September 2015 - openldap-bugs

by hyc＠symas.com

luke.yeager(a)gmail.com wrote: > --001a11473c18e3466e0520962c9f > Content-Type: text/plain; charset=UTF-8 > > Sorry, the URL is: > https://github.com/lukeyeager/lmdb/commit/b0542bc783f2c349d1365a4e6472414... > Thanks, added to mdb.master -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

8 years

1
0
0 / 0

Re: (ITS#8230) [PATCH] totp: bug fixes and improvements

by hyc＠symas.com

peter(a)adpm.de wrote: >>> - allow padding to be omitted (totally, not only parts) >> >> Why? > To allow using the keys encoded by other implementations that do > not generate the padding (e.g. Perl's Convert::Base32). > (e.g. in a mass-rollout that sets userPassword using LDIF) We must reject this on security grounds. See RFC3548 Security Considerations. https://tools.ietf.org/html/rfc3548#page-10 Also, as already noted in the code comments, allowing partial bytes would open a subliminal channel allowing information leaks. If Perl's encoder is being so careless then that is a security vulnerability. The other 3 points on this ticket have been committed in master. I consider this ticket resolved. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

8 years

1
0
0 / 0

Re: (ITS#8256) Fix install for LMDB

by luke.yeager＠gmail.com

--001a11473c18e3466e0520962c9f Content-Type: text/plain; charset=UTF-8 Sorry, the URL is: https://github.com/lukeyeager/lmdb/commit/b0542bc783f2c349d1365a4e6472414... On Fri, Sep 25, 2015 at 11:02 AM, <openldap-its(a)openldap.org> wrote: > > *** THIS IS AN AUTOMATICALLY GENERATED REPLY *** > > Thanks for your report to the OpenLDAP Issue Tracking System. Your > report has been assigned the tracking number ITS#8256. > > One of our support engineers will look at your report in due course. > Note that this may take some time because our support engineers > are volunteers. They only work on OpenLDAP when they have spare > time. > > If you need to provide additional information in regards to your > issue report, you may do so by replying to this message. Note that > any mail sent to openldap-its(a)openldap.org with (ITS#8256) > in the subject will automatically be attached to the issue report. > > mailto:openldap-its@openldap.org?subject=(ITS#8256) > > You may follow the progress of this report by loading the following > URL in a web browser: > http://www.OpenLDAP.org/its/index.cgi?findid=8256 > > Please remember to retain your issue tracking number (ITS#8256) > on any further messages you send to us regarding this report. If > you don't then you'll just waste our time and yours because we > won't be able to properly track the report. > > Please note that the Issue Tracking System is not intended to > be used to seek help in the proper use of OpenLDAP Software. > Such requests will be closed. > > OpenLDAP Software is user supported. > http://www.OpenLDAP.org/support/ > > -------------- > Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved. > > --001a11473c18e3466e0520962c9f Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">Sorry, the URL is:<div><a href=3D"https://github.com/lukey= eager/lmdb/commit/b0542bc783f2c349d1365a4e6472414759e4f04a.patch">https://g= ithub.com/lukeyeager/lmdb/commit/b0542bc783f2c349d1365a4e6472414759e4f04a.p= atch</a> </div></div><div class=3D"gmail_extra"> <div class=3D"gmail_= quote">On Fri, Sep 25, 2015 at 11:02 AM, <<a href=3D"= mailto:openldap-its@openldap.org" target=3D"_blank">openldap-its(a)openldap.o= rg</a>> wrote: <blockquote class=3D"gmail_quote" style=3D"marg= in:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> *** THIS IS AN AUTOMATICALLY GENERATED REPLY *** Thanks for your report to the OpenLDAP Issue Tracking System.=C2=A0 Your<br= > report has been assigned the tracking number ITS#8256. One of our support engineers will look at your report in due course. Note that this may take some time because our support engineers are volunteers.=C2=A0 They only work on OpenLDAP when they have spare time. If you need to provide additional information in regards to your issue report, you may do so by replying to this message.=C2=A0 Note that<br= > any mail sent to <a href=3D"mailto:openldap-its@openldap.org">openldap-its@= openldap.org</a> with (ITS#8256) in the subject will automatically be attached to the issue report. =C2=A0 =C2=A0 =C2=A0 =C2=A0 mailto:<a href=3D"mailto:openldap-its@openldap.= org">openldap-its(a)openldap.org</a>?subject=3D(ITS#8256) You may follow the progress of this report by loading the following URL in a web browser: =C2=A0 =C2=A0 <a href=3D"http://www.OpenLDAP.org/its/index.cgi?findid=3D825= 6" rel=3D"noreferrer" target=3D"_blank">http://www.OpenLDAP.org/its/index.c= gi?findid=3D8256</a> Please remember to retain your issue tracking number (ITS#8256) on any further messages you send to us regarding this report.=C2=A0 If you don't then you'll just waste our time and yours because we won't be able to properly track the report. Please note that the Issue Tracking System is not intended to be used to seek help in the proper use of OpenLDAP Software. Such requests will be closed. OpenLDAP Software is user supported. =C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=3D"http://www.OpenLDAP.org/support/" re= l=3D"noreferrer" target=3D"_blank">http://www.OpenLDAP.org/support/</a> -------------- Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved. </blockquote></div> </div> --001a11473c18e3466e0520962c9f--

8 years

1
0
0 / 0

(ITS#8256) Fix install for LMDB

by luke.yeager＠gmail.com

Full_Name: Luke Yeager Version: OPENLDAP_REL_ENG_2_5, LMDB_0.9.16 OS: Ubuntu 14.04 URL: Submission from: (NULL) (216.228.112.22) This fixes two small issues. First, if the $(prefix) or $(prefix)/* directories don't exist, they should be created. Second, the shared library is not executable, and should not be marked as such. Patch here: https://github.com/keyeyeager/lmdb/commit/25db4c2ecdfc31653b702cf1e08a095...

8 years

1
0
0 / 0

(ITS#8255) slapd-sock: response parsing in str2result() is broken

by michael＠stroeder.com

Full_Name: Michael Str.der Version: RE24 OS: URL: Submission from: (NULL) (79.223.48.162) See more information in this thread: http://www.openldap.org/lists/openldap-devel/201509/msg00002.html

8 years

1
0
0 / 0

(ITS#8254) RFE: slapd-sock: more request and return parameters

by michael＠stroeder.com

Full_Name: Michael Str.der Version: HEAD OS: URL: Submission from: (NULL) (79.223.42.126) 1. It would be nice if back-sock listeners could receive more details of an LDAP request: 1.1 TLS client peer certificate would allow to distinguish between a normal bind-DN and the system from which the LDAP request was sent. - either subject-DN like used in authz-regexp configuration directive - issuer-DN+serial like to be used with certificateExactMatch 1.2. Request controls - either as base64-decoded BER (and the listener has to decode it) similar to what RFC 2849 specifys - in some suitable string representation (hard to define) 2. It would be nice if back-sock listeners could return extended response controls to slapd which returns it to the LDAP client. Should be an extra line "control:" with base64-encoded BER value similar to what RFC 2849 specifys

8 years

1
0
0 / 0

(ITS#8253) 2.4 Admin guide for syncprov-sessionlog is out of date

by quanah＠openldap.org

Full_Name: Quanah Gibson-Mount Version: 2.4.x OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (75.111.52.177) The admin guide for 2.4 section on replication has the description for syncprov-sessionlog from OpenLDAP 2.3, and needs to be updated to reflect current reality of what is tracked (i.e., updated to match the 2.4 man page for syncprov) http://www.openldap.org/doc/admin24/replication.html#Syncrepl, section 18.3.1.2

8 years

1
0
0 / 0

Re: ITS#8233

by hyc＠symas.com

Michael Ströder wrote: > Howard Chu wrote: >> Howard Chu wrote: >>> Michael Ströder wrote: >>>> But then I would expect slapd to remove the backslash(es) used for quoting: >>> >>> Good point. OK, there's some more work needed in here somewhere. >> >> Fixed. Closing this ITS. If you have any other problems regarding this, >> followup to ITS#8233. We don't open new ITSs for unreleased code. > > Sorry, but still I see the same problem with commit > 23953716c76ab36fab7d5f6dea335bf9bdea6323. > > Example from ITS#8251 repeated here: > > In slapd.conf: > > ---------------------------------- snip ---------------------------------- > attributetype ( 1.3.6.1.4.1.5427.1.389.42.3 > DESC 'Test attribute type with \"double quotes\" in DESC' > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) > ---------------------------------- snip ---------------------------------- > > Returned via LDAP in subschema subentry (as LDIF): > > ---------------------------------- snip ---------------------------------- > attributeTypes: ( 1.3.6.1.4.1.5427.1.389.42.3 DESC 'Test attribute type with > \"double quotes\" in DESC' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) > ---------------------------------- snip ---------------------------------- True, and irrelevant. This behavior is unchanged from any previous OpenLDAP releases. The regression you reported has been fixed, that is all. > But regarding your comment in [1] I wonder what counts as an "argument"? > Reading the section slapd.conf(5) more carefully it could mean that also all > schema descriptions (containing spaces) count as one argument and therefore > should be enclosed in double quotes (which is not the case also for all > .schema files installed by OpenLDAP). > > Another example is: > > index foo,bar eq,sub > > Does the the config parser handle "foo,bar" and "eq,sub" as two separate > arguments for directive "index"? Does the argument parsing depend on the > configuration directive? Yes, the argument parsing depends on the config directive. All of the schema-related elements (attributetype, objectclass, syntax, ditcontentrule) have their own parsers and (some of) the normal slapd.conf rules don't apply to them. > [1] https://www.openldap.org/its/index.cgi?findid=8251#followup9 > > Ciao, Michael. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

8 years

1
0
0 / 0

ITS#8233

by michael＠stroeder.com

Howard Chu wrote: > Howard Chu wrote: >> Michael Ströder wrote: >>> But then I would expect slapd to remove the backslash(es) used for quoting: >> >> Good point. OK, there's some more work needed in here somewhere. > > Fixed. Closing this ITS. If you have any other problems regarding this, > followup to ITS#8233. We don't open new ITSs for unreleased code. Sorry, but still I see the same problem with commit 23953716c76ab36fab7d5f6dea335bf9bdea6323. Example from ITS#8251 repeated here: In slapd.conf: ---------------------------------- snip ---------------------------------- attributetype ( 1.3.6.1.4.1.5427.1.389.42.3 DESC 'Test attribute type with \"double quotes\" in DESC' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) ---------------------------------- snip ---------------------------------- Returned via LDAP in subschema subentry (as LDIF): ---------------------------------- snip ---------------------------------- attributeTypes: ( 1.3.6.1.4.1.5427.1.389.42.3 DESC 'Test attribute type with \"double quotes\" in DESC' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) ---------------------------------- snip ---------------------------------- But regarding your comment in [1] I wonder what counts as an "argument"? Reading the section slapd.conf(5) more carefully it could mean that also all schema descriptions (containing spaces) count as one argument and therefore should be enclosed in double quotes (which is not the case also for all .schema files installed by OpenLDAP). Another example is: index foo,bar eq,sub Does the the config parser handle "foo,bar" and "eq,sub" as two separate arguments for directive "index"? Does the argument parsing depend on the configuration directive? [1] https://www.openldap.org/its/index.cgi?findid=8251#followup9 Ciao, Michael.

8 years

1
0
0 / 0

Re: (ITS#8251) slapd fails schema parsing with double quotes in DESC

by hyc＠symas.com

Howard Chu wrote: > Michael Ströder wrote: >> But then I would expect slapd to remove the backslash(es) used for quoting: > > Good point. OK, there's some more work needed in here somewhere. Fixed. Closing this ITS. If you have any other problems regarding this, followup to ITS#8233. We don't open new ITSs for unreleased code. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

8 years

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs September 2015