openldap-bugs February 2022

openldap-bugs@openldap.org

1 participants
109 discussions

[Issue 9791] New: Build failure with certain disabled features in openssl
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9791 Issue ID: 9791 Summary: Build failure with certain disabled features in openssl Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: orgads(a)gmail.com Target Milestone: --- If openssl is configured with either OPENSSL_NO_MD4 or OPENSSL_NO_MD5 the build fails. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9794] New: Define behaviour for pwdChangedTime modifications
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9794 Issue ID: 9794 Summary: Define behaviour for pwdChangedTime modifications Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: david.coutadeur(a)gmail.com Target Milestone: --- This issue applies to: - draft-behera-ldap-password-policy - openldap 2.5 - openldap 2.6 It is a proposition of behaviour for pwdChangedTime modifications. modification of the draft: -------------------------- In section: "8.2.7. Policy State Updates", change this paragraph: If the value of either pwdMaxAge or pwdMinAge is non-zero, the server updates the pwdChangedTime attribute on the entry to the current time. into: If the value of either pwdMaxAge or pwdMinAge is non-zero, the server MUST update the pwdChangedTime attribute on the entry according to this workflow: Then insert a new paragraph: - if the current operation (add or modify) on the password includes adding or modifying a valid pwdChangedTime attribute, then use this pwdChangedTime. A "Valid" pwdChangedTime means a syntactically correct value, compliant with the schema, approved by access rules, and MAY require a relax control according to the schema defined in section 5.3.2. See Relax control RFC for more information: https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax - an invalid pwdChangedTime value MUST result in an error, and the pwdChangedTime MUST NOT be stored - in any other case, compute the current date and store it in a GeneralizedTime format Feel free to comment or propose other ideas. modification of the code: -------------------------- If this behaviour makes a consensus, it would be useful to patch both OpenLDAP 2.5 and 2.6. NOTE: current OpenLDAP 2.5 allows modifying pwdChangedTime alone, but fails to add a user with both userPassword and pwdChangedTime (it results in a duplicated pwdChangedTime error) modification of the documentation: ---------------------------------- In slapo-ppolicy, it can be useful to add a comment in "OPERATIONAL ATTRIBUTES" section: Every attribute defined as "NO-USER-MODIFICATION" SHOULD not be written by standard users. If needed, an administrator MAY modify them with the relax control. See Relax control RFC for more information: https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax -- You are receiving this mail because: You are on the CC list for the issue.

1 12

[Issue 9620] New: back-monitor: search can access a persistent entry freed in the meantime
by openldap-its＠openldap.org 25 Apr '22

25 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9620 Issue ID: 9620 Summary: back-monitor: search can access a persistent entry freed in the meantime Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- With ITS#9600 there is now code that adds and removes "persistent" monitor entries outside a server pause. A concurrent cn=monitor search lists all children first and sends them later - monitor is happy to free some of them in the meantime. It seems to me that the monitor cache should be protected by a rw mutex instead, which would be held for reading while a search is happening. -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 9784] New: Adding our OpenLDAP support services
by openldap-its＠openldap.org 12 Apr '22

12 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9784 Issue ID: 9784 Summary: Adding our OpenLDAP support services Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: contact(a)linuxstans.com Target Milestone: --- Hi, We offer OpenLDAP support and we'd really appreciate it if you can add our details to your support page https://www.openldap.org/support/ Here are the details: <a href="https://linuxstans.com/support/">Linux Stans</a> - USA Provides installation, configuration, maintenance, and 24/7 support services for OpenLDAP. Let me know if you need more info. Thanks! -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9497] New: back-ldif: test022-ppolicy failure
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9497 Issue ID: 9497 Summary: back-ldif: test022-ppolicy failure Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: hamano(a)osstech.co.jp Target Milestone: --- The test022-ppolicy with back-ldif fail for two issue. 1. too short pwdMaxAge ~~~ $ ./run -b ldif test022-ppolicy (snip) Testing password expiration Waiting seconds for password to expire... sleep: missing operand Try 'sleep --help' for more information. Password expiration test failed ~~~ The script tries test for lockout and then a test for password expiration. It will fail if the password has expired(pwdMaxAge: 30) by the time it starts the password expiration test. This is a timing issue and not directly caused by back-ldif. However, the issue is reproduced only with back-ldif in my environment. This test passed in my environment by extending pwdMaxAge by 5 seconds, but there may be a better way. 2. duplicate ldap control response ~~~ Reconfiguring policy to remove grace logins... Clearing forced reset... expr: syntax error: unexpected argument '15' Testing password expiration Waiting seconds for password to expire... sleep: missing operand Try 'sleep --help' for more information. ~~~ This is back-ldif issue. back-ldif responds duplicate ldap control response. -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 9798] New: Clearing pending ops on Bind
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9798 Issue ID: 9798 Summary: Clearing pending ops on Bind Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Some context first. The only universal way of reset an arbitrary (SASL) bind in progress, at least in my reading of RFC4511 is to send an anonymous bind op, so that's what the load balancer does when needed (the client goes away, etc.). Incidentally, this is also what the balancer chooses to do when the pending bind needs to be "abandoned" when the backend doesn't respond within a configured timeout. That's skating the edge of what RFC4511 allows, probably just past it. The issue: When slapd receives a bind and another operation X (lloadd sends the above mentioned "reset" bind) before that first bind starts processing, X gets added into conn->c_ops_pending and does c_n_pending_ops++. Bind then eventually invokes connection_abandon which forgets to zero out c_n_pending_ops and the connection remains unusable forever. On the surface that's trivial to fix and a fix is coming. On the other hand, operation X in the pending list is actually discarded too, so that kind of defeats the idea of trying to "abandon" the original bind and completely reset the connection state. Question is, do we want to retain the last bind in the pending list or does the balancer have to destroy the connection unconditionally when a bind times out? -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9748] New: Deleted values of pwdFailureTime seem to reappear
by openldap-its＠openldap.org 03 Mar '22

03 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9748 Issue ID: 9748 Summary: Deleted values of pwdFailureTime seem to reappear Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Created attachment 854 --> https://bugs.openldap.org/attachment.cgi?id=854&action=edit accesslog for uid=dm01-R2H2-956,ou=People,dc=example,dc=com Somehow, ppolicy seems to be able to reference values of pwdFailureTime that had been deleted before the actual bind even started. In the attached accesslog, trace, deletion of everything (including "20211115154510.478330Z") is recorded from reqSession: 3, then a bind comes in and the same value is explicitly removed again. -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Issue 9800] New: ACL with set.expand in <who> clause does not work with deref control
by openldap-its＠openldap.org 03 Mar '22

03 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9800 Issue ID: 9800 Summary: ACL with set.expand in <who> clause does not work with deref control Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- This ACL returns correct values with a normal search requesting the attribute sudoUser: access to dn.subtree="ou=ae-dir" attrs=sudoUser val.regex="^%(.+)$" by set.expand="(user/-1 | user/aeSrvGroup)/aeLoginGroups & [ldap:///ou=ae-dir?entryDN?sub?(&(objectClass=aeGroup)(aeStatus=0)(cn=${v1}))]/entryDN" read by * none But it does not work with a search like this using deref control: ldapsearch -Q -E deref=aeVisibleSudoers:cn,sudoUser '(objectClass=aeSrvGroup)' For completeness see docs and schema for aeSrvGroup: https://www.ae-dir.com/docs.html#schema-oc-aeSrvGroup https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/master/fi… -- You are receiving this mail because: You are on the CC list for the issue.

1 1

[Issue 7335] Create process for updating man pages to handle both cn=config and slapd.conf configurations
by openldap-its＠openldap.org 28 Feb '22

28 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=7335 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.6.2 |2.7.0 Assignee|hyc(a)openldap.org |bugs(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Bug 9256] New: The ACLs required for SASL binding are not fully documented
by openldap-its＠openldap.org 28 Feb '22

28 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=9256 Bug ID: 9256 Summary: The ACLs required for SASL binding are not fully documented Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: kop(a)karlpinc.com Target Milestone: --- Created attachment 727 --> https://bugs.openldap.org/attachment.cgi?id=727&action=edit Patch massaging the SASL binding requirement docs While some ACL requirements for SASL binding are documented, some are not. E.g, that olcAuthzRegexp requires =x on objectClass when direct DN mapping is not documented. Other requirements can be reasoned out based on the existing documentation, but this can be very difficult when unfamiliar with all the moving parts and the places they are documented. E.g. knowing that (objectClass=*) is the default filter, and that there's _always_ _some_ filter, and connecting this with ACLs required to do search-based SASL mapping. The attached patch brings all the SASL binding requirements together in one place in the docs and makes everything explicit. The word "SASL" is included, for those searching for that keyword. I, Karl O. Pinc, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. -- You are receiving this mail because: You are on the CC list for the bug.

1 27

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs February 2022