May 2018 - openldap-bugs

Re: (ITS#8847) New LDAP URL syntax to support binding to specific IP address at client side

by michael＠stroeder.com

hyc(a)symas.com wrote: > ryan(a)openldap.org wrote: >> On Sun, May 06, 2018 at 01:50:23PM +0000, arekkusu(a)r42.ch wrote: >>> Adding a source IP to an URI feels wrong to it. >>> >>> I have not read RFC dealing with URI, however having a quick look [1] seems to >>> indicate that using the at sign in this way is non-standard. >> >> I agree. @ in URIs is already defined as separating credentials (or just >> username) from the host. I don't recall whether OpenLDAP supports that >> usage but in any case we shouldn't re-define it. > > Agreed. URI syntax is pretty thoroughly specified in multiple RFCs, nobody can > just arbitrarily decide to change it. And the point of a URI is that it is > valid for a destination no matter who/where the source is. > > This patch completely breaks the function and intent of URIs. IMO having the capability to specify the source IP is very useful in multi-homed host setups with strict network security. But of course one should not invent new URL syntax or abuse existing definitions. RFC 4516 indeed specifies LDAP URL extensions and this should be used. This also has the advantage that e.g. python-ldap's LDAP URL parser can also be used for that. Ideally one could write a very short I-D for such an extension. Ciao, Michael.

5 years, 1 month

1
0
0 / 0

RE: (ITS#8848) New LDAP URL syntax to support binding to specific IP address at client side

by sudhir.singam＠nokia.com

Sorry this is same as 8847, please close it. Somehow new ticket got created= when I refresh browser page from last time. Sorry for the trouble. Regards, Sudhir Singam DELIVERING BEST-IN-CLASS PLATFORM is our vision -----Original Message----- From: openldap-its(a)OpenLDAP.org [mailto:openldap-its@OpenLDAP.org]=20 Sent: Monday, May 07, 2018 12:02 PM To: Singam, Sudhir (Nokia - IN/Bangalore) <sudhir.singam(a)nokia.com> Subject: Re: (ITS#8848) New LDAP URL syntax to support binding to specific = IP address at client side *** THIS IS AN AUTOMATICALLY GENERATED REPLY *** Thanks for your report to the OpenLDAP Issue Tracking System. Your report has been assigned the tracking number ITS#8848. One of our support engineers will look at your report in due course. Note that this may take some time because our support engineers are volunteers. They only work on OpenLDAP when they have spare time. If you need to provide additional information in regards to your issue report, you may do so by replying to this message. Note that any mail sent to openldap-its(a)openldap.org with (ITS#8848) in the subject will automatically be attached to the issue report. mailto:openldap-its@openldap.org?subject=3D(ITS#8848) You may follow the progress of this report by loading the following URL in a web browser: http://www.OpenLDAP.org/its/index.cgi?findid=3D8848 Please remember to retain your issue tracking number (ITS#8848) on any further messages you send to us regarding this report. If you don't then you'll just waste our time and yours because we won't be able to properly track the report. Please note that the Issue Tracking System is not intended to be used to seek help in the proper use of OpenLDAP Software. Such requests will be closed. OpenLDAP Software is user supported. http://www.OpenLDAP.org/support/ -------------- Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.

5 years, 1 month

1
0
0 / 0

(ITS#8848) New LDAP URL syntax to support binding to specific IP address at client side

by sudhir.singam＠nokia.com

Full_Name: Singam Sudhir Reddy Version: master branch OS: fedora URL: ftp://ftp.openldap.org/incoming/sudhirsingam-180505.patch Submission from: (NULL) (131.228.66.13) The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by NOKIA. NOKIA has not assigned rights and/or interest in this work to any party. I, SINGAM SUDHIR REDDY authorized by NOKIA, my employer, to release this work under the following terms. NOKIA hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. **** Description: Currently when using the openldap client and try to connect to LDAP server using LDAP URL, client automatically binds to an IP address returned by kernel. For example, in the below usage, client automatically binds to an IP address returned by kernel. ldapsearch -H ldap://10.63.57.239:389 D "uid=admin, ou=administrators, ou=topologymanagement, o=netscaperoot" -x -w admin -b "uid=baha, ou=people, ou=accounts, ou=region-911080, ou=regions, ou=netact, dc=noklab, dc=net, dc=localdomain" But if we want to route the traffic on a specific interface/IP address, currently there is no provision. And the idea or enhancement is to introduce such provision by giving source bind IP address in the URL in the following format. ldap://TARGET-IP-ADDRESS@SOURCE-BIND-IP-ADDRESS:PORT For example, ldapsearch -H ldap://10.63.57.239@10.37.220.9:389 D "uid=admin, ou=administrators, ou=topologymanagement, o=netscaperoot" -x -w admin -b "uid=baha, ou=people, ou=accounts, ou=region-911080, ou=regions, ou=netact, dc=noklab, dc=net, dc=localdomain" Note this feature is backward compatible, that is, it is optional to provide source bind IP address in the URL. This feature also supports IPV6 addresses.

5 years, 1 month

1
0
0 / 0

Re: (ITS#8847) New LDAP URL syntax to support binding to specific IP address at client side

by hyc＠symas.com

ryan(a)openldap.org wrote: > On Sun, May 06, 2018 at 01:50:23PM +0000, arekkusu(a)r42.ch wrote: >> Adding a source IP to an URI feels wrong to it. >> >> I have not read RFC dealing with URI, however having a quick look [1] seems to >> indicate that using the at sign in this way is non-standard. > > I agree. @ in URIs is already defined as separating credentials (or just > username) from the host. I don't recall whether OpenLDAP supports that > usage but in any case we shouldn't re-define it. Agreed. URI syntax is pretty thoroughly specified in multiple RFCs, nobody can just arbitrarily decide to change it. And the point of a URI is that it is valid for a destination no matter who/where the source is. This patch completely breaks the function and intent of URIs. Closing this ITS. > I believe ITS#8654 is about the same feature? That one implemented this > by copying a Microsoft option, LDAP_OPT_SOCKET_BIND_ADDRESSES. I would > think that's probably a better approach. Maybe you could pick up where > the author of that one left off? He disappeared after posting his patch > for review... > > thanks > Ryan > > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

5 years, 1 month

1
0
0 / 0

Re: (ITS#8846) Patch to introduce new LDAP option to ignore hostname checking while verifying certificates in TLS mode

by hyc＠symas.com

sudhir.singam(a)nokia.com wrote: > Full_Name: Singam Sudhir Reddy > Version: master branch > OS: fedora > URL: ftp://ftp.openldap.org/incoming/sudhirsingam-180506.patch > Submission from: (NULL) (61.1.232.154) > > > The attached file is derived from OpenLDAP Software. All of the modifications to > OpenLDAP Software represented in the following patch(es) were developed by > NOKIA. NOKIA has not assigned rights and/or interest in this work to any party. > I, SINGAM SUDHIR REDDY authorized by NOKIA, my employer, to release this work > under the following terms. > > NOKIA hereby place the following modifications to OpenLDAP Software (and only > these modifications) into the public domain. Hence, these modifications may be > freely used and/or redistributed for any purpose with or without attribution > and/or other notice. > > **** > Description: > > This is minor enhancement to introduce a new LDAP option > "LDAP_OPT_X_TLS_DEMAND_EXCL_HOSTNAME_CHECK" to ignore hostname checking by > client in TLS communication mode. This is very similar to > "LDAP_OPT_X_TLS_DEMAND" LDAP option except that HOSTNAME checking is ignored. > > This option can be set by client either by using LDAP API "ldap_set_option" or > can be globally set in the configuration file /etc/openldap/ldap.conf like > below. > > TLS_REQCERT demand_excl_hostname_check > > Purpose: > > Generally operators use same set of certificates for different services (from > different hosts) which support TLS communication. When such certificates are > used, this option gives facility for openldap based services to ignore hostname > checking at client side. No. If you're using a single set of certificates for multiple hosts you should be using a wildcard cert. Closing this ITS. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

5 years, 1 month

1
0
0 / 0

Re: (ITS#8847) New LDAP URL syntax to support binding to specific IP address at client side

by ryan＠openldap.org

On Sun, May 06, 2018 at 01:50:23PM +0000, arekkusu(a)r42.ch wrote: >Adding a source IP to an URI feels wrong to it. > >I have not read RFC dealing with URI, however having a quick look [1] seems to >indicate that using the at sign in this way is non-standard. I agree. @ in URIs is already defined as separating credentials (or just username) from the host. I don't recall whether OpenLDAP supports that usage but in any case we shouldn't re-define it. I believe ITS#8654 is about the same feature? That one implemented this by copying a Microsoft option, LDAP_OPT_SOCKET_BIND_ADDRESSES. I would think that's probably a better approach. Maybe you could pick up where the author of that one left off? He disappeared after posting his patch for review... thanks Ryan

5 years, 1 month

1
0
0 / 0

Re: (ITS#8847) New LDAP URL syntax to support binding to specific IP address at client side

by arekkusu＠r42.ch

Adding a source IP to an URI feels wrong to it. I have not read RFC dealing with URI, however having a quick look [1] seems to indicate that using the at sign in this way is non-standard. Regardless of the syntax, I don't think a Uniform Resource Identifier is the right place to add source IP information. An LDAP URI typically refer to a (usually remote) LDAP server or servers. It's all about the destination. A source IP is machine specific. I think a separate option would make more sense. Any specific reason for wanting to add it in the URI? I am not an OpenLDAP developer/contributor, this is just my opinion. [1] https://en.wikipedia.org/wiki/Uniform_Resource_Identifier On Sun, 2018-05-06 at 06:15 +0000, sudhir.singam(a)nokia.com wrote: > Full_Name: Singam Sudhir Reddy > Version: master branch > OS: fedora > URL: ftp://ftp.openldap.org/incoming/sudhirsingam-180505.patch > Submission from: (NULL) (61.1.232.154) > > > The attached file is derived from OpenLDAP Software. All of the modifications > to > OpenLDAP Software represented in the following patch(es) were developed by > NOKIA. NOKIA has not assigned rights and/or interest in this work to any > party. > I, SINGAM SUDHIR REDDY authorized by NOKIA, my employer, to release this work > under the following terms. > > NOKIA hereby place the following modifications to OpenLDAP Software (and only > these modifications) into the public domain. Hence, these modifications may be > freely used and/or redistributed for any purpose with or without attribution > and/or other notice. > > **** > > Description: > > Currently when using the openldap client and try to connect to LDAP server > using > LDAP URL, client automatically binds to an IP address returned by kernel. > > For example, in the below usage, client automatically binds to an IP address > returned by kernel. > > ldapsearch -H ldap://10.63.57.239:389 D "uid=admin, ou=administrators, > ou=topologymanagement, o=netscaperoot" -x -w admin -b "uid=baha, ou=people, > ou=accounts, ou=region-911080, ou=regions, ou=netact, dc=noklab, dc=net, > dc=localdomain" > > But if we want to route the traffic on a specific interface/IP address, > currently there is no provision. And the idea or enhancement is to introduce > such provision by giving source bind IP address in the URL in the following > format. > > ldap://TARGET-IP-ADDRESS@SOURCE-BIND-IP-ADDRESS:PORT > > For example, > > ldapsearch -H ldap://10.63.57.239@10.37.220.9:389 D "uid=admin, > ou=administrators, ou=topologymanagement, o=netscaperoot" -x -w admin -b > "uid=baha, ou=people, ou=accounts, ou=region-911080, ou=regions, ou=netact, > dc=noklab, dc=net, dc=localdomain" > > Note this feature is backward compatible, that is, it is optional to provide > source bind IP address in the URL. > > This feature also supports IPV6 addresses. > >

5 years, 1 month

1
0
0 / 0

(ITS#8847) New LDAP URL syntax to support binding to specific IP address at client side

by sudhir.singam＠nokia.com

Full_Name: Singam Sudhir Reddy Version: master branch OS: fedora URL: ftp://ftp.openldap.org/incoming/sudhirsingam-180505.patch Submission from: (NULL) (61.1.232.154) The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by NOKIA. NOKIA has not assigned rights and/or interest in this work to any party. I, SINGAM SUDHIR REDDY authorized by NOKIA, my employer, to release this work under the following terms. NOKIA hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. **** Description: Currently when using the openldap client and try to connect to LDAP server using LDAP URL, client automatically binds to an IP address returned by kernel. For example, in the below usage, client automatically binds to an IP address returned by kernel. ldapsearch -H ldap://10.63.57.239:389 D "uid=admin, ou=administrators, ou=topologymanagement, o=netscaperoot" -x -w admin -b "uid=baha, ou=people, ou=accounts, ou=region-911080, ou=regions, ou=netact, dc=noklab, dc=net, dc=localdomain" But if we want to route the traffic on a specific interface/IP address, currently there is no provision. And the idea or enhancement is to introduce such provision by giving source bind IP address in the URL in the following format. ldap://TARGET-IP-ADDRESS@SOURCE-BIND-IP-ADDRESS:PORT For example, ldapsearch -H ldap://10.63.57.239@10.37.220.9:389 D "uid=admin, ou=administrators, ou=topologymanagement, o=netscaperoot" -x -w admin -b "uid=baha, ou=people, ou=accounts, ou=region-911080, ou=regions, ou=netact, dc=noklab, dc=net, dc=localdomain" Note this feature is backward compatible, that is, it is optional to provide source bind IP address in the URL. This feature also supports IPV6 addresses.

5 years, 1 month

1
0
0 / 0

(ITS#8846) Patch to introduce new LDAP option to ignore hostname checking while verifying certificates in TLS mode

by sudhir.singam＠nokia.com

Full_Name: Singam Sudhir Reddy Version: master branch OS: fedora URL: ftp://ftp.openldap.org/incoming/sudhirsingam-180506.patch Submission from: (NULL) (61.1.232.154) The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by NOKIA. NOKIA has not assigned rights and/or interest in this work to any party. I, SINGAM SUDHIR REDDY authorized by NOKIA, my employer, to release this work under the following terms. NOKIA hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. **** Description: This is minor enhancement to introduce a new LDAP option "LDAP_OPT_X_TLS_DEMAND_EXCL_HOSTNAME_CHECK" to ignore hostname checking by client in TLS communication mode. This is very similar to "LDAP_OPT_X_TLS_DEMAND" LDAP option except that HOSTNAME checking is ignored. This option can be set by client either by using LDAP API "ldap_set_option" or can be globally set in the configuration file /etc/openldap/ldap.conf like below. TLS_REQCERT demand_excl_hostname_check Purpose: Generally operators use same set of certificates for different services (from different hosts) which support TLS communication. When such certificates are used, this option gives facility for openldap based services to ignore hostname checking at client side. ****

5 years, 1 month

1
0
0 / 0

(ITS#8845) Cannot preserve existing controls with new extended operations

by quanah＠openldap.org

Full_Name: Quanah Gibson-Mount Version: 2.4.46 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) As noted in the OpenLDAP source (http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/...) there is an issue with controls being reset with a new extended operation. This is problematic for a proxy auth mechanism being developed, as it needs to have the controls preserved while passing an extended op to slapd. A possibility would be to re-register the control, adding the corresponding extended operations, but the parsing function resets them so this unfortunately is not an option.

5 years, 1 month

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2018