openldap-bugs April 2020

openldap-bugs@openldap.org

2 participants
338 discussions

[Bug 8591] back-perl: segmentation fault when loading SampleLDAP.pl
by openldap-its＠openldap.org 23 Apr '20

23 Apr '20

https://bugs.openldap.org/show_bug.cgi?id=8591 --- Comment #2 from Ryan Tandy <ryan(a)openldap.org> --- Created attachment 720 --> https://bugs.openldap.org/attachment.cgi?id=720&action=edit backtrace Reproduced on Debian unstable (sid) with OpenLDAP 2.4.49 and Perl 5.30. Attaching a better backtrace. I note that it doesn't happen every time, sometimes it does start up fine. So the crash is here: https://sources.debian.org/src/perl/5.30.0-10/util.c/#L5415 (gdb) p my_perl $1 = (PerlInterpreter *) 0x0 (gdb) p &my_perl->Ixsubfilename $2 = (const char **) 0x5d8 When it doesn't crash, my_perl is equal to PL_curinterp. (gdb) p my_perl $1 = (PerlInterpreter *) 0x7fffa8106560 (gdb) p PL_curinterp $2 = (PerlInterpreter *) 0x7fffa8106560 (gdb) p my_perl == PL_curinterp $3 = 1 my_perl seems to come from Perl_get_context(): https://sources.debian.org/src/perl/5.30.0-10/util.c/?hl=3339#L3339 The corresponding pthread_setspecific() happens inside perl_back_initialize. #0 __GI___pthread_setspecific (key=3, value=value@entry=0x7fffa8106560) at pthread_setspecific.c:33 #1 0x00007fffb5aac68e in S_init_tls_and_interp (my_perl=0x7fffa8106560) at perl.c:92 #2 perl_alloc () at perl.c:200 #3 0x00007ffff71aa70a in perl_back_initialize (bi=0x7ffff71b1220 <bi>) Later, Perl_eval_pv invokes a DynaLoader to load the eval'ed code. This module's startup is where Perl_xs_handshake is called, to check for compatibility between the library's global Perl context (Perl_get_context()) and the one passed in from the application (implicit argument to Perl_eval_pv()). Normally these would just be the same. Anyway, this looks like a pretty simple bug in back_perl: we're just missing a PERL_SET_CONTEXT() in perl_cf(), so it crashes if called from a different thread than perl_back_initialize(). We should audit and make sure every back_perl entry point calls it. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 8591] back-perl: segmentation fault when loading SampleLDAP.pl
by openldap-its＠openldap.org 23 Apr '20

23 Apr '20

https://bugs.openldap.org/show_bug.cgi?id=8591 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9237 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 8707] slapd: Add systemd service notification support
by openldap-its＠openldap.org 23 Apr '20

23 Apr '20

https://bugs.openldap.org/show_bug.cgi?id=8707 Ryan Tandy <ryan(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9240 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 8619] Enhancement request: Nested group support using dynlist recursion
by openldap-its＠openldap.org 23 Apr '20

23 Apr '20

https://bugs.openldap.org/show_bug.cgi?id=8619 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |OL_2_5_REQ Target Milestone|--- |2.5.0 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 6035] slapd requires restart after modifying olcAuthzRegexp
by openldap-its＠openldap.org 22 Apr '20

22 Apr '20

https://bugs.openldap.org/show_bug.cgi?id=6035 --- Comment #11 from Ryan Tandy <ryan(a)openldap.org> --- Commits: 7ce47405 by Ryan Tandy at 2020-04-16T09:51:28-07:00 ITS#6035 Fix test076 to specify SASL mech Still not ideal though. DIGEST-MD5 seems to be a Linux-centric (or maybe cyrus-sasl-centric) default. May need to make this opt-in, like test028. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 5573] Attribute types 'entryCSN' and 'contextCSN' not available in subschema
by openldap-its＠openldap.org 22 Apr '20

22 Apr '20

https://bugs.openldap.org/show_bug.cgi?id=5573 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |TEST Keywords|OL_2_5_REQ | Status|IN_PROGRESS |RESOLVED --- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Commits: • 96fedda6 by Quanah Gibson-Mount at 2020-04-22T18:59:38+00:00 ITS#5573 - Expose contextCSN, entryCSN in subschema entry -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 5500] comments in cn=config entries
by openldap-its＠openldap.org 22 Apr '20

22 Apr '20

https://bugs.openldap.org/show_bug.cgi?id=5500 --- Comment #5 from Karl O. Pinc <kop(a)karlpinc.com> --- Here are portions of a current slapd.conf file to provide some idea of the comments that "need" preserving. (Note also the use of newlines and whitespace to make values readable. But that's another enhancement request.) This config applies to a very dated version of openldap. While one might want to argue that documentation on, say, creating a crypted password, belongs elsewhere, the only time anyone needs to make a crypted password was to edit this config file. So why have a separate document? include /etc/openldap/schema/core.schema # Cosine is the X500 telephone schema, but we need attributes in there include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema # We don't want nis, but we do need it's attributes include /etc/openldap/schema/nis.schema #include /etc/openldap/schema/redhat/rfc822-MailMember.schema #include /etc/openldap/schema/redhat/autofs.schema #include /etc/openldap/schema/redhat/kerberosobject.schema # Here's where inetMailRecipient is defined include /etc/openldap/schema/misc.schema # TROW specific stuff include /etc/openldap/schema/trow.schema # PWM specific stuff include /etc/openldap/schema/pwm.schema # eduPerson include /etc/openldap/schema/eduperson.schema # Amavisd-new stuff include /etc/openldap/schema/amavisd-new.schema TLSCipherSuite !ADH:MEDIUM:HIGH:!SSLv2:@STRENGTH # # The next three lines allow use of TLS for connections using a dummy test # certificate, but you should generate a proper certificate by changing to # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. # # Used the procedure below (openssl-0.9.6b-35.7) to make a # self-signed certificate for trixie.trow.com rsa key 1024 bits, expires # 365 days from Jul 23, 2003. (Karl) # #TLSCACertificateFile /var/openssl/demoCA/cacert.pem #TLSCertificateFile /etc/openldap/ssl.crt/trixie.crt #TLSCertificateKeyFile /etc/openldap/ssl.key/trixie-rsa-1024.key # # Self signed cert expires 2037. # TLSCertificateFile /etc/openldap/certificates/trixie-trow-com-cert.pem TLSCertificateKeyFile /etc/openldap/certificates/trixie-trow-com-key.pem # Nice as it is to be logging, Sam, it uses up a lot of resources. # Turn off logging. # loglevel 0 # Log search filter processing, config file parsing, access control processing # (useful for debugging access rules) #loglevel 224 # Log configuration file parsing (and errors!) #loglevel 64 loglevel 256 # To generate a crypted password, try: # perl -e 'print("rootpw {crypt}" . crypt("secretpassword","sa") . "\n");' # "secretpassword" is the password, "sa" is the salt. # (FYI, the salt used in /etc/passwd is the first 2 chars of the # encrypted password.) # We should really be using something better than crypt # to protect our password database! #rootpw {crypt}elLJ3HpZEUmIA # # To generate a md5 password, try: # perl -e 'print("rootpw {crypt}" # . crypt("secretpassword", "\$1\$somesalt") # . "\n");' # (Yes, {crypt} is correct -- system crypt() call handles md5.) # "secretpassword" is the password, "$1$somesalt" is the salt. # (should be 8 chars in addition to the leading $1$). # (FYI, the salt used in /etc/shadow is from the beginning of the # encrypted password up to and including the third dollar sign. # In the program above, all dollar signs should be written with # a preceeding backslash.) # Slave server replication. (for this database) # (This is all probably unnecessary, because we're not making # dynamic changes to the datbase anyhow.) # # Um, we could use kerberos instead of having a plaintext password # here. I can't say for sure, but it occurs to me that the # kerberos keys can't be stored in the filesystem and protected # better than by simply makeing them unreadable to anybody but root. # As long as this file is only readable by root (and we're not # worried about network sniffing) this should be sufficient. # Need to turn this off in order to replicate to Openldap 2.3 and 2.4. # Operational attributes are blown away by oracle2ldap daily anyway. lastmod off # # Need to set a limit here as a lot of children accumulate over time # and they each use close to 50MB of RAM. 3/30/04 Sam # threads 20 defaultaccess none # Evaluated in order. # CAREFUL, collating sequence could mean weird < compares. # Give the standard sort of unix access. Everybody can read # most stuff, but can't see the password. (Besides, more restrictive # access doesn't work.) # Be persnickity and do some filtering. # (except that we're filtering them out when we load the database) # access to filter="(&(objectclass=posixaccount)(uid<1000))" none # access to filter="(&(objectclass=posixgroup)(memberuid<900))" none # Order of access controls is very important! First "access ..." match wins! # Without a <control> after the <who>, it's only <what> that determines # the match. # As many of the 2.1 rules use the "by * + break" construct it might # be possible to enhance performance by re-ordering the rules so that # the most common matches are done early, but care is in (*ahem*) order. # The uid of password maintainers _must_ be the primary uid! # Some programs use the rootdn (Manager) to obtain global read/write # access. The only problem with this is oracle2ldap, where # if the database gets changed while oracle2ldap has the # database in read-only mode, the changes will be lost when # the database is replaced with the new database. # # Shipinet and GADS need to read the entire DB. # At the top to speed things up as ACL processing is hugely inefficient in this # version of LDAP. # access to * by dn.exact="cn=shipinet,ou=Service,dc=trow,dc=com" read by dn.exact="cn=gadirsync,ou=Service,dc=trow,dc=com" read by * + break # # Allow any authenticated users to see the intrinsic root dn. # access to dn.base="" by users read by * + break # #Oracle Self Service # access to dn.subtree="ou=People,dc=trow,dc=com" attrs=entry,preferredUid,oraclePClass,oracleId,preferredEmail,gec os,cn by dn.exact="cn=selfservice,ou=Service,dc=trow,dc=com" read by * + break access to dn.subtree="ou=People,dc=trow,dc=com" attrs=objectClass by dn.exact="cn=selfservice,ou=Service,dc=trow,dc=com" search by * + break # # Other global access # # (This is not really necessary and slows things down a _mite_, but is kind.) # Shipinet does need these -- I think. access to dn="^dc=trow,dc=com$" by * read # # Control access to the Service branch of the ldap database. # # Allow the "syscheck" service to read itself. access to dn.base="cn=syscheck,ou=Service,dc=trow,dc=com" by self read by * + break # PWM LDAP connection health checks. # Remove 'pwmGUID' once the three instances are using their own GUID attrs. access to dn.regex="^cn=pwmhealth[^,]*,ou=Service,dc=trow,dc=com$" attrs=entry,userPassword,pwmGUID,pwmLiveGUID,pwmTestGUID,pwmDevGUID by dn.exact="cn=pwm,ou=Service,dc=trow,dc=com" write by * + break access to dn.regex="^cn=pwmhealth[^,]*,ou=Service,dc=trow,dc=com$" by dn.exact="cn=pwm,ou=Service,dc=trow,dc=com" read by * + break # Apparently PWM needs to read its own objectClasses. access to dn.base="cn=pwm,ou=Service,dc=trow,dc=com" attrs=entry,objectClass by self read by * + break # Folks in Network Services can write, service DNs can bind. access to dn.subtree=ou=Service,dc=trow,dc=com by dn.exact="uid=swilson,ou=People,dc=trow,dc=com" write by dn.exact="uid=jswan,ou=People,dc=trow,dc=com" write by dn.exact="uid=fdavidson,ou=People,dc=trow,dc=com" write by anonymous auth # # Contral access to the group branch. # access to dn.subtree="ou=Group,dc=trow,dc=com" by dn.exact="cn=nss_ldap,ou=Service,dc=trow,dc=com" read by dn.exact="uid=swilson,ou=People,dc=trow,dc=com" write by dn.exact="uid=jswan,ou=People,dc=trow,dc=com" write by dn.exact="uid=fdavidson,ou=People,dc=trow,dc=com" write by * compare # # The rest of this is access to the People branch. # # # Binding # # These access lists disable binding to subsets of the directory. # # Accounts must be active for the user to bind. # # When firstActivated is missing, the account's not yet activated. # If the deactivated attribute is present then the account's # been deactivated. access to dn.subtree="ou=People,dc=trow,dc=com" filter=(|(!(firstActivated=*))(deactivated=*)) attrs=entry by anonymous none by * + break # # Configure the Service dn-s access to the People subtree. # # Try to put services that need to sync with LDAP, thus reading the whole direct ory (or a large # part) as near the top of this section as possible, as complex ACL processing a gainst a large # number of entries degrades performance substantially. # # Uniflow printing system. # access to dn.subtree="ou=People,dc=trow,dc=com" filter=(&(objectClass=AICPerson)(firstActivated=*)(!(deactivated=*))) attrs=entry,preferredUid,preferredEmail,organizationalStatus,gecos,consti tuency,objectClass,telephoneNumber,AICDepartment by dn.exact="cn=uniflow,ou=Service,dc=trow,dc=com" read by * + break # # nss_ldap (the glibc library and pam) # # (objectclass could probably be just search, or we could take the objectclass # filter out of /etc/ldap.conf and add the filter here and allow no access # to objectclass.) access to dn.subtree="ou=People,dc=trow,dc=com" attrs=dn,entry,cn,uid,uidNumber,gidNumber,homeDirectory,userPassword,logi nShell,gecos,description,shadowLastChange,shadowMin,shadowMax,shadowWarning,shad owInactive,shadowExpire,shadowFlag,description,objectclass,preferredUid,makeWWW, useEmail,useDialup,firstActivated,deactivated by dn.exact="cn=nss_ldap,ou=Service,dc=trow,dc=com" read by * + break # # postfix (mail mta, really just some of it's various processes) # access to dn.subtree="ou=People,dc=trow,dc=com" attrs=dn,entry,cn,uid,uidNumber,gidNumber,homeDirectory,gecos,mailrouting address,maillocaladdress,preferredemail,rejectMail by dn.exact="cn=postfix,ou=Service,dc=trow,dc=com" read by * + break -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 8614] Test suite fails when using --with-threads=no
by openldap-its＠openldap.org 22 Apr '20

22 Apr '20

https://bugs.openldap.org/show_bug.cgi?id=8614 --- Comment #9 from Quanah Gibson-Mount <quanah(a)openldap.org> --- (In reply to Howard Chu from comment #8) > For this particular example, just delete "slapd(8) must be compiled with > thread support, and " Sure... this wasn't a question of how to change the text, but a note that we need to take a thorough look through the documentation when making this change. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 8772] Build fail: thr_posix.c:329:16: error: only weak aliases are supported on darwin
by openldap-its＠openldap.org 22 Apr '20

22 Apr '20

https://bugs.openldap.org/show_bug.cgi?id=8772 --- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Commits: 82c8d3eb by Ryan Tandy at 2020-04-22T16:18:50+00:00 ITS#8772 Remove --with-threads=mach option -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 8224] configure --disable-slapd doesn't ignore every slapd option
by openldap-its＠openldap.org 22 Apr '20

22 Apr '20

https://bugs.openldap.org/show_bug.cgi?id=8224 Ryan Tandy <ryan(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Keywords|OL_2_5_REQ | Resolution|--- |TEST --- Comment #3 from Ryan Tandy <ryan(a)openldap.org> --- Commits: 82c8d3eb by Ryan Tandy at 2020-04-22T16:18:50+00:00 ITS#8772 Remove --with-threads=mach option - - - - - eadba4d0 by Ryan Tandy at 2020-04-22T16:18:50+00:00 ITS#8224 Use AS_HELP_STRING to indent configure options consistently - - - - - a2882e5e by Ryan Tandy at 2020-04-22T16:18:50+00:00 ITS#8224 Simplify --disable-slapd logic - - - - - 5144fba8 by Ryan Tandy at 2020-04-22T16:18:50+00:00 ITS#8224 Simplify slapd minimal built-in backend check --enable-slapd=auto is now implicitly handled the same as =yes. - - - - - 2678a32a by Ryan Tandy at 2020-04-22T16:18:50+00:00 ITS#8224 Consolidate configure options validation - - - - - 0c4ee60a by Ryan Tandy at 2020-04-22T11:31:01-07:00 ITS#8224 Regenerate configure - - - - - -- You are receiving this mail because: You are on the CC list for the bug.

1 0

← Newer
1
...
9
10
11
12
13
14
15
...
34
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs April 2020