January 2018 - openldap-bugs

Re: (ITS#8799) slaptest fails to properly convert chain configuration

by ondra＠mistotebe.net

On Mon, Jan 22, 2018 at 09:59:21PM +0000, quanah(a)openldap.org wrote: > The process for converting a slapd configuration to cn=config making use of > slapo-chain at a global level is seriously broken. It's not as bad, just a little bit broken: > This can be trivially illustrated by using the slapd.conf generated by test032. > > After doing conversion, the resulting cn=config database has *two* ldap backends > defined: > > dn: olcDatabase={-1}frontend,cn=config > dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config > dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf This is the catchall database used to handle referrals that are not handled by any other database you configure by hand. It collects all the chain-* settings that appear before the first chain-uri. > dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf > > The first instance ({0}ldap,...) isn't even valid. If you remove the entire > chain configuration from this database, and then attempt to import it, you get > the following: Yeah that is a problem. > ldap_add: Object class violation (65) > > This is because the first instance ({0}) is *missing* the required olcDbURI > attribute. In addition, it generates completely bogus attribute values (See > ITS#8693) Maybe we just need to inherit objectclass: olcLdapDatabase somehow in olcChainOverlay and keep these settings in the overlay entry, or specify a bogus URI to be configured there. Whatever is most useable and still allows for seamless expansion. > The *second* generated LDAP backend database is what is correct. > > Here's the LDIF for the incorrect database: > > [...] > > Here's the LDIF for the *correct* database: > > [...] -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

5 years, 8 months

1
0
0 / 0

(ITS#8799) slaptest fails to properly convert chain configuration

by quanah＠openldap.org

Full_Name: Quanah Gibson-Mount Version: 2.4.45 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) The process for converting a slapd configuration to cn=config making use of slapo-chain at a global level is seriously broken. This can be trivially illustrated by using the slapd.conf generated by test032. After doing conversion, the resulting cn=config database has *two* ldap backends defined: dn: olcDatabase={-1}frontend,cn=config dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf The first instance ({0}ldap,...) isn't even valid. If you remove the entire chain configuration from this database, and then attempt to import it, you get the following: ldapadd -H ldap:/// -D cn=config -w secret -f ./olcOverlay\=\{0\}chain.ldif adding new entry "olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config" ldapadd -H ldap:/// -D cn=config -w secret -f ./olcDatabase\=\{0\}ldap.ldif adding new entry "olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config" ldap_add: Object class violation (65) This is because the first instance ({0}) is *missing* the required olcDbURI attribute. In addition, it generates completely bogus attribute values (See ITS#8693) The *second* generated LDAP backend database is what is correct. Here's the LDIF for the incorrect database: dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {0}ldap olcDbStartTLS: none starttls=no olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 Here's the LDIF for the *correct* database: dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {1}ldap olcDbURI: "ldap://localhost:9012" olcDbStartTLS: none starttls=no olcDbIDAssertBind: mode=self flags=non-prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=manager,dc=exampl e,dc=com" credentials="secret" keepalive=0:0:0 olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 However, even in the case of the *correct* LDIF, the bogus olcDbStartTLS attribute is defined (Again, ITS#8693) This is the slapd.conf used to convert: include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/nis.schema pidfile /tmp/slapd.1.pid argsfile /tmp/slapd.1.args modulepath /usr/local/libexec/openldap moduleload back_mdb.la moduleload back_ldap.la moduleload back_monitor.la overlay chain chain-uri ldap://localhost:9012/ chain-idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=secret mode=self flags=non-prescriptive database mdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw secret directory /tmp/db.1.a index objectClass eq index cn,sn,uid pres,eq,sub database monitor

5 years, 8 months

1
0
0 / 0

Re: (ITS#8798) slapd-tester tools improvements

by hyc＠symas.com

ondra(a)openldap.org wrote: > Full_Name: Ondrej Kuznik > Version: master > OS: > URL: https://github.com/mistotebe/openldap/tree/ITS8798 > Submission from: (NULL) (82.10.24.68) > > > The above branch unifies most of the configuration/set-up between the tester > programs and adds support for the following: > - retry support for binds > - debug level (-d option) > - SASL bind support > > slapd-tester and slapd-auth (a slamd helper) are left intact. > > Looks great. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

5 years, 8 months

1
0
0 / 0

(ITS#8798) slapd-tester tools improvements

by ondra＠openldap.org

Full_Name: Ondrej Kuznik Version: master OS: URL: https://github.com/mistotebe/openldap/tree/ITS8798 Submission from: (NULL) (82.10.24.68) The above branch unifies most of the configuration/set-up between the tester programs and adds support for the following: - retry support for binds - debug level (-d option) - SASL bind support slapd-tester and slapd-auth (a slamd helper) are left intact.

5 years, 8 months

1
0
0 / 0

Re: (ITS#8797) improper use of gnutls causes segfault

by hyc＠symas.com

lukas(a)selfnet.de wrote: >> PAM should be using nss-pam-ldapd, not calling libldap directly. This >> is an architectural flaw in both GnuTLS and PAM, not an OpenLDAP bug. >> This ITS is invalid. > > It's called _lib_ldap after all, so are other projects linking against / > dlopen()ing libldap doing the wrong thing? PAM should not be polluting the application namespace with libraries that the application may itself be using. The same type of problems arise if e.g. the application uses Kerberos and PAM also uses Kerberos, and the application and PAM want to use different configurations. The only correct way for a PAM module to work is to never expose its underlying libraries to the calling application. This is not an OpenLDAP issue. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

5 years, 8 months

1
0
0 / 0

Re: (ITS#8797) improper use of gnutls causes segfault

by lukas＠selfnet.de

> PAM should be using nss-pam-ldapd, not calling libldap directly. This > is an architectural flaw in both GnuTLS and PAM, not an OpenLDAP bug. > This ITS is invalid. It's called _lib_ldap after all, so are other projects linking against / dlopen()ing libldap doing the wrong thing? Messing with other libraries global state and not undoing it on cleanup isn't exactly what a well-behaved library should do. The gnutls documentation explicitly mentions not to call gnutls_global_set_mutex from libraries: > Do not call this function from a library, or preferably from any > application unless really needed to.

5 years, 8 months

1
0
0 / 0

Re: (ITS#8797) improper use of gnutls causes segfault

by lukas＠selfnet.de

> Removing the custom mutex functions and (for sufficiently recent GnuTLS) > the calls to gnutls_global_{,de}init() looks like a more and more > attractive solution. I am not aware of anyone using OpenLDAP with GnuTLS > on a platform for which GnuTLS lacks built-in mutex functions... Just for the record: I recompiled libldap with the call to gnutls_global_set_mutex removed and cups doesn't segfault anymore.

5 years, 8 months

1
0
0 / 0

Re: (ITS#8797) improper use of gnutls causes segfault

by hyc＠symas.com

ryan(a)nardis.ca wrote: > On Mon, Jan 15, 2018 at 07:33:52PM +0000, lukas(a)selfnet.de wrote: >> During initialization, libldap sets custom gnutls mutex functions: >> https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=librari... >> >> PAM uses libldap via dlopen and unloads it when it's done, but openldap doesn't >> undo gnutls_global_set_mutex, so any further calls to locking functions inside >> openldap will segfault since these function pointers now point to nowhere since >> openldap is unloaded. >> >> I encountered this issue in cups since cups uses gnutls itself for the web >> interface and segfaults when it uses gnutls after libldap. > > Thanks for this report. > > This is not the first issue caused by our usage of the custom mutex > functions; see also <https://bugs.debian.org/803197>. > > Removing the custom mutex functions and (for sufficiently recent GnuTLS) > the calls to gnutls_global_{,de}init() looks like a more and more > attractive solution. I am not aware of anyone using OpenLDAP with GnuTLS > on a platform for which GnuTLS lacks built-in mutex functions... PAM should be using nss-pam-ldapd, not calling libldap directly. This is an architectural flaw in both GnuTLS and PAM, not an OpenLDAP bug. This ITS is invalid. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

5 years, 8 months

1
0
0 / 0

Re: (ITS#8797) improper use of gnutls causes segfault

by ryan＠nardis.ca

On Mon, Jan 15, 2018 at 07:33:52PM +0000, lukas(a)selfnet.de wrote: >During initialization, libldap sets custom gnutls mutex functions: >https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=librari... > >PAM uses libldap via dlopen and unloads it when it's done, but openldap doesn't >undo gnutls_global_set_mutex, so any further calls to locking functions inside >openldap will segfault since these function pointers now point to nowhere since >openldap is unloaded. > >I encountered this issue in cups since cups uses gnutls itself for the web >interface and segfaults when it uses gnutls after libldap. Thanks for this report. This is not the first issue caused by our usage of the custom mutex functions; see also <https://bugs.debian.org/803197>. Removing the custom mutex functions and (for sufficiently recent GnuTLS) the calls to gnutls_global_{,de}init() looks like a more and more attractive solution. I am not aware of anyone using OpenLDAP with GnuTLS on a platform for which GnuTLS lacks built-in mutex functions...

5 years, 8 months

1
0
0 / 0

(ITS#8797) improper use of gnutls causes segfault

by lukas＠selfnet.de

Full_Name: Lukas K. Version: 2.4.44+dfsg-5+deb9u1 OS: Debian Stretch URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:7c7:2100:130:b9b5:f8df:7b98:8c2e) During initialization, libldap sets custom gnutls mutex functions: https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=librari... PAM uses libldap via dlopen and unloads it when it's done, but openldap doesn't undo gnutls_global_set_mutex, so any further calls to locking functions inside openldap will segfault since these function pointers now point to nowhere since openldap is unloaded. I encountered this issue in cups since cups uses gnutls itself for the web interface and segfaults when it uses gnutls after libldap.

5 years, 8 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs January 2018