5de85b922aaa5bfa6eb53db6000adf01ebdb0736) the algorithm to shuffle DNS SRV records of a given priority according to their weights is flawed: if all records have the same weight, the implementation is biased towards the first record and against the last. In the most extreme case of two records of weight 1, the current implementation will never swap them (whereas one would have hoped for a swap 50% of the time). The problem can be cured by changing (r <= 0) to (r < 0). (The wording of the RFC may have contributed to this error; I suspect it was written with real random deviates in mind, not integer ones. In any event, the principle that records of equal weight should have the same probability of being picked trumps the RFC since the latter only says what algorithm SHOULD be used.) I've written and tested a patch for this and found it to solve the above problem. My patch also addresses another (operationally minor, which is why I'm not reporting it separately) issue in the same piece of code: what if at least two, but not all, of the records of a given priority have weight zero? One should be prepared to switch to a Fisher-Yates shuffle if "total" becomes zero during the iteration. (Yet another potential issue is overflow of "total" on platforms where INT_MAX==32767 if the sum of the weights exceeds that value. Consider declaring it uint32_t or u_long.)

1 0

Fix in ITS#8036 is incomplete
by hyc＠openldap.org 24 Jul '15

24 Jul '15

Full_Name: Howard Chu Version: 2.4.41 OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (78.155.231.122) Submitted by: hyc The fix in ITS#8036 only corrects the situation for candidate-based searches, not for scope-based searches. In scope-based searches the "fix" treats the scopes array incorrectly and can overwrite the heap. A new fix is coming shortly.

1 0

Re: (ITS#8202) openldap assumes printf has %z
by h.b.furuseth＠usit.uio.no 22 Jul '15

22 Jul '15

On 22. juli 2015 17:54, Howard Chu wrote: > h.b.furuseth(a)usit.uio.no wrote: >> If we require C99 library features like this, then I >> think we should add a configure test for them. Strange >> breakage at runtime is rather worse than a failed build. >> >> (That's not the same as testing for a C99 compiler, since >> one can have a C99 compiler like gcc with a C90 library.) > > The fewer configure tests we need, the better. Happy to replace %zu with %llu > and forget about it. It's not worth a fuss. Right. Looks like it should be %ld and (long) though, we don't use long long either except inside HAVE_LONG_LONG etc and mdb.c -- Hallvard

1 0

Re: (ITS#8202) openldap assumes printf has %z
by hyc＠symas.com 22 Jul '15

22 Jul '15

h.b.furuseth(a)usit.uio.no wrote: > If we require C99 library features like this, then I > think we should add a configure test for them. Strange > breakage at runtime is rather worse than a failed build. > > (That's not the same as testing for a C99 compiler, since > one can have a C99 compiler like gcc with a C90 library.) The fewer configure tests we need, the better. Happy to replace %zu with %llu and forget about it. It's not worth a fuss. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8202) openldap assumes printf has %z
by iand＠ekit-inc.com 21 Jul '15

21 Jul '15

Hi Howard, Yes I'm well aware of the state of Solaris 9 support and we support key components of the OS ourselves. However that doesn't mean that people don't still run it, like we do on some systems yet to be upgraded. (yes we have Sun systems purchased over 15 years ago that are still happily running; the hardware is very reliable; many are well overdue for upgrade though; its a resource/priority thing just look at how many people are running WinXP still) However this issue is a portability of openldap issue, not a OS support/patch thing (the C library in this case is not broken; its doing as the man page says, which doesn't mention %z), and the %z support is only a recent thing in the lifetime of unix (well last ~15 years it started to appear... C99 I think) There will be other legacy OS's that don't support %z too; no idea what ones though. Anyway I've got an (ugly) patch for me to use now and it passes 'make check' on Solaris 9; it was hard to find the cause of the problem though. Ian D On 07/22/15 04:01, Howard Chu wrote: > Howard Chu wrote: >> iand(a)ekit-inc.com wrote: >>> Full_Name: Ian Donaldson >>> Version: 2.4.41 >>> OS: Solaris 9 >>> URL: ftp://ftp.openldap.org/incoming/ >>> Submission from: (NULL) (60.241.85.68) >>> >>> >>> Built 2.4.41 on Solaris 9; ran 'make check' which failed to start slapd with >>> the following errors: >> >> Thanks for the report. Not sure that it's worth our taking any action though. >> The last release of Solaris 9 was 10 years ago, and it has been end-of-life'd >> by Oracle. > > For reference: Solaris 9 EOL > http://www.oracle.com/technetwork/server-storage/solaris10/overview/index-1… > > In short it means Solaris 9 is no longer eligible for any Oracle updates including security updates, fixes, patches or any other changes. Solaris 9 went into sustaining support in October 2014. > > Since Oracle is no longer providing any patches for this OS, I don't see much reason for us to either. Fortunately you are free to patch and build OpenLDAP for yourself for as long as you wish. >

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs July 2015