openldap-bugs October 2024

openldap-bugs@openldap.org

1 participants
122 discussions

[Issue 10234] New: syncrepl does not reset the retrynum
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10234 Issue ID: 10234 Summary: syncrepl does not reset the retrynum Product: OpenLDAP Version: 2.6.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: hamano(a)osstech.co.jp Target Milestone: --- ``` syncrepl retry="5 10 30 +" ``` When replication fails with the above settings, syncrepl retries "10 times at 5 second intervals". Then, the retry count should be reset on the next replication failure. In actual, it does not reset. The behavior is as follows: ``` (first time replication failure) do_syncrepl: rid=001 rc -1 retrying (9 retries left) do_syncrepl: rid=001 rc -1 retrying (8 retries left) (resume replication) (second time replication failure) do_syncrepl: rid=001 rc -1 retrying (7 retries left) do_syncrepl: rid=001 rc -1 retrying (6 retries left) ``` -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10263] New: ldapmodify error messages should be more helpful when dealing with trailing whitespace
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10263 Issue ID: 10263 Summary: ldapmodify error messages should be more helpful when dealing with trailing whitespace Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: client tools Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Often when copy-pasting, a trailing whitespace can sneak in to a modify LDIF (e.g. "delete: attribute \nattribute: ..."), ldapmodify should emit a different message than: "ldapmodify: wrong attributeType at line x" because that is just not helpful. First off, the line number refers to the one that's usually correct. Emitting an "expecting '%s'" would be a start. Maybe we should even warn/error when an attribute name in a change record contains whitespace, because it's not valid as RFC 2849 grammar only allows ALPHA/DIGIT/'-'/'.'/';' anyway. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10249] New: slapo-nestgroup leak with non-nested groups
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10249 Issue ID: 10249 Summary: slapo-nestgroup leak with non-nested groups Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Searching for a member= of a group when no nesting is in place will leak memory. It seems to stem from a few `gi.gi_numDNs` tests that should most likely be against `gi.gi_DNs` instead. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10218] New: Disabling and re-enabling an asyncmeta database via cn=config leaks memory
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10218 Issue ID: 10218 Summary: Disabling and re-enabling an asyncmeta database via cn=config leaks memory Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: nivanova(a)symas.com Target Milestone: --- To reproduce - run OpenLDAP with valgrind, and set the olcDisabled attribute of an asyncmeta database to TRUE, then again to FALSE. The connection structures of the database are subsequently shown as leaked. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10230] New: memberof addcheck must ignore other overlays
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10230 Issue ID: 10230 Summary: memberof addcheck must ignore other overlays Product: OpenLDAP Version: 2.6.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: hyc(a)openldap.org Target Milestone: --- The addcheck feature added in ITS#10167 does a search to see if a newly added entry is already a member of any existing groups, and fixes its memberof attribute appropriately if so. The values written here should only be static values, but if the nestgroup overlay was configured, dynamic values were also being included. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10256] New: Custom attribute disappears after slapd restart
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10256 Issue ID: 10256 Summary: Custom attribute disappears after slapd restart Product: OpenLDAP Version: 2.4.57 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: heinrich.blatt(a)googlemail.com Target Milestone: --- Hi, i want to use a custom attribute in my schema. I use that ldif: dn: cn=schema,cn=config changetype: modify add: olcAttributeTypes olcAttributeTypes: ( 1.2.840.113556.1.4.7000 NAME 'rfidtoken' DESC 'RFID Token' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) This i inject via ldapmodify. For the session it works, but after restarting slapd the attribute disappears. If i add it again via ldapmodify it is there for the session again. My /etc/ldap/slapd.d/cn=config/cn=schema.ldif contains the change. This seems related to #9066, however the documentation indicates that i can make the changes via ldapmodify persistent. What is the right approach there? What i can do to persist the change? Thanks in advance for support -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 10231] New: slapadd segfault on non-configured backend
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10231 Issue ID: 10231 Summary: slapadd segfault on non-configured backend Product: OpenLDAP Version: 2.6.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: hyc(a)openldap.org Target Milestone: --- If the LDIF being loaded corresponds to a different backend than the one specified (or the default backend, if none was specified), and the specified backend's configuration is incomplete and lacks a suffix, slapadd will SEGV when trying to print the error message about the LDIF not matching the specified backend, because it tries to print the suffix but the suffix is NULL. E.g. using this setup: ### mkdir dumb dumb/db cat > dumb/slapd.conf <<EOF include schema/core.schema backend ldif database ldif directory dumb/db EOF slapd -Ta -f dumb/slapd.conf -l schema/inetorgperson.ldif ### When fixed, the normal error message will be shown instead: slapadd: line 1: database #1 ((null)) not configured to hold "cn=inetorgperson,cn=schema,cn=config"; did you mean to use database #0 (cn=config)? Closing DB... -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10221] New: Fix build script for 2.5.18
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10221 Issue ID: 10221 Summary: Fix build script for 2.5.18 Product: OpenLDAP Version: 2.5.17 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: delphij(a)freebsd.org Target Milestone: --- Hi, In revision 619afaccab5 (ITS#10177) an extra " was introduced, which will prevent configure script from working with FreeBSD's sh(1) (I suspect it would also break on other shell implementations). The fix is to delete that extra ". This affects OpenLDAP 2.5.18 only. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10223] New: tlso_ctx_cipherfree: does not check result of SSL_CTX_set_ciphersuites; can fail with incomplete input provided earlier on in the function
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10223 Issue ID: 10223 Summary: tlso_ctx_cipherfree: does not check result of SSL_CTX_set_ciphersuites; can fail with incomplete input provided earlier on in the function Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: yaneurabeya(a)gmail.com Target Milestone: --- The code on line 366 [1] doesn't check the return value of SSL_CTX_set_ciphersuites(..) before returning from the function, if there's leftover data in the tls13_suites buffer, after processing tls13_suites looking for TLS v1.3 compatible ciphers. OpenSSL doesn't state what specific scenarios could result in a failure with the function, but doing some code inspection [2] it appears that a failure could occur if the value provided in the second parameter (`str` per the manpage [3]) to SSL_CTX_set_ciphersuites(..) is either invalid or an internal memory allocation error occurs. While this isn't necessarily something that can be easily handled, it would be prudent to either ignore the return code explicitly by casting the result to (void) and clearing the error, or handling the OpenSSL error explicitly, using the ERR_* family APIs. This issue was reported by Coverity. 1. https://github.com/openldap/openldap/blob/15edb3b30f2b6a3dbdf77cc42d39466d5… 2. https://github.com/openssl/openssl/blob/5bbdbce856c7ca132e039a24a3156184848… 3. https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 10248] New: translucent + subordinate regression
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10248 Issue ID: 10248 Summary: translucent + subordinate regression Product: OpenLDAP Version: 2.6.8 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: mike(a)nolta.net Target Milestone: --- Created attachment 1027 --> https://bugs.openldap.org/attachment.cgi?id=1027&action=edit translucent + subordinate regression testcase, formatted for tests/data/regressions/ Hi, Attached please find a testcase for a regression we noticed in a translucent + subordinate slapd configuration. The test works in version 2.4.59, but fails in versions 2.5.5 and 2.6.8. In a nutshell, search results from the subordinate database aren't being returned, even though (judging by the logs) they appear to be found. Thanks, -Mike -- You are receiving this mail because: You are on the CC list for the issue.

1 9

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs October 2024