openldap-bugs

openldap-bugs@openldap.org

1 participants
21001 discussions

Re: (ITS#5856) adauth overlay contribution
by andrew.findlay＠skills-1st.co.uk 15 Dec '08

15 Dec '08

On Fri, Dec 12, 2008 at 07:31:47PM +0000, kartik_subbarao(a)hp.com wrote: > As discussed with Howard Chu, HP is contributing the code for an Active > Directory Authentication overlay (written by Neil Dunbar) to OpenLDAP. > > The adauth overlay provides passthrough authentication to Active Directory for > LDAP simple bind operations. The local LDAP entry referenced in the bind > operation is mapped to its counterpart in the Active Directory, an LDAP bind > operation is performed against Active Directory, and results are returned based > on the results of that remote operation. If a local userPassword attribute is > populated for the entry, it is used instead of the AD authentication. This is very good news, as it deals with a common requirement without having to configure saslauthd. One suggestion following a very quick scan of the code: I think it would be worth bringing the warning about turning off TLS checks into the manual page. It is worth noting that this overlay raises issues similar to those raised by the contributed adpwc/extpwc module - see ITS#5042. In this case the access to AD is via LDAP rather than Kerberos, but most of the arguments are similar. In particular, there is no reason for this to be AD-specific and it should be easy to adapt it to authenticate against any [collection of] remote LDAP servers. Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

1 0

Re: (ITS#5859) back-hdb entrycache problem
by quanah＠OpenLDAP.org 15 Dec '08

15 Dec '08

--On Monday, December 15, 2008 4:16 PM +0000 openldap-its(a)OpenLDAP.org wrote: Appears to be broken in 2.4.13 as well. Search prior to adding zimbra-3 entry: [zimbra@freelancer ~]$ ldapsearch -x -h freelancer -b "cn=zimbra" -D "uid=zimbra,cn=admins,cn=zimbra" -W # com_zimbra_license, zimlets, zimbra dn: cn=com_zimbra_license,cn=zimlets,cn=zimbra zimbraZimletTarget: admin-main zimbraZimletDescription: License Management for Admin UI zimbraZimletVersion: 5.2 objectClass: zimbraZimletEntry zimbraZimletIndexingEnabled: TRUE zimbraZimletKeyword: com_zimbra_license cn: com_zimbra_license zimbraZimletIsExtension: TRUE zimbraZimletPriority: 1 zimbraZimletEnabled: TRUE # zimbra-2, zimlets, zimbra dn: cn=zimbra-2,cn=zimlets,cn=zimbra cn: zimbra-2 objectClass: zimbraZimletEntry zimbraZimletVersion: 1.0 zimbraZimletEnabled: TRUE # search result search: 2 result: 0 Success # numResponses: 46 # numEntries: 45 Then we add the new entry: [zimbra@freelancer ~]$ ldapadd -f /tmp/test.ldif -x -h freelancer -D "uid=zimbra,cn=admins,cn=zimbra" -W Enter LDAP Password: adding new entry "cn=zimbra-3,cn=zimlets,cn=zimbra" Now we search again: # com_zimbra_license, zimlets, zimbra dn: cn=com_zimbra_license,cn=zimlets,cn=zimbra zimbraZimletTarget: admin-main zimbraZimletDescription: License Management for Admin UI zimbraZimletVersion: 5.2 objectClass: zimbraZimletEntry zimbraZimletIndexingEnabled: TRUE zimbraZimletKeyword: com_zimbra_license cn: com_zimbra_license zimbraZimletIsExtension: TRUE zimbraZimletPriority: 1 zimbraZimletEnabled: TRUE # zimbra-2, zimlets, zimbra dn: cn=zimbra-2,cn=zimlets,cn=zimbra cn: zimbra-2 objectClass: zimbraZimletEntry zimbraZimletVersion: 1.0 zimbraZimletEnabled: TRUE # search result search: 2 result: 0 Success # numResponses: 46 # numEntries: 45 Same result, this is bad. Now we stop/restart slapd: [zimbra@freelancer ~]$ ldap stop Killing slapd with pid 15613 done. [zimbra@freelancer ~]$ ldap start Started slapd: pid 20224 search again: # zimbra-2, zimlets, zimbra dn: cn=zimbra-2,cn=zimlets,cn=zimbra cn: zimbra-2 objectClass: zimbraZimletEntry zimbraZimletVersion: 1.0 zimbraZimletEnabled: TRUE # zimbra-3, zimlets, zimbra dn: cn=zimbra-3,cn=zimlets,cn=zimbra cn: zimbra-3 objectClass: zimbraZimletEntry zimbraZimletVersion: 1.0 zimbraZimletEnabled: TRUE # search result search: 2 result: 0 Success # numResponses: 46 # numEntries: 45 And there is our missing entry. --Quanah -- Quanah Gibson-Mount Release and QA Engineer <http://www.openldap.org>

1 0

(ITS#5859) back-hdb entrycache problem
by quanah＠OpenLDAP.org 15 Dec '08

15 Dec '08

Full_Name: Quanah Gibson-Mount Version: 2.4.13+patches OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (75.111.29.239) In using 2.4.13 + the slapadd fix from Ralf, ITS#5841, ITS#5842,ITS#5849,ITS#5850, ITS#5854, I found the following: Create an database with back-hdb with a few subtrees, with several entries under that subtree (My database is rooted at "". I have a "cn=zimbra" tree, with "cn=zimlets,cn=zimbra" underneath it). Now, create a brand new entry under one of those subtrees. The new entry will not be returned in queries rooted at the upper level ("cn=zimbra"). It will show up at its level ("cn=zimlets,cn=zimbra"). If you stop/restart slapd to flush the entry/idl cache, things work correctly.

1 0

Re: (ITS#5858) Segfault with overlay ppolicy
by maniac＠maniac.nl 15 Dec '08

15 Dec '08

This is a MIME-formatted message. If you see this text it means that your E-mail software does not support MIME-formatted messages. --=_server11-3551-1229353986-0001-2 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline I spoke too soon, both on Solaris and on Linux I still get reproducable segfaults with 2.4.13 as soon as I use a ppolicy overlay in my configuration and query the directory. I have a public shellbox available which has the config loaded Mark --=_server11-3551-1229353986-0001-2 Content-Type: application/pgp-signature; name="signature.asc" Content-Transfer-Encoding: 7bit Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFJRnQBb6urvDV9IXgRAt7aAKCC3GveYtw6mHaWWi/EkStXn6YtFwCeIKNx mFaCqgogqL0dkjGJQ6mul4s= =ADsB -----END PGP SIGNATURE----- --=_server11-3551-1229353986-0001-2--

1 0

Re: (ITS#5858) Segfault with overlay ppolicy
by maniac＠maniac.nl 15 Dec '08

15 Dec '08

This is a MIME-formatted message. If you see this text it means that your E-mail software does not support MIME-formatted messages. --=_server11-2243-1229351458-0001-2 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable I can reproduce this problem also on Linux/amd64 (Debian Testing) with OpenLDAP 2.4.11. I can confirm that it is FIXED on OpenLDAP 2.4.13 on Linux (and am now compiling it on Solaris) Mark --=_server11-2243-1229351458-0001-2 Content-Type: application/pgp-signature; name="signature.asc" Content-Transfer-Encoding: 7bit Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEABECAAYFAklGaiIACgkQb6urvDV9IXiCRQCgoNI6qsFg+gORmzPaYtWLSmmE higAoI2Cq0G0HQevFuC6Q7y1L/62geES =FKcN -----END PGP SIGNATURE----- --=_server11-2243-1229351458-0001-2--

1 0

(ITS#5858) Segfault with overlay ppolicy
by maniac-openldap＠maniac.nl 15 Dec '08

15 Dec '08

Full_Name: Mark Janssen Version: 2.4.11 OS: Solaris 10 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (80.64.241.2) Program received signal SIGSEGV, Segmentation fault. [Switching to LWP 3] over_entry_get_rw (op=0x403648, dn=0x403664, oc=0x0, ad=0x0, rw=0, e=0xfd3ff4d4) at backover.c:394 394 return overlay_entry_get_ov( op, dn, oc, ad, rw, e, on ); (gdb) bt full #0 over_entry_get_rw (op=0x403648, dn=0x403664, oc=0x0, ad=0x0, rw=0, e=0xfd3ff4d4) at backover.c:394 oi = (slap_overinfo *) 0x293788 on = (slap_overinst *) 0x275148 #1 0x0009b8a8 in fe_entry_get_rw (op=Cannot access memory at address 0xfcfffec0 ) at frontend.c:62 bd = Cannot access memory at address 0xfcfffe88 (gdb) info threads 4 LWP 4 0xfe3c4a9c in __lwp_park () from /lib/libc.so.1 * 3 LWP 3 over_entry_get_rw (op=0x403648, dn=0x403664, oc=0x0, ad=0x0, rw=0, e=0xfd3ff4d4) at backover.c:394 2 LWP 2 0xfe3c57c8 in __pollsys () from /lib/libc.so.1 1 LWP 1 0xfe3c5c1c in __lwp_wait () from /lib/libc.so.1 (gdb) As soon as I enable 'ppolicy' I get a segfault when I login (with lbe) to the ldap server. Repeatable 100% (goes away when I remove ppolicy overlay from slapd.conf) Config snippet: overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=domain,dc=tld" ppolicy_hash_cleartext

1 0

(ITS#5856) adauth overlay contribution
by kartik_subbarao＠hp.com 12 Dec '08

12 Dec '08

Full_Name: Kartik Subbarao Version: 2.4 OS: Red Hat Enterprise Linux URL: ftp://ftp.openldap.org/incoming/adauth.tar.gz Submission from: (NULL) (76.99.180.78) As discussed with Howard Chu, HP is contributing the code for an Active Directory Authentication overlay (written by Neil Dunbar) to OpenLDAP. The adauth overlay provides passthrough authentication to Active Directory for LDAP simple bind operations. The local LDAP entry referenced in the bind operation is mapped to its counterpart in the Active Directory, an LDAP bind operation is performed against Active Directory, and results are returned based on the results of that remote operation. If a local userPassword attribute is populated for the entry, it is used instead of the AD authentication.

1 0

(ITS#5855) slapd crash at hang or shutdown
by carlcarl＠comcast.net 12 Dec '08

12 Dec '08

Full_Name: Carl Traub Version: all ? OS: Windows URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (141.202.248.52) On Windows,I have found that by simply starting slapd, waiting a few minutes for it to get fully loaded, and then hitting Ctrl-C, slapd will often hang and not terminate properly. It occasionally crashed, and that may been related. The problem is that in slapd_daemon_destroy(), tcp_close() was being called for both wake_sds[1] and wake_sds[0], and the 2 values were always the same. This meant that Windows was being asked to close a connection that had already been closed and was no longer valid. A coworker stated that on Windows, these 2 values are always the same, but he thought that on Unix they would always be different. I uploaded the diff file "carlTraub-121208.diff". I wasn't clear on using the diff tool. Below is the diff. --- P:\temp\daemon.c_bef Fri Dec 12 10:05:38 2008 +++ P:\temp\daemon.c_after Fri Dec 12 10:24:30 2008 @@ -1645,14 +1645,10 @@ slapd_daemon_destroy( void ) { connections_destroy(); + // If the 2 connections are actually the same, closing it twice can cause bad things, like hangs or crashes. + // It may be that they are always the same on Windows, always different on Unix. + if (wake_sds[1] != wake_sds[0] ) { #ifdef HAVE_WINSOCK + if ( wake_sds[1] != INVALID_SOCKET ) - if ( wake_sds[1] != INVALID_SOCKET ) #endif /* HAVE_WINSOCK */ + tcp_close( SLAP_FD2SOCK(wake_sds[1]) ); + } - tcp_close( SLAP_FD2SOCK(wake_sds[1]) ); #ifdef HAVE_WINSOCK if ( wake_sds[0] != INVALID_SOCKET ) #endif /* HAVE_WINSOCK */

1 0

Re: (ITS#5854) Double send response in meta backend
by ando＠sys-net.it 12 Dec '08

12 Dec '08

jorge.perez(a)adaptia.net wrote: > Full_Name: Jorge Perez Burgos > Version: 2.4.11 > OS: SLES 10 > URL: ftp://ftp.openldap.org/incoming/back-meta_changes.diff.gz > Submission from: (NULL) (194.237.142.20) > > > Meta backend send two response codes when trying to reconnect to other slapd. > > Steps to reproduce: > Configure two slapds, slapd_A and slapd_B. slapd_A connects to slapd_B trough > meta backend. Do some traffic operations. Restart slapd_B and do some modify, > delete or add operation, response code 52 is received although the operation is > sucessful. Using a tcpdump you can see two response codes for the request. > > I attach a possible patch for this issue. Thanks. I've committed an alternative fix to this issue, in line with the analogous code in back-ldap. It makes use of the specific bit of the ldap_back_send_t mask instead of an additional argument. Please test. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

Re: (ITS#5768) [enhancement] add support for Dereference Control
by ando＠sys-net.it 11 Dec '08

11 Dec '08

Andrew Bartlett wrote: > On Thu, 2008-12-11 at 23:17 +0100, Pierangelo Masarati wrote: >> Andrew Bartlett wrote: >>> On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote: >>>> A tentative implementation is in HEAD, please test. You need to: >>> Thankyou very much. I downloaded CVS HEAD and tested it out (finally - >>> the Samba4 side of the implementation took far longer than I expected). >>> >>>> - configure as --enable-deref >>>> >>>> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't >>>> work as global overlay yet, sorry). >>> This is something Samba4 will need, as many of our links are >>> cross-database. But fixing this for a single DB is a big help in any >>> case. >>> >>>> - run searches like >>>> >>>> $ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID' >>>> >>>> you'll see results like >>> When using Samba4's client, it seems to work, but it is as if it extends >>> the control to the full expected length, but not the data. Ie, attached >>> this is the control response I got back from the 'make testenv' >>> environment in Samba4. I've also attached the full LDAP request. >>> >>> The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4 >>> parsing bug). >> I've found the bug (erroneous manipulation of octet strings containing >> '\0' octets). The objectSid is octet string-valued. Should be fixed >> now; please test. > > While I'm mostly at sea on ASN.1, I don't think the OpenLDAP's > implementation matches your IETF draft (if not, an education on subtle > details of ASN.1 will be appreciated) > > draft-masarati-ldap-deref-00 > > >> 2.3. Control Response >> >> >> The control type is deref-oid (IANA assigned; see Section 6). The >> specification of the Dereference Control response is: >> >> controlValue ::= SEQUENCE OF derefRes DerefRes >> >> DerefRes ::= SEQUENCE { >> derefAttr AttributeDescription, >> derefVal LDAPDN, >> attrVals [0] PartialAttributeList OPTIONAL } >> >> PartialAttributeList ::= SEQUENCE OF >> partialAttribute PartialAttribute >> >> PartialAttribute is defined in [RFC4511]; the definition is reported >> here for clarity: >> >> PartialAttribute ::= SEQUENCE { >> type AttributeDescription, >> vals SET OF value AttributeValue } >> > > the output of dumpasn1 on the control: > >> 0 983: SEQUENCE { >> 4 168: SEQUENCE { >> 7 8: OCTET STRING 'memberOf' >> 17 56: OCTET STRING >> : 'cn=Enterprise Admins,cn=Users,dc=samba,dc=exampl' >> : 'e,dc=com' >> 75 98: [0] { >> 77 51: SEQUENCE { > > Shouldn't there be another SEQUENCE { here? Well, that was my intention when I ber_printf("{{OOt{{O[W]}{O[W]}}}}"), which, AFAIK, means: "{" SEQUENCE "{" SEQUENCE "OO" derefAttr, derefVal "t" [0] "{" SEQUENCE "{O[W]}" SEQUENCE, type, SET OF vals Am I missing anything? Couldn't "[0] {" be a shortcut in dumpasn1 to indicate SEQUENCE OF and the presence of a context+constructed tag? Looking at the raw data of an example, I see a sequence 240 126 060 063 004 011 which means: 240 context + constructed 126 (the length, 86 octets) 060 sequence 063 (the length, 51 octets) 004 octet string 011 (the length, 9 octets: "entryUUID") I'm not an expert in ASN.1, but from what I infer by looking at LDAP specs and at OpenLDAP implementation, this is consistent with the way similar cases are dealt with (e.g. the "Controls" at the end of a request message). p. > >> 79 9: OCTET STRING 'entryUUID' >> 90 38: SET { >> 92 36: OCTET STRING >> '24476f18-5c24-102d-9945-7320c1040f54' >> : } >> : } >> 130 43: SEQUENCE { >> 132 9: OCTET STRING 'objectSid' >> 143 30: SET { >> 145 28: OCTET STRING >> : 01 05 00 00 00 00 00 05 15 00 00 00 AB BE DB 7B >> : 16 72 AE E6 53 BE 65 6F 07 02 00 00 >> : } >> : } >> : } >> : } >> > > Thanks, > > Andrew Bartlett > Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs