https://bugs.openldap.org/show_bug.cgi?id=8701
--- Comment #6 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
• c7b008ee
by Ondřej Kuzník at 2020-07-21T10:48:47+01:00
ITS#8701 Fix documentation
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9296
Issue ID: 9296
Summary: OpenLDAP mishandles rpath and runpath tokens
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: build
Assignee: bugs(a)openldap.org
Reporter: noloader(a)gmail.com
Target Milestone: ---
Hi Everyone,
I'm building the OpenLDAP 2.4.50 release tarball on multiple operating systems.
I've noticed there are a couple of issues with rpaths and runpaths.
When I configure OpenLDAP, it includes the following LDFLAGS:
LDFLAGS: -Wl,-R,'$ORIGIN/../lib'
-Wl,-R,/export/home/jwalton/tmp/ok2delete/lib
When I audit the resulting programs and shared objects, I see two issues. First,
the rpaths and runpaths have been reordered. Second, rpath and runpath tokens
were not preserved. The tokens include $ORIGIN, $LIB and $PLATFORM (see the
ld.so(8) man page). In fact, the rpath and runpath tokens seem to have been
expanded to nothing.
This is from Solaris.
/export/home/jwalton/tmp/ok2delete/lib/libldap-2.4.so.2.10.13:
RUNPATH /export/home/jwalton/tmp/ok2delete/lib:/../lib
RPATH /export/home/jwalton/tmp/ok2delete/lib:/../lib
And:
/export/home/jwalton/tmp/ok2delete/lib/libldap_r-2.4.so.2.10.13:
RUNPATH /export/home/jwalton/tmp/ok2delete/lib:/../lib
RPATH /export/home/jwalton/tmp/ok2delete/lib:/../lib
Expanding '$ORIGIN/../lib' to '/../lib' is especially problematic. '/../lib' is
just '/lib', so OpenLDAP is runtime linking to the wrong libraries, like
zLib 1.2.8 and Bzip 1.0.6. Libraries like zLib 1.2.8 and Bzip 1.0.6 have active
CVEs against them. It is better to runtime link against the new libraries I
provide.
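The following script is an added example and is not part of the OpenLDAP build system or of the report above. It reproduces the failure mode the reporter describes from the shell side: when a linker search path such as '$ORIGIN/../lib' passes through one shell evaluation too many, the shell treats $ORIGIN as an (empty) shell variable and the path collapses to '/../lib', which the loader resolves to '/lib', so the binary quietly loads the system copies of zlib, bzip2 and friends instead of the ones shipped next to it. That extra shell evaluation is an assumed mechanism for illustration; the report does not identify where in the build the tokens are lost. The audit helpers assume GNU binutils readelf is installed; everything else is POSIX sh.

```sh
#!/bin/sh
# Added example, not code from the OpenLDAP project or from the report.

# Simulate a build layer that re-evaluates LDFLAGS with the shell (assumed
# mechanism).  $ORIGIN is a loader token, not a shell variable, so the shell
# expands it to the empty string and '$ORIGIN/../lib' becomes '/../lib'.
reeval_rpath() {
    eval "printf '%s' \"$1\""
}

# What the loader actually searches for a token-less '/../lib' element:
# the parent of the filesystem root is the root itself, so it is '/lib'.
collapse_root_parent() {
    printf '%s' "$1" | sed 's#^/\.\./#/#; s#:/\.\./#:/#g'
}

# Double every '$' so that make passes the value through as a single '$'.
# The recipe must then single-quote the value so the shell also leaves it
# alone and the linker receives the literal token.
escape_for_make() {
    printf '%s' "$1" | sed 's/\$/$$/g'
}

# Return 0 when every loader token present in the requested rpath is still
# present, literally, in the rpath recorded in the binary; 1 otherwise.
rpath_tokens_preserved() {
    requested=$1
    recorded=$2
    for tok in '$ORIGIN' '$LIB' '$PLATFORM'; do
        case "$requested" in
            *"$tok"*)
                case "$recorded" in
                    *"$tok"*) ;;
                    *) return 1 ;;
                esac ;;
        esac
    done
    return 0
}

# Print the DT_RPATH / DT_RUNPATH values of an ELF file, one per line.
# Relies on the 'Library runpath: [...]' line format printed by GNU readelf.
elf_rpaths() {
    readelf -d "$1" 2>/dev/null \
        | sed -n 's/.*(R[UN]*PATH).*\[\(.*\)\]$/\1/p'
}

# Audit one built file against the search path the build requested.
# Exit status 1 if a token was lost or an element now resolves to /lib.
audit_elf() {
    f=$1
    requested=$2
    rc=0
    for rp in $(elf_rpaths "$f"); do
        if ! rpath_tokens_preserved "$requested" "$rp"; then
            echo "$f: loader token lost: requested '$requested', got '$rp'" >&2
            rc=1
        fi
        case ":$rp:" in
            *:/../lib:*|*:/lib:*)
                echo "$f: search path element resolves to /lib: '$rp'" >&2
                rc=1 ;;
        esac
    done
    return $rc
}
```

Run `audit_elf /path/to/libldap-2.4.so.2.10.13 '$ORIGIN/../lib'` over the installed tree after `make install`; a non-zero exit means the library will not find the bundled dependencies the build intended to pin it to.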
https://bugs.openldap.org/show_bug.cgi?id=9266
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What       | Removed        | Added
-----------+----------------+------
Group      | OpenLDAP-devs  |
https://bugs.openldap.org/show_bug.cgi?id=8376
Ryan Tandy <ryan(a)openldap.org> changed:
What       | Removed | Added
-----------+---------+-----------------------------------------------
See Also   |         | https://bugs.openldap.org/show_bug.cgi?id=9287
https://bugs.openldap.org/show_bug.cgi?id=9099
--- Comment #3 from Howard Chu <hyc(a)openldap.org> ---
(In reply to Markus from comment #2)
> > Right, rebalancing would become quite a pain.
>
> Regarding re-balancing, maybe a pragmatic solution could be two phase
> range-delete:
>
> 1) First, delete only those pages in the given range that will not trigger
> re-balancing.
> 2) Second, delete the remaining nodes in the range as is (causing
> re-balancing).
>
> Another simplification might be to limit the page deletions to leaf pages.
> I'd guess the speed-up would already be quite significant.
>
>
> If you are interested, I could give it a shot. Just let me know. Without
> more efficient range-deletes, we may have to look into workarounds. Thus,
> I'd be happy to invest some time to solve that at the "core".
You're welcome to try whatever approach. As long as it doesn't increase the
code size too much, and you can document a significant speedup, it'll be
considered.
Going back to your original post, instead of using hierarchical keys you should
be using separate named databases for each group. Then just use mdb_drop to
delete a group.
https://bugs.openldap.org/show_bug.cgi?id=9099
--- Comment #2 from Markus <markus(a)objectbox.io> ---
> Right, rebalancing would become quite a pain.
Regarding re-balancing, maybe a pragmatic solution could be two phase
range-delete:
1) First, delete only those pages in the given range that will not trigger
re-balancing.
2) Second, delete the remaining nodes in the range as is (causing
re-balancing).
Another simplification might be to limit the page deletions to leaf pages. I'd
guess the speed-up would already be quite significant.
If you are interested, I could give it a shot. Just let me know. Without more
efficient range-deletes, we may have to look into workarounds. Thus, I'd be
happy to invest some time to solve that at the "core".
https://bugs.openldap.org/show_bug.cgi?id=9290
Issue ID: 9290
Summary: Trying to add new config to Ldap
Product: OpenLDAP
Version: 2.4.49
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: koshlendra.singh(a)punchh.com
Target Milestone: ---
While I am trying to add a new user config to the LDAP server, I get the
following error:
ldap_add: Invalid syntax (21)
additional info: uidNumber: value #0 invalid per syntax
Please share your ideas on how to get this resolved.
https://bugs.openldap.org/show_bug.cgi?id=9265
Issue ID: 9265
Summary: modifying a schema beneath an overlay hits assert
Product: OpenLDAP
Version: 2.4.50
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ratness(a)gmail.com
Target Milestone: ---
I'm going to demo this on debian-unstable so it's on 2.4.50, but I've also been
able to achieve the following failure with CentOS7's package
(openldap-servers-2.4.44-21.el7_6.x86_64), so I don't think it's
packager-related. I apologize that I don't have a gdb run with this report,
but I've been having poor luck compiling it or getting a non-stripped binary.
Steps to reproduce:
* grab a vm/droplet/whatever of debian, convert source to unstable, apt update
/ apt full-upgrade
* apt-get install slapd ldap-utils
* reboot
* Add the ppolicy schema:
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
* Add the ppolicy module:
**
```
cat >/tmp/moduleadd <<EOF
dn: cn=module{0},cn=config
add: olcModuleLoad
olcModuleLoad: ppolicy
EOF
```
** /usr/bin/ldapmodify -cQY EXTERNAL -H ldapi:/// -f /tmp/moduleadd
* Add a super boring ppolicy overlay:
```
cat >/tmp/overlayadd <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
EOF
```
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/overlayadd
* Halt slapd, and then start it up in debug mode:
** service slapd stop
** /usr/sbin/slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d -d any
* now, the weird one. Run an attempted 'replace' ldif against the ppolicy
schema that would result in no net change to it.
```
cat >/tmp/trauma <<EOF
dn: cn={4}ppolicy,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit'
EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY
booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration'
EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval'
EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY
booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange'
EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY
booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailure'
EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-
replace: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top
AUXILIARY MUST ( pwdAttribute ) MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $
pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $
pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
-
EOF
```
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/trauma
The client comes back with:
modifying entry "cn={4}ppolicy,cn=schema,cn=config"
ldap_result: Can't contact LDAP server (-1)
The server, however, has failed on an assertion. The tail of the debug stream
is:
5ec71e94 => access_allowed: add access granted by manage(=mwrscxd)
5ec71e94 slap_queue_csn: queueing 0x7facb8105700
20200522003636.287264Z#000000#000#000000
5ec71e94 oc_check_required entry (cn={4}ppolicy,cn=schema,cn=config),
objectClass "olcSchemaConfig"
5ec71e94 oc_check_allowed type "objectClass"
5ec71e94 oc_check_allowed type "cn"
5ec71e94 oc_check_allowed type "structuralObjectClass"
5ec71e94 oc_check_allowed type "entryUUID"
5ec71e94 oc_check_allowed type "creatorsName"
5ec71e94 oc_check_allowed type "createTimestamp"
5ec71e94 oc_check_allowed type "olcAttributeTypes"
5ec71e94 oc_check_allowed type "olcObjectClasses"
5ec71e94 oc_check_allowed type "entryCSN"
5ec71e94 oc_check_allowed type "modifiersName"
5ec71e94 oc_check_allowed type "modifyTimestamp"
slapd: ../../../../servers/slapd/at.c:277: at_clean: Assertion `a->sat_syntax != NULL' failed.
Aborted
"Why do you have an overlay there?"
Beats me. It was like that when I got here, and since it's enforcing password
policies, I don't think I can change it.
"Why would you ever run such a silly modify!?"
I wouldn't. This stems from a Puppet module where any time it spots the
timestamp of /etc/path/to/ldap/schema/foo.schema is newer than the
'modifyTimestamp' of schema 'foo' in slapd, it kicks off a modify so slapd will
be timestamp-newer than what's on disk. It just happens that if you ever do
something as simple as `touch /etc/ldap/slapd.d/ppolicy.schema`, it triggers
this update process and crashes the server on the next Puppet run. And I bet
most people don't have an overlay and so this is probably a not-often-seen edge
case. But unfortunately I'm not a good C person so I don't see the issue well
enough to offer a PR.
Thanks for reading.
https://bugs.openldap.org/show_bug.cgi?id=9043
--- Comment #2 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
• 31423439
by Ondřej Kuzník at 2020-07-08T12:54:08+01:00
ITS#9043 Make sure uuidstr is initialised on use
https://bugs.openldap.org/show_bug.cgi?id=7748
Ondřej Kuzník <ondra(a)mistotebe.net> changed:
What       | Removed | Added
-----------+---------+------------------------------------------------
See Also   |         | https://bugs.openldap.org/show_bug.cgi?id=5973,
           |         | https://bugs.openldap.org/show_bug.cgi?id=6531,
           |         | https://bugs.openldap.org/show_bug.cgi?id=9282,
           |         | https://bugs.openldap.org/show_bug.cgi?id=5470