openldap-bugs June 2018

openldap-bugs@openldap.org

14 participants
35 discussions

Re: (ITS#8772) Build fail: thr_posix.c:329:16: error: only weak aliases are supported on darwin
by ondra＠mistotebe.net 22 Jun '18

22 Jun '18

On Wed, Nov 15, 2017 at 04:59:57PM +0000, minfrin(a)sharp.fm wrote: > Hi all, > > I am seeing a build failure when trying to build openldap master on MacOS > Sierra: Hi Graham, a proposed patch series is available here: https://github.com/mistotebe/openldap/tree/its8772 Does it fix the build issues for you? Thanks, -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

Re: (ITS#7336) Ldapmodify crashes slapd when updating olcTLSVerifyClient attribute via TLS authentication
by ck＠cksoft.de 22 Jun '18

22 Jun '18

This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --214647081-852979057-1529664529=:67666 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8BIT Hi, On Fri, 22 Jun 2018, Ondřej Kuzník wrote: > On Sun, Mar 23, 2014 at 09:32:22AM +0000, ck(a)cksoft.de wrote: >> Hi, >> >> I can confirm that openldap-2.4.39 still has in issue with this. >> >> When connecting via TLS I tried to modify olcTLSVerifyClient from never >> to try with following ldif: >> >> dn: cn=config >> changetype: modify >> replace: olcTLSVerifyClient >> olcTLSVerifyClient: try >> >> this caused slapd to hang indefinetely. >> >> I was able to successfully modify above when connecting without TLS. >> >> I need to complete my current task but will set up a small proof of >> concept later on in my lab. > > Hi Christian, > have you been able to set up a test configuration that reproduces it > with latest OpenLDAP? A cursory test here doesn't seem to do anything of > the sort. this is 4 years old and I had totally forgetten about it. But I just happen to have a developement cluster running with both the affected 2.4.39 and new 2.4.46 nodes. I will try to test over the weekend and will give you feedback. Greetings Christian -- Christian Kratzer CK Software GmbH Email: ck(a)cksoft.de Wildberger Weg 24/2 Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer Web: http://www.cksoft.de/ --214647081-852979057-1529664529=:67666--

1 0

Re: (ITS#7336) Ldapmodify crashes slapd when updating olcTLSVerifyClient attribute via TLS authentication
by ondra＠mistotebe.net 22 Jun '18

22 Jun '18

On Sun, Mar 23, 2014 at 09:32:22AM +0000, ck(a)cksoft.de wrote: > Hi, > > I can confirm that openldap-2.4.39 still has in issue with this. > > When connecting via TLS I tried to modify olcTLSVerifyClient from never > to try with following ldif: > > dn: cn=config > changetype: modify > replace: olcTLSVerifyClient > olcTLSVerifyClient: try > > this caused slapd to hang indefinetely. > > I was able to successfully modify above when connecting without TLS. > > I need to complete my current task but will set up a small proof of > concept later on in my lab. Hi Christian, have you been able to set up a test configuration that reproduces it with latest OpenLDAP? A cursory test here doesn't seem to do anything of the sort. Thanks, -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

(ITS#8868) Inefficiency when processing certain search filters
by quanah＠openldap.org 21 Jun '18

21 Jun '18

Full_Name: Quanah Gibson-Mount Version: 2.4.46 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) Certain search filters are not processed efficiently in the back-{bhm}db code base. An example is: "(|(&(subscriberid=1)(objectClass=XYZ))(&(subscriberid=2)(objectClass=XYZ)))" In this situation, the contiguous list of possibilities for the objectClass result gets turned into a range, causing each entry to be examined as a match. This significantly increases CPU load and causes a delay in returning the result. Re-arranging the search in the following manner bypasses this issue: (&(objectClass=XYZ)(|(subscriberid=1)(subscriberid=2)))" General timing with back-mdb: .477 seconds for the expensive search .020 seconds for the optimized search For back-bdb, the timing was: .665 seconds for the expensive search .020 seconds for the optimized search

1 0

Re: (ITS#8867) ldap_sasl_bind_s failed error during replication
by michael＠stroeder.com 21 Jun '18

21 Jun '18

The ITS is for reporting bugs only. Please subscribe to the openldap-technical mailing list and post your usage questions there: https://www.openldap.org/lists/mm/listinfo/openldap-technical Ciao, Michael.

1 0

(ITS#8867) ldap_sasl_bind_s failed error during replication
by appana.anil＠gmail.com 21 Jun '18

21 Jun '18

Full_Name: anil kumar appanna Version: 2.4 OS: RHEL URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (143.112.32.4) I configured multi master replication. The configuration went well without any errors, but the data is not replicated from one server to another one. When i looked at the log file, i am getting the below errors slap_client_connect: URI=ldap://***.com DN="cn=config" ldap_sasl_bind_s failed (-1) do_syncrepl: rid=001 rc -1 retrying slap_client_connect: URI=ldap://***.com DN="cn=ldapadm,dc=****,dc=com" ldap_sasl_bind_s failed (-1) appreciate any quick help. I am very new to openldap.

1 0

Re: (ITS#8842) NULL pointer derefence
by ondra＠mistotebe.net 21 Jun '18

21 Jun '18

On Tue, May 01, 2018 at 08:14:50PM +0000, openldap(a)katzen.cc wrote: > 2 small issues: > I'm keeping it brief, let me know if you need more information. > > A malicious LDAP server or mitm attacker can craft a response that causes the > ldap client to crash. Nothing critical, just a simoke DoS. > [...] > The problem here is that retoid can be NULL after ldap_parse_intermediate() is > called. > > Another NULL pointer dereference caused by a bad response: > [...] > The PoC leads to memcpy being called with a NULL pointer as second argument > (ava->la_value.bv_val) in dn2domain() (libraries/libldap/getdn.c): > > AC_MEMCPY( str, ava->la_value.bv_val, ava->la_value.bv_len + 1); Both are fixed in this branch: https://github.com/mistotebe/openldap/tree/its8842 -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

Re: (ITS#8866) RFE: slapo-constraint to return filter used in diagnostic message
by michael＠stroeder.com 20 Jun '18

20 Jun '18

On 06/20/2018 01:41 PM, Michael Ströder wrote: > Ouch! This was not yet complete. I'll come up with a new revision soon. Please review this patch: https://www.stroeder.com/temp/0001-ITS-8866-slapo-unique-to-return-filter-u… Disclaimer: I'm not a C programmer. Thanks for your patience. Ciao, Michael.

1 0

Re: (ITS#8866) RFE: slapo-constraint to return filter used in diagnostic message
by michael＠stroeder.com 20 Jun '18

20 Jun '18

On 06/20/2018 01:26 PM, michael(a)stroeder.com wrote: > Find the patch against master here: > https://www.stroeder.com/temp/0001-ITS-8866-slapo-unique-to-return-filter-u… Ouch! This was not yet complete. I'll come up with a new revision soon. Ciao, Michael.

1 0

Re: (ITS#8866) RFE: slapo-constraint to return filter used in diagnostic message
by michael＠stroeder.com 20 Jun '18

20 Jun '18

Rationale: This patch is meant to enhance user experience in case a client software is used to maintain data directly via LDAP. This is a real-world issue. Find the patch against master here: https://www.stroeder.com/temp/0001-ITS-8866-slapo-unique-to-return-filter-u… Also cleanly applies to RE24 and therefore could be easily added to upcoming release 2.4.47. ;-)

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs June 2018