(ITS#8968) Async connect mode does not work on Solaris
by vsmith@interlinknetworks.com
Full_Name: Vernon Smith
Version: 2.4.47
OS: Solaris 10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2601:40d:4300:679a:c0c9:ced:d06f:39a4)
I have managed to upgrade to version 2.4.47 libldap libraries using the Linux OS
and async connect mode works fine. But when I tried to upgrade to 2.4.47 using
Solaris OS and use async connect mode, no connections could be established to
the ldap server. The libldap code did not even send the ldap request to the ldap
server. The ldap debug trace showed it just freeing the request and returning an
unable to connect. I traced the issue to the routine ldap_int_flush_request
which checks the sock_errno return code for EAGAIN but Solaris 10 returns
ENOTCONN. This error code seems to mean the same thing as EAGAIN. I changed the
code to test for either return code and the async connect works for both Linux
and Solaris now. Here is my patch.
diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
index 9355d7e..321b79f 100644
--- a/libraries/libldap/request.c
+++ b/libraries/libldap/request.c
@@ -184,7 +184,7 @@ ldap_int_flush_request(
LDAP_ASSERT_MUTEX_OWNER( &ld->ld_conn_mutex );
if ( ber_flush2( lc->lconn_sb, lr->lr_ber, LBER_FLUSH_FREE_NEVER ) != 0 ) {
- if ( sock_errno() == EAGAIN ) {
+ if (( sock_errno() == EAGAIN ) || ( sock_errno() == ENOTCONN )) {
/* need to continue write later */
lr->lr_status = LDAP_REQST_WRITING;
ldap_mark_select_write( ld, lc->lconn_sb );
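Review bot: the new condition on the `+` line treats ENOTCONN as a retry unconditionally, so a socket that is not connected for any other reason would also be set to LDAP_REQST_WRITING and marked for select-write instead of failing. Restrict the ENOTCONN case to connections where an async connect is still pending, and add a comment naming the platform that returns it. sock_errno() is also evaluated twice in the same condition; read it once into a local and compare that.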
Thanks,
Vern
4 years, 7 months
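The retry decision discussed in ITS#8968 above, written out as an added example; it is not part of the original report and not libldap code. `classify_flush_error`, `enum flush_action` and the `connect_pending` flag are hypothetical names, and using SO_ERROR to tell a pending connect from a failed one is this example's assumption about how a caller would make that distinction.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>

/* Hypothetical names for this example; not libldap identifiers. */
enum flush_action { FLUSH_RETRY_LATER, FLUSH_FAIL };

/*
 * Decide what to do after a failed write on a non-blocking socket.
 *   fd              - the socket that was written to
 *   err             - errno captured once, right after the failed write
 *   connect_pending - non-zero if a non-blocking connect() was started on
 *                     fd and has not yet been confirmed complete
 */
enum flush_action classify_flush_error(int fd, int err, int connect_pending)
{
    int so_error = 0;
    socklen_t len = sizeof(so_error);

    /* Write cannot proceed yet (the code the report sees on Linux). */
    if (err == EAGAIN || err == EWOULDBLOCK)
        return FLUSH_RETRY_LATER;

    /* ENOTCONN (the code the report sees on Solaris 10) only means
     * "try again" while our own connect is still pending. */
    if (err == ENOTCONN && connect_pending) {
        /* A non-zero SO_ERROR means the connect has already failed. */
        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &so_error, &len) != 0)
            return FLUSH_FAIL;
        return so_error == 0 ? FLUSH_RETRY_LATER : FLUSH_FAIL;
    }

    /* ENOTCONN with no connect in flight, EPIPE, ECONNRESET, ... */
    return FLUSH_FAIL;
}

int main(void)
{
    /* Constructed input: a socket that was never connected. */
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);

    printf("ENOTCONN, connect pending: %s\n",
           classify_flush_error(fd, ENOTCONN, 1) == FLUSH_RETRY_LATER ? "retry" : "fail");
    printf("ENOTCONN, no connect:      %s\n",
           classify_flush_error(fd, ENOTCONN, 0) == FLUSH_RETRY_LATER ? "retry" : "fail");
    return 0;
}
```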
(ITS#8967) back-mdb "unchecked" limit broken vs. search scope
by h.b.furuseth@usit.uio.no
Full_Name: Hallvard Breien Furuseth
Version: 2.4.47
OS: Linux
URL:
Submission from: (NULL) (2001:700:100:202::105)
The size.unchecked limit does not seem to consider search scope
other than 'base' in back-mdb.
$ ldapsearch -LLL -xh localhost:3890 -b l=there '(l=over)' 1.1
dn: l=over,l=here,l=there
$ ldapsearch -LLL -xh localhost:3890 -b l=over,l=here,l=there 1.1
Administrative limit exceeded (11)
$ ldapsearch -LLL -xh localhost:3890 -b l=over,l=here,l=there -s base 1.1
dn: l=over,l=here,l=there
$ cat test.ldif
dn: l=there
objectClass: locality
dn: l=here,l=there
objectClass: locality
dn: l=over,l=here,l=there
objectClass: locality
dn: l=under,l=here,l=there
objectClass: locality
$ cat test.conf
include schema/core.schema
loglevel 0
sizelimit size.unchecked=3
database mdb
directory test.db
suffix l=there
index l,objectClass eq
4 years, 7 months
Re: (ITS#8957)
by quanah@symas.com
--On Wednesday, January 30, 2019 1:44 AM -0500 Vernon Smith
<vsmith(a)interlinknetworks.com> wrote:
> I tried to upload it to the openldap ftp server but was not successful so
> I am trying the patch again here.
>
> diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
> index bb81d86..20b3dfc 100644
> --- a/libraries/libldap/open.c
> +++ b/libraries/libldap/open.c
> @@ -489,7 +489,7 @@ ldap_int_open_connection(
> #endif
>
> #ifdef HAVE_TLS
> - if (rc == 0 && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
> + if ((rc == 0 || rc == -2) && ( ld->ld_options.ldo_tls_mode ==
> LDAP_OPT_X_TLS_HARD || strcmp( srv->lud_scheme, "ldaps" ) == 0 ))
> {
> ++conn->lconn_refcnt; /* avoid premature free */
That worked, thanks!
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
4 years, 7 months
Re: (ITS#8957)
by vsmith@interlinknetworks.com
I tried to upload it to the openldap ftp server but was not successful so I am trying
the patch again here.
diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
index bb81d86..20b3dfc 100644
--- a/libraries/libldap/open.c
+++ b/libraries/libldap/open.c
@@ -489,7 +489,7 @@ ldap_int_open_connection(
#endif
#ifdef HAVE_TLS
- if (rc == 0 && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
+ if ((rc == 0 || rc == -2) && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
strcmp( srv->lud_scheme, "ldaps" ) == 0 ))
{
++conn->lconn_refcnt; /* avoid premature free */
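Review bot: `rc == -2` on the `+` line is a bare magic number, and nothing in the hunk says that -2 means the connect is still in progress; add a comment (or a named constant) at the test so the next reader does not take it for an error code. The hunk also does not show what rc holds once this block has run: if the TLS step overwrites it, callers can no longer tell an in-progress connect from a completed one, so that is worth confirming in the rest of ldap_int_open_connection.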
Thanks,
Vern
On Tue, January 29, 2019 12:29 pm, Quanah Gibson-Mount wrote:
> --On Tuesday, January 29, 2019 4:51 PM +0000 vsmith(a)interlinknetworks.com
> wrote:
>
>
>
>
>> --- openldap-2.4.47/libraries/libldap/open.c?????? 2018-12-19
>> 10:57:06.000000000 -0500
>> +++ openldap-2.4.47.mod/libraries/libldap/open.c?????? 2019-01-26
>> 18:24:48.000000000 -0500
>> @@ -440,7 +440,7 @@
>> ??#endif
>>
>>
>> ??#ifdef HAVE_TLS
>> -?????? if (rc == 0 && ( ld->ld_options.ldo_tls_mode ==
>> LDAP_OPT_X_TLS_HARD || +?????? if ((rc == 0 || rc == -2) && (
>> ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD || ???????? ?????? strcmp(
>> srv->lud_scheme, "ldaps" ) == 0 )) ???????? {
>> ???????? ?????? ++conn->lconn_refcnt;?????? /* avoid premature free */
>>
>
> This is not a valid patch. I don't know if it's your email client that is
> destroying the patch? I suggest uploading it to the FTP site and responding with the
> link to the file.
>
> Thanks,
> Quanah
>
>
>
> --
>
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
>
4 years, 7 months
Re: (ITS#8957)
by quanah@symas.com
--On Tuesday, January 29, 2019 4:51 PM +0000 vsmith(a)interlinknetworks.com
wrote:
> --- openldap-2.4.47/libraries/libldap/open.c?????? 2018-12-19
> 10:57:06.000000000 -0500
> +++ openldap-2.4.47.mod/libraries/libldap/open.c?????? 2019-01-26
> 18:24:48.000000000 -0500
> @@ -440,7 +440,7 @@
> ??#endif
>
> ??#ifdef HAVE_TLS
> -?????? if (rc == 0 && ( ld->ld_options.ldo_tls_mode ==
> LDAP_OPT_X_TLS_HARD || +?????? if ((rc == 0 || rc == -2) && (
> ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
> ???????? ?????? strcmp( srv->lud_scheme, "ldaps" ) == 0 ))
> ???????? {
> ???????? ?????? ++conn->lconn_refcnt;?????? /* avoid premature free */
This is not a valid patch. I don't know if it's your email client that is
destroying the patch? I suggest uploading it to the FTP site and
responding with the link to the file.
Thanks,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
4 years, 7 months
(ITS#8957)
by vsmith@interlinknetworks.com
I reviewed some of the initial discussion about this same issue which
led to this fix in version 2.4.26, "Fixed libldap ASYNC TLS setup
(ITS#6828)", and looked at the code that Ian Puleston suggested should
be fixed in ldap_int_open_connection. This routine does have the code to
do what was needed for TLS to work but was not called since it received an
error code of -2 not 0. The -2 simply indicated that this was an
asynchronous call. I changed the test to call the TLS setup if the
return code was either 0 or -2. This fixes my issue. Here is my patch.
--- openldap-2.4.47/libraries/libldap/open.c 2018-12-19
10:57:06.000000000 -0500
+++ openldap-2.4.47.mod/libraries/libldap/open.c 2019-01-26
18:24:48.000000000 -0500
@@ -440,7 +440,7 @@
#endif
#ifdef HAVE_TLS
- if (rc == 0 && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
+ if ((rc == 0 || rc == -2) && ( ld->ld_options.ldo_tls_mode ==
LDAP_OPT_X_TLS_HARD ||
strcmp( srv->lud_scheme, "ldaps" ) == 0 ))
{
++conn->lconn_refcnt; /* avoid premature free */
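Review bot: this copy will not apply as posted, because the `---`/`+++` header lines and the `+` line are each wrapped onto a second line, so the added condition continues on a line with no `+` prefix and the hunk no longer matches its `@@ -440,7 +440,7 @@` counts. Resend it with line wrapping disabled or as an attachment.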
Thanks,
Vernon
4 years, 7 months
(ITS#8965) ldap proxy segmentation fault
by praveen.adini@fireeye.com
Full_Name: Praveen Adini
Version: 2.4.47-r2
OS: Alpine Containers
URL:
Submission from: (NULL) (209.135.212.252)
I'm trying to set up an OpenLDAP proxy wherein the proxy denies any search
requests for uid=root. When I tried using the rwm overlay to stop the
operation(#), I'm getting a segmentation fault although I see the unwilling to
perform operation 53 message being printed. Here is the snippet of the conf that
I'm using.
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext searchFilter
rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
4 years, 7 months
Re: (ITS#8957)
by quanah@symas.com
Hi,
Please read:
<https://www.openldap.org/devel/contributing.html>
and re-submit the patch accordingly. Please do not use HTML email.
Thanks!
--On Tuesday, January 29, 2019 6:05 AM +0000 vsmith(a)interlinknetworks.com
wrote:
> <html>
> <head>
>
> <meta http-equiv="content-type" content="text/html; charset=UTF-8">
> </head>
> <body text="#000000" bgcolor="#FFFFFF">
> <p><font face="Calibri">I reviewed some of the initial discussion
> about this same issue which led to this fix in version 2.4.26,
> "</font>Fixed libldap ASYNC TLS setup (ITS#6828)", and looked at
> the code that Ian Puleston suggested should be fixed in
> ldap_int_open_connection. This routine does have the code to do
> what was needed for TLS to work but was not called since it received
> an error code of -2 not 0. The -2 simply indicated that this was
> an asynchronous call. I changed the test to call the TLS setup if
> the return code was either 0 or -2. This fixes my issue. Here is
> my patch.</p>
> <p>--- openldap-2.4.47/libraries/libldap/open.c?????? 2018-12-19
> 10:57:06.000000000 -0500<br>
> +++ openldap-2.4.47.mod/libraries/libldap/open.c?????? 2019-01-26
> 18:24:48.000000000 -0500<br>
> @@ -440,7 +440,7 @@<br>
> ??#endif<br>
> ??<br>
> ??#ifdef HAVE_TLS<br>
> -?????? if (rc == 0 && ( ld->ld_options.ldo_tls_mode ==
> LDAP_OPT_X_TLS_HARD ||<br>
> +?????? if ((rc == 0 || rc == -2) && (
> ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||<br>
> ???????? ?????? strcmp( srv->lud_scheme, "ldaps" ) == 0 ))<br>
> ???????? {<br>
> ???????? ?????? ++conn->lconn_refcnt;?????? /* avoid premature
> free */<br> </p>
> <p><font face="Arial,Verdana,Helvetica">Thanks,<br>
> Vern</font><br>
> <font face="Arial,Verdana,Helvetica"></font></p>
> </body>
> </html>
>
>
>
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
4 years, 7 months