openldap-bugs March 2022

openldap-bugs@openldap.org

1 participants
115 discussions

[Issue 9791] New: Build failure with certain disabled features in openssl
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9791 Issue ID: 9791 Summary: Build failure with certain disabled features in openssl Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: orgads(a)gmail.com Target Milestone: --- If openssl is configured with either OPENSSL_NO_MD4 or OPENSSL_NO_MD5 the build fails. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9794] New: Define behaviour for pwdChangedTime modifications
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9794 Issue ID: 9794 Summary: Define behaviour for pwdChangedTime modifications Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: david.coutadeur(a)gmail.com Target Milestone: --- This issue applies to: - draft-behera-ldap-password-policy - openldap 2.5 - openldap 2.6 It is a proposition of behaviour for pwdChangedTime modifications. modification of the draft: -------------------------- In section: "8.2.7. Policy State Updates", change this paragraph: If the value of either pwdMaxAge or pwdMinAge is non-zero, the server updates the pwdChangedTime attribute on the entry to the current time. into: If the value of either pwdMaxAge or pwdMinAge is non-zero, the server MUST update the pwdChangedTime attribute on the entry according to this workflow: Then insert a new paragraph: - if the current operation (add or modify) on the password includes adding or modifying a valid pwdChangedTime attribute, then use this pwdChangedTime. A "Valid" pwdChangedTime means a syntactically correct value, compliant with the schema, approved by access rules, and MAY require a relax control according to the schema defined in section 5.3.2. See Relax control RFC for more information: https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax - an invalid pwdChangedTime value MUST result in an error, and the pwdChangedTime MUST NOT be stored - in any other case, compute the current date and store it in a GeneralizedTime format Feel free to comment or propose other ideas. modification of the code: -------------------------- If this behaviour makes a consensus, it would be useful to patch both OpenLDAP 2.5 and 2.6. NOTE: current OpenLDAP 2.5 allows modifying pwdChangedTime alone, but fails to add a user with both userPassword and pwdChangedTime (it results in a duplicated pwdChangedTime error) modification of the documentation: ---------------------------------- In slapo-ppolicy, it can be useful to add a comment in "OPERATIONAL ATTRIBUTES" section: Every attribute defined as "NO-USER-MODIFICATION" SHOULD not be written by standard users. If needed, an administrator MAY modify them with the relax control. See Relax control RFC for more information: https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax -- You are receiving this mail because: You are on the CC list for the issue.

1 12

[Issue 9620] New: back-monitor: search can access a persistent entry freed in the meantime
by openldap-its＠openldap.org 25 Apr '22

25 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9620 Issue ID: 9620 Summary: back-monitor: search can access a persistent entry freed in the meantime Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- With ITS#9600 there is now code that adds and removes "persistent" monitor entries outside a server pause. A concurrent cn=monitor search lists all children first and sends them later - monitor is happy to free some of them in the meantime. It seems to me that the monitor cache should be protected by a rw mutex instead, which would be held for reading while a search is happening. -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 9784] New: Adding our OpenLDAP support services
by openldap-its＠openldap.org 12 Apr '22

12 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9784 Issue ID: 9784 Summary: Adding our OpenLDAP support services Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: contact(a)linuxstans.com Target Milestone: --- Hi, We offer OpenLDAP support and we'd really appreciate it if you can add our details to your support page https://www.openldap.org/support/ Here are the details: <a href="https://linuxstans.com/support/">Linux Stans</a> - USA Provides installation, configuration, maintenance, and 24/7 support services for OpenLDAP. Let me know if you need more info. Thanks! -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9812] New: Registered SLAPI plugin functions are not called
by openldap-its＠openldap.org 28 Mar '22

28 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9812 Issue ID: 9812 Summary: Registered SLAPI plugin functions are not called Product: OpenLDAP Version: 2.6.1 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: guru(a)unixarea.de Target Milestone: --- We're running since ages with an OpenLDAP server 2.4.40 a plugin which publishes changes (add, modify, delete) in LDAP to an Identity Server (IDM). We compile on SuSE Linux from source. The configure options for 2.6.1 are: ./configure --enable-aci=yes --enable-dynacl --enable-spasswd=yes --enable-crypt=yes --enable-debug=yes --enable-shared=yes --enable-modules=yes --enable-slapi --enable-slapd=yes --with-tls --prefix=/opt/openldap-2.6.1 Our SLAPI plugin, written in C works fine for 2.4.40 and stopped working for 2.6.1. It is configured in slapd.conf as plugin postoperation /opt/openldap-2.6.1/lib64/idm.so idm_init "IDM Plugin" 10.23.33.52 3001 The function idm_init() registers static C functions the supposed way: int idm_init(Slapi_PBlock * pb) { int rc = LDAP_SUCCESS; log("idm-plugin:","now in idm_init()\n"); // first call, create new list and register the functions ... rc |= slapi_pblock_set( /* Plug-in API version */ pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_CURRENT_VERSION); rc |= slapi_pblock_set( /* Plug-in description */ pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &desc); rc |= slapi_pblock_set( /* Modify function */ pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *) modify_user); ... // read arguments and add list entry rc |= read_arguments(pb); log("idm-plugin", "idm_init() return rc:%d\n", rc); return rc; } The begin of the function for modify_user() looks like this: static int modify_user(Slapi_PBlock * pb) { Slapi_Entry *entry; log("idm-plugin:", "now in modify_user\n"); if (slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &entry) != LDAP_SUCCESS) { log("IDM-Connector Plugin", "entry modified, but couldn't get entry"); return -1; } ... But the function gets never called from slapd on changes in LDAP. The log shows only the registering: 03/16/22 10:52:26 idm-plugin:: now in idm_init() 03/16/22 10:52:26 IDM-Connector Plugin: idm_init: Initializing plugin 03/16/22 10:52:26 idm-plugin:: now in read_arguments() 03/16/22 10:52:26 IDM Plugin: added idm connector: ip=10.23.33.52, port=3001 03/16/22 10:52:26 idm-plugin: idm_init() returns rc:0 03/16/22 10:52:26 plugin_pblock_new: Registered plugin OCLC-IDM-Connector-Notifier 1.0 [OCLC.org] (Notify the OCLC IDM-Connector of changes) As I said, with OpenLDAP 2.4.40 this works fine. It does not work anymore with 2.6.1. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 6461] back-sql quote characters in query
by openldap-its＠openldap.org 28 Mar '22

28 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=6461 --- Comment #10 from Howard Chu <hyc(a)openldap.org> --- Escaping with a backslash appears to be non-portable. All the major SQL implementations escape a single quote by doubling it, as done in the patch for ITS#9815. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6461] back-sql quote characters in query
by openldap-its＠openldap.org 28 Mar '22

28 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=6461 Ryan Tandy <ryan(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9815 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9816] New: slapcat cordeumps during mdb subtree dump with -s
by openldap-its＠openldap.org 28 Mar '22

28 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9816 Issue ID: 9816 Summary: slapcat cordeumps during mdb subtree dump with -s Product: OpenLDAP Version: 2.5.11 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: khoffmann(a)united-internet.de Target Milestone: --- Created attachment 887 --> https://bugs.openldap.org/attachment.cgi?id=887&action=edit gdb backtrace of slapcat run When trying to use slapcat in combination with -b and -s in order to create a LDIF backup of a mdb subtree, slapd crashes with a coredump (please see the attached snippet with gdb output from a reproduced test tree). The problem was reporducible with different mdb databases / suffixes and only appears with option -s. The same dump with -H 'ldap:///ou=users,o=company,c=de??sub?' instead of -s ou=users,o=company,c=de works perfectly fine, as long as the "attrs part" is empty in the ldap-uri. Also using slapcat with -b only (for a full database dump) works fine as well. I'm aware of the fact that -s option is marked as DEPRECATED - I'm not sure if you are going to fix this bug or if you rather take the change to remove the option completely from future major versions. Please let me also know if it's expected behaviour that the -H option doesn't work whenever the attribute part isn't empty and if I should contribute to a documentation update for this edge case. Best regards, Kris -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 7978] OpenLDAP 2.4 fails to build with LibreSSL
by openldap-its＠openldap.org 27 Mar '22

27 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7978 ismael(a)iodev.co.uk changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ismael(a)iodev.co.uk --- Comment #13 from ismael(a)iodev.co.uk --- Created attachment 889 --> https://bugs.openldap.org/attachment.cgi?id=889&action=edit Fix building against LibreSSL OpenLDAP 2.6.1 works fine against LibreSSL 3.4+. The only problem is the configure script checks for a symbol LibreSSL doesn't implement yet. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7832] Proposing ppolicy extended module for OpenLDAP
by openldap-its＠openldap.org 22 Mar '22

22 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7832 --- Comment #25 from Quanah Gibson-Mount <quanah(a)openldap.org> --- (In reply to David Coutadeur from comment #24) > Hello, > I have just opened a new MR: > https://git.openldap.org/openldap/openldap/-/merge_requests/509 to upgrade > ppm to 2.1 release: > > Changes: > - Reject password if it contains tokens from an attribute of the LDAP entry > https://github.com/ltb-project/ppm/issues/17 You should file a new issue for this, rather than commenting in this issue. Thanks -- You are receiving this mail because: You are on the CC list for the issue.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs March 2022