openldap-bugs August 2025

openldap-bugs@openldap.org

1 participants
46 discussions

[Issue 10358] New: syncrepl can revert an entry's CSN
by openldap-its＠openldap.org 11 Sep '25

11 Sep '25

https://bugs.openldap.org/show_bug.cgi?id=10358 Issue ID: 10358 Summary: syncrepl can revert an entry's CSN Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Created attachment 1080 --> https://bugs.openldap.org/attachment.cgi?id=1080&action=edit Debug log of an instance of this happening There is a sequence of operations which can force a MPR node to apply changes out of order (essentially reverting an operation). Currently investigating which part of the code that should have prevented this has let it slip. A sample log showing how this happened is attached. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10360] New: delta-sync can apply old mods
by openldap-its＠openldap.org 08 Sep '25

08 Sep '25

https://bugs.openldap.org/show_bug.cgi?id=10360 Issue ID: 10360 Summary: delta-sync can apply old mods Product: OpenLDAP Version: 2.6.9 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: hyc(a)openldap.org Target Milestone: --- This might be related to #10358, but not sure. In delta MPR, if an older mod is received on an entry after a newer mod has already been applied by a local user, the older mod is applied and the newer mod is lost. The incoming replication ops are checked for freshness by check_csn_age() but that only checks the incoming cookieCSN against contextCSNs of the same SID. I.e., that check only prevents duplicate mods being replicated multiple times from the same remote provider. If check_csn_age() passes, then syncrepl_message_to_op() is invoked which just applies the mod. It doesn't check the mod or cookieCSN against the entry's current entryCSN. The code in syncrepl_op_mod() performs the checks we need. The code just needs to be pulled into a new function so it can be used in both places. -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 10369] New: Error when trying to modify the olcDbCheckpoint attr: 'olcMultiProvider' cannot have multiple values
by openldap-its＠openldap.org 08 Sep '25

08 Sep '25

https://bugs.openldap.org/show_bug.cgi?id=10369 Issue ID: 10369 Summary: Error when trying to modify the olcDbCheckpoint attr: 'olcMultiProvider' cannot have multiple values Product: OpenLDAP Version: 2.6.10 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: elecharny(a)apache.org Target Milestone: --- When trying to modify the olcDbCheckpoint, I get an error on the olcMultiProvider attribute Here are the logs I get: juil. 17 13:03:32 openldap1 slapd[17224]: conn=1012 op=3 MOD dn="olcDatabase={3}mdb,cn=config" juil. 17 13:03:32 openldap1 slapd[17224]: conn=1012 op=3 MOD attr=olcDbCheckpoint juil. 17 13:03:32 openldap1 slapd[17224]: slap_get_csn: conn=1012 op=3 generated new csn=20250717130332.671384Z#000000#00b#000000 manage=1 juil. 17 13:03:32 openldap1 slapd[17224]: slap_queue_csn: queueing 0x7f02cc104b80 20250717130332.671384Z#000000#00b#000000 juil. 17 13:03:32 openldap1 slapd[17224]: Entry (olcDatabase={3}mdb,cn=config), attribute 'olcMultiProvider' cannot have multiple values juil. 17 13:03:32 openldap1 slapd[17224]: conn=1012 op=3 RESULT tag=103 err=19 qtime=0.000008 etime=0.000185 text=attribute 'olcMultiProvider' cannot > juil. 17 13:03:32 openldap1 slapd[17224]: slap_graduate_commit_csn: removing 0x7f02cc104b80 20250717130332.671384Z#000000#00b#000000 juil. 17 13:03:32 openldap1 slapd[17224]: conn=1012 op=4 UNBIND Here is the content of the olcDatabase={3}mdb,cn=config entry: "olcDatabase={3}mdb,cn=config", { "objectClass":[ "olcDatabaseConfig", "olcMdbConfig" ], "olcDatabase":"{3}mdb", "olcDbDirectory":"/usr/local/openldap/data/worteks/", "olcSuffix":[ "o=service,o=worteks" ], "olcAccess":[ "{0}to * by dn=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" read by dn=\"uid=repl,ou=security,o=service,o=worteks\" read by anonymous auth by * none break", "{1}to attrs=userPassword by * none", "{2}to dn.subtree=\"ou=security,o=service,o=worteks\" by * none", "{3}to * by * none" ], "olcAddContentAcl":true, "olcLimits":[ "{0}dn=\"uid=repl,ou=security,o=service,o=worteks\" size=unlimited time=unlimited", "{1}dn=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" size=unlimited time=unlimited" ], "olcRootDN":"cn=admin,o=service,o=worteks", "olcRootPW":"secret", "olcSyncrepl":[ "{0}rid=012 provider=ldap://openldap1:10389 binddn=\"uid=repl,ou=security,o=service,o=worteks\" bindmethod=simple credentials=\"secret\" searchbase=\"o=service,o=worteks\" logbase=\"cn=accesslog\" logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\" type=refreshAndPersist retry=\"5 +\" timeout=1 syncdata=accesslog", "{1}rid=011 provider=ldap://openldap2:10389 binddn=\"uid=repl,ou=security,o=service,o=worteks\" bindmethod=simple credentials=\"secret\" searchbase=\"o=service,o=worteks\" logbase=\"cn=accesslog\" logfilter=\"(&(objectClass=auditWriteObject)(reqResult=0))\" type=refreshAndPersist retry=\"5 +\" timeout=1 syncdata=accesslog" ], "olcMultiProvider":true, "olcDbCheckpoint":"1024 1", "olcDbNoSync":true, "olcDbIndex":[ "entryUUID eq", "objectClass eq", "entryCSN eq", "uid eq", "mailboxServiceIMAP eq", "mailboxServicePOP eq", "mailPrimaryAddress eq", "mailAlternativeAddress eq", "mailboxHiddenAlias eq" ], "olcDbMaxSize":137438953472 } In this context, I'm trying to modify the incorrect olcDbCheckpoint value from '1024 1' to '0 1', and the olcMultiProvider has only one value. -- You are receiving this mail because: You are on the CC list for the issue.

1 15

[Issue 10384] New: str2entry2() leaks attributes on error
by openldap-its＠openldap.org 08 Sep '25

08 Sep '25

https://bugs.openldap.org/show_bug.cgi?id=10384 Issue ID: 10384 Summary: str2entry2() leaks attributes on error Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- If there's error processing attribute values, the attribute list in ahead is not freed. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10380] New: file logger doesn't emit slapd startup/version info
by openldap-its＠openldap.org 08 Sep '25

08 Sep '25

https://bugs.openldap.org/show_bug.cgi?id=10380 Issue ID: 10380 Summary: file logger doesn't emit slapd startup/version info Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- When using syslog, a startup message is emitted which is useful in many different contexts: - signals a slapd restart to the admin - shows the actual version used - if a crash happened just before, there is no "stopped" message, this is a hint to anyone looking that something was not right and the slapd is not the same process - people writing log processing scripts (incident response) know when it's necessary to reset their state, again as it's a new process Because of the above, it feels like a regression to me. I guess we can just emit this info on logfile config handlers? This means startups and logfile switches are still handled as they used to in syslog and log rotation doesn't emit anything (making it easy and safe to just concatenate files). Yes, slapd logs its PID in most formats so restarts can be detected that way, but that's considerably harder to search for. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10379] New: lastbind change prevents ppolicy response from reaching accesslog
by openldap-its＠openldap.org 08 Sep '25

08 Sep '25

https://bugs.openldap.org/show_bug.cgi?id=10379 Issue ID: 10379 Summary: lastbind change prevents ppolicy response from reaching accesslog Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- When "lastbind on" and ppolicy are configured together, the pwdLastSuccess update triggers an accesslog entry (using op->o_time, op->o_tincr), then ppolicy_bind_response issues its own modification and since the time was copied in lastbind, an entry of the same name already exists. This means the ppolicy change is lost (and e.g. won't replicate). Note that slapo-lastbind (=the contrib overlay) probably has the same impact. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10385] New: syncprov should use accesslog's rootDN when reading it
by openldap-its＠openldap.org 08 Sep '25

08 Sep '25

https://bugs.openldap.org/show_bug.cgi?id=10385 Issue ID: 10385 Summary: syncprov should use accesslog's rootDN when reading it Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- When replaying accesslog, syncprov runs a be_search, it should switch to using the appropriate rootDN for the database. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10387] New: Reverse lookup does not work for IPv6 addresses proxied over IPv4
by openldap-its＠openldap.org 08 Sep '25

08 Sep '25

https://bugs.openldap.org/show_bug.cgi?id=10387 Issue ID: 10387 Summary: Reverse lookup does not work for IPv6 addresses proxied over IPv4 Product: OpenLDAP Version: 2.6.10 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: +openldap(a)Eero.xn--Hkkinen-5wa.fi Target Milestone: --- I have an IPv4/IPv6 reverse proxy server which listens for ldap[s]:// connections and forwards them using the proxy procotol to an IPv4-only slapd server which listens for pldap[s]:// connections. The slapd server has the global olcReverseLookup setting set to TRUE. The reverse lookup works as expected if an LDAP client connects to the reverse proxy using IPv4. However, if the LDAP client connects to the reverse proxy using IPv6, the reverse lookup does not work. The slap_listener function in the servers/slapd/daemon.c file accepts a connection (https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_6_10/s…). Because the reverse proxy connects to the slapd server using the proxy protocol over IPv4, this fills the from variable with an IPv4 address and sets the len variable to the size of the struct sockaddr_in. This is correct. The slap_listener function detects that the connection is proxied (https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_6_10/s…) and uses the proxyp function to get the address of the LDAP client. This fills the from variable with an IPv4 or an IPv6 address (depending on whether the LDAP client used IPv4 or IPv6 to connect the reverse proxy) but does not update the len variable. The slap_listener function detects that reverse lookup is to be used (https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_6_10/s…) and used the ldap_pvt_get_hname function to get the reverse name (https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_6_10/s…) passing the address of the from variable, which may contain either an IPv4 or an IPv6 address, and the value of the len variable, which is equal to the size of the struct sockaddr_in. This is correct for IPv4 but not for IPv6. Either the slap_listener function or the proxyp function should update the value of the len variable. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10254] New: Allow upgrading password hash on bind
by openldap-its＠openldap.org 08 Sep '25

08 Sep '25

https://bugs.openldap.org/show_bug.cgi?id=10254 Issue ID: 10254 Summary: Allow upgrading password hash on bind Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: me(a)floriswesterman.nl Target Milestone: --- Many OpenLDAP installations are likely to contain relatively old password hashes such as SSHA and CRYPT, as modern alternatives such as Argon are only recent additions. Due to the nature of password hashes, it is of course not possible to "unhash" the old values and rehash them with a more modern algorithm. The presence of these old password hashes poses a liability in case of information leaks or hacks. Currently, the only way to upgrade a password hash is to wait for the user to change their password. This can be sped up by expiring passwords and forcing users to change them. However, this can be slow and frequent password rotation is no longer considered a best practice. It would be a very helpful addition to add support for upgrading a password hash on bind. This is implemented in the 389 directory server: https://www.port389.org/docs/389ds/design/pwupgrade-on-bind.html Essentially, when a user binds, the password is checked like normal. In case of a successful bind, the proposed feature would check the hash algorithm used for the password; and in case it is not equal to the current `olcPasswordHash` value, the user-provided password is rehashed using the new algorithm and stored. This way, the old hashes are phased out more quickly, without being a disturbance to users. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9343] New: Expand ppolicy policy configuration to allow URL filter
by openldap-its＠openldap.org 08 Sep '25

08 Sep '25

https://bugs.openldap.org/show_bug.cgi?id=9343 Issue ID: 9343 Summary: Expand ppolicy policy configuration to allow URL filter Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- Currently, ppolicy only supports a single global default policy, and past that any policies must be manually added to a given user entry if they are supposed to have something other than the default policy. Also, some sites want no default policy, and only a specific subset to have a policy applied to them. For both of these cases, it would be helpful if it were possible to configure a policy to apply to a set of users via a URL similar to the way we handle creating groups of users in dynlist -- You are receiving this mail because: You are on the CC list for the issue.

1 17

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs August 2025