openldap-bugs July 2017

openldap-bugs@openldap.org

22 participants
41 discussions

(ITS#8704) LMDB add option to use prev meta page
by hyc＠openldap.org 31 Jul '17

31 Jul '17

Full_Name: Howard Chu Version: LMDB 0.9 OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (83.136.45.220) Submitted by: hyc Generally, running LMDB in NOSYNC mode means all integrity guarantees are gone, in even of a system crash. However, if some other thread runs mdb_env_sync periodically it's possible that the older DB state is still consistent, even if slightly out of date. I have always intended to add an env flag for using the older meta page, to potentially access a DB … [View More]

1 0

Re: (ITS#8703) slapd should create its PID file before dropping privileges
by michael＠orlitzky.com 29 Jul '17

29 Jul '17

The problem scenario looks like the following: 1. I run "/etc/init.d/slapd start" to start the daemon. 2. slapd drops to the "slapd" user. 3. slapd writes its PID file, now owned by the "slapd" user. 4. Someone compromises the daemon, which sits on the open network. 5. The attacker is generally limited in what he can do because the daemon doesn't run as root. However, he can write "1" into the slapd.pid file, and he does. 6. I run "/etc/init.d/slapd stop" to stop the daemon while I … [View More]

1 0

Re: (ITS#8703) slapd should create its PID file before dropping privileges
by hyc＠symas.com 29 Jul '17

29 Jul '17

michael(a)orlitzky.com wrote: > Full_Name: Michael Orlitzky > Version: 2.4.45 > OS: Gentoo > URL: > Submission from: (NULL) (98.218.46.55) > > > The slapd daemon should create its PID file before dropping privileges. This > represents a minor security issue; additional factors are needed to make it > exploitable. > > Why? > > The purpose of the PID file is to hold the PID of the running daemon, > so that later it can be stopped, restarted, or … [View More]

1 0

(ITS#8703) slapd should create its PID file before dropping privileges
by michael＠orlitzky.com 28 Jul '17

28 Jul '17

Full_Name: Michael Orlitzky Version: 2.4.45 OS: Gentoo URL: Submission from: (NULL) (98.218.46.55) The slapd daemon should create its PID file before dropping privileges. This represents a minor security issue; additional factors are needed to make it exploitable. Why? The purpose of the PID file is to hold the PID of the running daemon, so that later it can be stopped, restarted, or otherwise signalled (many daemons reload their configurations in response to a SIGHUP). To fulfill that … [View More]

1 0

(ITS#8702) SLAPD_MAX_DAEMON_THREADS is too small
by hyc＠openldap.org 28 Jul '17

28 Jul '17

Full_Name: Howard Chu Version: HEAD OS: Solaris 11.3 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (31.216.236.133) Submitted by: hyc Was benchmarking on an Oracle M8 box with 2048 SPARC VCPUs. With 1024 slapd threads configured, we needed 64 listener threads and 64 threadqueues to eliminate slapd bottlenecks, but the current default in daemon.c only allows up to 16 listener threads. It's a #ifndef so easily overridable at compile time, but 16 is probably too small in this … [View More]

1 0

(ITS#8701) account usability control for password less logins
by manikya.prabhu.salveru＠oracle.com 27 Jul '17

27 Jul '17

Full_Name: Manikya Version: 2.4.44 OS: Solaris 11.3 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (141.143.213.56) Solaris ldap clients are configured for pam_ldap and requires a control to validate users for password less logins. http://docs.oracle.com/cd/E19253-01/816-4556/schemas-250/index.html >From open-ds documentation. account usability control The account usability control provides a pair of request and response controls that can be used to determine whether a … [View More]

1 0

(ITS#8700) Compile error
by papachoco＠gmail.com 26 Jul '17

26 Jul '17

Full_Name: Carlos Sanchez Version: 2.4.45 OS: macOS 10.12.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (68.97.40.67) I am getting the error below while compiling openldap 2.4.45 on the latest macOS sierra (10.12.6). I am only setting two configuration options configure-options = --disable-slapd --disable-slurpd Undefined symbols for architecture x86_64: "_ERR_remove_thread_state", referenced from: _tlso_destroy in libldap.a(tls_o.o) ld: symbol(s) not … [View More]

1 0

(ITS#8699) More for cursor_del with DUPSORT
by hyc＠openldap.org 26 Jul '17

26 Jul '17

Full_Name: Howard Chu Version: LMDB 0.9.21 OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (31.216.236.133) Submitted by: hyc When deleting a series of records in a loop using mdb_cursor_get(MDB_NEXT) in a DUPSORT DB, when deleting the last dup of one key, the first dup of the next key gets skipped on the next iteration. This appears to be due to an incomplete fix to ITS#8622

1 0

(ITS#8698) ppolicy: responses from pwdCheckModule discarded when using an extended password modify
by tim＠bishnet.net 26 Jul '17

26 Jul '17

Full_Name: Tim Bishop Version: 2.4.42 OS: Ubuntu 16.04 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:630:340:1141::13) Whilst this issue was discovered on OpenLDAP 2.4.42, the code is unchanged on the latest version, so I believe it is still applicable there. The high-level overview of the problem is that when using the ppolicy overlay with an external pwdCheckModule, and a password is changed using the LDAPv3 Password Modify (RFC 3062) extended operation (ie. … [View More]

1 0

(ITS#8697) Remove refptr symbols from slapd.def
by quanah＠openldap.org 20 Jul '17

20 Jul '17

Full_Name: Quanah Gibson-Mount Version: 2.4.45 OS: Windows 10 64-bit URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) When building OpenLDAP with a newer version of gcc, dlltool now exports a ton of ".refptr.FUNCTION" values out to the slapd.def file. This breaks the build process, as they aren't real functions. This is due to this change to gcc: https://gcc.gnu.org/ml/gcc-patches/2013-03/msg00858.html Fix is simple enough, simply update our sed that we run … [View More]

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs July 2017