openldap-bugs April 2020

openldap-bugs@openldap.org

2 participants
338 discussions

[Bug 9197] New: slapd-ldap/slapo-chain hits error 80 after idletimeout
by openldap-its＠openldap.org 27 Feb '21

27 Feb '21

https://bugs.openldap.org/show_bug.cgi?id=9197 Bug ID: 9197 Summary: slapd-ldap/slapo-chain hits error 80 after idletimeout Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- From a customer: In order to communicate via the LB managed writable ldap, we have to ensure that an idle connection is periodically refreshed. If we do not, the LB will silently drop the connection after 5 minutes. Therefore to combat that I set an olcIdleTimeout on the writable server so that the chain cached connections will be removed before the LB timeout hits. However the slapo-ldap client goes into CLOSE_WAIT state, which causes subsequent ldapmodify updates being brokered by the read only instance to fail with err=80. There appear to be a few bugs filed on this in the past against slapd-ldap, but it's not clear if we may be hitting the same issue, or if this is a new one. I've also connected the read only instances directly to the writable ldap instances and the CLOSE_WAIT issue persists, so I don't believe the CLOSE_WAIT issue is caused by the LB These were the other threads I found as I started looking for this problem, these are using the ldap-proxy though I think: https://www.openldap.org/lists/openldap-technical/201301/msg00323.html http://www.openldap.org/lists/openldap-software/201004/msg00060.html https://www.openldap.org/lists/openldap-bugs/200412/msg00029.html The LB we have seems to be set to forget connections that last over 5 min per the setting, so the 240:10:30 seemed like it should have worked and I just thought it wasn't working because in the man page the text "Only some systems support the customization of these values" is present. however after setting keepalive to 60:10:30 did I maintain a stable connection, so there may be other network settings at play I'm not aware of. -- You are receiving this mail because: You are on the CC list for the bug.

1 14

[Bug 9238] New: access control documentation is confusing
by openldap-its＠openldap.org 27 Feb '21

27 Feb '21

https://bugs.openldap.org/show_bug.cgi?id=9238 Bug ID: 9238 Summary: access control documentation is confusing Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: kop(a)karlpinc.com Target Milestone: --- Created attachment 716 --> https://bugs.openldap.org/attachment.cgi?id=716&action=edit git format-patch output slapd.access says "Access control checking stops at the first match of the <what> and <who> clause, unless otherwise dictated by the <control> clause." But this, by itself, is wrong. You have to read the next sentence, which says there's an implicit "by * none stop", meaning that the default is to stop when only <what> matches. Patch attached. I, Karl O. Pinc, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. -- You are receiving this mail because: You are on the CC list for the bug.

1 16

[Bug 9246] New: Improve authzFrom/authzTo docs
by openldap-its＠openldap.org 27 Feb '21

27 Feb '21

https://bugs.openldap.org/show_bug.cgi?id=9246 Bug ID: 9246 Summary: Improve authzFrom/authzTo docs Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: kop(a)karlpinc.com Target Milestone: --- Created attachment 724 --> https://bugs.openldap.org/attachment.cgi?id=724&action=edit Patch The defaults for group/objectclass/attributetype were not documented. Improve the section overall. I, Karl O. Pinc, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. -- You are receiving this mail because: You are on the CC list for the bug.

1 9

[Bug 9205] New: Openldap 2.4.49 with overlays syncrepl+ppolicy+chain+ldap
by openldap-its＠openldap.org 02 Feb '21

02 Feb '21

https://bugs.openldap.org/show_bug.cgi?id=9205 Bug ID: 9205 Summary: Openldap 2.4.49 with overlays syncrepl+ppolicy+chain+ldap Product: OpenLDAP Version: 2.4.49 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: frederic.poisson(a)admin.gmessaging.net Target Milestone: --- Created attachment 700 --> https://bugs.openldap.org/attachment.cgi?id=700&action=edit test script copied from test022-ppolicy and modified to show the trouble Hello, I'm doing a OpenLDAP test with a master/slave replication configuration including ppolicy overlay. I would like to enable password change from the slave replica with chain overlay, in order to validate the ppolicy olcPPolicyForwardUpdates attribute to TRUE. I'm using LDAPS from slave to master with SASL External authentication with client certificate. The client certificate correspond to a user DN entry with "manage" rights on the master server (the same used for the replication). This user DN has authzTo attribute in order to match the correct PROXYAUTHZ request from its dn to user DN. All of this configuration works on replica when i do first a failed authentication (err=49) on replica. The pwdFailureTime value is updated on the DN entry from replica to slave normally. I'm also able to do after some self entry update on some attribute such as password or others from replica to master. But the weird behavior is that i need to run first an failed authentication, otherwise if i try to change attribute on the slave server, it respond an err=80 "Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?". The only way to retrieve correct behavior is to restart slapd, and redo one failed authentication first. It seems that the chain overlay do not connect the master server at startup. I've done a modification of test script test022-ppolicy to test022-policy-chain which use the same LDIF source and show the problem of modification on the consumer not "relayed" to the supplier if a fail operation is not done before. Regards -- You are receiving this mail because: You are on the CC list for the bug.

1 12

[Bug 9222] New: Fix presence list to use a btree instead of an AVL tree
by openldap-its＠openldap.org 22 Jan '21

22 Jan '21

https://bugs.openldap.org/show_bug.cgi?id=9222 Bug ID: 9222 Summary: Fix presence list to use a btree instead of an AVL tree Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- [23:34] <hyc> ok, so far heap profile shows that memory use during refresh is normal [23:35] <hyc> not wonderful, but normal. mem usage grows because we're recording the present list while receiving entries in the refresh [23:36] <hyc> I'm seeing for 1.2GB of data about 235MB of presentlist [23:36] <hyc> which is pretty awful, considering presentlist is just a list of UUIDs [23:36] <hyc> being stored in an avl tree [23:37] <hyc> a btree would have been better here, and we could just use an unsorted segmented array [23:42] <hyc> for the accumulation phase anyway. we need to be able to lookup records during the delete pphase [00:05] <hyc> this stuff seriously needs a rewrite [01:13] <hyc> 2.8M records x 16 bytes per uuid so this should be no more than 48MB of overhead [01:13] <hyc> and instead it's 3-400MB -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 9242] New: build failure with OpenSSL 0.9.7: EVP_sha256() undefined
by openldap-its＠openldap.org 15 Oct '20

15 Oct '20

https://bugs.openldap.org/show_bug.cgi?id=9242 Bug ID: 9242 Summary: build failure with OpenSSL 0.9.7: EVP_sha256() undefined Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: ryan(a)openldap.org Target Milestone: --- git master fails to build with OpenSSL 0.9.7d: $ openssl version OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333) $ ./configure --with-tls=openssl --disable-slapd && make [...] libtool: link: gcc -g -O2 -o apitest apitest.o -L/usr/sfw/lib ./.libs/libldap.a /export/home/ryan/openldap/libraries/liblber/.libs/liblber.a ../../libraries/liblber/.libs/liblber.a ../../libraries/liblutil/liblutil.a -lsasl -lssl -lcrypto -lresolv -lgen -lnsl -lsocket -R/usr/sfw/lib Undefined first referenced symbol in file EVP_sha256 ./.libs/libldap.a(tls_o.o) ld: fatal: symbol referencing errors. No output written to apitest collect2: ld returned 1 exit status *** Error code 1 The SHA-2 algorithms were first added in OpenSSL 0.9.8. If the use of EVP_sha256() is to be unconditional, please make configure fail if an older version is detected, and update the documentation as well (i.e. admin guide for 2.5). (This could also be an opportunity to make the CRL feature unconditional; currently it is enabled only with OpenSSL 0.9.7d or later.) -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 9239] New: test007 failed on Solaris 10: slapmodify crashed
by openldap-its＠openldap.org 15 Oct '20

15 Oct '20

https://bugs.openldap.org/show_bug.cgi?id=9239 Bug ID: 9239 Summary: test007 failed on Solaris 10: slapmodify crashed Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ryan(a)openldap.org Target Milestone: --- ./configure CPPFLAGS=-I/opt/csw/include LDFLAGS="-L/opt/csw/lib -R/opt/csw/lib" && make && make check >>>>> Starting test007-slapmodify for mdb... running defines.sh Running slapadd to build slapd database... Testing modify, add, and delete using slapmodify... Segmentation Fault - core dumped slapmodify failed (139)! >>>>> test007-slapmodify failed for mdb after $(( %s - %s )) seconds (exit 139) -bash-3.2$ dbx servers/slapd/slapd tests/core [...] program terminated by signal SEGV (no mapping at the fault address) 0xfead646c: strlen+0x000c: movl (%eax),%edx Current function is lutil_debug 74 len = vsnprintf( buffer+off, sizeof(buffer)-off, fmt, vl ); (dbx) where [1] strlen(0x0), at 0xfead646c [2] _ndoprnt(0x823a44b, 0x8046ebc, 0x8045e60, 0x0), at 0xfeb31bce [3] vsnprintf(0x8045e99, 0xff7, 0x823a430, 0x8046ebc), at 0xfeb34d8f =>[4] lutil_debug(debug = 16645, level = 1, fmt = 0x823a430 "oc_check_required entry (%s), objectClass "%s"\n", ... = <value unavailable>, ...), line 74 in "debug.c" [5] oc_check_required(e = 0x8534ad4, oc = 0x831a890, ocname = 0x852a1b8), line 514 in "schema_check.c" [6] entry_schema_check(op = 0x804718c, e = 0x8534ad4, oldattrs = (nil), manage = 0, add = 1, socp = (nil), text = 0x80475d0, textbuf = 0x804708c "", textlen = 256U), line 430 in "schema_check.c" [7] slap_tool_entry_check(progname = 0x824a964 "slapmodify", op = 0x804718c, e = 0x8534ad4, lineno = 3, text = 0x80475d0, textbuf = 0x804708c "", textlen = 256U), line 1186 in "slapcommon.c" [8] slapmodify(argc = 10, argv = 0x8047838), line 446 in "slapmodify.c" [9] main(argc = 10, argv = 0x8047838), line 670 in "main.c" (dbx) up Current function is oc_check_required 514 Debug( LDAP_DEBUG_TRACE, (dbx) list 514 Debug( LDAP_DEBUG_TRACE, 515 "oc_check_required entry (%s), objectClass \"%s\"\n", 516 e->e_dn, ocname->bv_val ); 517 518 519 /* check for empty oc_required */ 520 if(oc->soc_required == NULL) { 521 return NULL; 522 } 523 (dbx) print e->e_dn e->e_dn = (nil) (dbx) print ocname->bv_val ocname->bv_val = 0x852a1a0 "OpenLDAPperson" On other systems, the debug output is: 5ea0dcca oc_check_required entry ((null)), objectClass "OpenLDAPperson" It appears this version of vsnprintf cannot handle the %s argument being NULL. -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 9237] New: Remove back-perl
by openldap-its＠openldap.org 15 Oct '20

15 Oct '20

https://bugs.openldap.org/show_bug.cgi?id=9237 Bug ID: 9237 Summary: Remove back-perl Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- For 2.5, we will be removing back perl. In master, remove the ability to build back perl, but keep the source for the 2.5 branch, remove the source as well. -- You are receiving this mail because: You are on the CC list for the bug.

1 12

[Bug 9236] New: Remove back-shell
by openldap-its＠openldap.org 15 Oct '20

15 Oct '20

https://bugs.openldap.org/show_bug.cgi?id=9236 Bug ID: 9236 Summary: Remove back-shell Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- For 2.5+ remove back-shell from being built. In master, keep the source code for now (Delete for 2.6+) For 2.5 branch, delete the source as well. -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 9235] New: Stop building libldap
by openldap-its＠openldap.org 15 Oct '20

15 Oct '20

https://bugs.openldap.org/show_bug.cgi?id=9235 Bug ID: 9235 Summary: Stop building libldap Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- For 2.5+, we will no longer build libldap, only libldap_r Source should remain in the tree -- You are receiving this mail because: You are on the CC list for the bug.

1 13

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs April 2020