https://bugs.openldap.org/show_bug.cgi?id=10248
Issue ID: 10248
Summary: translucent + subordinate regression
Product: OpenLDAP
Version: 2.6.8
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: mike(a)nolta.net
Target Milestone: ---
Created attachment 1027
--> https://bugs.openldap.org/attachment.cgi?id=1027&action=edit
translucent + subordinate regression testcase, formatted for
tests/data/regressions/
Hi,
Attached please find a testcase for a regression we noticed in a translucent +
subordinate slapd configuration.
The test works in version 2.4.59, but fails in versions 2.5.5 and 2.6.8.
In a nutshell, search results from the subordinate database aren't being
returned, even though (judging by the logs) they appear to be found.
Thanks,
-Mike
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10249
Issue ID: 10249
Summary: slapo-nestgroup leak with non-nested groups
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
Searching for a member= of a group when no nesting is in place will leak
memory.
It seems to stem from a few `gi.gi_numDNs` tests that should most likely be
against `gi.gi_DNs` instead.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10253
Issue ID: 10253
Summary: Compile failure with GnuTLS and GCC 14 on 32-bit
Product: OpenLDAP
Version: 2.6.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: ryan(a)openldap.org
Target Milestone: ---
Debian bug report: https://bugs.debian.org/1078822
tls_g.c fails to compile on 32-bit platforms with GCC 14:
$ gcc --version
gcc (Debian 14.2.0-2) 14.2.0
Copyright (C) 2024 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ gcc -dumpmachine
i686-linux-gnu
$ ./configure --disable-slapd --with-tls=gnutls
[...]
$ make
[...]
libtool: compile: cc -g -O2 -I../../include -I../../include -DLDAP_LIBRARY -c
tls_g.c -fPIC -DPIC -o .libs/tls_g.o
tls_g.c: In function ‘tlsg_session_pinning’:
tls_g.c:971:57: error: passing argument 4 of ‘gnutls_fingerprint’ from
incompatible pointer type [-Wincompatible-pointer-types]
971 | keyhash.bv_val, &keyhash.bv_len
) < 0 ) {
| ^~~~~~~~~~~~~~~
| |
| ber_len_t *
{aka long unsigned int *}
In file included from tls_g.c:44:
/usr/include/gnutls/gnutls.h:2408:32: note: expected ‘size_t *’ {aka ‘unsigned
int *’} but argument is of type ‘ber_len_t *’ {aka ‘long unsigned int *’}
2408 | size_t *result_size);
| ~~~~~~~~^~~~~~~~~~~
make[2]: *** [Makefile:431: tls_g.lo] Error 1
It looks like the warning has always been emitted since the code was originally
committed, but with GCC 14 it became an error. (See
<https://gcc.gnu.org/gcc-14/porting_to.html>. The last successful Debian build
used GCC 13.)
Quoting from the Debian bug report:
> ber_len_t is typedef'ed in openldap as unsigned LBER_LEN_T, which is
> AC_DEFINED as long. I'm not sure what a static AC_DEFINE in configure.ac
> achieves, but that's what we have. On the other side, we have size_t,
> which happens to be 32bit. Bummer. I suggest passing the 4th argument as
> a temporary variable of type size_t and copying it from/to the target
> structure after validating that it fits.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10106
Issue ID: 10106
Summary: Add organization to web list of OpenLDAP support
providers
Product: website
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: website
Assignee: bugs(a)openldap.org
Reporter: sudo(a)migrateq.io
Target Milestone: ---
Hello! This request is being opened as suggested by Quanah Gibson-Mount.
Could you please add Migrateq to your OpenLDAP Support page on
https://openldap.org/support
Company: Migrateq Inc.
Website: https://migrateq.io/support/tech/openldap
Migrateq provides migrations, integrations and advanced 24/7/365 technical
support for OpenLDAP and most Linux and Open Source Software.
Thank you =)
Richard
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10254
Issue ID: 10254
Summary: Allow upgrading password hash on bind
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: me(a)floriswesterman.nl
Target Milestone: ---
Many OpenLDAP installations are likely to contain relatively old password
hashes such as SSHA and CRYPT, as modern alternatives such as Argon are only
recent additions. Due to the nature of password hashes, it is of course not
possible to "unhash" the old values and rehash them with a more modern
algorithm. The presence of these old password hashes poses a liability in case
of information leaks or hacks.
Currently, the only way to upgrade a password hash is to wait for the user to
change their password. This can be sped up by expiring passwords and forcing
users to change them. However, this can be slow and frequent password rotation
is no longer considered a best practice.
It would be a very helpful addition to add support for upgrading a password
hash on bind. This is implemented in the 389 directory server:
https://www.port389.org/docs/389ds/design/pwupgrade-on-bind.html
Essentially, when a user binds, the password is checked like normal. In case of
a successful bind, the proposed feature would check the hash algorithm used for
the password; and in case it is not equal to the current `olcPasswordHash`
value, the user-provided password is rehashed using the new algorithm and
stored. This way, the old hashes are phased out more quickly, without being a
disturbance to users.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9796
Issue ID: 9796
Summary: Deprecate GnuTLS support
Product: OpenLDAP
Version: 2.6.1
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
Support for GnuTLS was added specifically for the Debian (and thus Ubuntu) due
to the license objections at the time that the Debian project had for the
OpenSSL license.
Since that time, Debian has reclassified OpenSSL as a core library and the
OpenSSL project has resolved the original complaint by licensing OpenSSL 3 and
later under the Apache License v2.
Thus there is no longer a reason to maintain support for GnuTLS and given the
long standing concerns over the security and quality of the GnuTLS bridge in
addition to the extra cost of maintaining that code, it should be marked as
deprecated and removed in a future release.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10252
Issue ID: 10252
Summary: Unable to fetch groups and users at duo admin panel
for enabling MFA for Ldap users
Product: OpenLDAP
Version: 2.5.18
Hardware: All
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: ajay41.kumar(a)airtel.com
Target Milestone: ---
Hi Team,
I got stuck at configuring openldap server with member of overlay for
groups with below requirement.We are trying to enable Multifactor
authentication using duo auth proxy & duo admin panel configuration for ldap
users.
Ldap server is getting synced successfully with Duo admin portal but
groups and users details not fetching at duo admin portal. Duo support team
mentioned to change ldap configuration as mention article. Can someone help me,
How i can make these changes.
https://duo.my.site.com/s/article/4529?language=en_US
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10251
Issue ID: 10251
Summary: wrong type passed to getsockname
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
New compilers don't allow passing sockaddr_storage * to getsockname() so
clients/tools/common.c no longer compiles. Fix is coming.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10250
Issue ID: 10250
Summary: syncrepl_diff_entry assumes attributes come in the
same order
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
When trying to diff an entry, syncrepl_diff_entry explicitly assumes attribute
come in the same order. That's not always the case and could cause it to report
a spurious rewrite of the attribute.
Normally this is ok, unless the rewrite itself (not) occurring has other
side-effects, when it could cause issues. (e.g. a DB with memberof
inconsistencies being mysteriously repaired in some scenarios, which is how it
was found).
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10244
Issue ID: 10244
Summary: Fix pointer type
Product: LMDB
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: liblmdb
Assignee: bugs(a)openldap.org
Reporter: zanaviska(a)tutanota.com
Target Milestone: ---
Created attachment 1026
--> https://bugs.openldap.org/attachment.cgi?id=1026&action=edit
passed temprorary variable
Hi I am trying to add MINGW support for another project, But each time I get an
error
```
mdb.c:3921:76: error: passing argument 3 of 'GetOverlappedResult' from
incompatible pointer type [-Wincompatible-pointer-types]
note: expected 'LPDWORD' {aka 'long unsigned int *'} but argument is of type
'ssize_t *' {aka 'long long int *'}
```
So I came up with a fix for your software, with I attach in attachment
--
You are receiving this mail because:
You are on the CC list for the issue.