openldap-bugs February 2017

openldap-bugs@openldap.org

22 participants
59 discussions

Re: (ITS#8586) load cert+chain from TLSCertificateFile
by quanah＠symas.com 28 Feb '17

28 Feb '17

--On Tuesday, February 14, 2017 3:16 AM +0000 ryan(a)nardis.ca wrote: > I found that useful in a setup very similar to what Andreas and Michael > describe: slapd with a server certificate issued by an external/public > CA, but trusting only a specific internal CA to authenticate clients. I found this to be a very common scenario while working for Zimbra. Many of the clients had a commercial sever cert but used their own CA for internal client cert auth. It would be extremely helpful for OpenLDAP to better support these types of configurations. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8605) spelling
by quanah＠symas.com 28 Feb '17

28 Feb '17

--On Sunday, February 26, 2017 8:20 AM +0000 jsoref(a)gmail.com wrote: > Full_Name: Josh Soref > Version: master > OS: > URL: > https://github.com/openldap/openldap/compare/master...jsoref:spelling?exp > and=1 Submission from: (NULL) (135.23.187.91) > > > This is a proposal of 144 changes. They should each be individually > applicable (although some may require earlier changes if they happen to > touch similar lines). > > Please don't expect me to submit 144 individual change requests, that > isn't reasonable. I am generally willing to provide 3-10 submissions, > preferably on the lower side. All you have to do is specify what you want > in them. Hi Josh, These look good, and I think it can be done as a single git-format-patch submission uploaded to the FTP server. Thanks! --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

(ITS#8605) spelling
by jsoref＠gmail.com 26 Feb '17

26 Feb '17

Full_Name: Josh Soref Version: master OS: URL: https://github.com/openldap/openldap/compare/master...jsoref:spelling?expan… Submission from: (NULL) (135.23.187.91) This is a proposal of 144 changes. They should each be individually applicable (although some may require earlier changes if they happen to touch similar lines). Please don't expect me to submit 144 individual change requests, that isn't reasonable. I am generally willing to provide 3-10 submissions, preferably on the lower side. All you have to do is specify what you want in them.

1 0

(ITS#8604) back-config breaks on Solaris 8/9
by quanah＠openldap.org 24 Feb '17

24 Feb '17

Full_Name: Quanah Gibson-Mount Version: 2.4.44 OS: Solaris 8 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.26) Filing for historical purposes: The stdio library on this version of Solaris doesn't understand %z. Change the definition (slapd/config.c around line 58). In the not _WIN32 case, add #ifdef __sun #if _SIZEOF_SIZE_T_ == 4 #define Z "ll" #define LUTIL_ATOULX lutil_atoullx #else #define Z "l" #define LUTIL_ATOULX lutil_atoulx #else ... (existing defs: LUTIL_ATOULX -> lutil_atoulx, Z -> "z" #endif #endif Otherwise one will see: 54505a71 config_build_attrs: error 21 on olcDbCacheSize value #0 54505a71 config_build_entry: build "zu" failed: "" 54505a71 backend_startup_one (type=config, suffix="cn=config"): bi_db_open failed! (-1)

1 0

Re: (ITS#8590) LMDB: Suppress SIGPIPE in mdb_env_copythr on OS X
by lmb＠cloudflare.com 23 Feb '17

23 Feb '17

I should probably mention that this bug will make compacting copies lock up on OS X, since the copy thread blocks in sigwait forever if the process set SIG_IGN on SIGPIPE. Regards, Lorenz

1 0

Re: (ITS#8485) [PATCH] Adding support for encrypted server private keys
by ahnolds＠gmail.com 22 Feb '17

22 Feb '17

--001a11447608411b0a054928d3c2 Content-Type: text/plain; charset=UTF-8 I completely agree that this doesn't add any security when running slapd. However, when I originally wrote this patch, I was more targeting API usage, and in particular, client-side API usage. My goal was to allow a user to present an encrypted key (stored on disk) and a password (only held in memory), and use these to query a secure LDAP server. The issue of how the password got into memory is certainly beyond the scope of OpenLDAP in this case, but it certainly could be done securely in a way that wouldn't leave it exposed to a third-party with file-system access. For example (in the use case that motivated me originally), an sysadmin could input the password through an online form, submit said form to a Python webserver over HTTPS, the Python code could pass the password to OpenLDAP through a Python interface like python-ldap ( https://www.python-ldap.org/), and then use the LDAPS or STARTTLS connection to talk securely to some LDAP server elsewhere. All without an unencrypted keyfile or a password ever existing on disk, hence the added security. If you feel that supporting encrypted keyfiles in slapd is a bad design choice, I'm willing to rework the patch to drop that part and only keep the API-level support. Personally, I would argue that it doesn't hurt to support the feature, although perhaps my documentation changes could do a better job emphasizing the inherent security limitations. Let me know what you think (or if this discussion should take place on a list, let me know which/where). On Wed, Feb 22, 2017 at 1:11 PM, Howard Chu <hyc(a)symas.com> wrote: > ahnolds(a)gmail.com wrote: > >> Full_Name: Alec Cooper >> Version: HEAD of master branch >> OS: Ubuntu Linux 16.04 >> URL: ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch >> Submission from: (NULL) (73.134.243.211) >> >> >> Adding support for encrypted server private keys. >> > > Thank you for your submission. I must compliment you on providing such a > comprehensive and well-written contribution. Unfortunately the feature > itself is clearly not useful. Perhaps you should have raised this topic on > the openldap-devel list for discussion before spending your time writing it. > > All your feature does is embed the encryption key in the filesystem, so an > encrypted private key is still no more secure than an unencrypted one. It > still just depends on setting proper file access permissions, and the > current documentation already makes that point. > > Indeed, all it does is give the false illusion of enhancing security, and > followups like balmerpeak92(a)gmail.com's shows that people will easily > fall for such illusions. > > I regret having to reject such a well written contribution, but we cannot > in good conscience accept a security feature that doesn't actually improve > security. > >> >> The meat of this patch is changes to tls2.c, tls_g.c, tls_m.c, and >> tls_o.c to >> send a password to the underlying TLS library. >> >> Changes to ldap.h, init.c and ldap-int.h expose the new >> LDAP_OPT_X_TLS_KEYPASSWORD in the main API. >> >> Changes in the contrib/ldapc++ directory expose the corresponding >> TlsOptions::KEYPASSWORD option in the C++ API. >> >> Changes in the servers directory expose equivalent options for servers as >> configuration file entries or environment variables. >> >> Changes in the doc directory add documentation about the new options and >> remove >> statements that indicated that encrypted keyfiles are not supported. >> >> New files in the test directory are for testing TLS connections, both in >> general >> and with encrypted keyfiles. Tests pass for OpenSSL and GnuTLS using PEM >> formatted certs and keys, and for MozNSS using cert/key databases. The >> new unit >> test (test065-tls) has been written to detect when using NSS, and use the >> cert/key databases in this case. I have been unable to get a working >> version of >> libnsspem, so I cannot test MozNSS with (or without) encrypted keyfiles - >> testing for this case would be welcome! >> >> Notice of origin: The attached patch file is derived from OpenLDAP >> Software. All >> of the modifications to OpenLDAP Software represented in the following >> patch >> were developed by Alec Cooper ahnolds(a)gmail.com. I have not assigned >> rights >> and/or interest in this work to any party. >> Rights statement: I, Alec Cooper, hereby place the following >> modifications to >> OpenLDAP Software (and only these modifications) into the public domain. >> Hence, >> these modifications may be freely used and/or redistributed for any >> purpose with >> or without attribution and/or other notice. >> >> The patch has been uploaded to the OpenLDAP FTP server and can be found at >> ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch >> >> >> > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > --001a11447608411b0a054928d3c2 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">I completely agree that this doesn't add any security = when running slapd. However, when I originally wrote this patch, I was more= targeting API usage, and in particular, client-side API usage. My goal was= to allow a user to present an encrypted key (stored on disk) and a passwor= d (only held in memory), and use these to query a secure LDAP server. The i= ssue of how the password got into memory is certainly beyond the scope of O= penLDAP in this case, but it certainly could be done securely in a way that= wouldn't leave it exposed to a third-party with file-system access.<di= v> </div><div>For example (in the use case that motivated me originally)= , an sysadmin could input the password through an online form, submit said = form to a Python webserver over HTTPS, the Python code could pass the passw= ord to OpenLDAP through a Python interface like python-ldap (<a href=3D"htt= ps://www.python-ldap.org/">https://www.python-ldap.org/</a>), and then use = the LDAPS or STARTTLS connection to talk securely to some LDAP server elsew= here. All without an unencrypted keyfile or a password ever existing on dis= k, hence the added security.<div> </div><div>If you feel that supporting= encrypted keyfiles in slapd is a bad design choice, I'm willing to rew= ork the patch to drop that part and only keep the API-level support. Person= ally, I would argue that it doesn't hurt to support the feature, althou= gh perhaps my documentation changes could do a better job emphasizing the i= nherent security limitations. Let me know what you think (or if this discus= sion should take place on a list, let me know which/where).=C2=A0</div></di= v><div> </div></div><div class=3D"gmail_extra"> <div class=3D"gmail_q= uote">On Wed, Feb 22, 2017 at 1:11 PM, Howard Chu <<a = href=3D"mailto:hyc@symas.com" target=3D"_blank">hyc(a)symas.com</a>></span= > wrote: <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;bo= rder-left:1px #ccc solid;padding-left:1ex"><a href=3D"mailto:ahnolds@gmail.= com" target=3D"_blank">ahnolds(a)gmail.com</a> wrote: <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= x #ccc solid;padding-left:1ex"> Full_Name: Alec Cooper Version: HEAD of master branch OS: Ubuntu Linux 16.04 URL: <a href=3D"ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch" r= el=3D"noreferrer" target=3D"_blank">ftp://ftp.openldap.org/incoming/Al= ec-Cooper-160827.patch</a> Submission from: (NULL) (73.134.243.211) Adding support for encrypted server private keys. </blockquote> Thank you for your submission. I must compliment you on providing such a co= mprehensive and well-written contribution. Unfortunately the feature itself= is clearly not useful. Perhaps you should have raised this topic on the op= enldap-devel list for discussion before spending your time writing it. All your feature does is embed the encryption key in the filesystem, so an = encrypted private key is still no more secure than an unencrypted one. It s= till just depends on setting proper file access permissions, and the curren= t documentation already makes that point. Indeed, all it does is give the false illusion of enhancing security, and f= ollowups like <a href=3D"mailto:balmerpeak92@gmail.com" target=3D"_blank">b= almerpeak92(a)gmail.com</a>'s shows that people will easily fall for such= illusions. I regret having to reject such a well written contribution, but we cannot i= n good conscience accept a security feature that doesn't actually impro= ve security. <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= x #ccc solid;padding-left:1ex"> The meat of this patch is changes to tls2.c, tls_g.c, tls_m.c, and tls_o.c = to send a password to the underlying TLS library. Changes to ldap.h, init.c and ldap-int.h expose the new LDAP_OPT_X_TLS_KEYPASSWORD in the main API. Changes in the contrib/ldapc++ directory expose the corresponding TlsOptions::KEYPASSWORD option in the C++ API. Changes in the servers directory expose equivalent options for servers as<b= r> configuration file entries or environment variables. Changes in the doc directory add documentation about the new options and re= move statements that indicated that encrypted keyfiles are not supported. New files in the test directory are for testing TLS connections, both in ge= neral and with encrypted keyfiles. Tests pass for OpenSSL and GnuTLS using PEM<br= > formatted certs and keys, and for MozNSS using cert/key databases. The new = unit test (test065-tls) has been written to detect when using NSS, and use the<b= r> cert/key databases in this case. I have been unable to get a working versio= n of libnsspem, so I cannot test MozNSS with (or without) encrypted keyfiles -<b= r> testing for this case would be welcome! Notice of origin: The attached patch file is derived from OpenLDAP Software= . All of the modifications to OpenLDAP Software represented in the following patc= h were developed by Alec Cooper <a href=3D"mailto:ahnolds@gmail.com" target= =3D"_blank">ahnolds(a)gmail.com</a>. I have not assigned rights and/or interest in this work to any party. Rights statement: I, Alec Cooper, hereby place the following modifications = to OpenLDAP Software (and only these modifications) into the public domain. He= nce, these modifications may be freely used and/or redistributed for any purpose= with or without attribution and/or other notice. The patch has been uploaded to the OpenLDAP FTP server and can be found at<= br> <a href=3D"ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch" rel=3D= "noreferrer" target=3D"_blank">ftp://ftp.openldap.org/incoming/Alec-Co= oper-160827.patch</a> </blockquote> -- =C2=A0 -- Howard Chu =C2=A0 CTO, Symas Corp.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"= http://www.symas.com" rel=3D"noreferrer" target=3D"_blank">http://www.symas= .com</a> =C2=A0 Director, Highland Sun=C2=A0 =C2=A0 =C2=A0<a href=3D"http://highland= sun.com/hyc/" rel=3D"noreferrer" target=3D"_blank">http://highlandsun.com/h= yc/</a> =C2=A0 Chief Architect, OpenLDAP=C2=A0 <a href=3D"http://www.openldap.org/p= roject/" rel=3D"noreferrer" target=3D"_blank">http://www.openldap.org/proje= ct/</a> </blockquote></div> </div> --001a11447608411b0a054928d3c2--

1 0

Re: (ITS#8574) bconfig support for DNs that need escaping
by okuznik＠symas.com 22 Feb '17

22 Feb '17

On Wed, Feb 22, 2017 at 06:34:18PM +0000, Ond=C5=99ej Kuzn=C3=ADk wrote: > On Wed, Feb 22, 2017 at 05:42:39PM +0000, Howard Chu wrote: >> okuznik(a)symas.com wrote: >>> When an rdn under cn=3Dconfig needs escaping, incorrect value gets pa= ssed to the >>> attribute and, if the attribute is single-value, the entry is rejecte= d by >>> entry_naming_check(). >>>=20 >>> Patch against master is attached. >>=20 >> Why are you running the normalizer in a for-loop: >>=20 >> + for ( cnt =3D 0; rDN[cnt]; cnt++ ) { >>=20 >> but always setting value #0? >>=20 >> + free( a->a_vals[0].bv_val ); >> + ber_dupbv( &a->a_vals[0], &ava->la_value ); >>=20 >> If the RDN is actually a compound with multiple AVAs you need to conca= tenate >> them into a single value. Otherwise, if you don't intend to support co= mpound >> RDNs, there's no point in using a for-loop. Just return an error if th= ere's >> more than one AVA. >=20 > While X-ORDERED 'SIBLINGS' are required to the single-valued in the > draft and back-config doesn't actually use multi-valued rDNs, it might > break if the latter ever changes. An updated fix is here: >=20 > ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170222-Deal-with-rDN-co= rrectly.patch >=20 > This will still pick the value if the rDN is multi-valued, this time > regardless of the attribute's position in the rDN. As pointed out by Howard, the patch was not against master (although my git doesn't complain anyway). The following patch is and also tests that the attribute we were asked to update is actually present in the rDN provided: ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170222b-Deal-with-rDN-cor= rectly.patch

1 0

Re: (ITS#8574) bconfig support for DNs that need escaping
by okuznik＠symas.com 22 Feb '17

22 Feb '17

On Wed, Feb 22, 2017 at 05:42:39PM +0000, Howard Chu wrote: > okuznik(a)symas.com wrote: >> When an rdn under cn=config needs escaping, incorrect value gets passed to the >> attribute and, if the attribute is single-value, the entry is rejected by >> entry_naming_check(). >> >> Patch against master is attached. > > Why are you running the normalizer in a for-loop: > > + for ( cnt = 0; rDN[cnt]; cnt++ ) { > > but always setting value #0? > > + free( a->a_vals[0].bv_val ); > + ber_dupbv( &a->a_vals[0], &ava->la_value ); > > If the RDN is actually a compound with multiple AVAs you need to concatenate > them into a single value. Otherwise, if you don't intend to support compound > RDNs, there's no point in using a for-loop. Just return an error if there's > more than one AVA. While X-ORDERED 'SIBLINGS' are required to the single-valued in the draft and back-config doesn't actually use multi-valued rDNs, it might break if the latter ever changes. An updated fix is here: ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170222-Deal-with-rDN-correc… This will still pick the value if the rDN is multi-valued, this time regardless of the attribute's position in the rDN. Ondrej

1 0

Re: (ITS#8485) [PATCH] Adding support for encrypted server private keys
by hyc＠symas.com 22 Feb '17

22 Feb '17

ahnolds(a)gmail.com wrote: > Full_Name: Alec Cooper > Version: HEAD of master branch > OS: Ubuntu Linux 16.04 > URL: ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch > Submission from: (NULL) (73.134.243.211) > > > Adding support for encrypted server private keys. Thank you for your submission. I must compliment you on providing such a comprehensive and well-written contribution. Unfortunately the feature itself is clearly not useful. Perhaps you should have raised this topic on the openldap-devel list for discussion before spending your time writing it. All your feature does is embed the encryption key in the filesystem, so an encrypted private key is still no more secure than an unencrypted one. It still just depends on setting proper file access permissions, and the current documentation already makes that point. Indeed, all it does is give the false illusion of enhancing security, and followups like balmerpeak92(a)gmail.com's shows that people will easily fall for such illusions. I regret having to reject such a well written contribution, but we cannot in good conscience accept a security feature that doesn't actually improve security. > > The meat of this patch is changes to tls2.c, tls_g.c, tls_m.c, and tls_o.c to > send a password to the underlying TLS library. > > Changes to ldap.h, init.c and ldap-int.h expose the new > LDAP_OPT_X_TLS_KEYPASSWORD in the main API. > > Changes in the contrib/ldapc++ directory expose the corresponding > TlsOptions::KEYPASSWORD option in the C++ API. > > Changes in the servers directory expose equivalent options for servers as > configuration file entries or environment variables. > > Changes in the doc directory add documentation about the new options and remove > statements that indicated that encrypted keyfiles are not supported. > > New files in the test directory are for testing TLS connections, both in general > and with encrypted keyfiles. Tests pass for OpenSSL and GnuTLS using PEM > formatted certs and keys, and for MozNSS using cert/key databases. The new unit > test (test065-tls) has been written to detect when using NSS, and use the > cert/key databases in this case. I have been unable to get a working version of > libnsspem, so I cannot test MozNSS with (or without) encrypted keyfiles - > testing for this case would be welcome! > > Notice of origin: The attached patch file is derived from OpenLDAP Software. All > of the modifications to OpenLDAP Software represented in the following patch > were developed by Alec Cooper ahnolds(a)gmail.com. I have not assigned rights > and/or interest in this work to any party. > Rights statement: I, Alec Cooper, hereby place the following modifications to > OpenLDAP Software (and only these modifications) into the public domain. Hence, > these modifications may be freely used and/or redistributed for any purpose with > or without attribution and/or other notice. > > The patch has been uploaded to the OpenLDAP FTP server and can be found at > ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8574) bconfig support for DNs that need escaping
by hyc＠symas.com 22 Feb '17

22 Feb '17

okuznik(a)symas.com wrote: > Full_Name: Ondrej Kuznik > Version: master > OS: > URL: ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170125-Deal-with-rDN-correc… > Submission from: (NULL) (151.228.185.198) > > > When an rdn under cn=config needs escaping, incorrect value gets passed to the > attribute and, if the attribute is single-value, the entry is rejected by > entry_naming_check(). > > Patch against master is attached. Why are you running the normalizer in a for-loop: + for ( cnt = 0; rDN[cnt]; cnt++ ) { but always setting value #0? + free( a->a_vals[0].bv_val ); + ber_dupbv( &a->a_vals[0], &ava->la_value ); If the RDN is actually a compound with multiple AVAs you need to concatenate them into a single value. Otherwise, if you don't intend to support compound RDNs, there's no point in using a for-loop. Just return an error if there's more than one AVA. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs February 2017