[Bug 9238] New: access control documentation is confusing
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9238
Bug ID: 9238
Summary: access control documentation is confusing
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: kop(a)karlpinc.com
Target Milestone: ---
Created attachment 716
--> https://bugs.openldap.org/attachment.cgi?id=716&action=edit
git format-patch output
slapd.access says "Access control checking stops
at the first match of the <what> and <who> clause, unless
otherwise dictated by the <control> clause." But
this, by itself, is wrong. You have to read the next
sentence, which says there's an implicit "by * none
stop", meaning that the default is to stop when only <what>
matches.
Patch attached.
I, Karl O. Pinc, hereby place the following modifications to OpenLDAP Software
(and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
--
You are receiving this mail because:
You are on the CC list for the bug.
7 months, 3 weeks
[Bug 9205] New: Openldap 2.4.49 with overlays syncrepl+ppolicy+chain+ldap
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9205
Bug ID: 9205
Summary: Openldap 2.4.49 with overlays
syncrepl+ppolicy+chain+ldap
Product: OpenLDAP
Version: 2.4.49
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: frederic.poisson(a)admin.gmessaging.net
Target Milestone: ---
Created attachment 700
--> https://bugs.openldap.org/attachment.cgi?id=700&action=edit
test script copied from test022-ppolicy and modified to show the trouble
Hello,
I'm doing a OpenLDAP test with a master/slave replication configuration
including ppolicy overlay. I would like to enable password change from the
slave replica with chain overlay, in order to validate the ppolicy
olcPPolicyForwardUpdates attribute to TRUE. I'm using LDAPS from slave to
master with SASL External authentication with client certificate. The client
certificate correspond to a user DN entry with "manage" rights on the master
server (the same used for the replication). This user DN has authzTo attribute
in order to match the correct PROXYAUTHZ request from its dn to user DN.
All of this configuration works on replica when i do first a failed
authentication (err=49) on replica. The pwdFailureTime value is updated on the
DN entry from replica to slave normally. I'm also able to do after some self
entry update on some attribute such as password or others from replica to
master.
But the weird behavior is that i need to run first an failed authentication,
otherwise if i try to change attribute on the slave server, it respond an
err=80 "Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?". The
only way to retrieve correct behavior is to restart slapd, and redo one failed
authentication first. It seems that the chain overlay do not connect the master
server at startup.
I've done a modification of test script test022-ppolicy to test022-policy-chain
which use the same LDIF source and show the problem of modification on the
consumer not "relayed" to the supplier if a fail operation is not done before.
Regards
--
You are receiving this mail because:
You are on the CC list for the bug.
8 months, 2 weeks
[Bug 9222] New: Fix presence list to use a btree instead of an AVL tree
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9222
Bug ID: 9222
Summary: Fix presence list to use a btree instead of an AVL
tree
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
[23:34] <hyc> ok, so far heap profile shows that memory use during refresh is
normal
[23:35] <hyc> not wonderful, but normal. mem usage grows because we're
recording the present list while receiving entries in the refresh
[23:36] <hyc> I'm seeing for 1.2GB of data about 235MB of presentlist
[23:36] <hyc> which is pretty awful, considering presentlist is just a list of
UUIDs
[23:36] <hyc> being stored in an avl tree
[23:37] <hyc> a btree would have been better here, and we could just use an
unsorted segmented array
[23:42] <hyc> for the accumulation phase anyway. we need to be able to lookup
records during the delete pphase
[00:05] <hyc> this stuff seriously needs a rewrite
[01:13] <hyc> 2.8M records x 16 bytes per uuid so this should be no more than
48MB of overhead
[01:13] <hyc> and instead it's 3-400MB
--
You are receiving this mail because:
You are on the CC list for the bug.
9 months
[Bug 9189] New: Add GSSAPI channel-bindings support
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9189
Bug ID: 9189
Summary: Add GSSAPI channel-bindings support
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: iboukris(a)gmail.com
Target Milestone: ---
Recently MS has announce they plan to enforce channel-bindings for LDAP over
TLS (ADV190023).
To support it on client side, we need to pass "tls-endpoint" bindings (RFC
5929) to the SASL plugin, and make use of that in GSSAPI.
See also:
https://github.com/cyrusimap/cyrus-sasl/pull/601
--
You are receiving this mail because:
You are on the CC list for the bug.
9 months, 1 week
[Bug 9242] New: build failure with OpenSSL 0.9.7: EVP_sha256() undefined
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9242
Bug ID: 9242
Summary: build failure with OpenSSL 0.9.7: EVP_sha256()
undefined
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: build
Assignee: bugs(a)openldap.org
Reporter: ryan(a)openldap.org
Target Milestone: ---
git master fails to build with OpenSSL 0.9.7d:
$ openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937
CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2006-7250
CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 CVE-2009-0590
CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 CVE-2011-4619
CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333)
$ ./configure --with-tls=openssl --disable-slapd && make
[...]
libtool: link: gcc -g -O2 -o apitest apitest.o -L/usr/sfw/lib
./.libs/libldap.a /export/home/ryan/openldap/libraries/liblber/.libs/liblber.a
../../libraries/liblber/.libs/liblber.a ../../libraries/liblutil/liblutil.a
-lsasl -lssl -lcrypto -lresolv -lgen -lnsl -lsocket -R/usr/sfw/lib
Undefined first referenced
symbol in file
EVP_sha256 ./.libs/libldap.a(tls_o.o)
ld: fatal: symbol referencing errors. No output written to apitest
collect2: ld returned 1 exit status
*** Error code 1
The SHA-2 algorithms were first added in OpenSSL 0.9.8.
If the use of EVP_sha256() is to be unconditional, please make configure fail
if an older version is detected, and update the documentation as well (i.e.
admin guide for 2.5).
(This could also be an opportunity to make the CRL feature unconditional;
currently it is enabled only with OpenSSL 0.9.7d or later.)
--
You are receiving this mail because:
You are on the CC list for the bug.
1 year
[Bug 9239] New: test007 failed on Solaris 10: slapmodify crashed
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9239
Bug ID: 9239
Summary: test007 failed on Solaris 10: slapmodify crashed
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ryan(a)openldap.org
Target Milestone: ---
./configure CPPFLAGS=-I/opt/csw/include LDFLAGS="-L/opt/csw/lib -R/opt/csw/lib"
&& make && make check
>>>>> Starting test007-slapmodify for mdb...
running defines.sh
Running slapadd to build slapd database...
Testing modify, add, and delete using slapmodify...
Segmentation Fault - core dumped
slapmodify failed (139)!
>>>>> test007-slapmodify failed for mdb after $(( %s - %s )) seconds
(exit 139)
-bash-3.2$ dbx servers/slapd/slapd tests/core
[...]
program terminated by signal SEGV (no mapping at the fault address)
0xfead646c: strlen+0x000c: movl (%eax),%edx
Current function is lutil_debug
74 len = vsnprintf( buffer+off, sizeof(buffer)-off, fmt, vl );
(dbx) where
[1] strlen(0x0), at 0xfead646c
[2] _ndoprnt(0x823a44b, 0x8046ebc, 0x8045e60, 0x0), at 0xfeb31bce
[3] vsnprintf(0x8045e99, 0xff7, 0x823a430, 0x8046ebc), at 0xfeb34d8f
=>[4] lutil_debug(debug = 16645, level = 1, fmt = 0x823a430 "oc_check_required
entry (%s), objectClass "%s"\n", ... = <value unavailable>, ...), line 74 in
"debug.c"
[5] oc_check_required(e = 0x8534ad4, oc = 0x831a890, ocname = 0x852a1b8),
line 514 in "schema_check.c"
[6] entry_schema_check(op = 0x804718c, e = 0x8534ad4, oldattrs = (nil),
manage = 0, add = 1, socp = (nil), text = 0x80475d0, textbuf = 0x804708c "",
textlen = 256U), line 430 in "schema_check.c"
[7] slap_tool_entry_check(progname = 0x824a964 "slapmodify", op = 0x804718c,
e = 0x8534ad4, lineno = 3, text = 0x80475d0, textbuf = 0x804708c "", textlen =
256U), line 1186 in "slapcommon.c"
[8] slapmodify(argc = 10, argv = 0x8047838), line 446 in "slapmodify.c"
[9] main(argc = 10, argv = 0x8047838), line 670 in "main.c"
(dbx) up
Current function is oc_check_required
514 Debug( LDAP_DEBUG_TRACE,
(dbx) list
514 Debug( LDAP_DEBUG_TRACE,
515 "oc_check_required entry (%s), objectClass \"%s\"\n",
516 e->e_dn, ocname->bv_val );
517
518
519 /* check for empty oc_required */
520 if(oc->soc_required == NULL) {
521 return NULL;
522 }
523
(dbx) print e->e_dn
e->e_dn = (nil)
(dbx) print ocname->bv_val
ocname->bv_val = 0x852a1a0 "OpenLDAPperson"
On other systems, the debug output is:
5ea0dcca oc_check_required entry ((null)), objectClass "OpenLDAPperson"
It appears this version of vsnprintf cannot handle the %s argument being NULL.
--
You are receiving this mail because:
You are on the CC list for the bug.
1 year
[Bug 9237] New: Remove back-perl
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9237
Bug ID: 9237
Summary: Remove back-perl
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: backends
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
For 2.5, we will be removing back perl.
In master, remove the ability to build back perl, but keep the source
for the 2.5 branch, remove the source as well.
--
You are receiving this mail because:
You are on the CC list for the bug.
1 year
[Bug 9236] New: Remove back-shell
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9236
Bug ID: 9236
Summary: Remove back-shell
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: backends
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
For 2.5+ remove back-shell from being built.
In master, keep the source code for now (Delete for 2.6+)
For 2.5 branch, delete the source as well.
--
You are receiving this mail because:
You are on the CC list for the bug.
1 year
[Bug 9235] New: Stop building libldap
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9235
Bug ID: 9235
Summary: Stop building libldap
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
For 2.5+, we will no longer build libldap, only libldap_r
Source should remain in the tree
--
You are receiving this mail because:
You are on the CC list for the bug.
1 year