January 2017 - openldap-bugs

(ITS#8575) Argon2 Password hashing contrib module

by simon＠slevermann.de

Full_Name: Simon Levermann Version: OS: URL: ftp://ftp.openldap.org/incoming/simon-levermann-170126.patch Submission from: (NULL) (2001:638:708:f002:deab:9ae4:7f07:d350) This patch adds a password hashing module for the argon2 function to the contrib/slapd-modules/passwd/ modules. Argon2 is a relatively new hash function which has won the Password Hashing Competition (https://password-hashing.net) The attached patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Simon Levermann simon(a)slevermann.de. I have not assigned rights and/or interest in this work to any party. I, Simon Levermann, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

6 years, 4 months

1
0
0 / 0

(ITS#8574) bconfig support for DNs that need escaping

by okuznik＠symas.com

Full_Name: Ondrej Kuznik Version: master OS: URL: ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170125-Deal-with-rDN-corr... Submission from: (NULL) (151.228.185.198) When an rdn under cn=config needs escaping, incorrect value gets passed to the attribute and, if the attribute is single-value, the entry is rejected by entry_naming_check(). Patch against master is attached.

6 years, 4 months

1
0
0 / 0

(ITS#8573) ldap* tools should be able to function w/o a conf file

by quanah＠openldap.org

Full_Name: Quanah Gibson-Mount Version: 2.4.44 OS: N/A URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.26) Right now, it is impossible to configure the ldap* command line tools so that they function in major circumstances w/o also having a configuration file (I.e., ldap.conf, .ldaprc, etc). For example, the ability to use startTLS with LDAP requires such a file so that the CA file and/or cert path for the tool can be defined. The "-o" option should be expanded to cover additional configuration parameters from the conf file, as has already been done with the network timeout parameter.

6 years, 4 months

1
0
0 / 0

Re: (ITS#8572) FOR INFO ONLY: SASL SCRAM-SHA-1 authz may fail incorrectly

by quanah＠symas.com

--On Thursday, January 19, 2017 8:55 AM +0000 william.b.clay(a)acm.org wrote: > Full_Name: Bill Clay > Version: 2.4.44 > OS: Debian/GNU Linux 7.8 (Wheezy) > URL: > Submission from: (NULL) (79.12.44.250) Hi Bill, I appreciate that you are attempting to be helpful. However, the ITS system is only for reporting bugs occuring in OpenLDAP as clearly noted on the ITS submission form. If you want to provide informational updates, they would probably best go to the openldap-technical mailing list. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 4 months

1
0
0 / 0

(ITS#8572) FOR INFO ONLY: SASL SCRAM-SHA-1 authz may fail incorrectly

by william.b.clay＠acm.org

Full_Name: Bill Clay Version: 2.4.44 OS: Debian/GNU Linux 7.8 (Wheezy) URL: Submission from: (NULL) (79.12.44.250) Cyrus SASL 2.1.26 plugins/scram.c decode_saslname() may return a corrupt authz name. SASL SCRAM-SHA-1 auth with a "dn:" style authzID can return an authzID string with trailing original (escaped) characters appended. slapd may then incorrectly deny the requested proxy authorization because the returned value may fail match criteria that a correctly-decoded SASL name would pass. (There may be other SASL SCRAM scenarios in which this flaw would produce incorrect results.) Cyrus SASL issue: https://github.com/cyrusimap/cyrus-sasl/issues/416

6 years, 4 months

1
0
0 / 0

(ITS#8571) Added a test for pcache + ldap backen with proxyauthz

by elecharny＠symas.com

Full_Name: Emmanuel L.charny Version: 2.4.45 OS: N/A URL: ftp://ftp.openldap.org/incoming/elecharny-20170118.patch Submission from: (NULL) (86.246.56.212) This patch adds a unit test for a server configured with proxycache and ldap backend, redirecting all the requests to a remote master server, which does not accept anonymous bind). The proxycache server caches searches and binds. The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Symas. Symas has not assigned rights and/or interest in this work to any party. I, Emmanuel Lecharny, am authorized by Symas, my employer, to release this work under the following terms. Symas hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

6 years, 4 months

1
0
0 / 0

Re: (ITS#8565) Clarification of the slapo-ppolicy manpage

by quanah＠symas.com

--On Wednesday, January 11, 2017 4:44 PM +0000 matthieu.cerda(a)nbs-system.com wrote: > Full_Name: Matthieu Cerda > Version: 2.4.40 > OS: Debian jessie > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (194.213.124.6) > > > Hello ! > > As per > http://www.openldap.org/lists/openldap-technical/201701/msg00017.html I > would like to submit a small improvement to the slapo-ppolicy manpage to > clarify rootdn presence / absence implications in a ppolicy enabled setup. > > Here is the patch (I thing it's short enough not to justify a separate > upload): Thanks! We went with something slightly different, but the rootdn requirement should be absolutely clear now. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 4 months

1
0
0 / 0

Re: (ITS#8544) manpage fixes

by quanah＠symas.com

--On Tuesday, December 13, 2016 9:10 PM +0000 sca+openldap(a)andreasschulze.de wrote: > Full_Name: Andreas Schulze > Version: git > OS: linux > URL: ftp://ftp.openldap.org/incoming/andreas-schulze-161213.patch > Submission from: (NULL) (2001:a60:f0b4:e502::152) > > > I uploaded a patch to polish some manpages. > All changes are suggested by debian lintian > - phrase "allows one to" instead of "allows to" > - some occurences of -foo have to be written as \-foo in a manpage Thanks for the report, this has been applied with one minor change. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 4 months

1
0
0 / 0

Re: (ITS#8568) slapd SASL EXTERNAL bind getprop SSF bug; can provoke SEGFAULT

by william.b.clay＠acm.org

> So you're using TLS client cert and SASL/EXTERNAL to a hostname (also in ther > server cert) but where the IP address of the hostname is directly routed through > 127.0.0.1? The slapd log of my same-host tests confirms they in fact used the IPv4 loopback address, 127.0.0.1, even though the bind URI specified the FQDN. > Not sure but the difference is the client IP address. If the client can reach > slapd through 127.0.0.1 the client's IP address is also 127.0.0.1 which could > make a difference in the SASL client handling. Anyone said hostname > canonicalization? Does setting sasl-host <fqdn> make a difference? The ~/.ldaprc used by the client in these tests contained "TLS_REQCERT none", so a mismatch between the server's FQDN and the peer address actually used would not have been detected. Another difference would be "ping-pong" memory allocation between client and server. Even though different processes, they may allocate from the same pool. With the client running on a different host in other tests, slapd would not be competing with other processes in a predictable, repeatable fashion (slapd SEGFAULTs were 100% repeatable for specific sequences of EXTERNAL binds, but only with client and server on the same host).

6 years, 4 months

1
0
0 / 0

Re: (ITS#6104) race condition with cancel operation

by michaelgarofalo404＠yahoo.com

6 years, 4 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs January 2017