openldap-bugs August 2023

openldap-bugs@openldap.org

1 participants
146 discussions

[Issue 10089] New: regex that does not pass `regtest()` causes the entire process to exit
by openldap-its＠openldap.org 29 Jan '24

29 Jan '24

https://bugs.openldap.org/show_bug.cgi?id=10089 Issue ID: 10089 Summary: regex that does not pass `regtest()` causes the entire process to exit Product: OpenLDAP Version: 2.6.6 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: gburd(a)symas.com Target Milestone: --- There are 6 locations in `aclparse.c` in the function `parse_acl()` that call `regtest()` validating a regex expression before its use. Currently, when `regtest()` finds an issue it calls `exit()` and the process must be restarted. It seems that a better approach would be to allow the failures to be processed by the caller where the severity might be better understood. In some (most?) cases it's likely just fine for the process to continue after some information about the issue is logged and resources are released properly. https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/aclp… -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 10057] New: slapo-homedir(5) incorrectly refers to olcArchivePath instead of olcHomedirArchivePath
by openldap-its＠openldap.org 29 Jan '24

29 Jan '24

https://bugs.openldap.org/show_bug.cgi?id=10057 Issue ID: 10057 Summary: slapo-homedir(5) incorrectly refers to olcArchivePath instead of olcHomedirArchivePath Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: craig.balfour(a)gmail.com Target Milestone: --- The homedir overlay manual page, slapo-homedir(5), refers to attribute olcArchivePath when the attribute is actually named olcHomedirArchivePath. -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 10068] New: back-null dies on shutdown when dosearch specified
by openldap-its＠openldap.org 29 Jan '24

29 Jan '24

https://bugs.openldap.org/show_bug.cgi?id=10068 Issue ID: 10068 Summary: back-null dies on shutdown when dosearch specified Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- It copies the suffix DN pointer into its entry rather than doing a ber_dupbv. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10094] New: When TLSv1.3 only are set TLS connection does not work
by openldap-its＠openldap.org 29 Jan '24

29 Jan '24

https://bugs.openldap.org/show_bug.cgi?id=10094 Issue ID: 10094 Summary: When TLSv1.3 only are set TLS connection does not work Product: OpenLDAP Version: 2.5.12 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: nikigen68(a)gmail.com Target Milestone: --- The configuration with only TLSv1.3 ciphers does not work /etc/openldap/ldap.conf ... TLS_CIPHER_SUITE TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256 TLS_PROTOCOL_MIN 3.4 Configuration works only if at least one TLSv1.2 cipher suite is added. Then TLSv1.3 cipher is negotiated with the server. Is there a known issue? -- You are receiving this mail because: You are on the CC list for the issue.

1 14

[Issue 10059] New: slapo-homedir(5) could benefit from an configuration example
by openldap-its＠openldap.org 29 Jan '24

29 Jan '24

https://bugs.openldap.org/show_bug.cgi?id=10059 Issue ID: 10059 Summary: slapo-homedir(5) could benefit from an configuration example Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: craig.balfour(a)gmail.com Target Milestone: --- Created attachment 967 --> https://bugs.openldap.org/attachment.cgi?id=967&action=edit Patch This module could do with an example of how to configure it. Patch attached. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 10076] New: suffixmassage in back-asyncmeta does not handle empty remote suffix correctly
by openldap-its＠openldap.org 29 Jan '24

29 Jan '24

https://bugs.openldap.org/show_bug.cgi?id=10076 Issue ID: 10076 Summary: suffixmassage in back-asyncmeta does not handle empty remote suffix correctly Product: OpenLDAP Version: 2.6.4 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: nivanova(a)symas.com Target Milestone: --- When configuring a suffixmassage directive on an asyncmeta database, a configuration like: suffixmassage "dc=example,dc=com" "" causes search requests to return error 34 "Invalid DN", because the empty remote suffix is massaged incorrectly, adding an unnecessary ",". The issue applies only to asyncmeta, on other proxies it functions correctly. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9944] New: Reverting an olcDbACLBind statement breaks proxied write operations
by openldap-its＠openldap.org 16 Jan '24

16 Jan '24

https://bugs.openldap.org/show_bug.cgi?id=9944 Issue ID: 9944 Summary: Reverting an olcDbACLBind statement breaks proxied write operations Product: OpenLDAP Version: 2.6.3 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- On a system with olcDbIDAssertBind configured, and proxied authorizations working correctly, an olcDbACLBind statement was added to the configuration for lastbind support. However an incorrect identity was in place for the authzid in the ACL bind statement which caused proxy authorization to fail. The change was backed out (There was never any change to the olcDbIDAssertBind config fragment) and after that, all write operations failed instead of being proxied, with err=80. Restarting slapd fixed the issue, which indicates an underlying problem in the cn=config db in reverting to the original working state. -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 9660] New: back-mdb Permission denied => Restore from backup
by openldap-its＠openldap.org 12 Jan '24

12 Jan '24

https://bugs.openldap.org/show_bug.cgi?id=9660 Issue ID: 9660 Summary: back-mdb Permission denied => Restore from backup Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: geert.hendrickx(a)telenetgroup.be Target Milestone: --- Cosmetic issue: When an mdb database has incorrect ownership or permissions (typically after slapadd as root), back-mdb fails with: mdb_db_open: database "dc=my-domain,dc=com" cannot be opened: Permission denied (13). Restore from backup! "Permission denied" is correct, but "Restore from backup" is maybe not the most appropriate advice. ;-) -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9719] New: refreshOnly sends empty cookie when client up to date
by openldap-its＠openldap.org 16 Nov '23

16 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9719 Issue ID: 9719 Summary: refreshOnly sends empty cookie when client up to date Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Syncprov will send an empty cookie if the consumer has the same cookie as provider. To the best of my knowledge this is not in line with RFC4533 and consumers would effectively drop their cookie when the search finishes. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10065] New: slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"
by openldap-its＠openldap.org 14 Nov '23

14 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=10065 Issue ID: 10065 Summary: slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2" Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: sean(a)teletech.com.au Target Milestone: --- Commit 146889f introduced support for the haproxy "proxy protocol v2". A very welcome addition that allows an external security layer to be implemented. This implementation is however somewhat hobbled. Cyrus SASL uses "Security Strength Factors" or "ssf" to determine what Authentication mechanisms to offer. slapd conveys the implicit security of UNIX domain sockets to the SASL layer by specifying a non-zero ssf for these connections. This can be configured with the "olcLocalSSF" config setting. For implicit/explicit TLS connections, the "olcSecurity: tls=<n>" provides the cryptographic strength of the TLS layer to the SASL layer. For an external TLS-terminating proxy, there does not appear to be any way to inform Cyrus SASL of the presence of TLS security on these proxied connections. The outcome of this is that PLAIN and EXTERNAL authentication mechanisms are not offered to clients connecting through the secure proxy. This can be overcome by weakening the security properties of the SASL layer with the olcSaslSecProps configuration option, but this weakening will apply to all clients, not just clients connecting via the secure proxy. What is required is some way to tell slapd and it's integrated SASL layer about the presence of TLS encryption on the proxy's input. As a precaution, this might be restricted to slapd connections in the 127.0.0.0/8 [IPv6:::] address ranges. -- You are receiving this mail because: You are on the CC list for the issue.

2 29

← Newer
1
...
8
9
10
11
12
13
14
15
Older →

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs August 2023