https://bugs.openldap.org/show_bug.cgi?id=9204
Bug ID: 9204
Summary: slapo-constraint allows anyone to apply Relax control
Product: OpenLDAP
Version: 2.4.49
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: ryan(a)openldap.org
Target Milestone: ---
slapo-constraint doesn't limit who can use the Relax control, beyond the global
limits applied by slapd. In practice, for many modifications this means any
configured constraints are advisory only.
In my opinion this should be considered a bug, in design if not implementation.
I expect many admins would not read the man page closely enough to realize the
behaviour does technically adhere to the letter of what's written there.
Either slapd should require manage privileges for the Relax control globally,
or slapo-constraint should perform a check for manage privilege itself, like
slapo-unique does.
Quoting ando in https://bugs.openldap.org/show_bug.cgi?id=5705#c4:
> Well, a user with "manage" privileges on related data could bypass
> constraints enforced by slapo-constraint(5) by using the "relax"
> control. The rationale is that a user with manage privileges could be
> able to repair an entry that needs to violate a constraint for good
> reasons. Note that the user:
>
> - must have enough privileges to do it (manage)
>
> - must inform the DSA that intends to violate the constraint (by using
> the control)
but such privileges are currently not being required.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugs.openldap.org/show_bug.cgi?id=9211
Bug ID: 9211
Summary: Relax control is not consistently access-restricted
Product: OpenLDAP
Version: 2.4.49
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ryan(a)openldap.org
Target Milestone: ---
The following operations can be performed by anyone having 'write' access (not
even 'manage') using the Relax control:
- modifying/replacing structural objectClass
- adding/modifying OBSOLETE attributes
Some operations are correctly restricted:
- adding/modifying NO-USER-MODIFICATION attributes marked as manageable
(Modification of non-conformant objects doesn't appear to be implemented at
all.)
In the absence of ACLs for controls, I'm of the opinion that all use of the
Relax control should require manage access. The Relax draft clearly and
repeatedly discusses its use cases in terms of directory _administrators_
temporarily relaxing constraints in order to accomplish a specific task.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugs.openldap.org/show_bug.cgi?id=10258
Issue ID: 10258
Summary: test050 failure: connection_close race?
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
Created attachment 1032
--> https://bugs.openldap.org/attachment.cgi?id=1032&action=edit
tail of slapd log
Running test050 repeatedly, the slapd managed to get itself into an apparent
inconsistency in the connections structure. The logs suggest that there might
be a race closing the connection. Unfortunately the sanitiser didn't initiate a
core dump in this case.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10234
Issue ID: 10234
Summary: syncrepl does not reset the retrynum
Product: OpenLDAP
Version: 2.6.8
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: hamano(a)osstech.co.jp
Target Milestone: ---
```
syncrepl
retry="5 10 30 +"
```
When replication fails with the above settings, syncrepl retries "10 times at 5
second intervals". Then, the retry count should be reset on the next
replication failure.
In actual, it does not reset. The behavior is as follows:
```
(first time replication failure)
do_syncrepl: rid=001 rc -1 retrying (9 retries left)
do_syncrepl: rid=001 rc -1 retrying (8 retries left)
(resume replication)
(second time replication failure)
do_syncrepl: rid=001 rc -1 retrying (7 retries left)
do_syncrepl: rid=001 rc -1 retrying (6 retries left)
```
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10232
Issue ID: 10232
Summary: assert() at shutdown if a syncrepl session is in
refresh
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
When removing the last one, syncinfo_free() checks that there is no active
refresh on the backend. This works if operating on olcSyncrepl values because
refresh_finished is called where appropriate. However if we're shutting down,
this is skipped to make sure we don't schedule a new task and that could lead
to an assert failure if there indeed was a refresh in progress (the same
probably applies when removing the DB).
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10248
Issue ID: 10248
Summary: translucent + subordinate regression
Product: OpenLDAP
Version: 2.6.8
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: mike(a)nolta.net
Target Milestone: ---
Created attachment 1027
--> https://bugs.openldap.org/attachment.cgi?id=1027&action=edit
translucent + subordinate regression testcase, formatted for
tests/data/regressions/
Hi,
Attached please find a testcase for a regression we noticed in a translucent +
subordinate slapd configuration.
The test works in version 2.4.59, but fails in versions 2.5.5 and 2.6.8.
In a nutshell, search results from the subordinate database aren't being
returned, even though (judging by the logs) they appear to be found.
Thanks,
-Mike
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10249
Issue ID: 10249
Summary: slapo-nestgroup leak with non-nested groups
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
Searching for a member= of a group when no nesting is in place will leak
memory.
It seems to stem from a few `gi.gi_numDNs` tests that should most likely be
against `gi.gi_DNs` instead.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10256
Issue ID: 10256
Summary: Custom attribute disappears after slapd restart
Product: OpenLDAP
Version: 2.4.57
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: backends
Assignee: bugs(a)openldap.org
Reporter: heinrich.blatt(a)googlemail.com
Target Milestone: ---
Hi,
i want to use a custom attribute in my schema. I use that ldif:
dn: cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.2.840.113556.1.4.7000 NAME 'rfidtoken' DESC 'RFID Token'
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
This i inject via ldapmodify. For the session it works, but after restarting
slapd the attribute disappears. If i add it again via ldapmodify it is there
for the session again. My /etc/ldap/slapd.d/cn=config/cn=schema.ldif contains
the change.
This seems related to #9066, however the documentation indicates that i can
make the changes via ldapmodify persistent.
What is the right approach there? What i can do to persist the change?
Thanks in advance for support
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10253
Issue ID: 10253
Summary: Compile failure with GnuTLS and GCC 14 on 32-bit
Product: OpenLDAP
Version: 2.6.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: ryan(a)openldap.org
Target Milestone: ---
Debian bug report: https://bugs.debian.org/1078822
tls_g.c fails to compile on 32-bit platforms with GCC 14:
$ gcc --version
gcc (Debian 14.2.0-2) 14.2.0
Copyright (C) 2024 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ gcc -dumpmachine
i686-linux-gnu
$ ./configure --disable-slapd --with-tls=gnutls
[...]
$ make
[...]
libtool: compile: cc -g -O2 -I../../include -I../../include -DLDAP_LIBRARY -c
tls_g.c -fPIC -DPIC -o .libs/tls_g.o
tls_g.c: In function ‘tlsg_session_pinning’:
tls_g.c:971:57: error: passing argument 4 of ‘gnutls_fingerprint’ from
incompatible pointer type [-Wincompatible-pointer-types]
971 | keyhash.bv_val, &keyhash.bv_len
) < 0 ) {
| ^~~~~~~~~~~~~~~
| |
| ber_len_t *
{aka long unsigned int *}
In file included from tls_g.c:44:
/usr/include/gnutls/gnutls.h:2408:32: note: expected ‘size_t *’ {aka ‘unsigned
int *’} but argument is of type ‘ber_len_t *’ {aka ‘long unsigned int *’}
2408 | size_t *result_size);
| ~~~~~~~~^~~~~~~~~~~
make[2]: *** [Makefile:431: tls_g.lo] Error 1
It looks like the warning has always been emitted since the code was originally
committed, but with GCC 14 it became an error. (See
<https://gcc.gnu.org/gcc-14/porting_to.html>. The last successful Debian build
used GCC 13.)
Quoting from the Debian bug report:
> ber_len_t is typedef'ed in openldap as unsigned LBER_LEN_T, which is
> AC_DEFINED as long. I'm not sure what a static AC_DEFINE in configure.ac
> achieves, but that's what we have. On the other side, we have size_t,
> which happens to be 32bit. Bummer. I suggest passing the 4th argument as
> a temporary variable of type size_t and copying it from/to the target
> structure after validating that it fits.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=10233
Issue ID: 10233
Summary: wrong idl intersection
Product: OpenLDAP
Version: 2.6.8
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: backends
Assignee: bugs(a)openldap.org
Reporter: hamano(a)osstech.co.jp
Target Milestone: ---
The `mdb_idl_intersection()` and `wt_idl_intersection()` functions derived from
back-bdb return wrong results.
expect:
[1, 3] ∩ [2] = []
actual:
[1, 3] ∩ [2] = [2]
--
You are receiving this mail because:
You are on the CC list for the issue.