https://bugs.openldap.org/show_bug.cgi?id=9322
Issue ID: 9322
Summary: Update admin guide to recommend OpenSSL 1.1 as a
minimum release
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
For OpenLDAP 2.5, we need to update the recommended OpenSSL version to be 1.1
or later.
appendix-recommended-versions.sdf
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9205
Bug ID: 9205
Summary: Openldap 2.4.49 with overlays
syncrepl+ppolicy+chain+ldap
Product: OpenLDAP
Version: 2.4.49
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: frederic.poisson(a)admin.gmessaging.net
Target Milestone: ---
Created attachment 700
--> https://bugs.openldap.org/attachment.cgi?id=700&action=edit
test script copied from test022-ppolicy and modified to show the trouble
Hello,
I'm doing a OpenLDAP test with a master/slave replication configuration
including ppolicy overlay. I would like to enable password change from the
slave replica with chain overlay, in order to validate the ppolicy
olcPPolicyForwardUpdates attribute to TRUE. I'm using LDAPS from slave to
master with SASL External authentication with client certificate. The client
certificate correspond to a user DN entry with "manage" rights on the master
server (the same used for the replication). This user DN has authzTo attribute
in order to match the correct PROXYAUTHZ request from its dn to user DN.
All of this configuration works on replica when i do first a failed
authentication (err=49) on replica. The pwdFailureTime value is updated on the
DN entry from replica to slave normally. I'm also able to do after some self
entry update on some attribute such as password or others from replica to
master.
But the weird behavior is that i need to run first an failed authentication,
otherwise if i try to change attribute on the slave server, it respond an
err=80 "Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?". The
only way to retrieve correct behavior is to restart slapd, and redo one failed
authentication first. It seems that the chain overlay do not connect the master
server at startup.
I've done a modification of test script test022-ppolicy to test022-policy-chain
which use the same LDIF source and show the problem of modification on the
consumer not "relayed" to the supplier if a fail operation is not done before.
Regards
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugs.openldap.org/show_bug.cgi?id=9222
Bug ID: 9222
Summary: Fix presence list to use a btree instead of an AVL
tree
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
[23:34] <hyc> ok, so far heap profile shows that memory use during refresh is
normal
[23:35] <hyc> not wonderful, but normal. mem usage grows because we're
recording the present list while receiving entries in the refresh
[23:36] <hyc> I'm seeing for 1.2GB of data about 235MB of presentlist
[23:36] <hyc> which is pretty awful, considering presentlist is just a list of
UUIDs
[23:36] <hyc> being stored in an avl tree
[23:37] <hyc> a btree would have been better here, and we could just use an
unsorted segmented array
[23:42] <hyc> for the accumulation phase anyway. we need to be able to lookup
records during the delete pphase
[00:05] <hyc> this stuff seriously needs a rewrite
[01:13] <hyc> 2.8M records x 16 bytes per uuid so this should be no more than
48MB of overhead
[01:13] <hyc> and instead it's 3-400MB
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugs.openldap.org/show_bug.cgi?id=9311
Issue ID: 9311
Summary: Singular overlays should be flagged as such
Product: OpenLDAP
Version: 2.4.51
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
After the fix for issue#9309 it is now possible to ensure the singularity of
overlays that should only be instantiated once on a DB. Currently only two are
marked this way: ppolicy and rwm.
The following overlays should also be marked this way:
auditlog
autoca
collect
constraint
dds
deref
dyngroup
dynlist
seqmod
sssvlv
syncprov
unique
valsort
The following overlays it is valid to have multiple instances:
accesslog
memberOf
pcache
refint
retcode
translucent
The contrib overlays need examining as well.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9307
Issue ID: 9307
Summary: --enable-<option>=mod should require --enable-modules
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: build
Assignee: bugs(a)openldap.org
Reporter: ryan(a)openldap.org
Target Milestone: ---
In master/RE25,
./configure --enable-backends=mod
fails with:
checking configure arguments... configure: error: slapd requires a backend
if --enable-modules is not also specified.
In RE24, and for overlays in both versions, the specified modules get switched
to static automatically, and a warning is emitted for each:
configure: WARNING: building static accesslog overlay
The behaviour was changed in issue 8224; the idea was to have it fail earlier
if neither loadable module support nor any static backend was selected, but the
error is not clear enough.
Quanah and I agreed that it would be better to fail with an explicit error
message in this case, rather than automatically do something different than
requested.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9280
Issue ID: 9280
Summary: A read-only ppolicy installation
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
There might be environments where letting ppolicy write into the local database
is not appropriate, but neither is chaining. It should be possible to skip the
modifications altogether.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9264
Issue ID: 9264
Summary: Add lock to slapo-unique to delay new ops until
current op is complete
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: gnoe(a)symas.com
Target Milestone: ---
Locking is needed in slapo-unique to prevent duplicate values when new
operations are started before previous operations are completed.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9242
Bug ID: 9242
Summary: build failure with OpenSSL 0.9.7: EVP_sha256()
undefined
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: build
Assignee: bugs(a)openldap.org
Reporter: ryan(a)openldap.org
Target Milestone: ---
git master fails to build with OpenSSL 0.9.7d:
$ openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937
CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2006-7250
CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 CVE-2009-0590
CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 CVE-2011-4619
CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333)
$ ./configure --with-tls=openssl --disable-slapd && make
[...]
libtool: link: gcc -g -O2 -o apitest apitest.o -L/usr/sfw/lib
./.libs/libldap.a /export/home/ryan/openldap/libraries/liblber/.libs/liblber.a
../../libraries/liblber/.libs/liblber.a ../../libraries/liblutil/liblutil.a
-lsasl -lssl -lcrypto -lresolv -lgen -lnsl -lsocket -R/usr/sfw/lib
Undefined first referenced
symbol in file
EVP_sha256 ./.libs/libldap.a(tls_o.o)
ld: fatal: symbol referencing errors. No output written to apitest
collect2: ld returned 1 exit status
*** Error code 1
The SHA-2 algorithms were first added in OpenSSL 0.9.8.
If the use of EVP_sha256() is to be unconditional, please make configure fail
if an older version is detected, and update the documentation as well (i.e.
admin guide for 2.5).
(This could also be an opportunity to make the CRL feature unconditional;
currently it is enabled only with OpenSSL 0.9.7d or later.)
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugs.openldap.org/show_bug.cgi?id=9239
Bug ID: 9239
Summary: test007 failed on Solaris 10: slapmodify crashed
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ryan(a)openldap.org
Target Milestone: ---
./configure CPPFLAGS=-I/opt/csw/include LDFLAGS="-L/opt/csw/lib -R/opt/csw/lib"
&& make && make check
>>>>> Starting test007-slapmodify for mdb...
running defines.sh
Running slapadd to build slapd database...
Testing modify, add, and delete using slapmodify...
Segmentation Fault - core dumped
slapmodify failed (139)!
>>>>> test007-slapmodify failed for mdb after $(( %s - %s )) seconds
(exit 139)
-bash-3.2$ dbx servers/slapd/slapd tests/core
[...]
program terminated by signal SEGV (no mapping at the fault address)
0xfead646c: strlen+0x000c: movl (%eax),%edx
Current function is lutil_debug
74 len = vsnprintf( buffer+off, sizeof(buffer)-off, fmt, vl );
(dbx) where
[1] strlen(0x0), at 0xfead646c
[2] _ndoprnt(0x823a44b, 0x8046ebc, 0x8045e60, 0x0), at 0xfeb31bce
[3] vsnprintf(0x8045e99, 0xff7, 0x823a430, 0x8046ebc), at 0xfeb34d8f
=>[4] lutil_debug(debug = 16645, level = 1, fmt = 0x823a430 "oc_check_required
entry (%s), objectClass "%s"\n", ... = <value unavailable>, ...), line 74 in
"debug.c"
[5] oc_check_required(e = 0x8534ad4, oc = 0x831a890, ocname = 0x852a1b8),
line 514 in "schema_check.c"
[6] entry_schema_check(op = 0x804718c, e = 0x8534ad4, oldattrs = (nil),
manage = 0, add = 1, socp = (nil), text = 0x80475d0, textbuf = 0x804708c "",
textlen = 256U), line 430 in "schema_check.c"
[7] slap_tool_entry_check(progname = 0x824a964 "slapmodify", op = 0x804718c,
e = 0x8534ad4, lineno = 3, text = 0x80475d0, textbuf = 0x804708c "", textlen =
256U), line 1186 in "slapcommon.c"
[8] slapmodify(argc = 10, argv = 0x8047838), line 446 in "slapmodify.c"
[9] main(argc = 10, argv = 0x8047838), line 670 in "main.c"
(dbx) up
Current function is oc_check_required
514 Debug( LDAP_DEBUG_TRACE,
(dbx) list
514 Debug( LDAP_DEBUG_TRACE,
515 "oc_check_required entry (%s), objectClass \"%s\"\n",
516 e->e_dn, ocname->bv_val );
517
518
519 /* check for empty oc_required */
520 if(oc->soc_required == NULL) {
521 return NULL;
522 }
523
(dbx) print e->e_dn
e->e_dn = (nil)
(dbx) print ocname->bv_val
ocname->bv_val = 0x852a1a0 "OpenLDAPperson"
On other systems, the debug output is:
5ea0dcca oc_check_required entry ((null)), objectClass "OpenLDAPperson"
It appears this version of vsnprintf cannot handle the %s argument being NULL.
--
You are receiving this mail because:
You are on the CC list for the bug.