https://bugs.openldap.org/show_bug.cgi?id=10094
Issue ID: 10094
Summary: When TLSv1.3 only are set TLS connection does not work
Product: OpenLDAP
Version: 2.5.12
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: nikigen68(a)gmail.com
Target Milestone: ---
The configuration with only TLSv1.3 ciphers does not work
/etc/openldap/ldap.conf
...
TLS_CIPHER_SUITE
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256
TLS_PROTOCOL_MIN 3.4
Configuration works only if at least one TLSv1.2 cipher suite is added. Then
TLSv1.3 cipher is negotiated with the server.
Is there a known issue?
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10059
Issue ID: 10059
Summary: slapo-homedir(5) could benefit from an configuration
example
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: craig.balfour(a)gmail.com
Target Milestone: ---
Created attachment 967
--> https://bugs.openldap.org/attachment.cgi?id=967&action=edit
Patch
This module could do with an example of how to configure it.
Patch attached.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10101
Issue ID: 10101
Summary: Fix double file close when first TLS connection fails
Product: OpenLDAP
Version: 2.6.2
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: florin.crisan(a)axigen.com
Target Milestone: ---
Created attachment 981
--> https://bugs.openldap.org/attachment.cgi?id=981&action=edit
Proof of concept
1. ldap_initialize a connection with multiple URLs, the first one being
LDAPS. (For example: "ldaps://server,ldap://server").
The LDAPS connection needs to successfully open the TCP connection,
but fail during TLS negotiation.
2. When TLS negotiation fails, ldap_int_open_connection calls
ber_int_sb_close (which closes the connections attached to the sockbuf)
but fails to call ber_int_sb_destroy, so the TCP layers are still attached
to the sockbuf structure.
3. When the second connection is opened, a new TCP layer is added to the
sockbuf structure, but the existing one is still there. Both now point to
the updated sockbuf structure, with the new file descriptor.
4. When the connection is closed, the layers attached to the sockbuf close
the new file descriptor twice.
This may be the same problem as
https://lists.openldap.org/hyperkitty/list/openldap-devel@openldap.org/thre…
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10076
Issue ID: 10076
Summary: suffixmassage in back-asyncmeta does not handle empty
remote suffix correctly
Product: OpenLDAP
Version: 2.6.4
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: backends
Assignee: bugs(a)openldap.org
Reporter: nivanova(a)symas.com
Target Milestone: ---
When configuring a suffixmassage directive on an asyncmeta database,
a configuration like:
suffixmassage "dc=example,dc=com" ""
causes search requests to return error 34 "Invalid DN", because the empty
remote suffix is massaged incorrectly, adding an unnecessary ",".
The issue applies only to asyncmeta, on other proxies it functions correctly.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10013
Issue ID: 10013
Summary: Some code (ppolicy, etc.) ignores
REP_CTRLS_MUSTBEFREED when touching rs->sr_ctrls
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
Certain parts of the source indicate that rs->sr_ctrls shouldn't be
realloc'd/free'd unless REP_CTRLS_MUSTBEFREED is set, but then other parts of
slapd (slap_ctrl_whatFailed_add, glue_op_search?, ...) and overlays (ppolicy,
syncprov, ...) will blindly overwrite and/or realloc it.
slap_add_control() (an analog of slap_add_controls()) might be useful for this,
possibly alongside some way to free the other data kept around to streamline
the code other users need for correct operation.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9944
Issue ID: 9944
Summary: Reverting an olcDbACLBind statement breaks proxied
write operations
Product: OpenLDAP
Version: 2.6.3
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
On a system with olcDbIDAssertBind configured, and proxied authorizations
working correctly, an olcDbACLBind statement was added to the configuration for
lastbind support. However an incorrect identity was in place for the authzid
in the ACL bind statement which caused proxy authorization to fail. The change
was backed out (There was never any change to the olcDbIDAssertBind config
fragment) and after that, all write operations failed instead of being proxied,
with err=80. Restarting slapd fixed the issue, which indicates an underlying
problem in the cn=config db in reverting to the original working state.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9660
Issue ID: 9660
Summary: back-mdb Permission denied => Restore from backup
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: backends
Assignee: bugs(a)openldap.org
Reporter: geert.hendrickx(a)telenetgroup.be
Target Milestone: ---
Cosmetic issue:
When an mdb database has incorrect ownership or permissions (typically after
slapadd as root), back-mdb fails with:
mdb_db_open: database "dc=my-domain,dc=com" cannot be opened: Permission denied
(13). Restore from backup!
"Permission denied" is correct, but "Restore from backup" is maybe not the most
appropriate advice. ;-)
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9717
Issue ID: 9717
Summary: The RADIUSOV overlay can be incorporated into OpenLDAP
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: contrib
Assignee: bugs(a)openldap.org
Reporter: rdubner(a)symas.com
Target Milestone: ---
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9719
Issue ID: 9719
Summary: refreshOnly sends empty cookie when client up to date
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
Syncprov will send an empty cookie if the consumer has the same cookie as
provider. To the best of my knowledge this is not in line with RFC4533 and
consumers would effectively drop their cookie when the search finishes.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10065
Issue ID: 10065
Summary: slapd needs a config option for the ssf of an external
security proxy using "proxy protocol v2"
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: sean(a)teletech.com.au
Target Milestone: ---
Commit 146889f introduced support for the haproxy "proxy protocol v2". A very
welcome addition that allows an external security layer to be implemented. This
implementation is however somewhat hobbled.
Cyrus SASL uses "Security Strength Factors" or "ssf" to determine what
Authentication mechanisms to offer. slapd conveys the implicit security of UNIX
domain sockets to the SASL layer by specifying a non-zero ssf for these
connections. This can be configured with the "olcLocalSSF" config setting.
For implicit/explicit TLS connections, the "olcSecurity: tls=<n>" provides the
cryptographic strength of the TLS layer to the SASL layer.
For an external TLS-terminating proxy, there does not appear to be any way to
inform Cyrus SASL of the presence of TLS security on these proxied connections.
The outcome of this is that PLAIN and EXTERNAL authentication mechanisms are
not offered to clients connecting through the secure proxy.
This can be overcome by weakening the security properties of the SASL layer
with the olcSaslSecProps configuration option, but this weakening will apply to
all clients, not just clients connecting via the secure proxy.
What is required is some way to tell slapd and it's integrated SASL layer about
the presence of TLS encryption on the proxy's input. As a precaution, this
might be restricted to slapd connections in the 127.0.0.0/8 [IPv6:::] address
ranges.
--
You are receiving this mail because:
You are on the CC list for the issue.