openldap-bugs July 2022

openldap-bugs@openldap.org

1 participants
103 discussions

[Issue 9882] New: slapd crashes when lastbind enabled w/ multi-provider
by openldap-its＠openldap.org 14 Jul '22

14 Jul '22

https://bugs.openldap.org/show_bug.cgi?id=9882 Issue ID: 9882 Summary: slapd crashes when lastbind enabled w/ multi-provider Product: OpenLDAP Version: 2.6.2 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: smckinney(a)symas.com Target Milestone: --- Created attachment 907 --> https://bugs.openldap.org/attachment.cgi?id=907&action=edit slapd.conf Description: Crash during bind operation when lastbind's enabled in a multi-provider env. Built from source: commit 23ef018c6f321413141f26ed6e1909f85047ba76 (HEAD -> OPENLDAP_REL_ENG_2_6, origin/OPENLDAP_REL_ENG_2_6) Configuration: attached System: AlmaLinux8 Backtrace: Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00000000004dfe66 in over_op_func (op=0x7d6b1fffe690, rs=0x7d6b1fffe620, which=op_modify) at backover.c:749 749 on = oi->oi_list; [Current thread is 1 (Thread 0x7d6b1ffff700 (LWP 96272))] Missing separate debuginfos, use: yum debuginfo-install cyrus-sasl-lib-2.1.27-6.el8_5.x86_64 glibc-2.28-189.5.el8_6.x86_64 keyutils-libs-1.5.10-9.el8.x86_64 krb5-libs-1.18.2-14.el8.x86_64 libblkid-2.32.1-35.el8.x86_64 libcap-2.48-2.el8.x86_64 libcom_err-1.45.6-4.el8.x86_64 libdb-5.3.28-42.el8_4.x86_64 libgcc-8.5.0-10.1.el8_6.alma.x86_64 libmount-2.32.1-35.el8.x86_64 libselinux-2.9-5.el8.x86_64 libtool-ltdl-2.4.6-25.el8.x86_64 libuuid-2.32.1-35.el8.x86_64 libxcrypt-4.1.1-6.el8.x86_64 openssl-libs-1.1.1k-6.el8_5.x86_64 pcre2-10.32-2.el8.x86_64 systemd-libs-239-58.el8.x86_64 zlib-1.2.11-18.el8_5.x86_64 (gdb) bt #0 0x00000000004dfe66 in over_op_func (op=0x7d6b1fffe690, rs=0x7d6b1fffe620, which=op_modify) at backover.c:749 #1 0x00000000004e0135 in over_op_modify (op=0x7d6b1fffe690, rs=0x7d6b1fffe620) at backover.c:808 #2 0x000000000046d785 in fe_op_lastbind (op=0x7d6b1010ed40) at bind.c:503 #3 0x000000000046da7f in fe_op_bind_success (op=0x7d6b1010ed40, rs=0x7d6b1fffe960) at bind.c:548 #4 0x000000000046d1e1 in fe_op_bind (op=0x7d6b1010ed40, rs=0x7d6b1fffe960) at bind.c:386 #5 0x000000000046c8cd in do_bind (op=0x7d6b1010ed40, rs=0x7d6b1fffe960) at bind.c:206 #6 0x000000000044427d in connection_operation (ctx=0x7d6b1fffea90, arg_v=0x7d6b1010ed40) at connection.c:1115 #7 0x000000000044488f in connection_read_thread (ctx=0x7d6b1fffea90, argv=0x16) at connection.c:1267 #8 0x00007f5f2d60a470 in ldap_int_thread_pool_wrapper (xpool=0xc79d80) at tpool.c:1053 #9 0x00007f5f2c1a51cf in start_thread () from /lib64/libpthread.so.0 #10 0x00007f5f2be11dd3 in clone () from /lib64/libc.so.6 -- You are receiving this mail because: You are on the CC list for the issue.

1 10

[Issue 9847] New: kqueue problem with OpenBSD
by openldap-its＠openldap.org 14 Jul '22

14 Jul '22

https://bugs.openldap.org/show_bug.cgi?id=9847 Issue ID: 9847 Summary: kqueue problem with OpenBSD Product: OpenLDAP Version: 2.6.2 Hardware: All OS: Other Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: stu(a)spacehopper.org Target Milestone: --- The kqueue support added to slapd for 2.5 isn't working correctly on OpenBSD. If slapd runs as a daemon, errors like these are seen: slap_client_connect: URI=ldaps://XXX Warning, ldap_start_tls failed (1) mdb_opinfo_get: err Invalid argument(22) However if slapd is run in the foreground with -d, things are ok. They are also OK if kqueue is disabled (by neutering the autoconf check). I've tested 2.5.4, 2.5.9 and 2.6.2. Here are some log excerpts: 17:23:44.692: slapd starting 17:23:44.692: daemon: added 3r listener=0x0 17:23:44.692: daemon: added 6r listener=0x100263797200 17:23:44.692: daemon: added 7r listener=0x100263785400 17:23:44.692: daemon: kqueue: listen=6 active_threads=0 tvp=zero 17:23:44.692: daemon: kqueue: listen=7 active_threads=0 tvp=zero 17:23:44.692: daemon: activity on 1 descriptor 17:23:44.692: daemon: activity on: 17:23:44.692: 17:23:44.692: daemon: kqueue: listen=6 active_threads=0 tvp=zero 17:23:44.692: daemon: kqueue: listen=7 active_threads=0 tvp=zero 17:23:44.692: >>> dnNormalize: <cn=Consumer 101> 17:23:44.692: <<< dnNormalize: <cn=consumer 101> 17:23:44.692: =>do_syncrepl rid=101 17:23:44.763: slap_client_connect: URI=ldaps://XXXXXXXXXXXXXXX Warning, ldap_start_tls failed (1) 17:23:44.781: => mdb_entry_get: ndn: "dc=XXXXXXX,dc=XXX" 17:23:44.782: => mdb_entry_get: oc: "(null)", at: "contextCSN" 17:23:44.782: mdb_opinfo_get: err Invalid argument(22) 17:23:44.782: =>do_syncrep2 rid=101 17:23:44.782: daemon: added 9r listener=0x0 17:23:44.783: daemon: activity on 1 descriptor 17:23:44.783: daemon: activity on: 17:23:44.783: 17:23:44.783: daemon: kqueue: listen=6 active_threads=0 tvp=NULL 17:23:44.783: daemon: kqueue: listen=7 active_threads=0 tvp=NULL 17:23:44.800: daemon: activity on 1 descriptor 17:23:44.800: daemon: activity on: 17:23:44.800: 9r 17:23:44.800: 17:23:44.800: daemon: read active on 9 17:23:44.800: daemon: kqueue: listen=6 active_threads=0 tvp=NULL 17:23:44.800: daemon: kqueue: listen=7 active_threads=0 tvp=NULL 17:23:44.800: connection_get(9) 17:23:44.800: connection_get(9): got connid=0 17:23:44.801: =>do_syncrepl rid=101 17:23:44.801: =>do_syncrep2 rid=101 Not sure if it's any help but looking at kdump(1) output after a run under ktrace(1) I didn't spot the immediate problem resulting in "ldap_start_tls failed (1)" however the "mdb_opinfo_get: err Invalid argument(22)" occurs after attempting to call fcntl with F_SETLK on the fd 5 which is the kqueue fd: 65304 slapd RET write 97/0x61 65304 slapd CALL poll(0x89d39cb9004,1,INFTIM) 65304 slapd STRU struct kevent [2] { ident=9, filter=EVFILT_READ, flags=0x1005<EV_ADD|EV_ENABLE>, fflags=0<>, data=0, udata=0x231a1bea } { ident=9, filter=EVFILT_EXCEPT, flags=0x1005<EV_ADD|EV_ENABLE>, fflags=0x4<>, data=0, udata=0x231a1bea } 65304 slapd STRU struct kevent { ident=9, filter=EVFILT_READ, flags=0x1005<EV_ADD|EV_ENABLE>, fflags=0<>, data=36, udata=0x231a1bea } 65304 slapd STRU struct pollfd { fd=9, events=0x3<POLLIN|POLLPRI>, revents=0x1<POLLIN> } 65304 slapd RET poll 1 65304 slapd CALL read(9,0x89ccfb103e0,0x5) 65304 slapd GIO fd 9 read 5 bytes "\^W\^C\^C\0\^_" 65304 slapd RET read 5 65304 slapd CALL read(9,0x89ccfb349c5,0x1f) 65304 slapd GIO fd 9 read 31 bytes "\M^W\M-r\M-f\M^C\M-2\M^V\M-E\^O\M-hdgq\M-"\M-o\M-&\M^[*\M-9\M^E\M-Sd\M^A2\M-QE\M-cb |\M^VI" 65304 slapd RET read 31/0x1f 65304 slapd CALL mmap(0,0x2000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0) 65304 slapd RET mmap 9468564512768/0x89c926ca000 65304 slapd CALL fcntl(5,F_SETLK,0x8ef465d0) 65304 slapd RET fcntl -1 errno 22 Invalid argument 65304 slapd CALL getpid() 65304 slapd RET getpid 65304/0xff18 65304 slapd CALL sendsyslog(0x89c8ef44040,59,0<>) 65304 slapd GIO fd -1 wrote 59 bytes "<167>slapd[65304]: mdb_opinfo_get: err Invalid argument(22)" Any suggestions or requests for further information/tests would be welcome. Thanks! -- You are receiving this mail because: You are on the CC list for the issue.

1 16

[Issue 9868] New: backglue and syncprov must use same pending_csn_list
by openldap-its＠openldap.org 14 Jul '22

14 Jul '22

https://bugs.openldap.org/show_bug.cgi?id=9868 Issue ID: 9868 Summary: backglue and syncprov must use same pending_csn_list Product: OpenLDAP Version: 2.5.12 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: hyc(a)openldap.org Target Milestone: --- When replication is performed on a glued DB hierarchy the syncprov overlay must only be configured on the top DB. But when writes occur on a subDB their CSNs will be queued on the subDB's be_pending_csn_list. When syncprov sees these writes it will try to graduate these CSNs from the top DB's be_pending_csn_list, but never find them there. The CSN list will grow without bound. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9726] New: Admin guide and man pages need better documentation on disabling syslog
by openldap-its＠openldap.org 14 Jul '22

14 Jul '22

https://bugs.openldap.org/show_bug.cgi?id=9726 Issue ID: 9726 Summary: Admin guide and man pages need better documentation on disabling syslog Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- 2.6.0 added the new feature allowing using a logfile for all debug/loglevel messages and bypassing syslog entirely. However, there is no documentation on the new settings or examples of how to do this in the admin guide, and the man page sections on the new parameters for the logfile side do not note at when/how they enable bypassing syslog. -- You are receiving this mail because: You are on the CC list for the issue.

1 30

[Issue 9883] New: OpenLDAP version 2.4.44 for CentoOS 7.9 contains several CVEs
by openldap-its＠openldap.org 12 Jul '22

12 Jul '22

https://bugs.openldap.org/show_bug.cgi?id=9883 Issue ID: 9883 Summary: OpenLDAP version 2.4.44 for CentoOS 7.9 contains several CVEs Product: OpenLDAP Version: 2.4.44 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: meirav.rath(a)imperva.com Target Milestone: --- Hello, My name is Meirav Rath, I'm a software developer and security champion at Imperva. As part of our effort to map security risks in our products I've been scanning our 3rd party rpms for vulnerabilities. It looks like OpenLDAP version 2.4.44 for CentOS 7.9 has the following security issues: 1. CVE-2020-36229 - https://nvd.nist.gov/vuln/detail/CVE-2020-36229 2. CVE-2019-13565 - https://nvd.nist.gov/vuln/detail/CVE-2019-13565 3. CVE-2020-36223 - https://nvd.nist.gov/vuln/detail/CVE-2020-36223 4. CVE-2020-36222 - https://nvd.nist.gov/vuln/detail/CVE-2020-36222 5. CVE-2019-13057 - https://nvd.nist.gov/vuln/detail/CVE-2019-13057 6. CVE-2021-27212 - https://nvd.nist.gov/vuln/detail/CVE-2021-27212 7. CVE-2020-36226 - https://nvd.nist.gov/vuln/detail/CVE-2020-36226 8. CVE-2020-36228 - https://nvd.nist.gov/vuln/detail/CVE-2020-36228 9. CVE-2022-29155 - https://nvd.nist.gov/vuln/detail/CVE-2022-29155 10. CVE-2020-36230 - https://nvd.nist.gov/vuln/detail/CVE-2020-36230 11. CVE-2020-36225 - https://nvd.nist.gov/vuln/detail/CVE-2020-36225 12. CVE-2020-36227 - https://nvd.nist.gov/vuln/detail/CVE-2020-36227 13. CVE-2020-36224 - https://nvd.nist.gov/vuln/detail/CVE-2020-36224 14. CVE-2020-36221 - https://nvd.nist.gov/vuln/detail/CVE-2020-36221 When can we expect an updated RPM with fixes for this issues, aimed for CentOS7.9? Thanks. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9782] New: regression test its8752 failure
by openldap-its＠openldap.org 08 Jul '22

08 Jul '22

https://bugs.openldap.org/show_bug.cgi?id=9782 Issue ID: 9782 Summary: regression test its8752 failure Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- If a contextCSN update (new cookie) goes from server A through server B to server C, server C will use that CSN to update entryCSN as well (which neither A nor B did). This fails the initial replication check. The issue has likely existed since deltasync was made possible, a version of this is confirmed at least in 2.4.60 onwards to current master. In principle, it is related to concerns raised in ITS#9580. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 8752] MMR delta-sync deadlock using slapd.conf
by openldap-its＠openldap.org 08 Jul '22

08 Jul '22

https://bugs.openldap.org/show_bug.cgi?id=8752 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9782 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9879] New: Crash in bindconf_free
by openldap-its＠openldap.org 07 Jul '22

07 Jul '22

https://bugs.openldap.org/show_bug.cgi?id=9879 Issue ID: 9879 Summary: Crash in bindconf_free Product: OpenLDAP Version: 2.6.2 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- Slapd 2.6 (git commit 0dc9ff2594da) produes at start this output: free(): invalid pointer . The core-dump is: gdb /git/openldap bt f #0 __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:45 pid = 3060261 tid = 3060261 pd = <optimized out> val = 0 tid = <optimized out> pd = <optimized out> val = <optimized out> sc_ret = <optimized out> resultvar = <optimized out> __x = <optimized out> pid = <optimized out> resultvar = <optimized out> __arg3 = <optimized out> __arg2 = <optimized out> __arg1 = <optimized out> _a3 = <optimized out> _a2 = <optimized out> _a1 = <optimized out> #1 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at pthread_kill.c:62 No locals. #2 0x00007ff2445a91f2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 ret = <optimized out> #3 0x00007ff24459443b in __GI_abort () at abort.c:79 save_stage = 1 act = { __sigaction_handler = { sa_handler = 0x7ff244e0b590, sa_sigaction = 0x7ff244e0b590 }, sa_mask = { __val = {140678513857256, 140678514176000, 0, 4360521566522441729, 4294967295, 17981341232831397889, 140678513857472, 140678514176000, 140678513858576, 140678514161728, 37835024, 140678514167232, 5433280, 140727718055568, 140727718055515, 140678514247725} }, sa_flags = 1, sa_restorer = 0x0 } sigs = { __val = {32, 1, 140678501620784, 1, 0, 1, 140678514176000, 1, 140678501620784, 140678514176000, 140678514176880, 0, 140678514389536, 1, 140677358813185, 4294967295} } #4 0x00007ff2445e7c00 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ff2447185f4 "%s\n") at ../sysdeps/posix/libc_fatal.c:155 ap = {{ gp_offset = 24, fp_offset = 0, overflow_arg_area = 0x7ffdb9a4f2e0, reg_save_area = 0x7ffdb9a4f270 }} [31/1957] fd = <optimized out> list = <optimized out> nlist = <optimized out> cp = <optimized out> #5 0x00007ff2445fc64a in malloc_printerr (str=str@entry=0x7ff244716247 "free(): invalid pointer") at malloc.c:5543 No locals. #6 0x00007ff2445fddbc in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:4326 size = 0 fb = <optimized out> nextchunk = <optimized out> nextsize = <optimized out> nextinuse = <optimized out> prevsize = <optimized out> bck = <optimized out> fwd = <optimized out> __PRETTY_FUNCTION__ = "_int_free" #7 0x00007ff244600821 in __GI___libc_free (mem=<optimized out>) at malloc.c:3278 ar_ptr = <optimized out> p = <optimized out> err = 13 #8 0x000000000041ab72 in bindconf_free (bc=bc@entry=0x52b970 <ldifocs+48>) at config.c:1611 No locals. #9 0x000000000046b908 in syncinfo_free (sie=0x52b940 <ldifocs>, free_all=free_all@entry=1) at syncrepl.c:6052 si_next = 0x4d8530 #10 0x0000000000429815 in backend_destroy_one (bd=0x52d8f0 <cfBackInfo+16>, dynamic=0) at backend.c:456 No locals. #11 0x000000000041651a in config_back_db_destroy (be=<optimized out>, cr=<optimized out>) at bconfig.c:7610 cfb = 0x52d8e0 <cfBackInfo> #12 0x000000000042981d in backend_destroy_one (bd=0x2445920, dynamic=1) at backend.c:459 No locals. #13 0x000000000042993a in backend_destroy () at backend.c:498 bd = <optimized out> bi = <optimized out> #14 0x000000000043e04f in slap_destroy () at init.c:258 rc = <optimized out> #15 0x000000000040a12c in main (argc=<optimized out>, argv=0x7ffdb9a4f628) at main.c:890 i = <optimized out> no_detach = <optimized out> rc = 1 urls = 0x7ffdb9a50e90 "ldap://ldap.aegee.org/ ldaps://ldap.aegee.org ldapi://%2Fvar%2Frun%2Fldapi" username = 0x7ffdb9a50e60 "openldap" groupname = 0x0 sandbox = 0x7ffdb9a50e6c "/home/openldap" pid = <optimized out> waitfds = {38815280, 0} g_argc = <optimized out> g_argv = 0x7ffdb9a4f628 configfile = 0x0 configdir = 0x7ffdb9a50e7e "/etc/openldap/" serverMode = 1 scp = <optimized out> scp_entry = <optimized out> serverNamePrefix = <synthetic pointer> l = <optimized out> slapd_pid_file_unlink = <optimized out> slapd_args_file_unlink = <optimized out> firstopt = <optimized out> Going back to commit 2cf617938 does work fine. To be precise, openldap reads certificates from its chrooted file - chr/etc/openssl/certs/ca-bundle.crt , but it had no read-access to the chr/etc/openssl/certs directory. At commit 2cf617938 does not crash at the latest 2.6 it crashes. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9534] New: Persistent test043 failures
by openldap-its＠openldap.org 07 Jul '22

07 Jul '22

https://bugs.openldap.org/show_bug.cgi?id=9534 Issue ID: 9534 Summary: Persistent test043 failures Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- In testing current RE25 as of 4/23/2021 (73b2769d05529a7d474661023f2c4f3a931417b2) test043 is sporadically failing. Examining the testrun log, it appears replication never even initiated. -- You are receiving this mail because: You are on the CC list for the issue.

1 10

[Issue 9877] New: Session Tracking failing to log IP addresses
by openldap-its＠openldap.org 05 Jul '22

05 Jul '22

https://bugs.openldap.org/show_bug.cgi?id=9877 Issue ID: 9877 Summary: Session Tracking failing to log IP addresses Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- From slapd log in master with session tracking enabled: 62c45cfe.3b59f358 0x7fa3b0aa8700 conn=1002 fd=15 ACCEPT from IP=127.0.0.1:58790 (IP=127.0.0.1:9012) 62c45cff.017af6f5 0x7fa3b0aa8700 conn=1002 op=1 [IP=[ USERNAME=cn=manager,dc=example,dc=com] modifications: 62c45cff.017b2c53 0x7fa3b0aa8700 conn=1002 op=1 [IP=[ USERNAME=cn=manager,dc=example,dc=com] MOD dn="cn=replicator,dc=example,dc=com" 62c45cff.017bb35e 0x7fa3b0aa8700 conn=1002 op=1 [IP=[ USERNAME=cn=manager,dc=example,dc=com] MOD attr=pwdLastSuccess Note the missing IP address. This works correctly in current 2.6.2 -- You are receiving this mail because: You are on the CC list for the issue.

1 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs July 2022