openldap-bugs May 2017

openldap-bugs@openldap.org

20 participants
39 discussions

(ITS#8660) slapd segmentation faults (relay backend and rwm overlay)
by nespor＠id.ethz.ch 24 May '17

24 May '17

Full_Name: Vlado Nespor Version: 2.4.44 OS: Red Hat el7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:67c:10ec:32d0::222) We have experienced random slapd segmentation faults, when the relay backend and rwm overlay were used in the configuration. After some time I could reproduce the segmentation fault on a slow client and with test queries, which were supposed to return a larger set of entries. I could trace the problem to a wrong pointer in the slap_writewait_play function in the openldap-2.4.44/servers/slapd/result.c file, and then further to the openldap-2.4.44/servers/slapd/back-relay/op.c file. After the addition of the sc_writewait pointer initialisation (see the patch below), the test queries returned correct results and random slapd segmentation faults disappeared. With best regards, Vlado Nespor diff -rupN openldap-2.4.44/servers/slapd/back-relay/op.c openldap-2.4.44_back-relay/servers/slapd/back-relay/op.c --- openldap-2.4.44/servers/slapd/back-relay/op.c 2016-02-06 00:57:45.000000000 +0100 +++ openldap-2.4.44_back-relay/servers/slapd/back-relay/op.c 2017-02-07 15:09:55.046188340 +0100 @@ -97,6 +97,7 @@ relay_back_response_cb( Operation *op, S (rcb)->rcb_sc.sc_next = (op)->o_callback; \ (rcb)->rcb_sc.sc_response = relay_back_response_cb; \ (rcb)->rcb_sc.sc_cleanup = 0; \ + (rcb)->rcb_sc.sc_writewait = 0; \ (rcb)->rcb_sc.sc_private = (op)->o_bd; \ (op)->o_callback = (slap_callback *) (rcb); \ }

1 0

ITS#8655 published: SECURITY: Segfault by ldapsearch with pagesize=0
by openldap-its＠OpenLDAP.org 22 May '17

22 May '17

Private ITS#8655 is now publicly readable URL: http://www.OpenLDAP.org/its/?findid=8655

1 0

Re: (ITS#8659) accesslog man page updates
by michael＠stroeder.com 18 May '17

18 May '17

quanah(a)symas.com wrote: > Seems like it would have been better to leave audit* attrs with slapo-auditlog I was not aware of a specific schema for slapo-auditlog (except attribute type 'olcAuditlogFile' for back-config). Ciao, Michael.

1 0

Re: (ITS#8659) accesslog man page updates
by quanah＠symas.com 18 May '17

18 May '17

--On Thursday, May 18, 2017 6:10 PM +0200 Michael Str=C3=B6der=20 <michael(a)stroeder.com> wrote: > quanah(a)symas.com wrote: >> --On Thursday, May 18, 2017 9:23 AM +0000 elecharny(a)apache.org wrote: >>> There are some differences between the current slapo-accesslog man = page, >>> and the code base : >>> >>> - the auditObject ObjectClass is missing the reqEntryUUID AT >>> - the auditContainer ObjectClass is not described in the man page >>> - the auditModRDN ObjectClass is missing the reqMod AT >> >> I think you mean slapo-auditlog, not slapo-accesslog? > > No, Emmanuel is definitely referring to slapo-accesslog. Yeah, saw that when I grepped the code. Seems like it would have been=20 better to leave audit* attrs with slapo-auditlog and use something else for = accesslog. Oh well. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8659) accesslog man page updates
by michael＠stroeder.com 18 May '17

18 May '17

This is a cryptographically signed message in MIME format. --------------ms020708080809040305030308 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable quanah(a)symas.com wrote: > --On Thursday, May 18, 2017 9:23 AM +0000 elecharny(a)apache.org wrote: >> There are some differences between the current slapo-accesslog man pag= e, >> and the code base : >> >> - the auditObject ObjectClass is missing the reqEntryUUID AT >> - the auditContainer ObjectClass is not described in the man page >> - the auditModRDN ObjectClass is missing the reqMod AT >=20 > I think you mean slapo-auditlog, not slapo-accesslog? No, Emmanuel is definitely referring to slapo-accesslog. Ciao, Michael. --------------ms020708080809040305030308 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC CucwggT9MIID5aADAgECAhBFRleVrRF8X5GwbV0tcLCgMA0GCSqGSIb3DQEBCwUAMHUxCzAJ BgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSkwJwYDVQQLEyBTdGFydENvbSBD ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEjMCEGA1UEAxMaU3RhcnRDb20gQ2xhc3MgMSBDbGll bnQgQ0EwHhcNMTYwOTE2MDcxNjUxWhcNMTkxMjE2MDcxNjUxWjBEMR0wGwYDVQQDDBRtaWNo YWVsQHN0cm9lZGVyLmNvbTEjMCEGCSqGSIb3DQEJARYUbWljaGFlbEBzdHJvZWRlci5jb20w ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChMBt5jtuLXsNQ5U7rBbZit8sknIwz hfaousT3d/fssQ6qZwe9l1yklILSXVMqI7/bxbiqcd3zrz+imdSlZPrFBHGfh04DZHCfss2F RwSswGejqP1qE3hPvZi96wFfOMqenpN+pSXqNJ1OPBCJ8a+8ZEioFKoEj3HkCCXjbmezAgms FuA7aFE9BfjJ2eQKw8B9G8X1FjvOTinYSZ2F+qHpKgywl4HTx0dMnYy+Pwu4DDIHkEaVH+uj K1/ed76WUEH51mX9m2Xu0onfQlSM3me6EvAAZiIDsCEbF9WttRuJbpfCFo0m2uW7BBugS7EG Jro1nRSQVnpJyTFgHb5EGMVVAgMBAAGjggG4MIIBtDAOBgNVHQ8BAf8EBAMCBLAwHQYDVR0l BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMAkGA1UdEwQCMAAwHQYDVR0OBBYEFFh1801TSuxT Nltnv9rOjrZzUUgNMB8GA1UdIwQYMBaAFCSBbDlhvkkPj7cbRivJKLUnSG1oMG8GCCsGAQUF BwEBBGMwYTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3Auc3RhcnRzc2wuY29tMDkGCCsGAQUF BzAChi1odHRwOi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9zY2EuY2xpZW50MS5jcnQwOAYD VR0fBDEwLzAtoCugKYYnaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2NhLWNsaWVudDEuY3Js MB8GA1UdEQQYMBaBFG1pY2hhZWxAc3Ryb2VkZXIuY29tMCMGA1UdEgQcMBqGGGh0dHA6Ly93 d3cuc3RhcnRzc2wuY29tLzBHBgNVHSAEQDA+MDwGCysGAQQBgbU3AQIFMC0wKwYIKwYBBQUH AgEWH2h0dHBzOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kwDQYJKoZIhvcNAQELBQADggEB AKiJ9wpjJeHdEzHDZyqmhn4cHcRj9Ag7ZQK0meq1N3oQ9M1YeVge6vZe20LXojgXsNUQGLSt 1lW2s7fABkL9CF+/RtWznHxlp4YpWX/RgbHBo3uXKNA5JUOjbxQ2+1b1jaTp/FUrSIISAxgd RpeYAODJ0db1x8Q+l66DtIVjj7ktWISdJWE2Opn4QnaRwdj6n35Rul4S2ikUsmxtGrHLpjRR XJqbsGa0RZdJyUKlZ2ZRAoRz4jKHOogQcig937sR5Ut2pGOhrScEhgARY2c8Gs2olRTL3pue mE4vjY0g1Nwr9RzeFwMuasiFh4yD34i6jIRfoNzuLPgydjsJ0grw0akwggXiMIIDyqADAgEC AhBrp4p9CteI1lEK+Vnk57ThMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNVBAYTAklMMRYwFAYD VQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0 ZSBTaWduaW5nMSkwJwYDVQQDEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe Fw0xNTEyMTYwMTAwMDVaFw0zMDEyMTYwMTAwMDVaMHUxCzAJBgNVBAYTAklMMRYwFAYDVQQK Ew1TdGFydENvbSBMdGQuMSkwJwYDVQQLEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhv cml0eTEjMCEGA1UEAxMaU3RhcnRDb20gQ2xhc3MgMSBDbGllbnQgQ0EwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQC9fdr3w6J9g/Zbgv3bW1+uHht1wLUZr5gkrLtXedg17Ake fMyUGwrQdvwObhajcVmnKVxhrUwkZPXRAwZZosRHfEIi5FH7x6SV/8Sp5lZEuiMnvMFG2MzL A84J6Ws5T4NfXZ0qn4TPgnr3X2vPVS51M7Ua9nIJgn8jvTra4eyyQzxvuA/GZwKg7VQfDCmC S+kICslYYWgXOMt2xlsSslxLce0CGWRsT8EpMyt1iDflSjXZIsE7m1uTyHaKZspMLyIyz6my Su8j8BWWHpChNNeTrFuhVfrOAyDPFJVUvKZCLKBhibTLloyy+LatoWELrjdI4a8StZY8+dIR 9t4APXGzAgMBAAGjggFkMIIBYDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUH AwIGCCsGAQUFBwMEMBIGA1UdEwEB/wQIMAYBAf8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0 cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMGYGCCsGAQUFBwEBBFowWDAkBggrBgEF BQcwAYYYaHR0cDovL29jc3Auc3RhcnRzc2wuY29tMDAGCCsGAQUFBzAChiRodHRwOi8vYWlh LnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwHQYDVR0OBBYEFCSBbDlhvkkPj7cbRivJKLUn SG1oMB8GA1UdIwQYMBaAFE4L7xqkQFulF2mHMMo0aEPQQa7yMD8GA1UdIAQ4MDYwNAYEVR0g ADAsMCoGCCsGAQUFBwIBFh5odHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kwDQYJKoZI hvcNAQELBQADggIBAIvj94fsAYuErQ8BAluc4SMnIwS9NPBwAm5SH9uh2NCXTq7im61g7F1L IiNI/+wq37fUuaMbz4g7VarKQTgf8ubs0p7NZWcIe7Bvem2AWaXBsxsaRTYw5kG3DN8pd1hS EUuFoTa7DmNeFe8tiK1BrL3rbA/m48jp4AiFXgvxprJrW7izsyetOrRHPbkW4Y07v29MdhaP v3u1JELyszXqOzjIYo4sWlC8iDQXwgSW/ntvWy2n4LuiaozlCfXl149tKeqvwlvrla2Yklue /quWp9j9ou4T/OY0CXMuY+B8wNK0ohd2D4ShgFlMSjzAFRoHGKF81snTr2d1A7Ew02oF6UQy CkC2aNNsK5cWOojBar5c7HplX9aHYUCZouxIeU28SONJAxnATgR4cJ2jrpmYSz/kliUJ46S6 UpVDo/ebn9c6PaM/XtDYCCaM/7XX6wc3s++sbQ7CtCn1Ax7df6ufQbwyO0V+oFa9H0KAsjHM zcwk3EV2B2NLatidKE/m7G+rB9m+FlVgIiSp0mGlg43QO9Kh1+JqvTCIzv2bJJkmPMLQJNuK KwHNL8F4GGp6jbAV+WL+LDeGfVcq8DHS3LrD+xyYEXQBiqZEdiPVOMxLDSUCXsDO0uCWpaNQ 8j6y6S9p0xE/Ga0peVLadVHhqf9nXqKaxnr358VgfrxzUIrvOaOjMYIDzDCCA8gCAQEwgYkw dTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKTAnBgNVBAsTIFN0YXJ0 Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSMwIQYDVQQDExpTdGFydENvbSBDbGFzcyAx IENsaWVudCBDQQIQRUZXla0RfF+RsG1dLXCwoDANBglghkgBZQMEAgEFAKCCAhMwGAYJKoZI hvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTcwNTE4MTUxMDMzWjAvBgkq hkiG9w0BCQQxIgQg9jM2o7OgykNVN+x7Wk7o6yyHAhqM5i1ZlIObhnQ+uW0wbAYJKoZIhvcN AQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3 DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBmgYJKwYB BAGCNxAEMYGMMIGJMHUxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSkw JwYDVQQLEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEjMCEGA1UEAxMaU3Rh cnRDb20gQ2xhc3MgMSBDbGllbnQgQ0ECEEVGV5WtEXxfkbBtXS1wsKAwgZwGCyqGSIb3DQEJ EAILMYGMoIGJMHUxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSkwJwYD VQQLEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEjMCEGA1UEAxMaU3RhcnRD b20gQ2xhc3MgMSBDbGllbnQgQ0ECEEVGV5WtEXxfkbBtXS1wsKAwDQYJKoZIhvcNAQEBBQAE ggEAXwPJpYHRfcEVgXI6x6aKh5jcpnMv0hE15VTB9wYpvde8y1NXjbC8RrP0K607UXPe/zEO eg1KbsULDOmxc+/nL1G/mWYQpt9ye+PElCXrBDFPjXKp2rbTI7UD9JlZ0ZoiENvQTW2KO2GD LwaQuHvQ1I47M19t7Xw9eHktIhOlpe/AUC4fWPJf5Wpd5fjNePOiLYAex/dZvzjJmtyIRQBl JxiAQofcwDks9GqXbJpl20mWAO3Zz/uWaIKmDZJkzxacl5VF7UBgIAlmBy+bIVnMp4+Rm4e2 SuVkF8cnmArDYDTxagHp48QfcxHOu2wz/MhqEuzqPHOCVZ9XTzFgEOgIaAAAAAAAAA== --------------ms020708080809040305030308--

1 0

Re: (ITS#8659) accesslog man page updates
by quanah＠symas.com 18 May '17

18 May '17

--On Thursday, May 18, 2017 9:23 AM +0000 elecharny(a)apache.org wrote: > Full_Name: Emmanuel Lecharny > Version: 2.4.45 > OS: > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (83.202.2.198) > > > There are some differences between the current slapo-accesslog man page, > and the code base : > > - the auditObject ObjectClass is missing the reqEntryUUID AT > - the auditContainer ObjectClass is not described in the man page > - the auditModRDN ObjectClass is missing the reqMod AT I think you mean slapo-auditlog, not slapo-accesslog? --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

(ITS#8659) accesslog man page updates
by elecharny＠apache.org 18 May '17

18 May '17

Full_Name: Emmanuel Lecharny Version: 2.4.45 OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (83.202.2.198) There are some differences between the current slapo-accesslog man page, and the code base : - the auditObject ObjectClass is missing the reqEntryUUID AT - the auditContainer ObjectClass is not described in the man page - the auditModRDN ObjectClass is missing the reqMod AT

1 0

Re: (ITS#8658) Can't change olcTLSCipherSuite
by ryan＠nardis.ca 17 May '17

17 May '17

Hello Oleg, The Ubuntu package uses GnuTLS and therefore your olcTLSCipherSuite setting needs to contain a valid GnuTLS priority string. https://gnutls.org/manual/html_node/Priority-Strings.html The slapd crash you are seeing is an Ubuntu-specific bug and has been fixed in later versions. https://bugs.launchpad.net/bugs/1103353 If you configure a valid GnuTLS priority string, it will not crash. In future please report issues with distro packages to the distro's bug tracker (in this case Launchpad); we can always forward them here if appropriate. This ITS will be closed.

1 0

Re: (ITS#8658) Can't change olcTLSCipherSuite
by quanah＠symas.com 17 May '17

17 May '17

--On Wednesday, May 17, 2017 9:24 AM +0000 slonvpalto(a)gmail.com wrote: > Full_Name: Oleg Pekar > Version: 2.4.31 Please use a current release of OpenLDAP. 2.4.31 is over 5 years old and hundreds of bugs with cn=config have been fixed since then. If you can reproduce the issue with a current release, then follow up at that time. In the meantime, this ITS will be closed. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

(ITS#8658) Can't change olcTLSCipherSuite
by slonvpalto＠gmail.com 17 May '17

17 May '17

Full_Name: Oleg Pekar Version: 2.4.31 OS: Ubuntu 14.04 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:420:4482:1252:a136:e35f:4494:428b) When I try to change olcTLSCipherSuite in LDAP configuration I get the following error: root@LDAP-server:/oleg# ldapmodify -Y EXTERNAL -H ldapi:/// -d 1 -f cipher ldap_url_parse_ext(ldapi:///) ldap_create ldap_url_parse_ext(ldapi:///??base) ldap_sasl_interactive_bind: user selected: EXTERNAL ldap_int_sasl_bind: EXTERNAL ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_path ldap_new_socket: 4 ldap_connect_to_path: Trying /var/run/slapd/ldapi ldap_connect_timeout: fd: 4 tm: -1 async: 0 ldap_ndelay_on: 4 ldap_close_socket: 4 ldap_msgfree ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) File "cipher" used for update in the command above: dn: cn=config changetype: modify replace: olcTLSCipherSuite olcTLSCipherSuite: AES128-SHA The server is indicated as running: root@LDAP-server:/oleg# service slapd status * slapd is running Therefore I cannot change the cipher that is used by secure LDAP. Thanks Oleg

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2017