openldap-bugs December 2017

openldap-bugs@openldap.org

15 participants
26 discussions

Re: (ITS#8788) slapd-pcache undef not compatible with mdb
by hyc＠symas.com 11 Dec '17

11 Dec '17

quanah(a)openldap.org wrote: > Full_Name: Quanah Gibson-Mount > Version: 2.4.45 > OS: N/A > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (47.208.148.239) > > > The pcache backend to slapd has the option for attr sets to note if an attribute > that being cached is not defined in the local schema by prefixing it with > "undef:", such as "undef:myattr". While this functionality works fine when > pcache is using back-bdb or back-hdb, it does not work with back-mdb. In the > case where back-mdb is used, an error will be logged if the hidden "pcaache" > loglevel is used, but it will still attempt to answer queries (it will return no > results, but with a success return code). pcache uses slap_bv2tmp_ad() to register undef attributes. It looks like there's a bug here in that it doesn't initialize ad->ad_index. (bv2undef initializes this to zero.) Of course, that still doesn't change the fact that back-mdb requires schema to be fully defined. > At a minimum, the documentation needs to be updated to note this feature > incompatibility. It would be additionally useful if either slapd would refuse > to start if undef was used on top of back-mdb, or pcache would log an error that > it could not answer the result from the cache, and fall back to doing a direct > lookup. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#8788) slapd-pcache undef not compatible with mdb
by quanah＠openldap.org 11 Dec '17

11 Dec '17

Full_Name: Quanah Gibson-Mount Version: 2.4.45 OS: N/A URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) The pcache backend to slapd has the option for attr sets to note if an attribute that being cached is not defined in the local schema by prefixing it with "undef:", such as "undef:myattr". While this functionality works fine when pcache is using back-bdb or back-hdb, it does not work with back-mdb. In the case where back-mdb is used, an error will be logged if the hidden "pcaache" loglevel is used, but it will still attempt to answer queries (it will return no results, but with a success return code). At a minimum, the documentation needs to be updated to note this feature incompatibility. It would be additionally useful if either slapd would refuse to start if undef was used on top of back-mdb, or pcache would log an error that it could not answer the result from the cache, and fall back to doing a direct lookup.

1 0

(ITS#8787) mkdep does not get CFLAGS during cross compilation
by jinxinliang＠yahoo.com 08 Dec '17

08 Dec '17

Full_Name: Jeremy Jin Version: 2.4 OS: mingw and ubuntu URL: Submission from: (NULL) (209.29.4.43) I am trying to build mingw in two different situations, 1. on mingw 2. cross build from ubuntu 14 for target arm linux In both situation I found that, some dependencies (such as regex) does not exist in system default /usr/include. So I download regex from somewhere and build it. Then I need to specify a custom CFLAGS for configure command such as below ./configure CFLAGS=-I/home/user1/include LDFLAGS=-L/home/user1/lib LIBS=-lregex the configuration run successfully,then I proceed to do "make depend". However it will report "regex.h" file not found. And I found that "mkdep" command does not make use of the CFLAGS I provided on configure command at all. I worked around it by create another mkdep command to wrap the existing mkdep command and add my additional include folders and it worked. Then next issue I found is I had to modify "portable.h" file as well. I had to comment out "#define socklen_t int" and add "typedef unsigned int uint32_t". I am not sure why the portable.h is not generated correctly (this only happens on mingw, not tested on ubuntu cross compiling ARM at all).

1 0

Re: (ITS#8784) SIGBUS in mdb_page_touch
by hyc＠symas.com 08 Dec '17

08 Dec '17

balaret(a)gmail.com wrote: > Full_Name: Sergey Z > Version: LMDB_0.9.19 > OS: Android > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (2620:119:5001:2242:9215:2763:ff1b:ae35) > > > Hey guys, > > We are using LMDB 0.9.19 in our Android project and sometimes we are getting > SIGBUS in mdb_page_touch(). We can't reproduce this issue on our side but we > have plenty of crash reports from our users (about 400 daily): > > SIGBUS > libLMDBAndroid.so.mdb_page_touch ( mdb .c :2412) > libLMDBAndroid.so.mdb_page_search ( mdb .c :5610) > libLMDBAndroid.so.mdb_freelist_save ( mdb .c :3128) > libLMDBAndroid.so.mdb_txn_commit ( mdb .c :3606) > > This is probably a platform specific issue because 95% of crashes happened on > Android 7.0. > > I would greatly appreciate if you help to shed a light on this - any ideas what > might goes wrong or what might cause such an issue. I've encountered this as well. I believe there's a bug in the Android FUSE filesystem driver. Every time I've analyzed one of these crashes in the debugger, the relevant addresses are perfectly valid, which leads me to believe there's a race condition in their page fault handler. I.e., eventually the handler returns a valid memory page but the application has been killed before the handler completes. Then, by the time the debugger gets control, all of memory looks valid. If you root the device and mount the storage partition directly, bypassing the Android FUSE filesystem, you'll find that these crashes all disappear - even if using the same storage device as before. Which again points to a bug in their FUSE filesystem driver. But I haven't been able to pinpoint the bug in their FUSE driver source code yet. I suggest you focus your debugging efforts there. > > Thank you, > Sergey > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8429) deadlock on a modification operation with replication
by quanah＠symas.com 08 Dec '17

08 Dec '17

--On Thursday, May 19, 2016 12:31 PM +0000 elecharny(a)apache.org wrote: > Full_Name: Emmanuel Lecharny > Version: 2.4.44 > OS: Linux CentOS 6 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (92.169.142.218) This should be fixed now, tracked under ITS#8752. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8786) Allow OpenLDAP to start as non-root
by hyc＠symas.com 08 Dec '17

08 Dec '17

akram.benaissi(a)gmail.com wrote: > Full_Name: Akram Ben Aissi > Version: 1.1.10 > OS: Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (77.154.204.242) > > > Hi, > > We want to run OpenLDAP in containers without root privilege, nor root user id. > Actually, we start it with user uid=100000009, gid=0 > And we do proper chgrp 0 and chmod 0770 on require directories. > > Because of this: https://github.com/winlibs/openldap/blob/master/servers/slapd/user.c#L158 > > we have that: > Could not set real user id to 100000009 > > It would be better to check that setuid is required only if asked user is > different from actual user. > > Does it make sense ? No. Just start slapd without specifying a userID. Closing this ITS. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8785) Password quality/Strength check
by michael＠stroeder.com 08 Dec '17

08 Dec '17

This is a cryptographically signed message in MIME format. --------------ms020404010102000204010800 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable kashyap_sunita(a)ongc.co.in wrote: > We have successfully implemented existing password policy in our DIT bu= t the > most required feature of password strength is missing in existing overl= ay.=20 > Can you suggest that how we could implement password quality/strength i= n this > version of openldap. The ITS is for reporting bug only. Please post usage questions to openldap-technical mailing list where you reach more recipients. So others can answer and learn as well. https://www.openldap.org/lists/ Ciao, Michael. --------------ms020404010102000204010800 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC CucwggT9MIID5aADAgECAhBFRleVrRF8X5GwbV0tcLCgMA0GCSqGSIb3DQEBCwUAMHUxCzAJ BgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSkwJwYDVQQLEyBTdGFydENvbSBD ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEjMCEGA1UEAxMaU3RhcnRDb20gQ2xhc3MgMSBDbGll bnQgQ0EwHhcNMTYwOTE2MDcxNjUxWhcNMTkxMjE2MDcxNjUxWjBEMR0wGwYDVQQDDBRtaWNo YWVsQHN0cm9lZGVyLmNvbTEjMCEGCSqGSIb3DQEJARYUbWljaGFlbEBzdHJvZWRlci5jb20w ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChMBt5jtuLXsNQ5U7rBbZit8sknIwz hfaousT3d/fssQ6qZwe9l1yklILSXVMqI7/bxbiqcd3zrz+imdSlZPrFBHGfh04DZHCfss2F RwSswGejqP1qE3hPvZi96wFfOMqenpN+pSXqNJ1OPBCJ8a+8ZEioFKoEj3HkCCXjbmezAgms FuA7aFE9BfjJ2eQKw8B9G8X1FjvOTinYSZ2F+qHpKgywl4HTx0dMnYy+Pwu4DDIHkEaVH+uj K1/ed76WUEH51mX9m2Xu0onfQlSM3me6EvAAZiIDsCEbF9WttRuJbpfCFo0m2uW7BBugS7EG Jro1nRSQVnpJyTFgHb5EGMVVAgMBAAGjggG4MIIBtDAOBgNVHQ8BAf8EBAMCBLAwHQYDVR0l BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMAkGA1UdEwQCMAAwHQYDVR0OBBYEFFh1801TSuxT Nltnv9rOjrZzUUgNMB8GA1UdIwQYMBaAFCSBbDlhvkkPj7cbRivJKLUnSG1oMG8GCCsGAQUF BwEBBGMwYTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3Auc3RhcnRzc2wuY29tMDkGCCsGAQUF BzAChi1odHRwOi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9zY2EuY2xpZW50MS5jcnQwOAYD VR0fBDEwLzAtoCugKYYnaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2NhLWNsaWVudDEuY3Js MB8GA1UdEQQYMBaBFG1pY2hhZWxAc3Ryb2VkZXIuY29tMCMGA1UdEgQcMBqGGGh0dHA6Ly93 d3cuc3RhcnRzc2wuY29tLzBHBgNVHSAEQDA+MDwGCysGAQQBgbU3AQIFMC0wKwYIKwYBBQUH AgEWH2h0dHBzOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kwDQYJKoZIhvcNAQELBQADggEB AKiJ9wpjJeHdEzHDZyqmhn4cHcRj9Ag7ZQK0meq1N3oQ9M1YeVge6vZe20LXojgXsNUQGLSt 1lW2s7fABkL9CF+/RtWznHxlp4YpWX/RgbHBo3uXKNA5JUOjbxQ2+1b1jaTp/FUrSIISAxgd RpeYAODJ0db1x8Q+l66DtIVjj7ktWISdJWE2Opn4QnaRwdj6n35Rul4S2ikUsmxtGrHLpjRR XJqbsGa0RZdJyUKlZ2ZRAoRz4jKHOogQcig937sR5Ut2pGOhrScEhgARY2c8Gs2olRTL3pue mE4vjY0g1Nwr9RzeFwMuasiFh4yD34i6jIRfoNzuLPgydjsJ0grw0akwggXiMIIDyqADAgEC AhBrp4p9CteI1lEK+Vnk57ThMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNVBAYTAklMMRYwFAYD VQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0 ZSBTaWduaW5nMSkwJwYDVQQDEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe Fw0xNTEyMTYwMTAwMDVaFw0zMDEyMTYwMTAwMDVaMHUxCzAJBgNVBAYTAklMMRYwFAYDVQQK Ew1TdGFydENvbSBMdGQuMSkwJwYDVQQLEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhv cml0eTEjMCEGA1UEAxMaU3RhcnRDb20gQ2xhc3MgMSBDbGllbnQgQ0EwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQC9fdr3w6J9g/Zbgv3bW1+uHht1wLUZr5gkrLtXedg17Ake fMyUGwrQdvwObhajcVmnKVxhrUwkZPXRAwZZosRHfEIi5FH7x6SV/8Sp5lZEuiMnvMFG2MzL A84J6Ws5T4NfXZ0qn4TPgnr3X2vPVS51M7Ua9nIJgn8jvTra4eyyQzxvuA/GZwKg7VQfDCmC S+kICslYYWgXOMt2xlsSslxLce0CGWRsT8EpMyt1iDflSjXZIsE7m1uTyHaKZspMLyIyz6my Su8j8BWWHpChNNeTrFuhVfrOAyDPFJVUvKZCLKBhibTLloyy+LatoWELrjdI4a8StZY8+dIR 9t4APXGzAgMBAAGjggFkMIIBYDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUH AwIGCCsGAQUFBwMEMBIGA1UdEwEB/wQIMAYBAf8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0 cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMGYGCCsGAQUFBwEBBFowWDAkBggrBgEF BQcwAYYYaHR0cDovL29jc3Auc3RhcnRzc2wuY29tMDAGCCsGAQUFBzAChiRodHRwOi8vYWlh LnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwHQYDVR0OBBYEFCSBbDlhvkkPj7cbRivJKLUn SG1oMB8GA1UdIwQYMBaAFE4L7xqkQFulF2mHMMo0aEPQQa7yMD8GA1UdIAQ4MDYwNAYEVR0g ADAsMCoGCCsGAQUFBwIBFh5odHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kwDQYJKoZI hvcNAQELBQADggIBAIvj94fsAYuErQ8BAluc4SMnIwS9NPBwAm5SH9uh2NCXTq7im61g7F1L IiNI/+wq37fUuaMbz4g7VarKQTgf8ubs0p7NZWcIe7Bvem2AWaXBsxsaRTYw5kG3DN8pd1hS EUuFoTa7DmNeFe8tiK1BrL3rbA/m48jp4AiFXgvxprJrW7izsyetOrRHPbkW4Y07v29MdhaP v3u1JELyszXqOzjIYo4sWlC8iDQXwgSW/ntvWy2n4LuiaozlCfXl149tKeqvwlvrla2Yklue /quWp9j9ou4T/OY0CXMuY+B8wNK0ohd2D4ShgFlMSjzAFRoHGKF81snTr2d1A7Ew02oF6UQy CkC2aNNsK5cWOojBar5c7HplX9aHYUCZouxIeU28SONJAxnATgR4cJ2jrpmYSz/kliUJ46S6 UpVDo/ebn9c6PaM/XtDYCCaM/7XX6wc3s++sbQ7CtCn1Ax7df6ufQbwyO0V+oFa9H0KAsjHM zcwk3EV2B2NLatidKE/m7G+rB9m+FlVgIiSp0mGlg43QO9Kh1+JqvTCIzv2bJJkmPMLQJNuK KwHNL8F4GGp6jbAV+WL+LDeGfVcq8DHS3LrD+xyYEXQBiqZEdiPVOMxLDSUCXsDO0uCWpaNQ 8j6y6S9p0xE/Ga0peVLadVHhqf9nXqKaxnr358VgfrxzUIrvOaOjMYIDzDCCA8gCAQEwgYkw dTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKTAnBgNVBAsTIFN0YXJ0 Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSMwIQYDVQQDExpTdGFydENvbSBDbGFzcyAx IENsaWVudCBDQQIQRUZXla0RfF+RsG1dLXCwoDANBglghkgBZQMEAgEFAKCCAhMwGAYJKoZI hvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTcxMjA4MTA1MTE5WjAvBgkq hkiG9w0BCQQxIgQgcivLnD1qr1O+sbnbgTzcTC7OBlvjiiJA47PQEaHC9HAwbAYJKoZIhvcN AQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3 DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBmgYJKwYB BAGCNxAEMYGMMIGJMHUxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSkw JwYDVQQLEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEjMCEGA1UEAxMaU3Rh cnRDb20gQ2xhc3MgMSBDbGllbnQgQ0ECEEVGV5WtEXxfkbBtXS1wsKAwgZwGCyqGSIb3DQEJ EAILMYGMoIGJMHUxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSkwJwYD VQQLEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEjMCEGA1UEAxMaU3RhcnRD b20gQ2xhc3MgMSBDbGllbnQgQ0ECEEVGV5WtEXxfkbBtXS1wsKAwDQYJKoZIhvcNAQEBBQAE ggEAGHRmJV2ToBGfFpRVMZDu0TVUdJwApUWjXa5oDYAw6yk1QqNtIWHXJWSIl1shNN4REHod 72z4OvN7bQYJShoniiK/adWekwzB4ynXDmLlYWaasnbI5vi72SEPU6gRKOSVZqSBzuxdxYtc bqSiIOEBJHLuQbQwE7Drf6WD44cIEdK8vOiPl2wRSmJb9oR7CmowmEMWioCkBhu/aeWDXqi0 uEHWcGG6+fP1n8C5V/EH/fPX6lmdpnV3iakpGkkNJC8BMJ+COJ2hZekplAWPThNZrAoWntln UKxedySSpSX0Q6xGmDynG2jepyFEzAUOSaOBGGZoYD6pJfbUi5K0Qz69MgAAAAAAAA== --------------ms020404010102000204010800--

1 0

Re: (ITS#8786) Allow OpenLDAP to start as non-root
by michael＠stroeder.com 08 Dec '17

08 Dec '17

This is a cryptographically signed message in MIME format. --------------ms040106020009060205040508 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable akram.benaissi(a)gmail.com wrote: > We want to run OpenLDAP in containers without root privilege, nor root = user id. > Actually, we start it with user uid=3D100000009, gid=3D0 AFAICT and independent of OpenLDAP's slapd allowing an arbitrary uid to use gid=3D0 would be an unauthorized privilege escalation / security hole= =2E Why don't you use the primary gid of uid=3D100000009? Ciao, Michael. --------------ms040106020009060205040508 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC CucwggT9MIID5aADAgECAhBFRleVrRF8X5GwbV0tcLCgMA0GCSqGSIb3DQEBCwUAMHUxCzAJ BgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSkwJwYDVQQLEyBTdGFydENvbSBD ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEjMCEGA1UEAxMaU3RhcnRDb20gQ2xhc3MgMSBDbGll bnQgQ0EwHhcNMTYwOTE2MDcxNjUxWhcNMTkxMjE2MDcxNjUxWjBEMR0wGwYDVQQDDBRtaWNo YWVsQHN0cm9lZGVyLmNvbTEjMCEGCSqGSIb3DQEJARYUbWljaGFlbEBzdHJvZWRlci5jb20w ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChMBt5jtuLXsNQ5U7rBbZit8sknIwz hfaousT3d/fssQ6qZwe9l1yklILSXVMqI7/bxbiqcd3zrz+imdSlZPrFBHGfh04DZHCfss2F RwSswGejqP1qE3hPvZi96wFfOMqenpN+pSXqNJ1OPBCJ8a+8ZEioFKoEj3HkCCXjbmezAgms FuA7aFE9BfjJ2eQKw8B9G8X1FjvOTinYSZ2F+qHpKgywl4HTx0dMnYy+Pwu4DDIHkEaVH+uj K1/ed76WUEH51mX9m2Xu0onfQlSM3me6EvAAZiIDsCEbF9WttRuJbpfCFo0m2uW7BBugS7EG Jro1nRSQVnpJyTFgHb5EGMVVAgMBAAGjggG4MIIBtDAOBgNVHQ8BAf8EBAMCBLAwHQYDVR0l BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMAkGA1UdEwQCMAAwHQYDVR0OBBYEFFh1801TSuxT Nltnv9rOjrZzUUgNMB8GA1UdIwQYMBaAFCSBbDlhvkkPj7cbRivJKLUnSG1oMG8GCCsGAQUF BwEBBGMwYTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3Auc3RhcnRzc2wuY29tMDkGCCsGAQUF BzAChi1odHRwOi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9zY2EuY2xpZW50MS5jcnQwOAYD VR0fBDEwLzAtoCugKYYnaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2NhLWNsaWVudDEuY3Js MB8GA1UdEQQYMBaBFG1pY2hhZWxAc3Ryb2VkZXIuY29tMCMGA1UdEgQcMBqGGGh0dHA6Ly93 d3cuc3RhcnRzc2wuY29tLzBHBgNVHSAEQDA+MDwGCysGAQQBgbU3AQIFMC0wKwYIKwYBBQUH AgEWH2h0dHBzOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kwDQYJKoZIhvcNAQELBQADggEB AKiJ9wpjJeHdEzHDZyqmhn4cHcRj9Ag7ZQK0meq1N3oQ9M1YeVge6vZe20LXojgXsNUQGLSt 1lW2s7fABkL9CF+/RtWznHxlp4YpWX/RgbHBo3uXKNA5JUOjbxQ2+1b1jaTp/FUrSIISAxgd RpeYAODJ0db1x8Q+l66DtIVjj7ktWISdJWE2Opn4QnaRwdj6n35Rul4S2ikUsmxtGrHLpjRR XJqbsGa0RZdJyUKlZ2ZRAoRz4jKHOogQcig937sR5Ut2pGOhrScEhgARY2c8Gs2olRTL3pue mE4vjY0g1Nwr9RzeFwMuasiFh4yD34i6jIRfoNzuLPgydjsJ0grw0akwggXiMIIDyqADAgEC AhBrp4p9CteI1lEK+Vnk57ThMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNVBAYTAklMMRYwFAYD VQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0 ZSBTaWduaW5nMSkwJwYDVQQDEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe Fw0xNTEyMTYwMTAwMDVaFw0zMDEyMTYwMTAwMDVaMHUxCzAJBgNVBAYTAklMMRYwFAYDVQQK Ew1TdGFydENvbSBMdGQuMSkwJwYDVQQLEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhv cml0eTEjMCEGA1UEAxMaU3RhcnRDb20gQ2xhc3MgMSBDbGllbnQgQ0EwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQC9fdr3w6J9g/Zbgv3bW1+uHht1wLUZr5gkrLtXedg17Ake fMyUGwrQdvwObhajcVmnKVxhrUwkZPXRAwZZosRHfEIi5FH7x6SV/8Sp5lZEuiMnvMFG2MzL A84J6Ws5T4NfXZ0qn4TPgnr3X2vPVS51M7Ua9nIJgn8jvTra4eyyQzxvuA/GZwKg7VQfDCmC S+kICslYYWgXOMt2xlsSslxLce0CGWRsT8EpMyt1iDflSjXZIsE7m1uTyHaKZspMLyIyz6my Su8j8BWWHpChNNeTrFuhVfrOAyDPFJVUvKZCLKBhibTLloyy+LatoWELrjdI4a8StZY8+dIR 9t4APXGzAgMBAAGjggFkMIIBYDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUH AwIGCCsGAQUFBwMEMBIGA1UdEwEB/wQIMAYBAf8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0 cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMGYGCCsGAQUFBwEBBFowWDAkBggrBgEF BQcwAYYYaHR0cDovL29jc3Auc3RhcnRzc2wuY29tMDAGCCsGAQUFBzAChiRodHRwOi8vYWlh LnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwHQYDVR0OBBYEFCSBbDlhvkkPj7cbRivJKLUn SG1oMB8GA1UdIwQYMBaAFE4L7xqkQFulF2mHMMo0aEPQQa7yMD8GA1UdIAQ4MDYwNAYEVR0g ADAsMCoGCCsGAQUFBwIBFh5odHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kwDQYJKoZI hvcNAQELBQADggIBAIvj94fsAYuErQ8BAluc4SMnIwS9NPBwAm5SH9uh2NCXTq7im61g7F1L IiNI/+wq37fUuaMbz4g7VarKQTgf8ubs0p7NZWcIe7Bvem2AWaXBsxsaRTYw5kG3DN8pd1hS EUuFoTa7DmNeFe8tiK1BrL3rbA/m48jp4AiFXgvxprJrW7izsyetOrRHPbkW4Y07v29MdhaP v3u1JELyszXqOzjIYo4sWlC8iDQXwgSW/ntvWy2n4LuiaozlCfXl149tKeqvwlvrla2Yklue /quWp9j9ou4T/OY0CXMuY+B8wNK0ohd2D4ShgFlMSjzAFRoHGKF81snTr2d1A7Ew02oF6UQy CkC2aNNsK5cWOojBar5c7HplX9aHYUCZouxIeU28SONJAxnATgR4cJ2jrpmYSz/kliUJ46S6 UpVDo/ebn9c6PaM/XtDYCCaM/7XX6wc3s++sbQ7CtCn1Ax7df6ufQbwyO0V+oFa9H0KAsjHM zcwk3EV2B2NLatidKE/m7G+rB9m+FlVgIiSp0mGlg43QO9Kh1+JqvTCIzv2bJJkmPMLQJNuK KwHNL8F4GGp6jbAV+WL+LDeGfVcq8DHS3LrD+xyYEXQBiqZEdiPVOMxLDSUCXsDO0uCWpaNQ 8j6y6S9p0xE/Ga0peVLadVHhqf9nXqKaxnr358VgfrxzUIrvOaOjMYIDzDCCA8gCAQEwgYkw dTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKTAnBgNVBAsTIFN0YXJ0 Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSMwIQYDVQQDExpTdGFydENvbSBDbGFzcyAx IENsaWVudCBDQQIQRUZXla0RfF+RsG1dLXCwoDANBglghkgBZQMEAgEFAKCCAhMwGAYJKoZI hvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTcxMjA4MTA0OTEwWjAvBgkq hkiG9w0BCQQxIgQgiNJK+D2jTREoCmmfpYNwdS6gvB4/epr+uNS/6LBL2IUwbAYJKoZIhvcN AQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3 DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBmgYJKwYB BAGCNxAEMYGMMIGJMHUxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSkw JwYDVQQLEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEjMCEGA1UEAxMaU3Rh cnRDb20gQ2xhc3MgMSBDbGllbnQgQ0ECEEVGV5WtEXxfkbBtXS1wsKAwgZwGCyqGSIb3DQEJ EAILMYGMoIGJMHUxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSkwJwYD VQQLEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEjMCEGA1UEAxMaU3RhcnRD b20gQ2xhc3MgMSBDbGllbnQgQ0ECEEVGV5WtEXxfkbBtXS1wsKAwDQYJKoZIhvcNAQEBBQAE ggEAf0b7Dn2zH+5wTYnI0vba1dKppAhYQm5V9wBXSciP0kZFdUTb2qXhA87B0bP5MxQ/8IM9 dVp6TlI9XXG2Ye8GYF4w5CprBDN4fopmJ6p4QiF4etjXdVR2fu+UMtAeRbg2di/cq334Hquy cpLceAaLBVY6+P1kPI/oA9GWv6m9djxCigpy+jeWRWAuoujSLid0qOD6A+gimNm/CLYfNvu7 A+Aq3QiKBSemoB39/JyFoxjuXknFtruzn2q50O0lcjwClSgjdYKp6uZDPdKuHegp91iuItGu K9mG6vlzw3WM/i0XyXy+FZF/BjXOPny/VnyRIezlWO8m3aFBZ8sSTnUItwAAAAAAAA== --------------ms040106020009060205040508--

1 0

(ITS#8786) Allow OpenLDAP to start as non-root
by akram.benaissi＠gmail.com 08 Dec '17

08 Dec '17

Full_Name: Akram Ben Aissi Version: 1.1.10 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (77.154.204.242) Hi, We want to run OpenLDAP in containers without root privilege, nor root user id. Actually, we start it with user uid=100000009, gid=0 And we do proper chgrp 0 and chmod 0770 on require directories. Because of this: https://github.com/winlibs/openldap/blob/master/servers/slapd/user.c#L158 we have that: Could not set real user id to 100000009 It would be better to check that setuid is required only if asked user is different from actual user. Does it make sense ?

1 0

(ITS#8785) Password quality/Strength check
by kashyap_sunita＠ongc.co.in 08 Dec '17

08 Dec '17

Full_Name: Sunita Kashyap Version: 2.4.40-5 OS: RHEL 6.7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (59.185.103.72) Hi, We have successfully implemented existing password policy in our DIT but the most required feature of password strength is missing in existing overlay. Can you suggest that how we could implement password quality/strength in this version of openldap. Regards, Sunita Kashyap Manager(Programming) ONGC

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs December 2017