https://bugs.openldap.org/show_bug.cgi?id=9433
Issue ID: 9433
Summary: ldapsearch -Z fails to continue when StartTLS fails
Product: OpenLDAP
Version: 2.4.56
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs(a)openldap.org
Reporter: simon.pichugin(a)gmail.com
Target Milestone: ---
Created attachment 783
--> https://bugs.openldap.org/attachment.cgi?id=783&action=edit
ldapsearch debug log
When -Z is passed to an OpenLDAP utility, it will try to establish a TLS
connection with StartTLS, and in case it fails to do so it should continue
without the TLS layer.
OpenLDAP version:
openldap-2.4.56-4.fc34.x86_64 (but it also doesn't work on older versions)
How reproducible:
Always
Steps to Reproduce:
1. Run `ldapsearch ...' against a server and see successful operation result.
2. Run `ldapsearch -Z ...' against a server whose certificate is not trusted
(e.g. a hostname mismatch) and observe it fails to connect as in point 1.
Actual results:
~~~
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
# and it hangs there
~~~
Expected results:
The line
~~~
ldap_result: Can't contact LDAP server (-1)
~~~
is not present and the utility successfully continues with plain LDAP protocol
as expected.
Additional info:
I'm attaching a full debug log (-d -1) to this bug.
--
You are receiving this mail because:
You are on the CC list for the issue.
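An added example, not part of the bug report or of OpenLDAP's code: ldapsearch(1) documents `-Z` as issuing StartTLS and `-ZZ` as requiring the operation to succeed, so the continue-on-failure behaviour discussed in issue 9433 applies only to the single `-Z` form and leaves the session in cleartext. The Python below classifies ldapsearch command lines by that flag so that scripts relying on the fallback can be found; the function names and the sample lines are assumptions made for illustration.

```python
import os
import shlex
# Option letters that take a value in the ldapsearch(1) synopsis; their values
# are skipped so a 'Z' inside a DN, URI or filter is not counted as -Z.
OPTS_WITH_VALUE = set("dTFSbsalzfDwyHhpPeEoOURXY")

def starttls_mode(command_line):
    """Classify one command line; None when it is not an ldapsearch call."""
    try:
        tokens = shlex.split(command_line, comments=True)
    except ValueError:          # unbalanced quotes
        return None
    names = [os.path.basename(t) for t in tokens]
    if "ldapsearch" not in names:
        return None
    args = tokens[names.index("ldapsearch") + 1:]
    z_count, uri, i = 0, "", 0
    while i < len(args):
        tok = args[i]
        i += 1
        if tok == "--":
            break
        if len(tok) < 2 or not tok.startswith("-"):
            continue            # search filter or attribute name
        for pos, letter in enumerate(tok[1:], start=1):
            if letter in OPTS_WITH_VALUE:
                value = tok[pos + 1:]
                if not value and i < len(args):
                    value, i = args[i], i + 1
                if letter == "H":
                    uri = value
                break
            if letter == "Z":   # the tool counts repeats: -Z -Z acts as -ZZ
                z_count += 1
    if uri.lower().startswith("ldaps://"):
        return "ldaps"          # TLS from connect, StartTLS not involved
    return ("none", "opportunistic", "required")[min(z_count, 2)]

def audit(lines):
    """List (line number, mode) for invocations that may run in cleartext."""
    modes = ((n, starttls_mode(l)) for n, l in enumerate(lines, start=1))
    return [(n, m) for n, m in modes if m in ("none", "opportunistic")]
# Constructed sample lines; ldap.example.com is a placeholder host.
SAMPLE = [
    'ldapsearch -x -H ldap://ldap.example.com -Z -b dc=example,dc=com "(uid=a)"',
    'ldapsearch -x -ZZ -H ldap://ldap.example.com -b dc=example,dc=com',
    '/usr/bin/ldapsearch -xZ -D "cn=Zed,dc=example,dc=com" -W -b dc=example,dc=com',
    'ldapsearch -x -H ldaps://ldap.example.com -b "ou=Zone,dc=example,dc=com"',
]
```

`audit(SAMPLE)` reports lines 1 and 3, the two invocations that use a single `-Z`.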
https://bugs.openldap.org/show_bug.cgi?id=9199
Bug ID: 9199
Summary: Disable IPv6 makes listener work on IP address but
hostname or localhost
Product: OpenLDAP
Version: 2.4.49
Hardware: All
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: st-wong(a)cuhk.edu.hk
Target Milestone: ---
Hi,
We're compiling 2.4.49 on CentOS8.
Make test fails at "test000-rootdse" with error Can't contact LDAP server.
Debug log shows error "Address already in use".
We're quite sure the port (9011) is not in use.
Starting slapd with test command verified the error:
../servers/slapd/slapd -f testrun/slapd.1.conf -h ldap://localhost:9011
Found that it's okay to start slapd if listener URL is using IP address
instead.
Checked ldap_url_parse* call may not work as expected with V6 disabled
(configure option --disable-ipv6).
Re-do configuration and make without "--disable-ipv6" works as expected.
Would you help? Thanks.
https://bugs.openldap.org/show_bug.cgi?id=8977
Howard Chu <hyc(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|CONFIRMED |RESOLVED
Resolution|--- |TEST
https://bugs.openldap.org/show_bug.cgi?id=8977
--- Comment #14 from Howard Chu <hyc(a)openldap.org> ---
(In reply to Quanah Gibson-Mount from comment #8)
> --On Thursday, June 27, 2019 8:56 PM +0000 quanah(a)symas.com wrote:
>
> > --On Thursday, June 27, 2019 8:35 PM +0000 hyc(a)symas.com wrote:
> >
> >> No, because order is irrelevant for these.
> >
> > Cool, thanks! I'll continue on with deeper testing then. :)
>
> Given the current implementation of OpenLDAP, this feature is impossible to
> use w/o recompiling OpenLDAP when a change to the IDL size is made. This
> is because LDAP_PVT_THREAD_STACK_SIZE must be adjusted as well and that
> requires a recompile.
This is actually not correct. The stack size was only required because
IDLs were of constant size and some were allocated on the stack. But with
this patch, since IDL sizes are variable they must all be dynamically
allocated using ch_malloc, and so has no impact on the stack any more.
https://bugs.openldap.org/show_bug.cgi?id=7509
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|2.5.3 |---
Keywords|OL_2_5_REQ |
Status|RESOLVED |VERIFIED
https://bugs.openldap.org/show_bug.cgi?id=7425
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED
Target Milestone|2.5.3 |---
https://bugs.openldap.org/show_bug.cgi?id=7129
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED
Target Milestone|2.5.3 |---
https://bugs.openldap.org/show_bug.cgi?id=7036
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|OL_2_5_REQ |
Target Milestone|2.5.3 |---
Status|RESOLVED |VERIFIED
https://bugs.openldap.org/show_bug.cgi?id=6277
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|2.5.3 |---
Keywords|OL_2_5_REQ |
Status|RESOLVED |VERIFIED