fturco(a)fastmail.fm wrote:
> Full_Name: Francesco Turco
> Version: 2.4.45
> OS: Gentoo Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:b07:2eb:c9ed:21c:c0ff:fead:3d70)
>
>
> The Portage package manager reports the following warning message when building
> net-nds/openldap-2.4.45 on Gentoo Linux:
>
> * This package has a configure.in file which has long been deprecated. Please
> * update it to use configure.ac instead as newer versions of autotools will die
> * when it finds this file. See https://bugs.gentoo.org/426262 for details.
>
> Original bug report: https://bugs.gentoo.org/607686
Not a priority. The version of autoconf we use has been frozen for a long time
and isn't going to change any time soon. End-users aren't expected to run the
autotools themselves anyway, only the OpenLDAP Release Engineer does that. And
changing filenames out of the blue is not viewed fondly by people trolling
commit histories.
Closing this ITS.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Full_Name: Francesco Turco
Version: 2.4.45
OS: Gentoo Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:b07:2eb:c9ed:21c:c0ff:fead:3d70)
The Portage package manager reports the following warning message when building
net-nds/openldap-2.4.45 on Gentoo Linux:
* This package has a configure.in file which has long been deprecated. Please
* update it to use configure.ac instead as newer versions of autotools will die
* when it finds this file. See https://bugs.gentoo.org/426262 for details.
Original bug report: https://bugs.gentoo.org/607686
Full_Name: HsuenJu Ko
Version: 2.4.46
OS: VOS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (198.97.42.5)
A multi-threaded test case using the C API experiences a hang involving
a cancel operation. One thread which performs the cancel operation hangs
waiting for a mutex (ld_conn_mutex) in ldap_send_initial_request while
the other thread is performing the ldap_result loop waiting for the result
of a search operation. The same mutex is held by wait4msg() across the
ldap_int_select() call. It appears that before ITS#6672 was installed,
the ld_conn_mutex was unlocked before ldap_int_select(), and after
ITS#6672 the unlock was moved to after ldap_int_select(), which causes
the thread performing the cancel to hang until ldap_result returns.
By holding this mutex across select(), all other threads needing
the mutex are frozen until this select completes.
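The ordering problem described in the report above, modelled as an added stand-alone C example that is not libldap code: ld_conn_mutex, wait4msg() and the ldap_int_select() comment borrow the report's names, while the pipe that never becomes readable and the timings are constructed to make the effect measurable.

```c
#define _XOPEN_SOURCE 700
#include <pthread.h>
#include <sys/select.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-ins for the libldap objects named in the report:
 * ld_conn_mutex plays ld->ld_conn_mutex, wait4msg() the ldap_result loop,
 * and a select() on a pipe that never becomes readable ldap_int_select(). */
static pthread_mutex_t ld_conn_mutex = PTHREAD_MUTEX_INITIALIZER;
static int pipefd[2];

static double now_ms(void) {
	struct timespec ts;
	clock_gettime(CLOCK_MONOTONIC, &ts);
	return ts.tv_sec * 1000.0 + ts.tv_nsec / 1e6;
}

/* hold_across_select = 1 models the post-ITS#6672 ordering (unlock after
 * ldap_int_select), 0 the earlier ordering (unlock before it). */
static void *wait4msg(void *arg) {
	int hold_across_select = *(int *)arg;
	struct timeval tv = { 0, 500 * 1000 };	/* 500 ms "search" timeout */
	fd_set rfds;
	pthread_mutex_lock(&ld_conn_mutex);
	if (!hold_across_select) pthread_mutex_unlock(&ld_conn_mutex);
	FD_ZERO(&rfds);
	FD_SET(pipefd[0], &rfds);
	select(pipefd[0] + 1, &rfds, NULL, NULL, &tv);	/* ldap_int_select() */
	if (hold_across_select) pthread_mutex_unlock(&ld_conn_mutex);
	return NULL;
}

/* The "cancel" thread: returns how many ms its lock of ld_conn_mutex (the
 * one ldap_send_initial_request takes) had to wait, or -1 on setup failure. */
double cancel_wait_ms(int hold_across_select) {
	pthread_t t;
	double start, waited;
	if (pipe(pipefd) != 0) return -1;
	pthread_create(&t, NULL, wait4msg, &hold_across_select);
	usleep(100 * 1000);			/* let wait4msg() reach select() */
	start = now_ms();
	pthread_mutex_lock(&ld_conn_mutex);	/* blocks only in the "hold" case */
	pthread_mutex_unlock(&ld_conn_mutex);
	waited = now_ms() - start;
	pthread_join(t, NULL);
	close(pipefd[0]); close(pipefd[1]);
	return waited;
}
```

With the mutex held across select(), the cancel side waits out the whole 500 ms timeout; with the unlock moved before select(), it proceeds immediately.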
On Mon, Jun 05, 2017 at 03:11:06PM +0000, gnoe(a)symas.com wrote:
> Slapcat is not honoring the '-g' option. The output includes entries from glued
> subordinates when it shouldn't. The attached test script
> (gregory-noe-170605.tar) sets up the following DIT with inetOrgPerson entries in
> each OU:
>
> dn: dc=example,dc=com
> |- ou=NonSub00,dc=example,dc=com
> |- ou=NonSub01,dc=example,dc=com
> |- ou=NonSub02,dc=example,dc=com
>
> glued sub: ou=Accounting,dc=example,dc=com
> glued sub: ou=Administrative,dc=example,dc=com
> glued sub: ou=Janitorial,dc=example,dc=com
>
> Then the script runs 'slapcat -g -b dc=example,dc=com | grep ^dn'. The result
> contains entries from all three glued subordinates.
Hi Gregory,
the branch linked below has a patch for this that makes the test
script you provided produce the expected output; let me know if it
fixes your issue:
https://github.com/mistotebe/openldap/tree/its8667
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
On Fri, Jun 22, 2018 at 06:17:15PM -0700, Quanah Gibson-Mount wrote:
> --On Saturday, June 23, 2018 1:56 AM +0000 quanah(a)symas.com wrote:
>
> >--On Friday, June 22, 2018 9:01 PM +0000 alexandr.nedvedicky(a)oracle.com
> >wrote:
> >
> >>Full_Name: Alexandr Nedvedicky
> >>Version: 2.46
> >>OS: Solaris 11.3
> >>URL: ftp://ftp.openldap.org/incoming/
> >>Submission from: (NULL) (141.143.193.76)
> >>
> >>
> >>Disclaimer: I understand I'm asking for change, which might be disruptive
> >>for many OpenLDAP users.
> >
> >Hi,
> >
> >This has already been covered extensively in
> ><http://www.openldap.org/its/index.cgi/?findid=5812>. If you prefer to
> >have it turned off
>
> Turned on, even. ;)
>
Thank you for the link. We will change the global ldap.conf we ship.
Regards,
sasha
--On Saturday, June 23, 2018 1:56 AM +0000 quanah(a)symas.com wrote:
> --On Friday, June 22, 2018 9:01 PM +0000 alexandr.nedvedicky(a)oracle.com
> wrote:
>
>> Full_Name: Alexandr Nedvedicky
>> Version: 2.46
>> OS: Solaris 11.3
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (141.143.193.76)
>>
>>
>> Disclaimer: I understand I'm asking for change, which might be disruptive
>> for many OpenLDAP users.
>
> Hi,
>
> This has already been covered extensively in
> <http://www.openldap.org/its/index.cgi/?findid=5812>. If you prefer to
> have it turned off
Turned on, even. ;)
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
--On Friday, June 22, 2018 9:01 PM +0000 alexandr.nedvedicky(a)oracle.com
wrote:
> Full_Name: Alexandr Nedvedicky
> Version: 2.46
> OS: Solaris 11.3
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (141.143.193.76)
>
>
> Disclaimer: I understand I'm asking for change, which might be disruptive
> for many OpenLDAP users.
Hi,
This has already been covered extensively in
<http://www.openldap.org/its/index.cgi/?findid=5812>. If you prefer to
have it turned off for all clients on a system, you can use your global
ldap.conf file to do so. The project will not be changing long-standing
behavior. But I appreciate your time in filing the ITS.
Warm regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Full_Name: Alexandr Nedvedicky
Version: 2.46
OS: Solaris 11.3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.143.193.76)
Disclaimer: I understand I'm asking for a change which might be disruptive for
many OpenLDAP users.
The issue popped up as fallout of the transition from Mozilla LDAP to OpenLDAP.
Mozilla LDAP does not canonicalize the hostname using DNS by default, while
OpenLDAP does the exact opposite. Using DNS to canonicalize hosts to a domain
name opens a potential attack vector via DNS spoofing.
For example, the Samba client opts out of name canonicalization; the
snippet comes from lib/libsmbns/common/smbns_ads.c:
/*
 * smb_ads_open
 *
 * Open an LDAP connection to a discovered AD server for the specified domain.
 * Specify our capability to support LDAP_VERSION3 when binding to the AD
 * server. On success, returns an AD handle. Otherwise, returns NULL.
 *
 * By default, 'encrypt_ldap' property is set to B_TRUE. For debugging
 * purposes, it can be set to B_FALSE to disable LDAP encryption.
 *
 * Pre-condition:
 * A Kerberos TGT ticket must be found in ccache in order to acquire a LDAP
 * service ticket.
 *
 * Parameters:
 * domain - fully-qualified domain name
 */
static smb_ads_handle_t *
smb_ads_open(char *domain)
{
....
		(void) ldap_unbind(ld);
		return (NULL);
	}

	(void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
	(void) ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);

	ah->ld = ld;
	ah->domain = strdup(domain);

	if (ah->domain == NULL) {
		smb_ads_close(ah);
		smb_ads_free_host(ads_host);
		return (NULL);
	}

I can't tell how other projects handle, or prefer to handle, the NOCANON
option. Solaris is considering tightening the knob and saying 'yes to NOCANON'
in order to suppress hostname canonicalization.
As I've said, I fully understand if you decide not to change the current
default, as the change might hurt many users. I would just rather share the
experience we got when switching from Mozilla LDAP to OpenLDAP.
Full_Name: Francesco Turco
Version: 2.4.45
OS: Gentoo Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:b07:2eb:c9ed:21c:c0ff:fead:3d70)
My GNU/Linux distribution is Gentoo Linux. When installing
net-nds/openldap-2.4.45 the Portage package manager reports the following
warning:
* QA Notice: Package triggers severe warnings which indicate that it
* may exhibit random runtime failures.
* /var/tmp/portage/net-nds/openldap-2.4.45/work/openldap-2.4.45/libraries/libldap/open.c:251:7: warning: implicit declaration of function ldap_is_ldapc_url; did you mean ldap_is_ldapi_url? [-Wimplicit-function-declaration]
* /var/tmp/portage/net-nds/openldap-2.4.45/work/openldap-2.4.45/libraries/libldap_r/thr_posix.c:93:9: warning: implicit declaration of function pthread_setconcurrency; did you mean pthread_setcanceltype? [-Wimplicit-function-declaration]
* /var/tmp/portage/net-nds/openldap-2.4.45/work/openldap-2.4.45/libraries/libldap_r/thr_posix.c:107:9: warning: implicit declaration of function pthread_getconcurrency; did you mean ldap_pvt_thread_get_concurrency? [-Wimplicit-function-declaration]
* open.c:251:7: warning: implicit declaration of function ldap_is_ldapc_url; did you mean ldap_is_ldapi_url? [-Wimplicit-function-declaration]
* /var/tmp/portage/net-nds/openldap-2.4.45/work/openldap-2.4.45/servers/slapd/back-ldap/bind.c:722:2: warning: implicit declaration of function slap_client_keepalive; did you mean slap_client_connect? [-Wimplicit-function-declaration]
* /var/tmp/portage/net-nds/openldap-2.4.45/work/openldap-2.4.45/servers/slapd/back-meta/conn.c:424:2: warning: implicit declaration of function slap_client_keepalive; did you mean slap_client_connect? [-Wimplicit-function-declaration]
* cloak.c:246:4: warning: implicit declaration of function attr_clean; did you mean entry_clean? [-Wimplicit-function-declaration]
* Please do not file a Gentoo bug and instead report the above QA
* issues directly to the upstream developers of this software.
* Homepage: http://www.OpenLDAP.org/
Other tests might need to use the ldaps urls added with ITS#8573, the
patch at https://github.com/mistotebe/openldap/tree/its8573-tables
makes them available to scripts and $CONFFILTER users.
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP