openldap-bugs May 2020

openldap-bugs@openldap.org

1 participants
134 discussions

[Bug 9227] New: Fix syncrepl exattrs to not delete local attrs
by openldap-its＠openldap.org 19 Aug '20

19 Aug '20

https://bugs.openldap.org/show_bug.cgi?id=9227 Bug ID: 9227 Summary: Fix syncrepl exattrs to not delete local attrs Product: OpenLDAP Version: 2.4.50 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- An issue with syncrepl using exattrs is that the local replica may delete attrs that are being managed by locally deployed overlays such as memberOf (See bug#7400 for example). This behavior needs to be fixed so that the locally managed attributes are not deleted when included in an exattrs statement. -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Issue 9265] New: modifying a schema beneath an overlay hits assert
by openldap-its＠openldap.org 09 Jul '20

09 Jul '20

https://bugs.openldap.org/show_bug.cgi?id=9265 Issue ID: 9265 Summary: modifying a schema beneath an overlay hits assert Product: OpenLDAP Version: 2.4.50 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ratness(a)gmail.com Target Milestone: --- I'm doing to demo this on debian-unstable so it's on 2.4.50, but I've also been able to achieve the following failure with CentOS7's package (openldap-servers-2.4.44-21.el7_6.x86_64), so I don't think it's packager-related. I apologize that I don't have a gdb run with this report, but I've been having poor luck compiling it or getting a non-stripped binary. Steps to reproduce: * grab a vm/droplet/whatever of debian, convert source to unstable, apt update / apt full-upgrade * apt-get install slapd ldap-utils * reboot * Add the ppolicy schema: ** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif * Add the ppolicy module: ** ``` cat >/tmp/moduleadd <<EOF dn: cn=module{0},cn=config add: olcModuleLoad olcModuleLoad: ppolicy EOF ``` ** /usr/bin/ldapmodify -cQY EXTERNAL -H ldapi:/// -f /tmp/moduleadd * Add a super boring ppolicy overlay: ``` cat >/tmp/overlayadd <<EOF dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: ppolicy olcPPolicyHashCleartext: FALSE olcPPolicyUseLockout: FALSE olcPPolicyForwardUpdates: FALSE EOF ``` ** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/overlayadd * Halt slapd, and then start it up in debug mode: ** service slapd stop ** /usr/sbin/slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d -d any * now, the weird one. Run an attempted 'replace' ldif against the ppolicy schema that would result in no net change to it. ``` cat >/tmp/trauma <<EOF dn: cn={4}ppolicy,cn=schema,cn=config changetype: modify replace: olcAttributeTypes olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - replace: olcObjectClasses olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST ( pwdAttribute ) MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) ) - EOF ``` ** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/trauma The client comes back with: modifying entry "cn={4}ppolicy,cn=schema,cn=config" ldap_result: Can't contact LDAP server (-1) The server, however, has failed on an assertion. The tail of the debug stream is: 5ec71e94 => access_allowed: add access granted by manage(=mwrscxd) 5ec71e94 slap_queue_csn: queueing 0x7facb8105700 20200522003636.287264Z#000000#000#000000 5ec71e94 oc_check_required entry (cn={4}ppolicy,cn=schema,cn=config), objectClass "olcSchemaConfig" 5ec71e94 oc_check_allowed type "objectClass" 5ec71e94 oc_check_allowed type "cn" 5ec71e94 oc_check_allowed type "structuralObjectClass" 5ec71e94 oc_check_allowed type "entryUUID" 5ec71e94 oc_check_allowed type "creatorsName" 5ec71e94 oc_check_allowed type "createTimestamp" 5ec71e94 oc_check_allowed type "olcAttributeTypes" 5ec71e94 oc_check_allowed type "olcObjectClasses" 5ec71e94 oc_check_allowed type "entryCSN" 5ec71e94 oc_check_allowed type "modifiersName" 5ec71e94 oc_check_allowed type "modifyTimestamp" slapd: ../../../../servers/slapd/at.c:277: at_clean: Assertion `a->sat_syntax != NULL' failed. Aborted "Why do you have an overlay there?" Beats me. It was like that when I got here, and since it's enforcing password policies, I don't think I can change it. "Why would you ever run such a silly modify!?" I wouldn't. This stems from a Puppet module where any time it spots the timestamp of /etc/path/to/ldap/schema/foo.schema is newer than the 'modifyTimestamp' of schema 'foo' in slapd, it kicks off a modify so slapd will be timestamp-newer than what's on disk. It just happens that if you ever do something as simple as `touch /etc/ldap/slapd.d/ppolicy.schema`, it triggers this update process and crashes the server on the next Puppet run. And I bet most people don't have an overlay and so this is probably a not-often-seen edge case. But unfortunately I'm not a good C person so I don't see the issue well enough to offer a PR. Thanks for reading. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 8675] tools continuing after ldap_start_tls_ returns non-LDAP error
by openldap-its＠openldap.org 28 May '20

28 May '20

https://bugs.openldap.org/show_bug.cgi?id=8675 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|has_patch, IPR_OK, | |openldap-scratch | -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9020] Inconsistent cn=config objectClasses for overlays
by openldap-its＠openldap.org 27 May '20

27 May '20

https://bugs.openldap.org/show_bug.cgi?id=9020 --- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org> --- In fact, for autoCA, I'm not a fan of the other olc config attr names either -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9020] Inconsistent cn=config objectClasses for overlays
by openldap-its＠openldap.org 27 May '20

27 May '20

https://bugs.openldap.org/show_bug.cgi?id=9020 --- Comment #3 from Quanah Gibson-Mount <quanah(a)openldap.org> --- and Dyngroup does this as well -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9020] Inconsistent cn=config objectClasses for overlays
by openldap-its＠openldap.org 27 May '20

27 May '20

https://bugs.openldap.org/show_bug.cgi?id=9020 --- Comment #2 from Quanah Gibson-Mount <quanah(a)openldap.org> --- autoca continues this unfortunate trend -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8888] doc: sdf number disorder
by openldap-its＠openldap.org 27 May '20

27 May '20

https://bugs.openldap.org/show_bug.cgi?id=8888 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Ever confirmed|0 |1 Status|UNCONFIRMED |IN_PROGRESS --- Comment #1 from Quanah Gibson-Mount <quanah(a)openldap.org> --- https://git.openldap.org/openldap/openldap/-/merge_requests/75 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7530] gethostbyname_r fails if initial buffer size is too small
by openldap-its＠openldap.org 26 May '20

26 May '20

https://bugs.openldap.org/show_bug.cgi?id=7530 --- Comment #4 from ujvari(a)microsec.hu <ujvari(a)microsec.hu> --- Én köszönöm a javítást. It's me who thank you for fixing the problem. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8873] slapd-meta/ldap - Remove deprecated options
by openldap-its＠openldap.org 26 May '20

26 May '20

https://bugs.openldap.org/show_bug.cgi?id=8873 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|OL_2_5_REQ | Status|IN_PROGRESS |RESOLVED Resolution|--- |TEST --- Comment #2 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Commits: • f926e667 by Quanah Gibson-Mount at 2020-05-26T19:59:56+00:00 ITS#8873 - Delete obsolete configuration options from back-ldap, back-meta, and back-asyncmeta -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7990] (docs) Admin guide: bad link in password policy overlay section
by openldap-its＠openldap.org 26 May '20

26 May '20

https://bugs.openldap.org/show_bug.cgi?id=7990 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9156 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

← Newer
1
...
4
5
6
7
8
9
10
...
14
Older →

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2020