openldap-bugs October 2021

openldap-bugs@openldap.org

1 participants
170 discussions

[Issue 9693] New: Section 9.6 html formatting issue
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9693 Issue ID: 9693 Summary: Section 9.6 html formatting issue Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: mnormann(a)symas.com Target Milestone: --- Section 9.6 of documentation is missing a closing anchor tag and closing title tag (Glued/Subordinate database configurations) -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9689] New: Redundancy in the description of syncprov-nopresent
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9689 Issue ID: 9689 Summary: Redundancy in the description of syncprov-nopresent Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- https://www.openldap.org/devel/admin/replication.html#Set%20up%20the%20prov… says: “““ The nonpresent option **should only be configured if the overlay is being placed on top of a log database**, such as when used with delta-syncrepl. The nonpresent option is configured by the syncprov-nopresent <TRUE|FALSE> directive. This value **should only be set TRUE for a syncprov instance on top of a log database** (such as one managed by the accesslog overlay). The default is FALSE. ””” I think, the circumstances when the option shall be used, are repeated twice. One of the repetitions can be shortened. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9688] New: Is EQ index on entryCSN mandatory for replication?
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9688 Issue ID: 9688 Summary: Is EQ index on entryCSN mandatory for replication? Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- https://www.openldap.org/devel/admin/replication.html says about the EQ index on entryCSN: “On databases which support inequality indexing, setting an eq index on the entryCSN attribute and configuring contextCSN checkpoints will greatly speed up this scanning step.” → The index is recommended, but not mandatory, and not always possible. man 5 slapo-syncprov / https://www.openldap.org/software/man.cgi?query=slapo-syncprov&apropos=0&se… says “On databases that support inequality indexing, it is mandatory to set an eq index on the entryCSN attribute when using this overlay.” Between both documents there is a discrepancy, whether the EQ index is mandatory or not. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9687] New: olcTLSECName is not required in order to use ECDHE-based cipher suites in OpenSSL
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9687 Issue ID: 9687 Summary: olcTLSECName is not required in order to use ECDHE-based cipher suites in OpenSSL Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- SLAPD-CONFIG(5) says that olcTLSECName is used to set the names of the Elliptic Curves. It does not say, that the option is required, nor does it say what happens, when the option is not set. https://www.openldap.org/doc/admin25/tls.html#TLS%20Configuration says for TLSECName: This is required in order to use ECDHE-based cipher suites in OpenSSL. I do not set TLSECName and call ./testssl.sh ldap.aegee.org:636 which prints: Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- TLSv1 (server order) xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLSv1.1 (server order) xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLSv1.2 (server order) xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLSv1.3 (server order) x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448 This means, that when olcTLSECName is not set, OpenSSL defaults are used, and ECDHE-based cipher suites are still offered. testssl.sh can be obtianed from https://github.com/drwetter/testssl.sh . -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 9674] New: Is olcMonitoring enabled by default for MDB?
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9674 Issue ID: 9674 Summary: Is olcMonitoring enabled by default for MDB? Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- The manual page doc/man/man5/slapd-config.5 misses a .TP before .B olcMonitoring. In turn at https://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sekt… olcMonitoring appears in the description of olcMultiProvider . The same man page says, that only MBD supports the olcMonitoring mechanims and the default for olcMonitoring depends on the backend. The documentation for mdb does not say, if olcMonitoring is by default enabled or disabled -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9669] New: Incorrect Heimdal download site in OpenLDAP Administrator's Guide
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9669 Issue ID: 9669 Summary: Incorrect Heimdal download site in OpenLDAP Administrator's Guide Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dewayne.geraghty(a)heuristicsystems.com.au Target Milestone: --- In section 4.2.3 page 18 of latest OpenLDAP 2.5 Admin Guide has Heimdal available from http://www.pdc.kth.se/heimdal/ which is a dead link. The more correct location is https://github.com/heimdal/heimdal (Thank-you for your great software!) -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9646] New: slapd-meta: deprecations in 2.4: “try-propagate is highly deprecated”
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9646 Issue ID: 9646 Summary: slapd-meta: deprecations in 2.4: “try-propagate is highly deprecated” Product: OpenLDAP Version: 2.5.4 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- The upgrade instructions from 2.4 at https://www.openldap.org/doc/admin25/appendix-upgrading.html says > B.4. ldap and meta backends > > Several deprecated configuration directives for slapd-ldap(5) and slapd-meta(5) have been removed. Configurations using those directive must be updated to use supported directives prior to upgrade. See the slapd-ldap(5) and slapd-meta(5) man pages from OpenLDAP 2.4 for a list of deprecated directives. The slapd-meta(5) for 2.4 says at https://www.openldap.org/software/man.cgi?query=slapd-meta&apropos=0&sektio… , when I search for “deprecated”: > tls {[try-]start|[try-]propagate} > The try- prefix instructs the proxy to continue operations if the StartTLS operation failed; its use is highly deprecated. ... > DEPRECATED STATEMENTS > The following statements have been deprecated and should no longer be used. > pseudorootdn <substitute DN in case of rootdn bind> > Use idassert-bind instead. > > pseudorootpw <substitute password in case of rootdn bind> > Use idassert-bind instead. I object the wording “highly deprecated”. It should be “highly discouraged”. With the current wording it is not very clear, whether the try- variants disappeared in 2.5 -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9656] New: slapd (2.5.7) crashes when ppm settings don't exist in the schema
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9656 Issue ID: 9656 Summary: slapd (2.5.7) crashes when ppm settings don't exist in the schema Product: OpenLDAP Version: unspecified Hardware: x86_64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ktmdms(a)gmail.com Target Milestone: --- using ppolicy with ppm causes slapd to crash (2.5.7. I would have selected that as the version but it's not available to be selected) when pwdCheckModuleArg doesn't exist in the schema and/or the full path to ppm.so isn't defined in pwdCheckModule. at the time slapd would crash, pwdCheckModule was set to ppm.so not the full path of /usr/local/libexec/openldap/ppm.so and the pwdCheckModuleArg attribute didn't exist at all. whenever I would attempt to change my user password, slapd would crash. setting the full path and creating and setting the Arg attribute has stopped that behavior but I'm unsure if it was simply added the attribute or some combination of setting the full path, creating the attribute, and populating the attribute. fwiw, the attribute is set as: bWluUXVhbGl0eSA0Cm1heExlbmd0aCAwCmNoZWNrUkROIDEKZm9yYmlkZGVuQ2hhcnMgCmNsYXNz LXVwcGVyQ2FzZSBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWiAxIDEKY2xhc3MtbG93ZXJDYXNl IGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6IDEgMQpjbGFzcy1kaWdpdCAwMTIzNDU2Nzg5IDEg MQpjbGFzcy1zcGVjaWFsIDw+LD87LjovIcKnw7klKsK1XsKoJMKjwrImw6l+IiMneyhbLXzDqGBf XMOnXsOgQCldwrA9fSsgMSAxCgo= -- You are receiving this mail because: You are on the CC list for the issue.

1 23

[Issue 9644] New: provide a man page for ppm
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9644 Issue ID: 9644 Summary: provide a man page for ppm Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: contrib Assignee: bugs(a)openldap.org Reporter: david.coutadeur(a)gmail.com Target Milestone: --- Provide a man page for ppm proposed PR is coming -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 9648] New: 'MAXPATHLEN' undeclared on some systems
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9648 Issue ID: 9648 Summary: 'MAXPATHLEN' undeclared on some systems Product: OpenLDAP Version: 2.5.4 Hardware: All OS: Linux Status: UNCONFIRMED Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: git(a)freundtech.com Target Milestone: --- Created attachment 834 --> https://bugs.openldap.org/attachment.cgi?id=834&action=edit Docker reproduction I'm trying to compile OpenLDAP 2.5.7 on Alpine Linux, but have verified that the problem exists since 2.5.4. Version 2.4.59 compiles correctly with everything else equal. Compilation fails with In file included from ldap-int.h:119, from request.c:53: request.c: In function 'ldap_dump_connection': ../../include/ldap_pvt.h:181:25: error: 'MAXPATHLEN' undeclared (first use in this function) 181 | #define LDAP_IPADDRLEN (MAXPATHLEN + sizeof("PATH=")) | ^~~~~~~~~~ request.c:859:17: note: in expansion of macro 'LDAP_IPADDRLEN' 859 | char from[LDAP_IPADDRLEN]; | ^~~~~~~~~~~~~~ ../../include/ldap_pvt.h:181:25: note: each undeclared identifier is reported only once for each function it appears in 181 | #define LDAP_IPADDRLEN (MAXPATHLEN + sizeof("PATH=")) | ^~~~~~~~~~ request.c:859:17: note: in expansion of macro 'LDAP_IPADDRLEN' 859 | char from[LDAP_IPADDRLEN]; | ^~~~~~~~~~~~~~ make[2]: Leaving directory '/tmp/openldap/libraries/libldap' Thanks to JoBbZ on IRC I found out that including <ac/param.h> in ldap_pvt.h seems to fix the issue. My best guess as to why this fails on Alpine Linux and not on other distributions is that Alpine uses musl instead of glibc as it's libc implementation. I have attacked an (unfinished) dockerfile for reproduction of the issue. -- You are receiving this mail because: You are on the CC list for the issue.

1 17

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs October 2021