January 2022 - openldap-bugs

[Issue 8255] slapd-sock: response parsing in str2result() is broken

by openldap-its＠openldap.org

https://bugs.openldap.org/show_bug.cgi?id=8255 --- Comment #6 from Ondřej Kuzník <ondra(a)mistotebe.net> --- str2result() doesn't expect "msgid:" to be passed in the response, even though that's part of the protocol as documented. Now that back-sock is its only user, it should just be added. -- You are receiving this mail because: You are on the CC list for the issue.

5 months, 1 week

1
0
0 / 0

[Issue 9793] New: Question regarding password dictionary rules for when a user changes their password.

by openldap-its＠openldap.org

https://bugs.openldap.org/show_bug.cgi?id=9793 Issue ID: 9793 Summary: Question regarding password dictionary rules for when a user changes their password. Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: alan_andrea(a)yahoo.com Target Milestone: --- I have a question regarding password rules that are enforced when a user changes their password. We have a need to implement a dictionary rule whereby words and phrases in a dictionary are not allowed in a users password. I am not able to see currently where such functionality exists in OpenLDAP and am wondering if there are any extensions to OPenLDAP that were developed to support this or if it would be required to write code to support this feature. If you can please give me some guidelines here, that would be really great ! -- You are receiving this mail because: You are on the CC list for the issue.

5 months, 1 week

1
2
0 / 0

[Issue 9742] New: syncprov-nopresent is harmful

by openldap-its＠openldap.org

https://bugs.openldap.org/show_bug.cgi?id=9742 Issue ID: 9742 Summary: syncprov-nopresent is harmful Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- If setting up a new delta-MPR environment such that: - server A has been slapadd-ed the seed data - accesslog is set to "logops all" There is a sequence of events where servers are started and replicate from each other before they get a chance to talk to A, they will each generate a CSN and replicate it. Once they start talking to A, it will see that it has a CSN (its own) that none of them have sent and "syncprov-nopresent" makes it just go ahead where the only sane outcome is to send SYNC_REFRESH_REQUIRED. Am I missing a usecase for this or should it just have been this way all along? -- You are receiving this mail because: You are on the CC list for the issue.

5 months, 1 week

1
13
0 / 0

[Issue 9750] New: global vs. frontend config in slapd.conf - misleading warning message

by openldap-its＠openldap.org

https://bugs.openldap.org/show_bug.cgi?id=9750 Issue ID: 9750 Summary: global vs. frontend config in slapd.conf - misleading warning message Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- Since the fix for ITS#9575 there is this misleading message even when invoking slapcat: /opt/openldap-ms/etc/openldap/slapd.conf: line 126: setting password scheme in the global entry is deprecated. The server may refuse to start if it is provided by a loadable module, please move it to the frontend database instead There is currently no way to rearrange something in slapd.conf to make this confusing message go away. -- You are receiving this mail because: You are on the CC list for the issue.

5 months, 2 weeks

1
5
0 / 0

[Issue 9738] New: entry_schema_check: Assertion `a->a_vals[0].bv_val != NULL' failed.

by openldap-its＠openldap.org

https://bugs.openldap.org/show_bug.cgi?id=9738 Issue ID: 9738 Summary: entry_schema_check: Assertion `a->a_vals[0].bv_val != NULL' failed. Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- slapd 2.6.0 exits when an LDAP client sends an add operation with invalid data: 2021-11-04T22:07:36.790594+01:00 itn-dir-1 slapd[32415]: 61844b98.2ef8df5c 0x7fe42d9a6700 Entry (mail=michael(a)stroeder.com,ou=ext,ou=metadir,o=itn): object class 'itnmetaPerson' requires attribute 'displayName' 2021-11-04T22:07:36.790694+01:00 itn-dir-1 slapd[32415]: slapd: schema_check.c:89: entry_schema_check: Assertion `a->a_vals[0].bv_val != NULL' failed. -- You are receiving this mail because: You are on the CC list for the issue.

5 months, 2 weeks

1
13
0 / 0

[Issue 9730] New: logfile-rotate directive fails in 2.6.0

by openldap-its＠openldap.org

https://bugs.openldap.org/show_bug.cgi?id=9730 Issue ID: 9730 Summary: logfile-rotate directive fails in 2.6.0 Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: david.coutadeur(a)gmail.com Target Milestone: --- Hello, When setting the logfile-rotate, I get: 617bc9ae.1b73de17 0x7f44f87c9740 /usr/local/openldap/etc/openldap/slapd.conf: line 12 (logfile-rotate 10 100 24) 617bc9ae.1b759154 0x7f44f87c9740 /usr/local/openldap/etc/openldap/slapd.conf: line 12: <logfile-rotate> handler exited with 16384! My configuration file is below. I am using the 2.6.0 release. The strange part is that the same configuration converted into cn=config seems to work well. # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap/etc/openldap/schema/dyngroup.schema logfile-rotate 10 100 24 logfile /var/log/slapd-ltb/slapd.log logLevel 256 sasl-host ldap.my-domain.com pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args # Load dynamic backend modules: # moduleload back_ldap.la modulepath /usr/local/openldap/libexec/openldap moduleload argon2.la moduleload back_mdb.la moduleload dynlist.la moduleload memberof.la moduleload ppolicy.la moduleload syncprov.la moduleload unique.la access to dn.base="" by * read access to dn.base="cn=subschema" by * read ####################################################################### # config database definitions ####################################################################### database config rootdn cn=config rootpw secret access to attrs="userPassword" by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth =wdx by * auth access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage ####################################################################### # MDB database definitions ####################################################################### database mdb maxsize 4294967296 suffix dc=my-domain,dc=com rootdn cn=Manager,dc=my-domain,dc=com rootpw secret directory /usr/local/openldap/var/openldap-data index objectClass eq index cn eq,sub index uid pres,eq index givenName pres,eq,sub index l pres,eq index employeeType pres,eq index mail pres,eq,sub index sn pres,eq,sub limits group="cn=admin,ou=groups,dc=my-domain,dc=com" size=unlimited time=unlimited access to attrs="userPassword" by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth =wdx by group.exact="cn=admin,ou=groups,dc=my-domain,dc=com" =wdx by self =wdx by * auth access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by group.exact="cn=admin,ou=groups,dc=my-domain,dc=com" write by users read -- You are receiving this mail because: You are on the CC list for the issue.

5 months, 2 weeks

1
5
0 / 0

[Issue 9725] New: attribute olcLastBindPrecision redefined in slapo-lastbind

by openldap-its＠openldap.org

https://bugs.openldap.org/show_bug.cgi?id=9725 Issue ID: 9725 Summary: attribute olcLastBindPrecision redefined in slapo-lastbind Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- An attribute type description for 'olcLastBindPrecision' is present in servers/slapd/bconfig.c and contrib/slapd-modules/lastbind/lastbind.c. Thus the migration of deployments using slapo-lastbind is not as smooth as it should be. With release 2.6.0 one is forced to disable slapo-lastbind. Removing the attribute type description for 'olcLastBindPrecision' from contrib/slapd-modules/lastbind/lastbind.c should work. -- You are receiving this mail because: You are on the CC list for the issue.

5 months, 2 weeks

1
10
0 / 0

[Issue 9647] New: Glue entry creation doesn't replicate properly

by openldap-its＠openldap.org

https://bugs.openldap.org/show_bug.cgi?id=9647 Issue ID: 9647 Summary: Glue entry creation doesn't replicate properly Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- In plain syncrepl, when an entry is turned into glue (to remove it when it still has children), it won't replicate correctly to its consumers - a NEW_COOKIE intermediate message is sent instead. Scenario: - 4 servers (A, B, C, D) and a tree with two entries - cn=parent,cn=suffix and its parent, the database suffix - D replicates from C, C replicates from A and B, no other links set up for this Now: 1. add an entry "cn=child,cn=parent,cn=suffix" on A 2. remove "cn=parent,cn=suffix" from B As things settle, cn=parent,cn=suffix is retained on D while being deleted from C. -- You are receiving this mail because: You are on the CC list for the issue.

5 months, 2 weeks

1
12
0 / 0

[Issue 9758] New: slapd-sock cn=config issues

by openldap-its＠openldap.org

https://bugs.openldap.org/show_bug.cgi?id=9758 Issue ID: 9758 Summary: slapd-sock cn=config issues Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- This module has multiple issues with cn=config processing: - empty/missing sockdnpat can trigger an assert - adding multiple olcDbSocketExtensions/olcOvSocketOps/olcOvSocketResps does not work as expected, deletes are also broken -- You are receiving this mail because: You are on the CC list for the issue.

5 months, 2 weeks

1
5
0 / 0

[Issue 9740] New: olcPPolicyCheckModule not working in 2.6.0

by openldap-its＠openldap.org

https://bugs.openldap.org/show_bug.cgi?id=9740 Issue ID: 9740 Summary: olcPPolicyCheckModule not working in 2.6.0 Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: david.coutadeur(a)gmail.com Target Milestone: --- Following: https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the olcPPolicyCheckModule directive in the overlay configuration, instead of the pwdCheckModule in the password policy. I have 3 remarks: 1/ it's a pity we can't define the chosen module in the corresponding ppolicy. It prevents having multiple extension to password policies (one for each policy) 2/ it does not seem to work. (ie the extended module is not launched). See below for my config and data. 3/ the slapo-ppolicy is quite unclear about the configuration. For example, I can read: ( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' AUXILIARY SUP top MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) ) Does pwdCheckModule and pwdUseCheckModule still have sense? Here is my configuration: dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {0}ppolicy olcPPolicyDefault: cn=default,ou=ppolicies,dc=my-domain,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: FALSE olcPPolicyForwardUpdates: FALSE olcPPolicyDisableWrite: FALSE olcPPolicySendNetscapeControls: FALSE olcPPolicyCheckModule: /usr/local/openldap/libexec/openldap/ppm.so Here are my data: dn: cn=default,ou=ppolicies,dc=my-domain,dc=com objectClass: pwdPolicy objectClass: pwdPolicyChecker objectClass: organizationalRole cn: default pwdAttribute: userPassword pwdCheckQuality: 2 pwdMaxAge: 7776000 pwdInHistory: 5 pwdLockout: TRUE pwdMaxFailure: 5 pwdFailureCountInterval: 86400 pwdMinLength: 8 pwdMaxLength: 30 pwdExpireWarning: 432000 pwdMustChange: TRUE pwdAllowUserChange: TRUE pwdMaxIdle: 31536000 pwdCheckModuleArg: bWluUXVhbGl0eSAzCmNoZWNrUkROIDAKZm9yYmlkZGVuQ2hhcnMKbWF4Q29uc2VjdXRpdmVQZXJDbGFzcyAwCnVzZUNyYWNrbGliIDAKY3JhY2tsaWJEaWN0IC92YXIvY2FjaGUvY3JhY2tsaWIvY3JhY2tsaWJfZGljdApjbGFzcy11cHBlckNhc2UgQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVogMCAxCmNsYXNzLWxvd2VyQ2FzZSBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiAwIDEKY2xhc3MtZGlnaXQgMDEyMzQ1Njc4OSAwIDEKY2xhc3Mtc3BlY2lhbCA8Piw/Oy46LyHCp8O5JSrCtV7CqCTCo8KyJsOpfiIjJ3soWy18w6hgX1zDp17DoEApXcKwPX0rIDAgMQ== dn: uid=jack.oneill,ou=people,dc=my-domain,dc=com objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top cn: Jack O Neill givenName: Jack mail: jack.oneill(a)my-example.com sn: O Neill uid: jack.oneill userPassword: {ARGON2}$argon2id$v=19$m=65536,t=2,p=1$LiSaGIqce9o2C6T8d2BOfg$BpPpokTfKY9/X7/jkvG1SXBcsNnm95UbTGSstc2aHKk -- You are receiving this mail because: You are on the CC list for the issue.

5 months, 2 weeks

1
10
0 / 0

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs January 2022