[Bug 9256] New: The ACLs required for SASL binding are not fully documented
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9256
Bug ID: 9256
Summary: The ACLs required for SASL binding are not fully
documented
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: kop(a)karlpinc.com
Target Milestone: ---
Created attachment 727
--> https://bugs.openldap.org/attachment.cgi?id=727&action=edit
Patch massaging the SASL binding requirement docs
While some ACL requirements for SASL binding are documented, some are not.
E.g, that olcAuthzRegexp requires =x on objectClass when direct DN mapping is
not documented. Other requirements can be reasoned out based on the existing
documentation, but this can be very difficult when unfamiliar with all the
moving parts and the places they are documented. E.g. knowing that
(objectClass=*) is the default filter, and that there's _always_ _some_ filter,
and connecting this with ACLs required to do search-based SASL mapping.
The attached patch brings all the SASL binding requirements together in one
place in the docs and makes everything explicit. The word "SASL" is included,
for those searching for that keyword.
I, Karl O. Pinc, hereby place the following modifications to OpenLDAP Software
(and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
--
You are receiving this mail because:
You are on the CC list for the bug.
1 year, 6 months
[Issue 9731] New: startup messages still go to syslog when logfile-only is on
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9731
Issue ID: 9731
Summary: startup messages still go to syslog when logfile-only
is on
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
When setting logfile-only on, slapd still logs its startup message to syslog:
Oct 29 21:07:47 u18test slapd[18534]: @(#) $OpenLDAP: slapd 2.6.0 (Oct 29 2021
05:12:17) $#012#011openldap
This is useful information to have consolidated into the specified logfile.
Note that:
617c62a3.16f03fdb 0x7f9325ed67c0 slapd starting
does make it to the logfile. However, it would be useful to have the build
date and version in the specified logfile.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 6 months
[Issue 9502] New: Implement TCP_USER_TIMEOUT in meta and asyncmeta
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9502
Issue ID: 9502
Summary: Implement TCP_USER_TIMEOUT in meta and asyncmeta
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: nivanova(a)symas.com
Target Milestone: ---
Implement TCP_USER_TIMEOUT as an option to libldap and as a configuration
option in back-meta and back-asyncmeta
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 7 months
[Bug 9189] New: Add GSSAPI channel-bindings support
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9189
Bug ID: 9189
Summary: Add GSSAPI channel-bindings support
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: iboukris(a)gmail.com
Target Milestone: ---
Recently MS has announce they plan to enforce channel-bindings for LDAP over
TLS (ADV190023).
To support it on client side, we need to pass "tls-endpoint" bindings (RFC
5929) to the SASL plugin, and make use of that in GSSAPI.
See also:
https://github.com/cyrusimap/cyrus-sasl/pull/601
--
You are receiving this mail because:
You are on the CC list for the bug.
1 year, 7 months
[Issue 9350] New: Expand test suite for null base
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9350
Issue ID: 9350
Summary: Expand test suite for null base
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: build
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
Currently we have no tests that use the empty suffix (null base).
This is an entirely valid configuration setup, and there are unique challenges
and bugs that crop up with this usage.
We need to ensure we're covering this use case, particularly with syncrepl and
delta-syncrepl configurations.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 7 months
[Issue 9730] New: logfile-rotate directive fails in 2.6.0
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9730
Issue ID: 9730
Summary: logfile-rotate directive fails in 2.6.0
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: david.coutadeur(a)gmail.com
Target Milestone: ---
Hello,
When setting the logfile-rotate, I get:
617bc9ae.1b73de17 0x7f44f87c9740 /usr/local/openldap/etc/openldap/slapd.conf:
line 12 (logfile-rotate 10 100 24)
617bc9ae.1b759154 0x7f44f87c9740 /usr/local/openldap/etc/openldap/slapd.conf:
line 12: <logfile-rotate> handler exited with 16384!
My configuration file is below. I am using the 2.6.0 release.
The strange part is that the same configuration converted into cn=config seems
to work well.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
logfile-rotate 10 100 24
logfile /var/log/slapd-ltb/slapd.log
logLevel 256
sasl-host ldap.my-domain.com
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
# Load dynamic backend modules:
# moduleload back_ldap.la
modulepath /usr/local/openldap/libexec/openldap
moduleload argon2.la
moduleload back_mdb.la
moduleload dynlist.la
moduleload memberof.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload unique.la
access to dn.base="" by * read
access to dn.base="cn=subschema" by * read
#######################################################################
# config database definitions
#######################################################################
database config
rootdn cn=config
rootpw secret
access to attrs="userPassword"
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth =wdx
by * auth
access to *
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
#######################################################################
# MDB database definitions
#######################################################################
database mdb
maxsize 4294967296
suffix dc=my-domain,dc=com
rootdn cn=Manager,dc=my-domain,dc=com
rootpw secret
directory /usr/local/openldap/var/openldap-data
index objectClass eq
index cn eq,sub
index uid pres,eq
index givenName pres,eq,sub
index l pres,eq
index employeeType pres,eq
index mail pres,eq,sub
index sn pres,eq,sub
limits group="cn=admin,ou=groups,dc=my-domain,dc=com" size=unlimited
time=unlimited
access to attrs="userPassword"
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth =wdx
by group.exact="cn=admin,ou=groups,dc=my-domain,dc=com" =wdx
by self =wdx
by * auth
access to *
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by group.exact="cn=admin,ou=groups,dc=my-domain,dc=com" write
by users read
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 8 months
[Issue 9725] New: attribute olcLastBindPrecision redefined in slapo-lastbind
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9725
Issue ID: 9725
Summary: attribute olcLastBindPrecision redefined in
slapo-lastbind
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: michael(a)stroeder.com
Target Milestone: ---
An attribute type description for 'olcLastBindPrecision' is present in
servers/slapd/bconfig.c and contrib/slapd-modules/lastbind/lastbind.c.
Thus the migration of deployments using slapo-lastbind is not as smooth as it
should be. With release 2.6.0 one is forced to disable slapo-lastbind.
Removing the attribute type description for 'olcLastBindPrecision' from
contrib/slapd-modules/lastbind/lastbind.c should work.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 8 months
[Issue 9647] New: Glue entry creation doesn't replicate properly
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9647
Issue ID: 9647
Summary: Glue entry creation doesn't replicate properly
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
In plain syncrepl, when an entry is turned into glue (to remove it when it
still has children), it won't replicate correctly to its consumers - a
NEW_COOKIE intermediate message is sent instead.
Scenario:
- 4 servers (A, B, C, D) and a tree with two entries - cn=parent,cn=suffix and
its parent, the database suffix
- D replicates from C, C replicates from A and B, no other links set up for
this
Now:
1. add an entry "cn=child,cn=parent,cn=suffix" on A
2. remove "cn=parent,cn=suffix" from B
As things settle, cn=parent,cn=suffix is retained on D while being deleted from
C.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 8 months
[Issue 9728] New: For lastbind-precision, note it is important in busy replicated environments
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9728
Issue ID: 9728
Summary: For lastbind-precision, note it is important in busy
replicated environments
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
It would be good to note in the slapd.conf(5)/slapd-config(5) man pages that
the lastbind-precision setting can be very important to set in busy, replicated
environments.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 8 months
[Issue 9727] New: slapd-watcher fails to start if any slapd instance is down
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9727
Issue ID: 9727
Summary: slapd-watcher fails to start if any slapd instance is
down
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs(a)openldap.org
Reporter: gnoe(a)symas.com
Target Milestone: ---
When starting slapd-watcher and slapd isn't running on one of the monitored
servers, slapd-watcher fails to start:
Example w/host2 slapd not running:
[user@host]# slapd-watcher -xD dc=example,dc=com -w secret -b
dc=example,dc=com -s 1,2 ldap://host1/ ldap://host2/
slapd-watcher PID=11892: ldap_sasl_bind_s: Can't contact LDAP server (-1)
I would expect that slapd-watcher would start up completely and indicate the
host was down, like in the case where a host goes down while slapd-watcher is
running. This would allow slapd-watcher to start when one or more replication
node is down for maintenance.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 8 months