December 2016 - openldap-bugs

(ITS#8555) slapo-pcache forgets credentials for binddn

by quanah＠openldap.org

Full_Name: Quanah Gibson-Mount Version: 2.4.44 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.26) When slapo-pcache is set up to use the user credentials for binding, the first bind will succeed accordingly, but subsequent binds will fall back to anonymous, as slapd logs that the credentials are not found: 58645256 conn=1024 op=1 ldap_back_dobind_int: DN="cn=james a jones 1,ou=alumni association,ou=people,dc=example,dc=com" without creds, binding anonymouslyldap_sasl_bind This is trivial to reproduce by making a slight modification to test020-proxycache: index f4e5cb7..105b911 100755 --- a/tests/scripts/test020-proxycache +++ b/tests/scripts/test020-proxycache @@ -645,6 +645,22 @@ if test $RC != 4 ; then test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait exit 1 fi + +CNT=`expr $CNT + 1` +FILTER="(sn=Jon)" +ATTRS="cn mail telephonenumber" +echo "Query $CNT: (Result should not be cached)" +echo "# Query $CNT: (Result should not be cached)" >> $SEARCHOUT +$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT2 \ + -D "$USERDN" -w "$UPASSWD" "$FILTER" $ATTRS >> $SEARCHOUT 2>> $TESTOUT +RC=$? + +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + The error test case isn't useful here, but slapd.2.log can be examined to see the behavior. It appears that there's a problem with this block of code in back-ldap/bind.c, that starts at line 2489 in RE24: if ( rc == LDAP_SUCCESS ) { /* set rebind stuff in case of successful proxyAuthz bind, * so that referral chasing is attempted using the right * identity */ LDAP_BACK_CONN_ISBOUND_SET( lc ); if ( !BER_BVISNULL( binddn ) ) { ber_bvreplace( &lc->lc_bound_ndn, binddn ); } if ( !BER_BVISNULL( &lc->lc_cred ) ) { memset( lc->lc_cred.bv_val, 0, lc->lc_cred.bv_len ); } if ( LDAP_BACK_SAVECRED( li ) ) { if ( !BER_BVISNULL( bindcred ) ) { ber_bvreplace( &lc->lc_cred, bindcred ); ldap_set_rebind_proc( lc->lc_ld, li->li_rebind%2, lc ); } } else { lc->lc_cred.bv_len = 0; } }

6 years, 5 months

1
0
0 / 0

(ITS#8554) lmdb build failure on GNU/kFreeBSD

by ryan＠openldap.org

Full_Name: Ryan Tandy Version: 2.4.44 OS: Debian GNU/kFreeBSD URL: Submission from: (NULL) (24.68.41.160) Forwarded from https://bugs.debian.org/845394: lmdb fails to build on Debian GNU/kFreeBSD. https://buildd.debian.org/status/fetch.php?pkg=openldap&arch=kfreebsd-amd... mdb.c: In function mdb_env_setup_locks: mdb.c:4625:13: warning: implicit declaration of function pthread_mutexattr_setrobust [-Wimplicit-function-declaration] || (rc = pthread_mutexattr_setrobust(&mattr, PTHREAD_MUTEX_ROBUST)) ^~~~~~~~~~~~~~~~~~~~~~~~~~~ mdb:4A4625:49: error: PTHREAD_MUTEX_ROBUST undeclared (first use in this function) || (rc = pthread_mutexattr_setrobust(&mattr, PTHREAD_MUTEX_ROBUST)) ^~~~~~~~~~~~~~~~~~~~ mdb.c:4625:%3: note: each undeclared identifier is reported only once for each function it appears in mdb.c: In function mdb_mutex_failed: mdb.c:351:37: warning: implicit declaration of function pthread_mutex_consistent [-Wimplicit-function-declaration] #define mdb_mutex_consistent(mutex) pthread_mutex_consistent(mutex) ^ mdb.c:10002:10: note: in expansion of macro mdb_mutex_consistent rc2 = mdb_mutex_consistent(mutex); ^~~~~~~~~~~~~~~~~~~~ The patch applied by Ondřej Surý to the Debian lmdb package fixes this, please consider applying it. http://sources.debian.net/data/main/l/lmdb/0.9.18-5/debian/patches/0003-U...

6 years, 5 months

1
0
0 / 0

Re: (ITS#8444) Out-of-sync issue with memberOf overlay, Delta-syncrepl MMR and >2 nodes

by henson＠acm.org

I sent this to the mailing list and was advised to add it to ITS 8444, so here it is: I recently updated to openldap 2.4.44 with the patch for ITS 8432. I'd been holding off in hopes of a new release with that patch included and for some update on ITS 8444, but decided to go ahead and push it through during the holiday break. I installed it on my dev environment and was unable to replicate the issues reported in ITS 8444 so went ahead and rolled into production. However, now that I'm in production, I'm seeing different issues with the memberOf overlay. It seems for some reason group membership deletions are getting replicated multiple times? In the logs, I will see something like the following: Dec 21 04:16:59 themis slapd[2607]: conn=364875 op=227806 MOD dn="uid=members,ou=group,dc=cpp,dc=edu" Dec 21 04:16:59 themis slapd[2607]: conn=364875 op=227806 MOD attr=member My identity management system connected and removed some members from this group. Next, there will be a number of lines like this: Dec 21 04:17:15 themis slapd[2607]: conn=-1 op=0: memberof_value_modify DN="uid=prsloan,ou=user,dc=cpp,dc=edu" delete memberOf="uid=members,ou=group,dc=cpp,dc=edu" failed err=16 Dec 21 04:17:16 themis slapd[2607]: conn=-1 op=0: memberof_value_modify DN="uid=prsloan,ou=user,dc=cpp,dc=edu" delete memberOf="uid=members,ou=group,dc=cpp,dc=edu" failed err=16 Dec 21 04:17:17 themis slapd[2607]: conn=-1 op=0: memberof_value_modify DN="uid=prsloan,ou=user,dc=cpp,dc=edu" delete memberOf="uid=members,ou=group,dc=cpp,dc=edu" failed err=16 Dec 21 04:17:18 themis slapd[2607]: conn=-1 op=0: memberof_value_modify DN="uid=prsloan,ou=user,dc=cpp,dc=edu" delete memberOf="uid=members,ou=group,dc=cpp,dc=edu" failed err=16 Dec 21 04:17:18 themis slapd[2607]: conn=-1 op=0: memberof_value_modify DN="uid=prsloan,ou=user,dc=cpp,dc=edu" delete memberOf="uid=members,ou=group,dc=cpp,dc=edu" failed err=16 Dec 21 04:17:18 themis slapd[2607]: conn=-1 op=0: memberof_value_modify DN="uid=prsloan,ou=user,dc=c Where the memberOf overlay is complaining that it can't remove the corresponding memberOf attribute from the user. Reviewing the accesslog, we see: dn: reqStart=20161221121659.000002Z,cn=accesslog objectClass: auditModify structuralObjectClass: auditModify reqStart: 20161221121659.000002Z reqEnd: 20161221121706.000000Z reqType: modify reqSession: 364875 reqAuthzID: cn=idmgmt,ou=user,ou=service,dc=cpp,dc=edu reqDN: uid=members,ou=group,dc=cpp,dc=edu reqResult: 0 reqMod: member:- uid=jjtringali,ou=user,dc=cpp,dc=edu reqMod: member:- uid=kaijulee,ou=user,dc=cpp,dc=edu reqMod: member:- uid=srknight,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ppimentel,ou=user,dc=cpp,dc=edu reqMod: member:- uid=epdetering,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ktran,ou=user,dc=cpp,dc=edu [...] reqMod: member:- uid=prsloan,ou=user,dc=cpp,dc=edu The initial tranaction from my client, authenticated as cn=idmgmt. This one is successful and the overlay deletes the memberOf attribute. However, there are then *six* more instances of the same transaction: dn: reqStart=20161221121714.000001Z,cn=accesslog objectClass: auditModify structuralObjectClass: auditModify reqStart: 20161221121714.000001Z reqEnd: 20161221121715.000000Z reqType: modify reqSession: 3 reqAuthzID: cn=ldaproot,dc=cpp,dc=edu reqDN: uid=members,ou=group,dc=cpp,dc=edu reqResult: 0 reqMod: member:- uid=jjtringali,ou=user,dc=cpp,dc=edu reqMod: member:- uid=kaijulee,ou=user,dc=cpp,dc=edu reqMod: member:- uid=srknight,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ppimentel,ou=user,dc=cpp,dc=edu reqMod: member:- uid=epdetering,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ktran,ou=user,dc=cpp,dc=edu [...] reqMod: member:- uid=prsloan,ou=user,dc=cpp,dc=edu dn: reqStart=20161221121716.000001Z,cn=accesslog objectClass: auditModify structuralObjectClass: auditModify reqStart: 20161221121716.000001Z reqEnd: 20161221121716.000002Z reqType: modify reqSession: 1 reqAuthzID: cn=ldaproot,dc=cpp,dc=edu reqDN: uid=members,ou=group,dc=cpp,dc=edu reqResult: 0 reqMod: member:- uid=jjtringali,ou=user,dc=cpp,dc=edu reqMod: member:- uid=kaijulee,ou=user,dc=cpp,dc=edu reqMod: member:- uid=srknight,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ppimentel,ou=user,dc=cpp,dc=edu reqMod: member:- uid=epdetering,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ktran,ou=user,dc=cpp,dc=edu [...] reqMod: member:- uid=prsloan,ou=user,dc=cpp,dc=edu dn: reqStart=20161221121716.000004Z,cn=accesslog objectClass: auditModify structuralObjectClass: auditModify reqStart: 20161221121716.000004Z reqEnd: 20161221121717.000002Z reqType: modify reqSession: 1 reqAuthzID: cn=ldaproot,dc=cpp,dc=edu reqDN: uid=members,ou=group,dc=cpp,dc=edu reqResult: 0 reqMod: member:- uid=jjtringali,ou=user,dc=cpp,dc=edu reqMod: member:- uid=kaijulee,ou=user,dc=cpp,dc=edu reqMod: member:- uid=srknight,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ppimentel,ou=user,dc=cpp,dc=edu reqMod: member:- uid=epdetering,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ktran,ou=user,dc=cpp,dc=edu [...] reqMod: member:- uid=prsloan,ou=user,dc=cpp,dc=edu dn: reqStart=20161221121717.000001Z,cn=accesslog objectClass: auditModify structuralObjectClass: auditModify reqStart: 20161221121717.000001Z reqEnd: 20161221121718.000000Z reqType: modify reqSession: 2 reqAuthzID: cn=ldaproot,dc=cpp,dc=edu reqDN: uid=members,ou=group,dc=cpp,dc=edu reqResult: 0 reqMod: member:- uid=jjtringali,ou=user,dc=cpp,dc=edu reqMod: member:- uid=kaijulee,ou=user,dc=cpp,dc=edu reqMod: member:- uid=srknight,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ppimentel,ou=user,dc=cpp,dc=edu reqMod: member:- uid=epdetering,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ktran,ou=user,dc=cpp,dc=edu [...] reqMod: member:- uid=prsloan,ou=user,dc=cpp,dc=edu dn: reqStart=20161221121718.000001Z,cn=accesslog objectClass: auditModify structuralObjectClass: auditModify reqStart: 20161221121718.000001Z reqEnd: 20161221121718.000002Z reqType: modify reqSession: 2 reqAuthzID: cn=ldaproot,dc=cpp,dc=edu reqDN: uid=members,ou=group,dc=cpp,dc=edu reqResult: 0 reqMod: member:- uid=jjtringali,ou=user,dc=cpp,dc=edu reqMod: member:- uid=kaijulee,ou=user,dc=cpp,dc=edu reqMod: member:- uid=srknight,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ppimentel,ou=user,dc=cpp,dc=edu reqMod: member:- uid=epdetering,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ktran,ou=user,dc=cpp,dc=edu [...] reqMod: member:- uid=prsloan,ou=user,dc=cpp,dc=edu dn: reqStart=20161221121718.000003Z,cn=accesslog objectClass: auditModify structuralObjectClass: auditModify reqStart: 20161221121718.000003Z reqEnd: 20161221121718.000004Z reqType: modify reqSession: 2 reqAuthzID: cn=ldaproot,dc=cpp,dc=edu reqDN: uid=members,ou=group,dc=cpp,dc=edu reqResult: 0 reqMod: member:- uid=jjtringali,ou=user,dc=cpp,dc=edu reqMod: member:- uid=kaijulee,ou=user,dc=cpp,dc=edu reqMod: member:- uid=srknight,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ppimentel,ou=user,dc=cpp,dc=edu reqMod: member:- uid=epdetering,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ktran,ou=user,dc=cpp,dc=edu [...] reqMod: member:- uid=prsloan,ou=user,dc=cpp,dc=edu These are are performed by cn=ldaproot, and correspond to the six error messages from the overlay about failing to remove the attribute (which was already removed). Similarly, on a replica: Dec 21 04:17:16 coeus slapd[2841]: conn=-1 op=0: memberof_value_modify DN="uid=prsloan,ou=user,dc=cpp,dc=edu" delete memberOf="uid=members,ou=group,dc=cpp,dc=edu" failed err=16 There is one error, because there are two copies of the transaction: dn: reqStart=20161221121706.000001Z,cn=accesslog objectClass: auditModify structuralObjectClass: auditModify reqStart: 20161221121706.000001Z reqEnd: 20161221121716.000000Z reqType: modify reqSession: 1 reqAuthzID: cn=ldaproot,dc=cpp,dc=edu reqDN: uid=members,ou=group,dc=cpp,dc=edu reqResult: 0 reqMod: member:- uid=jjtringali,ou=user,dc=cpp,dc=edu reqMod: member:- uid=kaijulee,ou=user,dc=cpp,dc=edu reqMod: member:- uid=srknight,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ppimentel,ou=user,dc=cpp,dc=edu reqMod: member:- uid=epdetering,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ktran,ou=user,dc=cpp,dc=edu [...] reqMod: member:- uid=prsloan,ou=user,dc=cpp,dc=edu dn: reqStart=20161221121714.000002Z,cn=accesslog objectClass: auditModify structuralObjectClass: auditModify reqStart: 20161221121714.000002Z reqEnd: 20161221121716.000001Z reqType: modify reqSession: 3 reqAuthzID: cn=ldaproot,dc=cpp,dc=edu reqDN: uid=members,ou=group,dc=cpp,dc=edu reqResult: 0 reqMod: member:- uid=jjtringali,ou=user,dc=cpp,dc=edu reqMod: member:- uid=kaijulee,ou=user,dc=cpp,dc=edu reqMod: member:- uid=srknight,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ppimentel,ou=user,dc=cpp,dc=edu reqMod: member:- uid=epdetering,ou=user,dc=cpp,dc=edu reqMod: member:- uid=ktran,ou=user,dc=cpp,dc=edu [...] reqMod: member:- uid=prsloan,ou=user,dc=cpp,dc=edu So far, I've only seem this behavior for group membership removals. Adds don't seem to cause a problem, nor do create/delete of groups or users as far as I can tell. Any thoughts on what's going on here? It's not causing any failures yet, as removing members multiple times results in the same end state and the multiple replication seems to have a fairly low upper bound. But it would be nice to fix it :). Thanks...

6 years, 5 months

1
0
0 / 0

(ITS#8553) LMDB Windows UWP Patch

by smlu＠s5.net

Full_Name: Crt Vavros Version: 0.9.70 OS: Windows 10 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (89.142.169.104) This patch updates LMDB library code to compile under windows UWP platform. The patch was made against mdb.master branch [4bc270a2c] (21.12.2016). Note that the code was not modified much, merely additional code was added to existing one. The code had to be adapted to compile under C++ standards (LMDB lib cannot be compiled as C code under UWP platform). This is handled via "TC" macro which casts "raw type" to appropriate type when compiling library under C++, it should do nothing when compiling as C code. The test github repo can be found at https://github.com/ZeroPass/lmdb (Note that this port is not made aginst the latest commit) Patch was uploaded to ftp.openldap.org/incoming

6 years, 5 months

1
0
0 / 0

(ITS#8552) Strange behaviour of attribute using password policy overlay

by a.rossini＠cineca.it

Full_Name: Angelo Rossini Version: OpenLDAP-LTB 2.4.44.1 OS: Debian 8 x86-64 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (130.186.19.204) Hi, I'm using the password policy overlay with this configuration: pwdAttribute: userPassword pwdAllowUserChange: TRUE pwdCheckModule: /usr/local/openldap/lib64/check_password.so pwdCheckQuality: 2 pwdExpireWarning: 432000 pwdFailureCountInterval: 300 pwdGraceAuthNLimit: 0 pwdInHistory: 5 pwdLockout: TRUE pwdLockoutDuration: 120 pwdMaxAge: 63072000 pwdMaxFailure: 5 pwdMinAge: 0 pwdMinLength: 8 pwdMustChange: TRUE pwdSafeModify: TRUE When I try to change the password and the password is one of the last five in history I find that attributes pwdChangedTime and modifyTimestamp have changed their values. I think that this behaviour is quite strange, because I haven't changed anything on the entry. Can someone explain me if is possible to avoid this behaviour? Regards, Angelo.

6 years, 5 months

1
0
0 / 0

Re: (ITS#8551) allow bind_anon_cred in slapd.conf does not work

by quanah＠symas.com

--On Thursday, December 15, 2016 9:37 PM +0000 yelin(a)venustech.com.cn wrote: > To be specific, "allow bind_anon_cred" in slapd.conf does not work as Hello, This report is invalid. The documentation clearly states: bind_anon_cred allows anonymous bind when credentials are not empty (e.g. when DN is empty). I.e., bind_anon_cred allows you to bind with a ldapsearch -W or -w flag, but no -D flag provided. You may be looking for: bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty. Which allows one to bind anonymously rather than as a user, if the DN is specified. I.e., if using ldapsearch, ldapsearch -D DN without a -W or -w would allow the bind to occur as an anonymous connection. Hope that helps. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 5 months

1
0
0 / 0

(ITS#8551) allow bind_anon_cred in slapd.conf does not work

by yelin＠venustech.com.cn

Full_Name: yelin Version: 2.4.44 OS: win7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (106.37.236.166) Hello, This is yelin from venusTech.inc reporting OpenLDAP server configure file issue. To be specific, "allow bind_anon_cred" in slapd.conf does not work as expected. Please help to look at the issue and help my business application move on. "Unauthenticated bind mechanism" is specified in LDAP RFC 4153. My application has the business logic requires "Unauthenticated bind mechanism". And my application depends on OpenLDAP Sever. OpenLDAP claims to support it by specifying "allow bind_anon_cred" in slapd.conf. (http://www.openldap.org/doc/admin24/security.html) But the "allow bind_anon_cred" in slapd.conf does not work as expected. Enviroment: OpenLDAP version 2.4.44 OS: Win7 Detail Steps: 1. Install OpenLDAP server with all default settings. 2. Create a new myuser/mypwd. 2.1 Test bind "myuser"/"mypwd" completes as expected. 2.2 Test bind "myuser"/"" to see the Exception as expected. connection.bind( "uid=myuser,ou=people,dc=maxcrc,dc=com", "" ); unauthenticeded bind (DN with no password) disallowed 3. Modify slapd.conf, add a line "allow bind_anon_cred", save it. 4. Restart the server. 5. Test "myuser"/"" 6. Unexpected Result. There is unauthenticated bind disallowed Exception. Could you please help fix the issue? My business application can not run well without OpenLDAP "Unauthenticated bind mechanism". Thanks, yelin

6 years, 5 months

1
0
0 / 0

(ITS#8550) aa

by aa＠aa.com

Full_Name: aa Version: 2.4.44 OS: win7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (106.37.236.166) aa

6 years, 5 months

1
0
0 / 0

Re: (ITS#8543) CVE-2015-3276: incorrect multi-keyword mode cipherstring parsing

by he＠NetBSD.org

>> CVE-2015-3276 appears to be unfixed in 2.4.44, and from several >> attempts at finding the bug reported in your mailing list archive >> I came up empty. So ... The best I've found from this CVE is >> RedHat's bugzilla entry at >> >> https://bugzilla.redhat.com/show_bug.cgi?id=3D1238322 >> >> which contains a (suggested) patch. > > We can integrate a suggested fix if the patch author submits their > patch to our ITS directly. Due to IPR concerns we don't accept or act= > on 3rd party patch submissions. Hm, ok. I've submitted an update to the above bug entry petitioning for them to release the fix. We'll see if they act on it. Regards, - H=E5vard

6 years, 5 months

1
0
0 / 0

(ITS#8545) Undesired timeout when polling for results

by shalopo＠gmail.com

Full_Name: Shahar Lupu Version: 2.4.44 OS: Ubuntu URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (81.218.29.26) When calling ldap_result with a timeout={0,0} (polling), it returns LDAP_TIMEOUT even though there are available messages in the socket. This occurs when calling ldap_results with all=true and a multi-message response has arrived. In this case, if the client has already received on the socket every message for the response, it is desirable that all the messages are collected within this ldap_result call. Instead of only polling for the specified timeout, ldap_result applies the timeout (zero when polling) on the wait4msg loop. Consequently, ldap_result returns LDAP_TIMEOUT after the first message if the response is composed of more than one message. While it may be a good idea to apply a timeout for the wai4msg loop (rather than only the polling on the socket), it is undesirable in some cases and should at least be configurable. Or perhaps timeout=polling should never be applied on the wait4msg loop.

6 years, 5 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs December 2016