Re: (ITS#8230) [PATCH] totp: bug fixes and improvements
by hyc@symas.com
peter@adpm.de wrote:
>>> - allow padding to be omitted (totally, not only parts)
>>
>> Why?
> To allow using the keys encoded by other implementations that do
> not generate the padding (e.g. Perl's Convert::Base32).
> (e.g. in a mass-rollout that sets userPassword using LDIF)
We must reject this on security grounds. See RFC3548 Security Considerations.
https://tools.ietf.org/html/rfc3548#page-10
Also, as already noted in the code comments, allowing partial bytes would open
a subliminal channel allowing information leaks.
If Perl's encoder is being so careless then that is a security vulnerability.
The other 3 points on this ticket have been committed in master. I consider
this ticket resolved.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
8 years
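The objection in the reply above is that a decoder which tolerates omitted padding, or which discards the bits under the padding without checking them, gives whoever produced the string a place to hide data: several distinct strings decode to the same key, so the choice among them carries information the key itself does not. The Python below is an added illustration, not code from OpenLDAP's totp module or from Convert::Base32. It pairs a strict decoder that enforces the RFC 3548/4648 rules (length a multiple of 8, a possible pad length, alphabet characters only, zero bits under the pad) with the lenient behaviour being asked for, and enumerates the strings the lenient decoder collapses onto one key. The 12-byte key is constructed for the example; the standard-library encoder is used only to produce its padded form.

```python
import base64  # used only to produce the padded reference encoding of the sample key

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_REV = {c: i for i, c in enumerate(ALPHABET)}
# Number of data characters in a final quantum -> number of '=' that must follow
# (RFC 3548 s.5 / RFC 4648 s.6).  1, 3 and 6 data characters can never occur.
_PAD_FOR = {0: 0, 2: 6, 4: 4, 5: 3, 7: 1}


class Base32Error(ValueError):
    pass


def b32decode_strict(text):
    """Decode base32 and reject everything the RFC's security considerations
    warn about: omitted or short padding, an impossible pad length,
    non-alphabet characters, and non-zero bits hidden under the padding."""
    if len(text) % 8:
        raise Base32Error("length %d is not a multiple of 8 (padding omitted?)" % len(text))
    body = text.rstrip("=")
    npad = len(text) - len(body)
    if _PAD_FOR.get(len(body) % 8) != npad:
        raise Base32Error("impossible padding length %d" % npad)
    out = bytearray()
    for i in range(0, len(body), 8):
        chunk = body[i:i + 8]
        acc = 0
        for c in chunk:
            if c not in _REV:
                raise Base32Error("non-alphabet character %r" % c)
            acc = (acc << 5) | _REV[c]
        nbits = 5 * len(chunk)
        nbytes = nbits // 8
        extra = nbits - 8 * nbytes            # bits that carry no data
        if acc & ((1 << extra) - 1):
            raise Base32Error("non-zero bits under the padding (covert channel)")
        out += (acc >> extra).to_bytes(nbytes, "big")
    return bytes(out)


def strict_accepts(text):
    try:
        b32decode_strict(text)
        return True
    except Base32Error:
        return False


def b32decode_lenient(text):
    """What a careless decoder does: ignore padding entirely and drop the
    leftover bits on the floor.  Many distinct strings decode to one key."""
    acc = nbits = 0
    out = bytearray()
    for c in text.rstrip("="):
        acc = (acc << 5) | _REV[c]
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)


def subliminal_variants(encoded):
    """Every string a lenient decoder maps to the same bytes as `encoded`,
    differing only in the bits under the padding: 2**extra of them, so the
    encoder can leak `extra` bits per key without changing the key."""
    body = encoded.rstrip("=")
    extra = (5 * len(body)) % 8
    if extra == 0:
        return [encoded]
    pad = encoded[len(body):]
    last = _REV[body[-1]] & ~((1 << extra) - 1)   # data bits of the final char
    return [body[:-1] + ALPHABET[last | v] + pad for v in range(1 << extra)]


# Constructed 12-byte sample key (96 bits -> 20 data chars + "====").
KEY = bytes.fromhex("0102030405060708090a0b0c")
ENCODED = base64.b32encode(KEY).decode("ascii")


if __name__ == "__main__":
    variants = subliminal_variants(ENCODED)
    print("padded:", ENCODED, " unpadded:", ENCODED.rstrip("="))
    print("strict rejects the unpadded form:", not strict_accepts(ENCODED.rstrip("=")))
    print("%d strings lenient-decode to the same key; strict accepts %d of them"
          % (len(variants), sum(strict_accepts(v) for v in variants)))
```

For a key whose length is not a multiple of 5 bytes the 12-byte sample has four unused bits in its last character, so sixteen different strings are "the same key" to the lenient decoder while exactly one passes the strict one; the RFC 4648 vectors ("MZXW6YTBOI======" for "foobar", and its tampered sibling "MZXW6YTBOJ") show the same split on a one-line input.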
Re: (ITS#8256) Fix install for LMDB
by luke.yeager@gmail.com
Sorry, the URL is:
https://github.com/lukeyeager/lmdb/commit/b0542bc783f2c349d1365a4e6472414759e4f04a.patch
On Fri, Sep 25, 2015 at 11:02 AM, <openldap-its@openldap.org> wrote:
>
> *** THIS IS AN AUTOMATICALLY GENERATED REPLY ***
>
> Thanks for your report to the OpenLDAP Issue Tracking System. Your
> report has been assigned the tracking number ITS#8256.
>
> One of our support engineers will look at your report in due course.
> Note that this may take some time because our support engineers
> are volunteers. They only work on OpenLDAP when they have spare
> time.
>
> If you need to provide additional information in regards to your
> issue report, you may do so by replying to this message. Note that
> any mail sent to openldap-its@openldap.org with (ITS#8256)
> in the subject will automatically be attached to the issue report.
>
> mailto:openldap-its@openldap.org?subject=(ITS#8256)
>
> You may follow the progress of this report by loading the following
> URL in a web browser:
> http://www.OpenLDAP.org/its/index.cgi?findid=8256
>
> Please remember to retain your issue tracking number (ITS#8256)
> on any further messages you send to us regarding this report. If
> you don't then you'll just waste our time and yours because we
> won't be able to properly track the report.
>
> Please note that the Issue Tracking System is not intended to
> be used to seek help in the proper use of OpenLDAP Software.
> Such requests will be closed.
>
> OpenLDAP Software is user supported.
> http://www.OpenLDAP.org/support/
>
> --------------
> Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
>
>
(ITS#8254) RFE: slapd-sock: more request and return parameters
by michael@stroeder.com
Full_Name: Michael Ströder
Version: HEAD
OS:
URL:
Submission from: (NULL) (79.223.42.126)
1. It would be nice if back-sock listeners could receive more details of an LDAP
request:
1.1 TLS client peer certificate would allow distinguishing between a normal
bind-DN and the system from which the LDAP request was sent.
- either subject-DN as used in the authz-regexp configuration directive
- issuer-DN+serial as used with certificateExactMatch
1.2 Request controls
- either as base64-decoded BER (and the listener has to decode it) similar to
what RFC 2849 specifies
- in some suitable string representation (hard to define)
2. It would be nice if back-sock listeners could return extended response
controls to slapd which returns them to the LDAP client. Should be an extra line
"control:" with base64-encoded BER value similar to what RFC 2849 specifies
Re: ITS#8233
by hyc@symas.com
Michael Ströder wrote:
> Howard Chu wrote:
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> But then I would expect slapd to remove the backslash(es) used for quoting:
>>>
>>> Good point. OK, there's some more work needed in here somewhere.
>>
>> Fixed. Closing this ITS. If you have any other problems regarding this,
>> followup to ITS#8233. We don't open new ITSs for unreleased code.
>
> Sorry, but still I see the same problem with commit
> 23953716c76ab36fab7d5f6dea335bf9bdea6323.
>
> Example from ITS#8251 repeated here:
>
> In slapd.conf:
>
> ---------------------------------- snip ----------------------------------
> attributetype ( 1.3.6.1.4.1.5427.1.389.42.3
> DESC 'Test attribute type with \"double quotes\" in DESC'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
> ---------------------------------- snip ----------------------------------
>
> Returned via LDAP in subschema subentry (as LDIF):
>
> ---------------------------------- snip ----------------------------------
> attributeTypes: ( 1.3.6.1.4.1.5427.1.389.42.3 DESC 'Test attribute type with
> \"double quotes\" in DESC' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
> ---------------------------------- snip ----------------------------------
True, and irrelevant. This behavior is unchanged from any previous OpenLDAP
releases.
The regression you reported has been fixed, that is all.
> But regarding your comment in [1] I wonder what counts as an "argument"?
> Reading the section slapd.conf(5) more carefully it could mean that also all
> schema descriptions (containing spaces) count as one argument and therefore
> should be enclosed in double quotes (which is not the case also for all
> .schema files installed by OpenLDAP).
>
> Another example is:
>
> index foo,bar eq,sub
>
> Does the config parser handle "foo,bar" and "eq,sub" as two separate
> arguments for directive "index"? Does the argument parsing depend on the
> configuration directive?
Yes, the argument parsing depends on the config directive. All of the
schema-related elements (attributetype, objectclass, syntax, ditcontentrule)
have their own parsers and (some of) the normal slapd.conf rules don't apply
to them.
> [1] https://www.openldap.org/its/index.cgi?findid=8251#followup9
>
> Ciao, Michael.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
ITS#8233
by michael@stroeder.com
Howard Chu wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> But then I would expect slapd to remove the backslash(es) used for quoting:
>>
>> Good point. OK, there's some more work needed in here somewhere.
>
> Fixed. Closing this ITS. If you have any other problems regarding this,
> followup to ITS#8233. We don't open new ITSs for unreleased code.
Sorry, but still I see the same problem with commit
23953716c76ab36fab7d5f6dea335bf9bdea6323.
Example from ITS#8251 repeated here:
In slapd.conf:
---------------------------------- snip ----------------------------------
attributetype ( 1.3.6.1.4.1.5427.1.389.42.3
DESC 'Test attribute type with \"double quotes\" in DESC'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
---------------------------------- snip ----------------------------------
Returned via LDAP in subschema subentry (as LDIF):
---------------------------------- snip ----------------------------------
attributeTypes: ( 1.3.6.1.4.1.5427.1.389.42.3 DESC 'Test attribute type with
\"double quotes\" in DESC' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
---------------------------------- snip ----------------------------------
But regarding your comment in [1] I wonder what counts as an "argument"?
Reading the section slapd.conf(5) more carefully it could mean that also all
schema descriptions (containing spaces) count as one argument and therefore
should be enclosed in double quotes (which is not the case also for all
.schema files installed by OpenLDAP).
Another example is:
index foo,bar eq,sub
Does the config parser handle "foo,bar" and "eq,sub" as two separate
arguments for directive "index"? Does the argument parsing depend on the
configuration directive?
[1] https://www.openldap.org/its/index.cgi?findid=8251#followup9
Ciao, Michael.
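For anyone consuming the subschema subentry shown in the two ITS#8233 messages above, the rule that matters on the LDAP side is RFC 4512 section 4.1: inside a qdstring the only escapes are `\27` (single quote) and `\5C`/`\5c` (backslash), so the `\"` that slapd returns is a literal backslash followed by a double quote and an RFC-conformant schema parser must leave it alone. The Python below is an added illustration, not OpenLDAP code: it pulls DESC out of an attributeTypes value and applies exactly the RFC 4512 unescaping, run against the definition quoted in the thread and against one constructed definition (the OID 1.2.3.4 and its text are made up for the example) that uses the RFC escapes.

```python
import re

# RFC 4512 s.4.1: qdstring = SQUOTE dstring SQUOTE, where dstring is a run of
# QUTF8 characters plus the two escapes QQ = "\27" (single quote) and
# QS = "\5C" / "\5c" (backslash).  Nothing else is an escape, so a backslash
# in front of any other character (e.g. the \" in the thread) is literal data.
_QD_ESCAPE = re.compile(r"\\(27|5[Cc])")
# A raw quote cannot occur inside a qdstring (it must be written \27), so the
# first closing quote ends the string.
_DESC = re.compile(r"\bDESC\s+'([^']*)'")


def qdstring_unescape(s):
    """Single pass, so the "27" in "\5c27" is correctly left as literal text."""
    return _QD_ESCAPE.sub(lambda m: "'" if m.group(1) == "27" else "\\", s)


def qdstring_escape(s):
    # Escape backslashes first so the backslash of an escaped quote is not doubled.
    return s.replace("\\", "\\5c").replace("'", "\\27")


def desc_of(attribute_type):
    """Return the DESC of an attributeTypes value, unescaped, or None if absent."""
    m = _DESC.search(attribute_type)
    return qdstring_unescape(m.group(1)) if m else None


# The definition slapd returned in the thread above (LDIF line unfolded).
FROM_THREAD = ("( 1.3.6.1.4.1.5427.1.389.42.3 DESC 'Test attribute type with "
               "\\\"double quotes\\\" in DESC' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )")

# Constructed definition using the RFC 4512 escapes; not from the thread.
WITH_RFC_ESCAPES = ("( 1.2.3.4 DESC 'it\\27s a \\5cbackslash\\5C test' "
                    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )")


if __name__ == "__main__":
    print(repr(desc_of(FROM_THREAD)))        # the backslashes survive
    print(repr(desc_of(WITH_RFC_ESCAPES)))   # \27 and \5c are decoded
    print(repr(qdstring_escape("it's a \\ test")))
```

The asymmetry the thread is circling is visible here: whatever slapd.conf does with backslashes is a property of the config parser, while on the wire RFC 4512 only ever decodes `\27` and `\5C`, so a DESC written with `\"` in the config comes back to LDAP clients with the backslashes intact.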