openldap-bugs April 2026

openldap-bugs@openldap.org

1 participants
179 discussions

[Issue 10499] New: Enable test-level tracking in CI
by openldap-its＠openldap.org 12 May '26

12 May '26

https://bugs.openldap.org/show_bug.cgi?id=10499 Issue ID: 10499 Summary: Enable test-level tracking in CI Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: test suite Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Gitlab supports parsing junit-style XML reports. We can emit something like this from our test suite and get a better idea how our tests perform/which test failed at a glance. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10495] New: Environment variable for Systemd is ignored by configure
by openldap-its＠openldap.org 06 May '26

06 May '26

https://bugs.openldap.org/show_bug.cgi?id=10495 Issue ID: 10495 Summary: Environment variable for Systemd is ignored by configure Product: OpenLDAP Version: 2.6.13 Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: openldap.aftermost863(a)passinbox.com Target Milestone: --- Hello, When using the configure script to generate the Makefile, the documentation in the --help option states that the environment variable 'systemdsystemunitdir' can be used to override the default system path for Systemd units. However, this does not work: if I export the variable with a valid existing path (e.g. 'export systemdsystemunitdir=/tmp/test') and then run ./configure, the variable is found but is ignored in the output variables and is therefore not used in the Makefile. config.log: ... ## ---------------- ## ## Cache variables. ## ## ---------------- ## ... ac_cv_env_systemdsystemunitdir_set=set ac_cv_env_systemdsystemunitdir_value=/tmp/test ... ## ----------------- ## ## Output variables. ## ## ----------------- ## ... systemdsystemunitdir='/usr/lib/systemd/system' ... The configure script seems to override that variable on line 23942: systemdsystemunitdir= I don’t quite understand why this line is there, and it seems suspicious to me. However, if I remove it and run ./configure again in the exact same shell, config.log now shows the correct path in the output variables, and the Makefile uses it correctly afterward: ... ## ---------------- ## ## Cache variables. ## ## ---------------- ## ... ac_cv_env_systemdsystemunitdir_set=set ac_cv_env_systemdsystemunitdir_value=/tmp/test ... pkg_cv_systemdsystemunitdir=/tmp/test ## ----------------- ## ## Output variables. ## ## ----------------- ## ... systemdsystemunitdir='/tmp/test' I had this issue on both Debian 13 (using bash) and Arch Linux (using zsh). -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10498] New: libldap OpenSSL 4 compatibility
by openldap-its＠openldap.org 06 May '26

06 May '26

https://bugs.openldap.org/show_bug.cgi?id=10498 Issue ID: 10498 Summary: libldap OpenSSL 4 compatibility Product: OpenLDAP Version: 2.6.13 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: rainer.jung(a)kippdata.de Target Milestone: --- Created attachment 1145 --> https://bugs.openldap.org/attachment.cgi?id=1145&action=edit Patch for libldap OpenSSL 4 compatibility libldap uses direct access to struct members made opaque in OpenSSL 4. Alternative getter methods needed to access the struct members seem to be available since OpenSSL 1.1.0, so very long ago. I suggest the attached (trivial) patch to replace direct access with getter methods. The patch is based on OpenLDAP 2.6.13. From visual code inspection it seems the problem also exists in the master branch. I did not try to compile the rest of OpenLDAP with OpenSSL 4, just libldap. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 10496] New: Remove references to Mozilla NSS in lload.conf(5) man page
by openldap-its＠openldap.org 06 May '26

06 May '26

https://bugs.openldap.org/show_bug.cgi?id=10496 Issue ID: 10496 Summary: Remove references to Mozilla NSS in lload.conf(5) man page Product: OpenLDAP Version: 2.6.10 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- We removed Mozilla NSS support in OpenLDAP 2.5, remove references to it from OpenLDAP 2.6 man pages. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10472] New: Detect servers dying during tests
by openldap-its＠openldap.org 06 May '26

06 May '26

https://bugs.openldap.org/show_bug.cgi?id=10472 Issue ID: 10472 Summary: Detect servers dying during tests Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: test suite Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Currently the test suite starts tests as background jobs and ignores when they exit prematurely or with a non-zero exit code. This makes it impossible to detect shutdown time crashes or enable any instrumentation/leak-checking tools. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Bug 9211] New: Relax control is not consistently access-restricted
by openldap-its＠openldap.org 06 May '26

06 May '26

https://bugs.openldap.org/show_bug.cgi?id=9211 Bug ID: 9211 Summary: Relax control is not consistently access-restricted Product: OpenLDAP Version: 2.4.49 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ryan(a)openldap.org Target Milestone: --- The following operations can be performed by anyone having 'write' access (not even 'manage') using the Relax control: - modifying/replacing structural objectClass - adding/modifying OBSOLETE attributes Some operations are correctly restricted: - adding/modifying NO-USER-MODIFICATION attributes marked as manageable (Modification of non-conformant objects doesn't appear to be implemented at all.) In the absence of ACLs for controls, I'm of the opinion that all use of the Relax control should require manage access. The Relax draft clearly and repeatedly discusses its use cases in terms of directory _administrators_ temporarily relaxing constraints in order to accomplish a specific task. -- You are receiving this mail because: You are on the CC list for the bug.

1 14

[Bug 9204] New: slapo-constraint allows anyone to apply Relax control
by openldap-its＠openldap.org 06 May '26

06 May '26

https://bugs.openldap.org/show_bug.cgi?id=9204 Bug ID: 9204 Summary: slapo-constraint allows anyone to apply Relax control Product: OpenLDAP Version: 2.4.49 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ryan(a)openldap.org Target Milestone: --- slapo-constraint doesn't limit who can use the Relax control, beyond the global limits applied by slapd. In practice, for many modifications this means any configured constraints are advisory only. In my opinion this should be considered a bug, in design if not implementation. I expect many admins would not read the man page closely enough to realize the behaviour does technically adhere to the letter of what's written there. Either slapd should require manage privileges for the Relax control globally, or slapo-constraint should perform a check for manage privilege itself, like slapo-unique does. Quoting ando in https://bugs.openldap.org/show_bug.cgi?id=5705#c4: > Well, a user with "manage" privileges on related data could bypass > constraints enforced by slapo-constraint(5) by using the "relax" > control. The rationale is that a user with manage privileges could be > able to repair an entry that needs to violate a constraint for good > reasons. Note that the user: > > - must have enough privileges to do it (manage) > > - must inform the DSA that intends to violate the constraint (by using > the control) but such privileges are currently not being required. -- You are receiving this mail because: You are on the CC list for the bug.

1 16

[Issue 10265] New: Make it possible to change olcBkLloadListen at runtime
by openldap-its＠openldap.org 06 May '26

06 May '26

https://bugs.openldap.org/show_bug.cgi?id=10265 Issue ID: 10265 Summary: Make it possible to change olcBkLloadListen at runtime Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: lloadd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Currently, olcBkLloadListen changes only take effect on lloadd startup: - an added olcBkLloadListen should come online at the end of the modify operation - at the end of the modify operation a removed olcBkLloadListen will stop listening on the sockets associated with it, clients that connected over these are marked CLOSING - to facilitate replacing a value where URIs resolved sockets overlap, olcBkLloadListen should become a MAY in olcBkLloadConfig objectclass Lloadd's startup was modelled upon slapd's, but the requirements have changed considerably when it was turned into a module. Sockets are acquired at module configuration time, which is much later than standalone/slapd's own startup and so the way the URLs are handled also needs to be reworked. This will resolve other related issues. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10488] New: Multiple out-of-bounds reads in servers/slapd/result.c v2ref() function
by openldap-its＠openldap.org 06 May '26

06 May '26

https://bugs.openldap.org/show_bug.cgi?id=10488 Issue ID: 10488 Summary: Multiple out-of-bounds reads in servers/slapd/result.c v2ref() function Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: wangxiaomeng(a)kylinos.cn Target Milestone: --- Created attachment 1142 --> https://bugs.openldap.org/attachment.cgi?id=1142&action=edit Fix two out-of-bounds reads in servers/slapd/result.c v2ref() function The v2ref() function in servers/slapd/result.c is responsible for converting LDAPv3 referrals to an LDAPv2-compatible string format. Two separate out-of-bounds read vulnerabilities exist in this function, both caused by insufficient checks for zero-length data before accessing the last character of the data buffer. Vulnerability 1: Out-of-bounds read in text buffer handling Location: servers/slapd/result.c, line 94 (within the v2ref() function): Vulnerable Code: if ( text != NULL ) { len = strlen( text ); if (text[len-1] != '\n') { i = 1; } } When the 'text' parameter is non-NULL but points to an empty string (""), strlen(text) returns 0. Accessing text[len-1] (i.e., text[-1]) results in an out-of-bounds read of one byte before the start of the 'text' buffer. Vulnerability 2: Out-of-bounds read in BerValue referral handling Location: servers/slapd/result.c, line 115 (within the v2ref() function) Vulnerable Code: len += ref[i].bv_len; if (ref[i].bv_val[ref[i].bv_len-1] != '/') { ++len; } When ref[i].bv_val is non-NULL but ref[i].bv_len is 0 (a valid state per LDAP BerValue semantics, representing an empty string), accessing ref[i].bv_val[ref[i].bv_len-1] (i.e., ref[i].bv_val[-1]) results in an out-of-bounds read of one byte before the start of the ref[i].bv_val buffer. Fix Add checks for zero-length data before accessing the last character of the respective buffers. The fix addresses both vulnerabilities with minimal, targeted changes that preserve the original functionality. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 10494] New: require none still has no effect
by openldap-its＠openldap.org 06 May '26

06 May '26

https://bugs.openldap.org/show_bug.cgi?id=10494 Issue ID: 10494 Summary: require none still has no effect Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Both frontend and DB requires are unconditionally ORed, contrary to what the documentation says. Probably a disconnect between ITS#4574 and ITS#5857 understanding of what should happen. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs April 2026