openldap-bugs

openldap-bugs@openldap.org

1 participants
21065 discussions

Re: (ITS#7789) Unreliable mdb_env_set_mapsize()
by hyc＠symas.com 23 Jan '14

23 Jan '14

h.b.furuseth(a)usit.uio.no wrote: > Full_Name: Hallvard B Furuseth > Version: LMDB 0.9.11 > OS: Linux x86_64 > URL: > Submission from: (NULL) (129.240.6.254) > Submitted by: hallvard > > > Mapsize changes do not work as described, do not reliably store the > mapsize in the map, and it's hard to see how it is supposed to work. > E.g.: > - Open an environment twice, in processes X and Y. > - X grows the map and writes (commits) something to the DB. That > MDB_meta gets the new mapsize. > - Y writes to the DB. It does not get MDB_MAP_RESIZED like the doc > says, nor does it carry forward X's MDB_meta.mm_mapsize change. The doc says the caller of set_mapsize is required to make sure there are no active transactions when it is called. As such, X failed this requirement, and this sequence of events is explicitly unsupported. If Y doesn't start its write txn until after X finishes, then Y will see the new size. > - Process Z opens the environment without doing set_mapsize(), > and gets the original mapsize from the MDB_meta written by Y. > > For that matter, from reading the doc I'd expect a mapsize change to > commit a txn with the new mapsize. There's no mention that the change > (and the MDB_MAP_RESIZED) will wait for something to be committed. > > mdb_txn_commit() writes nothing if the txn didn't change anything. > It needs to notice that there is a mapsize change to write. > > The doc talks about shrinking the map, but reduced mapsizes are not > written to the datafile. Only increases are written. > > All in all, it looks to me like _changing_ the mapsize should be an > operation on a write transaction or invoke a write transaction, while > setting the size or catching up with a mapsize change can be an > environment operation. That way it would be possible to make sense of > it. A txn can do it when it has no cursors and no dirty WRITEMAP > pages (or WRITEMAP could spill all pages first). > > BTW, I don't see the point of conditionally avoiding to write the > mapsize in mdb_env_write_meta() when full page gets written to disk > anyway - as long as txn_begin() stashes the mapsize from the original > meta so it knows what to write. (It need not obey the mapsize at that > point, but it must carry a change forward.) > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7790) config.h filename clash. include path broken.
by mark＠ibiblio.org 23 Jan '14

23 Jan '14

Full_Name: Mark Version: 2.4.35 OS: Solaris 11 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (203.63.89.15) openldap-2.4.35/servers/slapd/back-ldif root# cc -I/usr/local/include -I../../../include -I../../../include -I.. -I./.. -I/usr/local/include -c ldif.c -o ldif.o "ldif.c", line 166: warning: no explicit type given "ldif.c", line 166: syntax error before or at: ldifcfg This happens because there is a /usr/local/include/config.h from libstdc++ which is included before openldap-2.4.35/servers/slapd/config.h, according to the -I include path order. The Makefile sets CFLAGS to "AC_CFLAGS DEFS". DEFS includes XINCPATH which should precede AC_CFLAGS, not succeed it. Either the order needs to be fixed, or more usefully config.h renamed to slapd_config.h To have configure work correctly, CPPFLAGS needs to be set to "-I/usr/local/include" otherwise /usr/local/include isn't searched for db.h, it picks up /usr/include/db.h which is not the one it needs to link against. + print -r -- 'configure:20296: checking for Berkeley DB major version in db.h' [...] 1> conftest.c + /bin/ggrep -E __db_version + eval '$CPP $CPPFLAGS conftest.c' + cc -E conftest.c + set X __db_version 5 none none + ol_cv_bdb_major=5 You can see it's only using CPP and CPPFLAGS in the eval command. Not CFLAGS which has the path for the correct db.h to use. To fix that, CPPFLAGS also needs to point to /usr/local/include. I'm using these fixes to move past both problems and get a properly working build: ./configure --prefix=/usr/local \ --with-cyrus-sasl \ --enable-bdb=yes \ --enable-spasswd=yes \ --enable-modules \ --enable-wrappers \ --enable-shared \ --with-tls=openssl \ ol_cv_berkeley_db_version=4.8.30 mv servers/slapd/config.h servers/slapd/slapd_config.h perl -pe 's#config.h#slapd_config.h#' -i servers/slapd/*.c perl -pe 's#"config.h"#"slapd_config.h"#' -i servers/slapd/*/*.c gmake depend gmake

1 0

(ITS#7789) Unreliable mdb_env_set_mapsize()
by h.b.furuseth＠usit.uio.no 22 Jan '14

22 Jan '14

Full_Name: Hallvard B Furuseth Version: LMDB 0.9.11 OS: Linux x86_64 URL: Submission from: (NULL) (129.240.6.254) Submitted by: hallvard Mapsize changes do not work as described, do not reliably store the mapsize in the map, and it's hard to see how it is supposed to work. E.g.: - Open an environment twice, in processes X and Y. - X grows the map and writes (commits) something to the DB. That MDB_meta gets the new mapsize. - Y writes to the DB. It does not get MDB_MAP_RESIZED like the doc says, nor does it carry forward X's MDB_meta.mm_mapsize change. - Process Z opens the environment without doing set_mapsize(), and gets the original mapsize from the MDB_meta written by Y. For that matter, from reading the doc I'd expect a mapsize change to commit a txn with the new mapsize. There's no mention that the change (and the MDB_MAP_RESIZED) will wait for something to be committed. mdb_txn_commit() writes nothing if the txn didn't change anything. It needs to notice that there is a mapsize change to write. The doc talks about shrinking the map, but reduced mapsizes are not written to the datafile. Only increases are written. All in all, it looks to me like _changing_ the mapsize should be an operation on a write transaction or invoke a write transaction, while setting the size or catching up with a mapsize change can be an environment operation. That way it would be possible to make sense of it. A txn can do it when it has no cursors and no dirty WRITEMAP pages (or WRITEMAP could spill all pages first). BTW, I don't see the point of conditionally avoiding to write the mapsize in mdb_env_write_meta() when full page gets written to disk anyway - as long as txn_begin() stashes the mapsize from the original meta so it knows what to write. (It need not obey the mapsize at that point, but it must carry a change forward.)

1 0

(ITS#7788) pwdFailureTime and pwdChangedTime registered in user entry even if no ppolicy associated with the entry
by coudot＠linagora.com 16 Jan '14

16 Jan '14

Full_Name: Clement OUDOT Version: 2.4.38 OS: GNU/Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (83.145.72.122) Hi, I have configured a ppolicy overlay without olcPPolicyDefault value. So I use pwdPolicySubentry in user entries to bind them to their policy configuration entry. Overlay ppolicy is compiled in slapd, not as module. I use LTB package. If I create an account without pwdPolicySubentry, the attributes pwdChangedTime and pwdFailureTime are generated for this entry. And as the entry is never locked (which is a normal behavior, fixed in http://www.openldap.org/its/index.cgi?findid=6168), the number of values in pwdFailureTime can grow indefinitely. IMHO, no ppolicy operational attributes should be present in an entry not linked to a password policy.

1 0

Re: (ITS#7787) Authentication success if password is expired and password must be changed
by coudot＠linagora.com 16 Jan '14

16 Jan '14

Le 16/01/2014 16:42, Howard Chu a écrit : > coudot(a)linagora.com wrote: >> >> >> Le 16/01/2014 15:31, Howard Chu a écrit : >>> coudot(a)linagora.com wrote: >>>> Full_Name: Clement OUDOT >>>> Version: 2.4.38 >>>> OS: GNU/Linux >>>> URL: ftp://ftp.openldap.org/incoming/ >>>> Submission from: (NULL) (83.145.72.122) >>>> >>>> >>>> Here is the situation : a user account is >>>> 1/ expired (the password age is more that the one configured in >>>> pwdMaxGae) >>>> 2/ must be reset (pwdReset is TRUE and pwdMustChange in ppolicy >>>> configuration >>>> object is TRUE) >>>> >>>> In this case, when doing a BIND, the result code is 0: >>>> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret >>>> -e >>>> ppolicy >>>> ldap_bind: Success (0); Password must be changed (Password expires >>>> in >>>> 0 >>>> seconds) >>>> dn: uid=coudot,ou=users,dc=example,dc=com >>>> >>>> If I remove pwdReset attribute, then: >>>> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret >>>> -e >>>> ppolicy >>>> ldap_bind: Invalid Credentials (49); Password expired >>>> >>>> According to password policy draft, the password must change flag >>>> should not >>>> affect the BIND result code. >>> >>> The draft specifies the policy checks in the order in which they are >>> to be performed. The PasswordMustBeChanged check occurs before the >>> PasswordExpired check. >>> >>> The code works as designed. >> >> >> Well, I understand. If this is not a bug in the OpenLDAP >> implementation, it is maybe a point to discuss in the draft. Indeed, >> a >> simple LDAP client (that don't use ppolicy control) will get a >> successful BIND response even if the password is expired. > > How can the password be expired if the admin has just reset it? > I never said it was *just* reset, we can imagine the password was reset a year ago and that the user never changed it. What I point here is that a reset password never expires, whatever you configure in pwdMaxAge. People using the password reset feature must be aware of this, and be sure to have an application that will force the user to change its password. >> Maybe it is the wanted behavior, maybe not. > >> The fact is that if an administator reset the password (by changing >> password value and setting pwdReset to TRUE), this reseted password >> will >> never expire. From my point of view, this is a security flaw in the >> password policy system, as a lot of applications just use the BIND >> operation on LDAP server (searches and other operations are done by >> application LDAP accounts). > > I agree that the MustChange feature doesn't mesh well with > applications that simply perform a Bind and then do nothing else. Feel > free to raise this point on the ldapext mailing list. Yes I will give a try. You can close this ITS, thanks for the answers. Clement.

1 0

Re: (ITS#7787) Authentication success if password is expired and password must be changed
by hyc＠symas.com 16 Jan '14

16 Jan '14

coudot(a)linagora.com wrote: > > > Le 16/01/2014 15:31, Howard Chu a écrit : >> coudot(a)linagora.com wrote: >>> Full_Name: Clement OUDOT >>> Version: 2.4.38 >>> OS: GNU/Linux >>> URL: ftp://ftp.openldap.org/incoming/ >>> Submission from: (NULL) (83.145.72.122) >>> >>> >>> Here is the situation : a user account is >>> 1/ expired (the password age is more that the one configured in >>> pwdMaxGae) >>> 2/ must be reset (pwdReset is TRUE and pwdMustChange in ppolicy >>> configuration >>> object is TRUE) >>> >>> In this case, when doing a BIND, the result code is 0: >>> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e >>> ppolicy >>> ldap_bind: Success (0); Password must be changed (Password expires in >>> 0 >>> seconds) >>> dn: uid=coudot,ou=users,dc=example,dc=com >>> >>> If I remove pwdReset attribute, then: >>> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e >>> ppolicy >>> ldap_bind: Invalid Credentials (49); Password expired >>> >>> According to password policy draft, the password must change flag >>> should not >>> affect the BIND result code. >> >> The draft specifies the policy checks in the order in which they are >> to be performed. The PasswordMustBeChanged check occurs before the >> PasswordExpired check. >> >> The code works as designed. > > > Well, I understand. If this is not a bug in the OpenLDAP > implementation, it is maybe a point to discuss in the draft. Indeed, a > simple LDAP client (that don't use ppolicy control) will get a > successful BIND response even if the password is expired. How can the password be expired if the admin has just reset it? > Maybe it is the wanted behavior, maybe not. > The fact is that if an administator reset the password (by changing > password value and setting pwdReset to TRUE), this reseted password will > never expire. From my point of view, this is a security flaw in the > password policy system, as a lot of applications just use the BIND > operation on LDAP server (searches and other operations are done by > application LDAP accounts). I agree that the MustChange feature doesn't mesh well with applications that simply perform a Bind and then do nothing else. Feel free to raise this point on the ldapext mailing list. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7787) Authentication success if password is expired and password must be changed
by coudot＠linagora.com 16 Jan '14

16 Jan '14

Le 16/01/2014 15:31, Howard Chu a écrit : > coudot(a)linagora.com wrote: >> Full_Name: Clement OUDOT >> Version: 2.4.38 >> OS: GNU/Linux >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (83.145.72.122) >> >> >> Here is the situation : a user account is >> 1/ expired (the password age is more that the one configured in >> pwdMaxGae) >> 2/ must be reset (pwdReset is TRUE and pwdMustChange in ppolicy >> configuration >> object is TRUE) >> >> In this case, when doing a BIND, the result code is 0: >> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e >> ppolicy >> ldap_bind: Success (0); Password must be changed (Password expires in >> 0 >> seconds) >> dn: uid=coudot,ou=users,dc=example,dc=com >> >> If I remove pwdReset attribute, then: >> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e >> ppolicy >> ldap_bind: Invalid Credentials (49); Password expired >> >> According to password policy draft, the password must change flag >> should not >> affect the BIND result code. > > The draft specifies the policy checks in the order in which they are > to be performed. The PasswordMustBeChanged check occurs before the > PasswordExpired check. > > The code works as designed. Well, I understand. If this is not a bug in the OpenLDAP implementation, it is maybe a point to discuss in the draft. Indeed, a simple LDAP client (that don't use ppolicy control) will get a successful BIND response even if the password is expired. Maybe it is the wanted behavior, maybe not. The fact is that if an administator reset the password (by changing password value and setting pwdReset to TRUE), this reseted password will never expire. From my point of view, this is a security flaw in the password policy system, as a lot of applications just use the BIND operation on LDAP server (searches and other operations are done by application LDAP accounts). Clément.

1 0

Re: (ITS#7787) Authentication success if password is expired and password must be changed
by hyc＠symas.com 16 Jan '14

16 Jan '14

coudot(a)linagora.com wrote: > Full_Name: Clement OUDOT > Version: 2.4.38 > OS: GNU/Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (83.145.72.122) > > > Here is the situation : a user account is > 1/ expired (the password age is more that the one configured in pwdMaxGae) > 2/ must be reset (pwdReset is TRUE and pwdMustChange in ppolicy configuration > object is TRUE) > > In this case, when doing a BIND, the result code is 0: > $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy > ldap_bind: Success (0); Password must be changed (Password expires in 0 > seconds) > dn: uid=coudot,ou=users,dc=example,dc=com > > If I remove pwdReset attribute, then: > $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy > ldap_bind: Invalid Credentials (49); Password expired > > According to password policy draft, the password must change flag should not > affect the BIND result code. The draft specifies the policy checks in the order in which they are to be performed. The PasswordMustBeChanged check occurs before the PasswordExpired check. The code works as designed. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7787) Authentication success if password is expired and password must be changed
by coudot＠linagora.com 16 Jan '14

16 Jan '14

Full_Name: Clement OUDOT Version: 2.4.38 OS: GNU/Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (83.145.72.122) Here is the situation : a user account is 1/ expired (the password age is more that the one configured in pwdMaxGae) 2/ must be reset (pwdReset is TRUE and pwdMustChange in ppolicy configuration object is TRUE) In this case, when doing a BIND, the result code is 0: $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy ldap_bind: Success (0); Password must be changed (Password expires in 0 seconds) dn: uid=coudot,ou=users,dc=example,dc=com If I remove pwdReset attribute, then: $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy ldap_bind: Invalid Credentials (49); Password expired According to password policy draft, the password must change flag should not affect the BIND result code.

1 0

Re: (ITS#7786) Impossible to modify cn=config if olcDbDirectory doesn't exist
by hyc＠symas.com 15 Jan '14

15 Jan '14

pierangelo.masarati(a)polimi.it wrote: > On 01/15/2014 09:59 AM, raphael.ouazana(a)linagora.com wrote: >> Full_Name: Raphael Ouazana >> Version: 2.4.38 >> OS: Linux >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (88.173.78.196) >> >> >> Hi, >> >> I have an old configuration that I would like to export/reimport. The >> olcDbDirectory item of this configuration contains a directory that does not >> longer exist. >> It it then impossible to modify the parameter: >> - I was told not to edit directly LDIF config files >> - if i try a slapcat -n0 I get: >> 52d64c91 olcDbDirectory: value #0: invalid path: No such file or directory >> 52d64c91 config error processing olcDatabase={2}hdb,cn=config: olcDbDirectory: >> value #0: invalid path: No such file or directory >> slapcat: bad configuration directory! >> >> I think slapcat should always allow to export a configuration. > > I see the point; slapcat is failing because to export the configuration > (c->op == SLAP_CONFIG_EMIT) it needs to read the configuration first, > and it reads the whole config tree. > > Perhaps when slapcat of only the config database is requested, config > parsing should skip other databases, or at least ignore errors, if possible. Agreed, we definitely need this. > > p. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs