https://bugs.openldap.org/show_bug.cgi?id=9823
Issue ID: 9823
Summary: syncprov doesn't fallback when deltasync consumer's
offline beyond accesslog depth
Product: OpenLDAP
Version: 2.6.1
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: smckinney(a)symas.com
Target Milestone: ---
Configured w/ deltasync. When a consumer goes offline for a duration exceeding
the the logpurge interval, won't fallback into syncrepl, resulting in a dsync.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9795
Issue ID: 9795
Summary: Remove memberof overlay
Product: OpenLDAP
Version: 2.6.1
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
The memberof overlay was deprecated with the release of OpenLDAP 2.5. It
should be removed prior for the next minor release (i.e., 2.7)
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10014
Issue ID: 10014
Summary: TLS handle using MbedTLS
Product: OpenLDAP
Version: 2.6.4
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: contrib
Assignee: bugs(a)openldap.org
Reporter: johan.pascal(a)linphone.org
Target Milestone: ---
Created attachment 950
--> https://bugs.openldap.org/attachment.cgi?id=950&action=edit
Add a TLS handle using MbedTLS
Hi,
I wrote a TLS handle based on MbedTLS.
I attach the patch here but I can also put in on gitlab and make a merge
request there.
The patch contains the minimal modifications to build openldap using MbedTLS as
backend for TLS. You must run aclocal, autoheader amd autoconf to regenerate
the archived aclocal.m4, configure and include/portable.hin files.
This contribution was originally written for the linphone project, and
copyright belongs to Belledonne Communications SARL.
The attached file is derived from OpenLDAP Software. All of the modifications
to OpenLDAP Software represented in the following patch were developed by
Belledonne Communications SARL. Belledonne Communications SARL has not assigned
rights and/or interest in this work to any party. I, Johan Pascal am authorized
by Belledonne Communications, my employer, to release this work under the
following terms.
The attached modifications to OpenLDAP Software are subject to the following
notice:
Copyright 2010-2023 Belledonne Communications SARL
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP Public License.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10080
Issue ID: 10080
Summary: refreshAndPersist synchronization problem with glue +
rwm
Product: OpenLDAP
Version: 2.6.2
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: homma(a)allworks.co.jp
Target Milestone: ---
Created attachment 972
--> https://bugs.openldap.org/attachment.cgi?id=972&action=edit
Stack trace of segfault
I have an openldap 2.6.2 server "ldap1" with the following DIT:
dc=example,dc=com (back-mdb)
ou=users
ou=local
cn=admin
cn=sync
...
ou=remote (back-ldap -> ldaps://dc1.example.com)
...
Local user entries are created under subtree
"ou=local,ou=users,dc=example,dc=com", and the subtree
"ou=remote,ou=users,dc=example,dc=com" is a proxy to an Active Directory server
"dc1.example.com" (subtree "ou=users,dc=ad,dc=example,dc=com").
The concrete configuration is as follows:
----------------
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: ou=remote,ou=users,dc=example,dc=com
olcSubordinate: TRUE
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcDbURI: ldaps://dc1.example.com
olcDbIDAssertBind: bindmethod=simple
binddn="cn=aduser,ou=users,dc=ad,dc=example,dc=com"
credentials=secret
tls_reqcert=demand
mode=none
olcDbIDAssertAuthzFrom:
{0}dn.exact:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcDbIDAssertAuthzFrom:
{1}dn.exact:cn=admin,ou=local,ou=users,dc=example,dc=com
dn: olcOverlay={0}rwm,olcDatabase={2}ldap,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmRewrite: {0}rwm-suffixmassage "ou=users,dc=ad,dc=example,dc=com"
olcRwmMap: {0}objectclass inetOrgPerson organizationalPerson
olcRwmMap: {1}objectclass posixAccount user
olcRwmMap: {2}attribute uid sAMAccountName
olcRwmMap: {3}attribute homeDirectory unixHomeDirectory
olcRwmMap: {4}attribute ou *
olcRwmMap: {5}attribute cn *
olcRwmMap: {6}attribute sn *
olcRwmMap: {7}attribute givenName *
olcRwmMap: {8}attribute mail *
olcRwmMap: {9}attribute uidNumber *
olcRwmMap: {10}attribute gidNumber *
olcRwmMap: {11}attribute *
dn: olcDatabase={3}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {3}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcAccess: {0}to *
by dn.exact="cn=admin,ou=local,ou=users,dc=example,dc=com" write
by dn.exact="cn=sync,ou=local,ou=users,dc=example,dc=com" write
by * break
olcAccess: {1}to attrs=userPassword
by anonymous auth
by self write
by * none
olcAccess: {2}to *
by * read
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
----------------
So far, so good. A subtree search on "ou=users,dc=example,dc=com" returns both
local and remote users.
But when I create the second server "ldap2" with similar configuration and
configure refreshAndPersist replication, I run into a problem.
(1) When I configure on "ldap1" server,
----------------
dn: olcOverlay={0}syncprov,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
----------------
and on "ldap2" server,
----------------
dn: olcDatabase={3}mdb,cn=config
changeType: modify
replace: olcSyncrepl
olcSyncrepl: {0}rid=301
provider="ldap://ldap1/"
bindmethod=simple
binddn="cn=sync,ou=local,ou=users,dc=example,dc=com"
credentials=secret
searchbase="dc=example,dc=com"
type=refreshAndPersist
retry="5 12 60 +" timeout=1
----------------
the initial refresh stage fails.
(a) Whith the above configuration, the refresh failes with "(48) Inappropriate
authentication", because the bind DN
"cn=sync,ou=local,ou=users,dc=example,dc=com" does not have access to the
subordinate database.
(b) When I add "cn=sync,ou=local,ou=users,dc=example,dc=com" to the ID
assertion list on "ldap1" server,
----------------
dn: olcDatabase={2}ldap,cn=config
changeType: modify
add: olcDbIDAssertAuthzFrom
olcDbIDAssertAuthzFrom: {2}dn.exact:cn=sync,ou=local,ou=users,dc=example,dc=com
----------------
the refresh fails with "(12) Critical extension is unavailable", because Active
Directory does not support Sync Request Control.
(c) Even if the remote server supports Sync Request Control, the refresh fails
with the message "server sent multiple refreshDone messages? Ending session".
The refreshDone messages are sent twice, one for the sperior databese and the
other for the subordinate database.
(d) If I delete olcSubordinate attribute and restart slapd on "ldap1" server,
----------------
dn: olcDatabase={2}ldap,cn=config
changeType: modify
delete: olcSubordinate
----------------
then the refresh stage completes successfully.
Once the persistent session is established, I can add olcSubordinate attribute
again.
----------------
dn: olcDatabase={2}ldap,cn=config
changeType: modify
add: olcSubordinate
olcSubordinate: TRUE
----------------
When I modify entries in the subordinate database on "ldap1" server, no change
notification is sent to "ldap2" server.
This is the desired behavior, but if I restart slapd on "ldap1" server, the
refresh starts failing again.
(2) When I configure the glue overlay explicitly before the syncprov overlay,
as described in "man slapd-config",
----------------
dn: olcOverlay={0}glue,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
olcOverlay: {0}glue
dn: olcOverlay={1}syncprov,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
----------------
the refresh stage completes successfully without attempting to search the
subordinate database.
This is fine because I do not need to synchronize the subordinate database
between "ldap1" and "ldap2" servers.
However, when I modify an entry in the subordinate database on "ldap1" server,
slapd crashes by segmentation fault. See the attached file for stack trace.
After some research, I found that the cause of the crash is as follows:
In syncprov_matchops(), it attempts to get the modified entry with DN =
op->o_req_ndn.
But since op->o_req_ndn has been rewritten in the rmw overlay,
glue_back_select() incorrectly selects the mdb backend, which should be the
ldap backend.
At this point, op->o_bd->be_private holds a value of type ldapinfo_t, but
mdb_entry_get() tries to interpret it as type struct mdb_info, causing a
segfault.
In summary, the problem is:
When I configure refreshAndPersist synchronization for a database with a
subordinate ldap backend using DN rewriting,
(1) The subordinate database cannot be excluded from both refresh and
persistent stage of the synchronization:
When the glue overlay is not explicitly configured:
- In the refresh stage, the subordinate database is included in the search.
- In the persist stage, the subordinate database is excluded from the
synchronization.
When the glue overlay is explicitly configured before the syncprov overlay:
- In the refresh stage, the subordinate database is excluded from the
search.
- In the persist stage, the subordinate database is included in the
synchronization.
This seems to be inconsistent.
(2) If the subordinate database is included in the refresh stage, the refresh
fails for one of the following reasons:
- the syncrepl user is not allowed to access the subordinate database
- the remote server does not support Sync Request Control
- multiple refreshDone messages are returned
The refresh stage completes successfully if olcSubordinate attribute is deleted
from the subordinate database.
olcSubordinate attribute can be added again once the persistent session is
established, but the refresh stage starts failing again if slapd is restarted.
(3) If the subordinate database is included in the persist stage, modifying
entries in the subordinate database causes slapd to crash.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10092
Issue ID: 10092
Summary: Local logging doesn't build on Windows
Product: OpenLDAP
Version: 2.6.6
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: hyc(a)openldap.org
Target Milestone: ---
slapd/logging.c uses writev() to write a prefix and the log message together in
one call. This feature doesn't exist on Windows. The closest equivalent,
WriteFileGather, only works on page sized and aligned writes. On Windows the
only way to write as desired is to copy the message into a new buffer first.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10074
Issue ID: 10074
Summary: lloadd: build broken with more recent versions of LLVM
Product: OpenLDAP
Version: 2.6.4
Hardware: All
OS: FreeBSD
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: lloadd
Assignee: bugs(a)openldap.org
Reporter: delphij(a)freebsd.org
Target Milestone: ---
There are two issues preventing lloadd from building with more recent versions
of LLVM. These are discovered on FreeBSD but may affect other operating
systems too.
The first one is that ldap_pvt_thread_self is returning pthread_t (which is a
pointer of struct pthread) on FreeBSD, but evthread_set_id_callback was
expecting unsigned long.
A possible solution would be to create a wrapper for the function, like:
--- servers/lloadd/libevent_support.c.orig 2023-02-08 18:53:35 UTC
+++ servers/lloadd/libevent_support.c
@@ -131,6 +131,20 @@ lload_libevent_cond_timedwait(
return ldap_pvt_thread_cond_wait( cond, mutex );
}
+/*
+ * libevent2 expects the thread id has a type of unsigned long.
+ */
+static unsigned long
+lload_libevent_thread_self(void)
+{
+ unsigned long retval;
+ static_assert(sizeof(ldap_pvt_thread_t) <= sizeof(unsigned long),
+ "ldap_pvt_thread_t has to be smaller or equal to unsigned
long");
+
+ retval = (unsigned long)ldap_pvt_thread_self();
+ return (retval);
+}
+
int
lload_libevent_init( void )
{
@@ -152,7 +166,7 @@ lload_libevent_init( void )
evthread_set_lock_callbacks( &cbs );
evthread_set_condition_callbacks( &cond_cbs );
- evthread_set_id_callback( ldap_pvt_thread_self );
+ evthread_set_id_callback( lload_libevent_thread_self );
return 0;
}
Or, maybe the code should just use evthread_use_pthreads() instead? (It's not
very clear to me why we have the ldap_pvt_thread_self wrapper).
Another issue is that module_init.c is trying to assign config_generic_wrapper
to bi->bi_config:
module_init.c:154:19: error: incompatible function pointer types assigning to
'BI_config *' (aka 'int (*)(struct BackendInfo *, const char *, int, int, char
**)') from 'int (Backend *, const char *, int, int, char **)' (aka 'int (struct
BackendDB *, const char *, int, int, char **)')
[-Wincompatible-function-pointer-types]
bi->bi_config = config_generic_wrapper;
^ ~~~~~~~~~~~~~~~~~~~~~~
For other backends, it's used as bi_db_config. It seems that I can set
bi_config to NULL and bi_db_config to config_generic_wrapper, but it's not
clear to me what the original intention was...
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10025
Issue ID: 10025
Summary: Add option to disable filtered searches for memberURL
groups
Product: OpenLDAP
Version: 2.5.14
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: subbarao(a)computer.org
Target Milestone: ---
One of the changes from 2.4 to 2.5 is that dynlist groups are now returned with
(member=memberDN) searches. This is potentially appealing, but even with the
ITS#9929 performance improvements, given the number of dynlist groups we have,
search times are significantly impacted.
We'd like to be able to cleanly disable this feature and exclude dynlist groups
from (member=memberDN) filter consideration. The only way I've found so far is
to patch the dynlist code itself. What I'm currently doing is adding a continue
statement right above this line in dynlist_search():
https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5_14/s…
That way the member searches are excluded, but dynlists otherwise work as
expected.
Here is the dynlist config we're using, just basic support for
groupOfURLs/memberURL:
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
I'd like to request a configurable option to exclude dynlists from
(member=memberDN) searches.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10083
Issue ID: 10083
Summary: lload: Receiving a NoD while connection is closing
already corrupts c_state
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: lloadd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
If the backend closes a connection with a NoD, two things happen: we won't be
able to write to the socket and we receive the NoD message.
lloadd might encounter those in either order, but handle_unsolicited() doesn't
expect to be the second one to come in and happily overrides c_state, even if
c_unlink() has been called by the write side already. upstream_destroy()
eventually discovers the inconsistent state (LLOAD_C_CLOSING vs. LLOAD_C_DYING)
and assert()s.
A fix to handle_unsolicited() is coming.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10091
Issue ID: 10091
Summary: slapd segfaults when the dynlist overlay is applied on
the frontend db (with `<memberOf-ad>@<static-oc>`
parameters)
Product: OpenLDAP
Version: 2.6.6
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: philip.schildkamp(a)uni-koeln.de
Target Milestone: ---
Created attachment 974
--> https://bugs.openldap.org/attachment.cgi?id=974&action=edit
Full stacktrace of the segfault
Dear OpenLDAP Development-Team,
first of all, thank You for Your continued efforts to provide this great
software!
I've run into a segfault when trying to apply the dynlist overlay to the
frontend db. As I'm running Alpine Linux (based on musl libc), I've verified
that this segfault also occurs under GLIBC-based distros. Furthermore, I've
trimmed my config down to the bare minimum to provide a replicable setting.
This segfault only occurs when I'm trying to use the full `dynlist-attrset`
configuration (including the `+<memberOf-ad>@<static-oc>` parameters). If I
only supply the `<group-oc> <URL-ad> <member-ad>` parts of the configruation,
the segfault does not occur. And the segfault does not happen on startup, but
when connecting to the running `slapd` instance.
The version I'm running:
> @(#) $OpenLDAP: slapd 2.6.6 (Aug 7 2023 12:57:03) $
My `slapd.conf` (the same segfault occures through a `cn=config` setup):
> moduleload dynlist
>
> include /etc/openldap/schema/core.schema
>
> overlay dynlist
> dynlist-attrset labeledURIObject labeledURI member+memberOf@groupOfNames
>
> database ldif
> directory /tmp
> suffix "dc=example,dc=com"
I've attached a complete stacktrace of the segfault, which is traced back to
`dynlist.c:2057`. If I can provide any other means of debugging (e.g. a
coredump) or help in locating the root of this issue, I'd be happy to!
If this issue is known or the dynlist overlay does not support this
functionality on the frontend db, I'm sorry for the noise; but as far as I've
been able to verify, there is no mention of such a limitation within the
`slapo-dynlist` manpage (which does mention the possibility to apply the
dynlist overlay to the frontend db), nor did I find an issue regarding exactly
this error.
Again, thank You for Your efforts and
kind regards,
Philip Schildkamp
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10070
Issue ID: 10070
Summary: Allow running when /etc/resolv.conf is missing
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: lloadd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
A resolv.conf file might be missing, usually that means that no name services
are available (often in test environments) or in some container environments
where the resolver is assumed to run on localhost.
We should adopt the proposal discussed in
https://github.com/libevent/libevent/issues/1155#issuecomment-918826471 which
lets us honour the file if it exists but keep the libevent default, allowing to
deal with both cases, no name resolution is needed (all URIs are numeric) and
the implicit local resolver.
--
You are receiving this mail because:
You are on the CC list for the issue.