[Issue 9750] New: global vs. frontend config in slapd.conf - misleading warning message
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9750
Issue ID: 9750
Summary: global vs. frontend config in slapd.conf - misleading
warning message
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: michael(a)stroeder.com
Target Milestone: ---
Since the fix for ITS#9575 there is this misleading message even when invoking
slapcat:
/opt/openldap-ms/etc/openldap/slapd.conf: line 126: setting password scheme in
the global entry is deprecated. The server may refuse to start if it is
provided by a loadable module, please move it to the frontend database instead
There is currently no way to rearrange something in slapd.conf to make this
confusing message go away.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 4 months
[Issue 9738] New: entry_schema_check: Assertion `a->a_vals[0].bv_val != NULL' failed.
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9738
Issue ID: 9738
Summary: entry_schema_check: Assertion `a->a_vals[0].bv_val !=
NULL' failed.
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: michael(a)stroeder.com
Target Milestone: ---
slapd 2.6.0 exits when an LDAP client sends an add operation with invalid data:
2021-11-04T22:07:36.790594+01:00 itn-dir-1 slapd[32415]: 61844b98.2ef8df5c
0x7fe42d9a6700 Entry (mail=michael(a)stroeder.com,ou=ext,ou=metadir,o=itn):
object class 'itnmetaPerson' requires attribute 'displayName'
2021-11-04T22:07:36.790694+01:00 itn-dir-1 slapd[32415]: slapd:
schema_check.c:89: entry_schema_check: Assertion `a->a_vals[0].bv_val != NULL'
failed.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 4 months
[Issue 9730] New: logfile-rotate directive fails in 2.6.0
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9730
Issue ID: 9730
Summary: logfile-rotate directive fails in 2.6.0
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: david.coutadeur(a)gmail.com
Target Milestone: ---
Hello,
When setting the logfile-rotate, I get:
617bc9ae.1b73de17 0x7f44f87c9740 /usr/local/openldap/etc/openldap/slapd.conf:
line 12 (logfile-rotate 10 100 24)
617bc9ae.1b759154 0x7f44f87c9740 /usr/local/openldap/etc/openldap/slapd.conf:
line 12: <logfile-rotate> handler exited with 16384!
My configuration file is below. I am using the 2.6.0 release.
The strange part is that the same configuration converted into cn=config seems
to work well.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
logfile-rotate 10 100 24
logfile /var/log/slapd-ltb/slapd.log
logLevel 256
sasl-host ldap.my-domain.com
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
# Load dynamic backend modules:
# moduleload back_ldap.la
modulepath /usr/local/openldap/libexec/openldap
moduleload argon2.la
moduleload back_mdb.la
moduleload dynlist.la
moduleload memberof.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload unique.la
access to dn.base="" by * read
access to dn.base="cn=subschema" by * read
#######################################################################
# config database definitions
#######################################################################
database config
rootdn cn=config
rootpw secret
access to attrs="userPassword"
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth =wdx
by * auth
access to *
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
#######################################################################
# MDB database definitions
#######################################################################
database mdb
maxsize 4294967296
suffix dc=my-domain,dc=com
rootdn cn=Manager,dc=my-domain,dc=com
rootpw secret
directory /usr/local/openldap/var/openldap-data
index objectClass eq
index cn eq,sub
index uid pres,eq
index givenName pres,eq,sub
index l pres,eq
index employeeType pres,eq
index mail pres,eq,sub
index sn pres,eq,sub
limits group="cn=admin,ou=groups,dc=my-domain,dc=com" size=unlimited
time=unlimited
access to attrs="userPassword"
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth =wdx
by group.exact="cn=admin,ou=groups,dc=my-domain,dc=com" =wdx
by self =wdx
by * auth
access to *
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by group.exact="cn=admin,ou=groups,dc=my-domain,dc=com" write
by users read
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 4 months
[Issue 9725] New: attribute olcLastBindPrecision redefined in slapo-lastbind
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9725
Issue ID: 9725
Summary: attribute olcLastBindPrecision redefined in
slapo-lastbind
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: michael(a)stroeder.com
Target Milestone: ---
An attribute type description for 'olcLastBindPrecision' is present in
servers/slapd/bconfig.c and contrib/slapd-modules/lastbind/lastbind.c.
Thus the migration of deployments using slapo-lastbind is not as smooth as it
should be. With release 2.6.0 one is forced to disable slapo-lastbind.
Removing the attribute type description for 'olcLastBindPrecision' from
contrib/slapd-modules/lastbind/lastbind.c should work.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 4 months
[Issue 9647] New: Glue entry creation doesn't replicate properly
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9647
Issue ID: 9647
Summary: Glue entry creation doesn't replicate properly
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
In plain syncrepl, when an entry is turned into glue (to remove it when it
still has children), it won't replicate correctly to its consumers - a
NEW_COOKIE intermediate message is sent instead.
Scenario:
- 4 servers (A, B, C, D) and a tree with two entries - cn=parent,cn=suffix and
its parent, the database suffix
- D replicates from C, C replicates from A and B, no other links set up for
this
Now:
1. add an entry "cn=child,cn=parent,cn=suffix" on A
2. remove "cn=parent,cn=suffix" from B
As things settle, cn=parent,cn=suffix is retained on D while being deleted from
C.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 4 months
[Issue 9758] New: slapd-sock cn=config issues
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9758
Issue ID: 9758
Summary: slapd-sock cn=config issues
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
This module has multiple issues with cn=config processing:
- empty/missing sockdnpat can trigger an assert
- adding multiple olcDbSocketExtensions/olcOvSocketOps/olcOvSocketResps does
not work as expected, deletes are also broken
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 4 months
[Issue 9740] New: olcPPolicyCheckModule not working in 2.6.0
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9740
Issue ID: 9740
Summary: olcPPolicyCheckModule not working in 2.6.0
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: david.coutadeur(a)gmail.com
Target Milestone: ---
Following: https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the
olcPPolicyCheckModule directive in the overlay configuration, instead of the
pwdCheckModule in the password policy.
I have 3 remarks:
1/ it's a pity we can't define the chosen module in the corresponding ppolicy.
It prevents having multiple extension to password policies (one for each
policy)
2/ it does not seem to work. (ie the extended module is not launched). See
below for my config and data.
3/ the slapo-ppolicy is quite unclear about the configuration. For example, I
can read:
( 1.3.6.1.4.1.4754.2.99.1
NAME 'pwdPolicyChecker'
AUXILIARY
SUP top
MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) )
Does pwdCheckModule and pwdUseCheckModule still have sense?
Here is my configuration:
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,dc=my-domain,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
olcPPolicyDisableWrite: FALSE
olcPPolicySendNetscapeControls: FALSE
olcPPolicyCheckModule: /usr/local/openldap/libexec/openldap/ppm.so
Here are my data:
dn: cn=default,ou=ppolicies,dc=my-domain,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMaxAge: 7776000
pwdInHistory: 5
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 86400
pwdMinLength: 8
pwdMaxLength: 30
pwdExpireWarning: 432000
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdMaxIdle: 31536000
pwdCheckModuleArg:
bWluUXVhbGl0eSAzCmNoZWNrUkROIDAKZm9yYmlkZGVuQ2hhcnMKbWF4Q29uc2VjdXRpdmVQZXJDbGFzcyAwCnVzZUNyYWNrbGliIDAKY3JhY2tsaWJEaWN0IC92YXIvY2FjaGUvY3JhY2tsaWIvY3JhY2tsaWJfZGljdApjbGFzcy11cHBlckNhc2UgQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVogMCAxCmNsYXNzLWxvd2VyQ2FzZSBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiAwIDEKY2xhc3MtZGlnaXQgMDEyMzQ1Njc4OSAwIDEKY2xhc3Mtc3BlY2lhbCA8Piw/Oy46LyHCp8O5JSrCtV7CqCTCo8KyJsOpfiIjJ3soWy18w6hgX1zDp17DoEApXcKwPX0rIDAgMQ==
dn: uid=jack.oneill,ou=people,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Jack O Neill
givenName: Jack
mail: jack.oneill(a)my-example.com
sn: O Neill
uid: jack.oneill
userPassword:
{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$LiSaGIqce9o2C6T8d2BOfg$BpPpokTfKY9/X7/jkvG1SXBcsNnm95UbTGSstc2aHKk
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 4 months
[Issue 9743] New: LDAP_OPT_SOCKET_BIND_ADDRESSES - sin_port is not initialized
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9743
Issue ID: 9743
Summary: LDAP_OPT_SOCKET_BIND_ADDRESSES - sin_port is not
initialized
Product: OpenLDAP
Version: 2.5.6
Hardware: All
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: dg0319q(a)gmail.com
Target Milestone: ---
When LDAP_OPT_SOCKET_BIND_ADDRESSES is set, and ldap_search_s is being called,
valgrind detects uninitialised value (ip4addr.sin_port).
Valgrind log:
=52721== Syscall param socketcall.bind(my_addr.sin_port) points to
uninitialised byte(s)
==52721== at 0x54C7F2B: bind (syscall-template.S:120)
==52721== by 0x52434A5: ldap_connect_to_host (in
/usr/lib/x86_64-linux-gnu/libldap-2.5.so.0.1.1)
==52721== by 0x52352CD: ldap_int_open_connection (in
/usr/lib/x86_64-linux-gnu/libldap-2.5.so.0.1.1)
==52721== by 0x524875B: ldap_new_connection (in
/usr/lib/x86_64-linux-gnu/libldap-2.5.so.0.1.1)
==52721== by 0x523494D: ldap_open_defconn (in
/usr/lib/x86_64-linux-gnu/libldap-2.5.so.0.1.1)
==52721== by 0x52493F7: ldap_send_initial_request (in
/usr/lib/x86_64-linux-gnu/libldap-2.5.so.0.1.1)
==52721== by 0x52387E7: ldap_search (in
/usr/lib/x86_64-linux-gnu/libldap-2.5.so.0.1.1)
==52721== by 0x52388AD: ldap_search_s (in
/usr/lib/x86_64-linux-gnu/libldap-2.5.so.0.1.1)
==52721== by 0x28565F: check_ldap (simple.c:83)
==52721== Address 0x1ffeff6122 is on thread 1's stack
==52721== in frame #1, created by ldap_connect_to_host (???:)
==52721== Uninitialised value was created by a stack allocation
==52721== at 0x5242DE0: ldap_connect_to_host (in
/usr/lib/x86_64-linux-gnu/libldap-2.5.so.0.1.1)
Looks like, the ip4addr.sin_port should be set to 0 in ldap_connect_to_host. It
works, but it looks like it is a bug, and may fail under other circumstances.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 4 months
[Issue 9728] New: For lastbind-precision, note it is important in busy replicated environments
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9728
Issue ID: 9728
Summary: For lastbind-precision, note it is important in busy
replicated environments
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
It would be good to note in the slapd.conf(5)/slapd-config(5) man pages that
the lastbind-precision setting can be very important to set in busy, replicated
environments.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 4 months
[Issue 9727] New: slapd-watcher fails to start if any slapd instance is down
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9727
Issue ID: 9727
Summary: slapd-watcher fails to start if any slapd instance is
down
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs(a)openldap.org
Reporter: gnoe(a)symas.com
Target Milestone: ---
When starting slapd-watcher and slapd isn't running on one of the monitored
servers, slapd-watcher fails to start:
Example w/host2 slapd not running:
[user@host]# slapd-watcher -xD dc=example,dc=com -w secret -b
dc=example,dc=com -s 1,2 ldap://host1/ ldap://host2/
slapd-watcher PID=11892: ldap_sasl_bind_s: Can't contact LDAP server (-1)
I would expect that slapd-watcher would start up completely and indicate the
host was down, like in the case where a host goes down while slapd-watcher is
running. This would allow slapd-watcher to start when one or more replication
node is down for maintenance.
--
You are receiving this mail because:
You are on the CC list for the issue.
1 year, 4 months