openldap-bugs September 2016

openldap-bugs@openldap.org

17 participants
49 discussions

Re: (ITS#8501) OpenLdap not RFC 2891 complaint
by hyc＠symas.com 12 Sep '16

12 Sep '16

mblagoeva(a)axway.com wrote: > Full_Name: Maria Blagoeva > Version: openldap-2.4.31/debian/build/servers/slapd > OS: docker image with 3.10.0-327.28.2.el7.x86_64 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (194.88.228.86) > > > It seems that openldap as of 2.4.31 is not RFC complaint > (https://www.ietf.org/rfc/rfc2891.txt) due to failure in response when ordering > match rule is empty while doing server side sorting. Example below: False. OpenLDAP is completely correct and RFC-compliant in its behavior. > empty ordering rule: > > ldapsearch -E sss=cn '(cn=ccc*)' cn' (&(objectClass=inetOrgPerson)(cn=ccc*))' -H > ldap://IP:389 -b "ou=Users,dc=openstack,dc=org" -D "cn=aaa1, > ou=Users,dc=openstack,dc=org" -x -W > # extended LDIF > # > # LDAPv3 > # base <ou=Users,dc=openstack,dc=org> with scope subtree > # filter: (cn=ccc*) > # requesting: cn (&(objectClass=inetOrgPerson)(cn=ccc*)) > # with server side sorting control > # > > # search result > search: 2 > result: 18 Inappropriate matching > text: serverSort control: No ordering rule This result is correct since the cn attribute has no ordering rule defined in the schema. > > # numResponses: 1 > > caseIgnoreOrderingMatch ordering rule: > > ldapsearch -E sss=cn:caseIgnoreOrderingMatch '(cn=ccc*)' cn' > (&(objectClass=inetOrgPerson)(cn=ccc*))' -H ldap://IP:389 -b > "ou=Users,dc=openstack,dc=org" -D "c3D3Daaa1, ou=Users,dc=openstack,dc=org" -x > -W > # extended LDIF > # > # LDAPv3 > # base <ou=Users,dc=openstack,dc=org> with scope subtree > # filter: (cn=ccc*) > # requesting: cn (&(objectClass=inetOrgPerson)(cn=ccc*)) > # with server side sorting control > # > > # ccc0, Users, openstack.org > dn: cn=ccc0,ou=Users,dc=openstack,dc=org > # search result > search: 2 > result: 0 Success > control: 1.2.840.113556.1.4.474 false MAMKAQA= > sortResult: (0) Success > > > however the RFC states that the orderingRule is OPTIONAL as below: > > SortKeyList ::= SEQUENCE OF SEQUENCE { > attributeType AttributeDescription, > orderingRule [0] MatchingRuleId OPTIONAL, > reverseOrder [1] BOOLEAN DEFAULT FALSE } > > however openldap fails to return entries. The rule is optional in the control itself, but a valid ordering rule must exist somewhere. Since the attribute schema doesn't define one then you must provide one yourself. Closing this ITS. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#8501) OpenLdap not RFC 2891 complaint
by mblagoeva＠axway.com 12 Sep '16

12 Sep '16

Full_Name: Maria Blagoeva Version: openldap-2.4.31/debian/build/servers/slapd OS: docker image with 3.10.0-327.28.2.el7.x86_64 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (194.88.228.86) It seems that openldap as of 2.4.31 is not RFC complaint (https://www.ietf.org/rfc/rfc2891.txt) due to failure in response when ordering match rule is empty while doing server side sorting. Example below: empty ordering rule: ldapsearch -E sss=cn '(cn=ccc*)' cn' (&(objectClass=inetOrgPerson)(cn=ccc*))' -H ldap://IP:389 -b "ou=Users,dc=openstack,dc=org" -D "cn=aaa1, ou=Users,dc=openstack,dc=org" -x -W # extended LDIF # # LDAPv3 # base <ou=Users,dc=openstack,dc=org> with scope subtree # filter: (cn=ccc*) # requesting: cn (&(objectClass=inetOrgPerson)(cn=ccc*)) # with server side sorting control # # search result search: 2 result: 18 Inappropriate matching text: serverSort control: No ordering rule # numResponses: 1 caseIgnoreOrderingMatch ordering rule: ldapsearch -E sss=cn:caseIgnoreOrderingMatch '(cn=ccc*)' cn' (&(objectClass=inetOrgPerson)(cn=ccc*))' -H ldap://IP:389 -b "ou=Users,dc=openstack,dc=org" -D "c3D3Daaa1, ou=Users,dc=openstack,dc=org" -x -W # extended LDIF # # LDAPv3 # base <ou=Users,dc=openstack,dc=org> with scope subtree # filter: (cn=ccc*) # requesting: cn (&(objectClass=inetOrgPerson)(cn=ccc*)) # with server side sorting control # # ccc0, Users, openstack.org dn: cn=ccc0,ou=Users,dc=openstack,dc=org # search result search: 2 result: 0 Success control: 1.2.840.113556.1.4.474 false MAMKAQA= sortResult: (0) Success however the RFC states that the orderingRule is OPTIONAL as below: SortKeyList ::= SEQUENCE OF SEQUENCE { attributeType AttributeDescription, orderingRule [0] MatchingRuleId OPTIONAL, reverseOrder [1] BOOLEAN DEFAULT FALSE } however openldap fails to return entries.

1 0

(ITS#8500) typo in slapo-ppolicy(5)
by michael＠stroeder.com 12 Sep '16

12 Sep '16

Full_Name: Version: git master OS: - URL: Submission from: (NULL) (85.115.23.42) diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5 index 91e0f8f..8306f97 100644 --- a/doc/man/man5/slapo-ppolicy.5 +++ b/doc/man/man5/slapo-ppolicy.5 @@ -104,7 +104,7 @@ object class. The definition of that class is as follows: pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ - pwdSafeModify 4 pwdMaxRecordedFailure ) ) + pwdSafeModify $ pwdMaxRecordedFailure ) ) .RE This implementation also provides an additional

1 0

(ITS#8499) fixes documentation typo
by gerardo.santana＠gmail.com 11 Sep '16

11 Sep '16

Full_Name: Gerardo Santana Gomez Garrido Version: 2.4 OS: Mac OS X URL: ftp://ftp.openldap.org/incoming/gerardo-santana-160911.patch Submission from: (NULL) (70.113.112.97) documentation typo

1 0

Re: (ITS#8498) slapadd complains about missing attrs
by quanah＠zimbra.com 09 Sep '16

09 Sep '16

--On Friday, September 09, 2016 11:32 PM +0100 Howard Chu <hyc(a)symas.com> wrote: >> I'd generally expect the warning to be consistently shown (or not). I >> don't think it's valid in the case of "". > > The warning is only printed in single-master replication configs. My point is the warning is invalid, and it was printed on the replica, nothing to do with a master... --Quanah -- Quanah Gibson-Mount

1 0

Re: (ITS#8498) slapadd complains about missing attrs
by hyc＠symas.com 09 Sep '16

09 Sep '16

quanah(a)openldap.org wrote: > Full_Name: Quanah Gibson-Mount > Version: 2.4.44+ITS8432 > OS: Linux 3.13 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (75.111.52.177) > > > When slapadding a database rooted at "" on a replica, it outputs the following > warning: > > zimbra@zre-ldap014:~$ time ./libexec/zmslapadd > /home/build/ldap.bak.20160909144406 > 57d32561 slapadd: warning, missing attrs entryUUID,entryCSN from entry dn="" > -######## 42.58% eta 01m39s elapsed 01m13s spd 292.8 k/s > > > Interestingly enough, when slapadded to a master with cn=accesslog in play, it > doesn't output anything: > > zimbra@zre-ldap008:~$ ./libexec/zmslapadd /home/build/ldap.bak.20160909144406 > *#################### 100.00% eta none elapsed 02m45s spd 3.1 M/s > Closing DB... > > I'd generally expect the warning to be consistently shown (or not). I don't > think it's valid in the case of "". The warning is only printed in single-master replication configs. Closing this ITS. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#8498) slapadd complains about missing attrs
by quanah＠openldap.org 09 Sep '16

09 Sep '16

Full_Name: Quanah Gibson-Mount Version: 2.4.44+ITS8432 OS: Linux 3.13 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (75.111.52.177) When slapadding a database rooted at "" on a replica, it outputs the following warning: zimbra@zre-ldap014:~$ time ./libexec/zmslapadd /home/build/ldap.bak.20160909144406 57d32561 slapadd: warning, missing attrs entryUUID,entryCSN from entry dn="" -######## 42.58% eta 01m39s elapsed 01m13s spd 292.8 k/s Interestingly enough, when slapadded to a master with cn=accesslog in play, it doesn't output anything: zimbra@zre-ldap008:~$ ./libexec/zmslapadd /home/build/ldap.bak.20160909144406 *#################### 100.00% eta none elapsed 02m45s spd 3.1 M/s Closing DB... I'd generally expect the warning to be consistently shown (or not). I don't think it's valid in the case of "".

1 0

Re: (ITS#8490) changes not written to accesslog, causing replicas to loop syncing
by quanah＠zimbra.com 09 Sep '16

09 Sep '16

--On Thursday, September 01, 2016 9:50 AM +0000 quanah(a)zimbra.com wrote: I finally was able to reproduce this in a new lab of servers I set up. The easiest way to reproduce this problem is to have 2 masters, and 6 replicas. 3 replicas pointing to each master. In my case, I have ldap07 through ldap014. 07/08 are the masters. Odd number replicas (9,11,13) point to 07, even number replicas point to 08 (10, 12, 14). What we find based on the logs is two MODRDNs coming in at approximately the same time: Sep 9 15:29:40 zre-ldap007 slapd[13794]: conn=1389 op=3179 MODRDN dn="uid=user.345,ou=people,dc=zre-ldap007,dc=eng,dc=zimbra,dc=com" Sep 9 15:29:40 zre-ldap007 slapd[13794]: conn=1120 op=2919 MODRDN dn="uid=user.250404,ou=people,dc=zre-ldap007,dc=eng,dc=zimbra,dc=com" Sep 9 15:29:40 zre-ldap007 slapd[13794]: slap_queue_csn: queueing 0xa046e80 20160909192940.809794Z#000000#001#000000 Sep 9 15:29:40 zre-ldap007 slapd[13794]: slap_queue_csn: queueing 0xa046a40 20160909192940.809794Z#000000#001#000000 Sep 9 15:29:40 zre-ldap007 slapd[13794]: slap_queue_csn: queueing 0xa07b740 20160909192940.810205Z#000000#001#000000 Sep 9 15:29:40 zre-ldap007 slapd[13794]: slap_graduate_commit_csn: removing 0xa046a40 20160909192940.809794Z#000000#001#000000 Sep 9 15:29:40 zre-ldap007 slapd[13794]: slap_queue_csn: queueing 0xa07bdc0 20160909192940.810205Z#000000#001#000000 Sep 9 15:29:40 zre-ldap007 slapd[13794]: conn=1389 op=3179 RESULT tag=109 err=0 etime=0.001278 text= Sep 9 15:29:40 zre-ldap007 slapd[13794]: slap_graduate_commit_csn: removing 0xa046e80 20160909192940.809794Z#000000#001#000000 Sep 9 15:29:40 zre-ldap007 slapd[13794]: slap_graduate_commit_csn: removing 0xa07bdc0 20160909192940.810205Z#000000#001#000000 Sep 9 15:29:40 zre-ldap007 slapd[13794]: conn=1120 op=2919 RESULT tag=109 err=0 etime=0.001597 text= Sep 9 15:29:40 zre-ldap007 slapd[13794]: slap_graduate_commit_csn: removing 0xa07b740 20160909192940.810205Z#000000#001#000000 But in the accesslog, we only find the one MODRDN logged: dn: reqStart=20160909192940.809465Z,cn=accesslog objectClass: auditModRDN structuralObjectClass: auditModRDN reqStart: 20160909192940.809465Z reqEnd: 20160909192940.810148Z reqType: modrdn reqSession: 1389 reqAuthzID: uid=zimbra,cn=admins,cn=zimbra reqDN: uid=user.345,ou=people,dc=zre-ldap007,dc=eng,dc=zimbra,dc=com reqResult: 0 reqMod: entryCSN:= 20160909192940.809794Z#000000#001#000000 reqMod: modifiersName:= uid=zimbra,cn=admins,cn=zimbra reqMod: modifyTimestamp:= 20160909192940Z reqNewRDN: uid=renamed-user.345 reqDeleteOldRDN: TRUE reqEntryUUID: c63b246a-0a20-1036-82cb-a772509d7f53 entryUUID: 7f740e6c-0b0f-1036-8c00-b1b4f08a59fc creatorsName: cn=config createTimestamp: 20160909192940Z entryCSN: 20160909192940.809794Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20160909192940Z Possibly a DN collision in writing the entry to the accesslog DB that causes the second OP to get lost. Likely the same root issue as ITS#8493. --Quanah -- Quanah Gibson-Mount

1 0

Re: (ITS#8497) userPassword attribute in password policy
by quanah＠zimbra.com 09 Sep '16

09 Sep '16

--On Friday, September 09, 2016 3:38 PM +0000 sagar437(a)gmail.com wrote: > Full_Name: Sagar Bhattarai > Version: 2.4.40-9 > OS: CentOS Linux release 7.2.1511 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (71.174.102.218) The ITS system is for reporting bugs, not asking usage questions. Questions should be sent to the openldap-technical(a)openldap.org email list. This ITS will be closed. --Quanah -- Quanah Gibson-Mount

1 0

(ITS#8497) userPassword attribute in password policy
by sagar437＠gmail.com 09 Sep '16

09 Sep '16

Full_Name: Sagar Bhattarai Version: 2.4.40-9 OS: CentOS Linux release 7.2.1511 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (71.174.102.218) I am trying to push the password policy with the following content of ldif file. dn: cn=passwordDefault4,ou=policy,dc=vivox,dc=com objectClass: pwdPolicy objectclass: device objectClass: top cn: passwordDefault4 pwdAttribu%3: userPassword pwdCheckQuality: 0 pwdMinAge: 0 pwdMaxAge: 0 pwdMinLength: 5 pwdInHistory: 5 pwdMaxFailure: 3 pwdFailureCountInterval: 0 pwdLockout: TRUE pwdLockoutDuration: 0 pwdAllowUserChange: TRUE pwdExpireWarning: 0 pwdGraceAuthNLimit: 0 pwdMustChange: TRUE pwdSafeModify: TRUE I keep getting the following error when trying to add the above policy. ldap_add: Invalid syntax (21) additional info: pwdAttribute: value #0 invalid per syntax However id i change the pwdattribute vae frfrom "userPassword" to OID number i am able to add this policy but none of these policies work on my systems.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs September 2016