openldap-bugs

openldap-bugs@openldap.org

1 participants
21065 discussions

Re: (ITS#7786) Impossible to modify cn=config if olcDbDirectory doesn't exist
by pierangelo.masarati＠polimi.it 15 Jan '14

15 Jan '14

On 01/15/2014 09:59 AM, raphael.ouazana(a)linagora.com wrote: > Full_Name: Raphael Ouazana > Version: 2.4.38 > OS: Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (88.173.78.196) > > > Hi, > > I have an old configuration that I would like to export/reimport. The > olcDbDirectory item of this configuration contains a directory that does not > longer exist. > It it then impossible to modify the parameter: > - I was told not to edit directly LDIF config files > - if i try a slapcat -n0 I get: > 52d64c91 olcDbDirectory: value #0: invalid path: No such file or directory > 52d64c91 config error processing olcDatabase={2}hdb,cn=config: olcDbDirectory: > value #0: invalid path: No such file or directory > slapcat: bad configuration directory! > > I think slapcat should always allow to export a configuration. I see the point; slapcat is failing because to export the configuration (c->op == SLAP_CONFIG_EMIT) it needs to read the configuration first, and it reads the whole config tree. Perhaps when slapcat of only the config database is requested, config parsing should skip other databases, or at least ignore errors, if possible. p. -- Pierangelo Masarati Associate Professor Dipartimento di Scienze e Tecnologie Aerospaziali Politecnico di Milano

1 0

(ITS#7786) Impossible to modify cn=config if olcDbDirectory doesn't exist
by raphael.ouazana＠linagora.com 15 Jan '14

15 Jan '14

Full_Name: Raphael Ouazana Version: 2.4.38 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (88.173.78.196) Hi, I have an old configuration that I would like to export/reimport. The olcDbDirectory item of this configuration contains a directory that does not longer exist. It it then impossible to modify the parameter: - I was told not to edit directly LDIF config files - if i try a slapcat -n0 I get: 52d64c91 olcDbDirectory: value #0: invalid path: No such file or directory 52d64c91 config error processing olcDatabase={2}hdb,cn=config: olcDbDirectory: value #0: invalid path: No such file or directory slapcat: bad configuration directory! I think slapcat should always allow to export a configuration. Regards, Raphaël Ouazana.

1 0

Re: (ITS#7785) ContextCSN not updated
by michael＠stroeder.com 14 Jan '14

14 Jan '14

badguy9588(a)hotmail.com wrote: > Full_Name: > Version: 2.4.11 > OS: Redhat Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (202.82.28.193) > > > We are using 4 ways multimaster openldap 2.4.11 for more than 5 years. > > On Jan 3, 2014, one of the openldap contextCSN is not updated, always stay at > Jan 3 01:xx:xx, all the other servers are already updated to Jan 6. Any reason why you insist on using such an ancient release? In 5,5 years since 2.4.11 release there have been numerous important contextCSN related fixes to OpenLDAP 2.4.x code. You should definitely upgrade! Everything else is wasting your own time and the OpenLDAP project people's resources. Ciao, Michael.

1 0

(ITS#7785) ContextCSN not updated
by badguy9588＠hotmail.com 13 Jan '14

13 Jan '14

Full_Name: Version: 2.4.11 OS: Redhat Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (202.82.28.193) We are using 4 ways multimaster openldap 2.4.11 for more than 5 years. On Jan 3, 2014, one of the openldap contextCSN is not updated, always stay at Jan 3 01:xx:xx, all the other servers are already updated to Jan 6. So, this introduce large amount of sync data between the 4 openldap servers finally, cause the slapd process memory increase from 500mb to 4Gb and finally, all memory used up and all 4 servers hanged and error message in KVM shows "Kernel panic, out of memory". The servers needed to reboot in order to resume access. However, after some time, it will happen again. We finally find that the contextCSN in one server is not updated. What we do is stop the slapd process in that server, delete the data files and the do a backup in other 3 servers. Then restore the backup in the problem server from the backup using slapadd and finally, all the data is synced. What's the root cause of this problem ? We have been using it for over 5 years already and this is the first time that this problem occurs. Thanks

1 0

Re: (ITS#7784) Client stores bindpw in cleartext
by fumiyas＠osstech.co.jp 13 Jan '14

13 Jan '14

At Tue, 14 Jan 2014 01:12:55 GMT, ylau(a)huawei.com wrote: > When nss_ldap uses LDAP authentication with binding method, the bindpw stored in > ldap.conf is clear text. > However on Solaris NS_LDAP_BINDPASSWD could be stored in encrypted string. There > is no password obfuscation with nss_ldap. > So we considered it is a security issue and will affect the result of security > audit. {NS1} format is not safe. You can decrypt it without any other secret. http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/ -- -- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp) -- Business Home: http://www.OSSTech.co.jp/ -- GitHub Home: https://GitHub.com/fumiyas/ -- PGP Fingerprint: BBE1 A1C9 525A 292E 6729 CDEC ADC2 9DCA 5E1C CBCA

1 0

Re: (ITS#7784) Client stores bindpw in cleartext
by hyc＠symas.com 13 Jan '14

13 Jan '14

ylau(a)huawei.com wrote: > Full_Name: Yo Lau > Version: 2.3.32 > OS: SUSE Linux Enterprise Server 10 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (12.130.146.228) > OpenLDAP 2.3.32 is over 6 years old and long since unsupported. nss_ldap is not a piece of OpenLDAP software. Contact SuSE for support, this ITS will be closed. > When nss_ldap uses LDAP authentication with binding method, the bindpw stored in > ldap.conf is clear text. > However on Solaris NS_LDAP_BINDPASSWD could be stored in encrypted string. There > is no password obfuscation with nss_ldap. > So we considered it is a security issue and will affect the result of security > audit. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7784) Client stores bindpw in cleartext
by ylau＠huawei.com 13 Jan '14

13 Jan '14

Full_Name: Yo Lau Version: 2.3.32 OS: SUSE Linux Enterprise Server 10 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (12.130.146.228) When nss_ldap uses LDAP authentication with binding method, the bindpw stored in ldap.conf is clear text. However on Solaris NS_LDAP_BINDPASSWD could be stored in encrypted string. There is no password obfuscation with nss_ldap. So we considered it is a security issue and will affect the result of security audit.

1 0

Re: (ITS#7778) Index and derived attribute bug
by hyc＠symas.com 13 Jan '14

13 Jan '14

yann.cezard(a)univ-pau.fr wrote: > Full_Name: Yann Cezard > Version: 2.4.38 > OS: Debian GNU/Linux Wheezy / amd64 > URL: ftp://ftp.openldap.org/incoming/Yann-Cezard-130109.tgz > Submission from: (NULL) (2001:660:6701:14:225:64ff:fe92:685b) > > > Hello, > > I hit a bug with the latest version of OpenLDAP (2.4.38) that was not present, > at least in 2.4.17 (made a test on an older server that we were using before I > discovered this). > This happens on both lmdb and bdb backend (as we were using BDB before upgrading > to 2.4.38, I tested with both on 2.4.38 to ensure that the problem was not LMDB > related). > The only ways to make the '(mail=*)' filter matches again the modified entry, is > to modify the mail attribute, or to run slapindex. > If you remove the index on the mail attribute, then there is no such problem. > It only happens when deleting all/the last derived attributes (supannAutreMail > here) from the entry. > > Sounds to me like a bug, isn't it ? Thanks for the report, fixed now in git master. > > Regards. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7783) tlsm_ctx_free crashes if ctx->tc_pin_file is null
by hyc＠symas.com 12 Jan '14

12 Jan '14

chris.w.martin(a)oracle.com wrote: > Full_Name: Chris Martin > Version: 2.4.23-32.el6_4.1 but also present in git repository version > OS: Oracle Linux 6 > URL: > Submission from: (NULL) (148.87.19.206) > > > If tlsm_ctx_free is entered with ctx->tc_pin_file null it will crash when it > calls PL_strfree with that null pointer. > > http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/… > 2039 static void > 2040 tlsm_ctx_free ( tls_ctx *ctx ) > 2041 { > ... > 2069 PL_strfree( c->tc_pin_file ) > > I propose that an "if ( c->tc_pin_file )" be added before this line to protect > against this. > > > The specific use case when we hit this involves automount calling openldap > ldap_start_tls_s which fails with LDAP_CONNECT_ERROR. automount then calls > openldap ldap_unbind_ext which calls ldap_ld_free which calls > ldap_int_tls_destroy which triggers this crash above. Thanks for the report. This is now fixed in git master, plus another potential instance of the same issue. You guys are crazy to even be using this MozNSS POS. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7778) Index and derived attribute bug
by quanah＠zimbra.com 10 Jan '14

10 Jan '14

--On Thursday, January 09, 2014 2:55 PM +0000 yann.cezard(a)univ-pau.fr wrote: > Full_Name: Yann Cezard > Version: 2.4.38 > OS: Debian GNU/Linux Wheezy / amd64 > URL: ftp://ftp.openldap.org/incoming/Yann-Cezard-130109.tgz > Submission from: (NULL) (2001:660:6701:14:225:64ff:fe92:685b) > > > Hello, > > I hit a bug with the latest version of OpenLDAP (2.4.38) that was not > present, at least in 2.4.17 (made a test on an older server that we were > using before I discovered this). > This happens on both lmdb and bdb backend (as we were using BDB before > upgrading to 2.4.38, I tested with both on 2.4.38 to ensure that the > problem was not LMDB related). <hbf> ITS#7778: Broken in 2.4.37 by 96f35c08944a "ITS#7329 optimize index update for simple add". -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs