openldap-bugs

openldap-bugs@openldap.org

1 participants
21004 discussions

Re: (ITS#5696) Patch - support Mozilla NSS for crypto operations
by hyc＠symas.com 11 Sep '08

11 Sep '08

hyc(a)symas.com wrote: > rmeggins(a)redhat.com wrote: >> Full_Name: Rich Megginson >> Version: 2.4.11 and current HEAD >> OS: Fedora >> URL: ftp://ftp.openldap.org/incoming/openldap-2.4.11-nss-20080911.patch >> Submission from: (NULL) (76.113.59.19) >> This patch allows OpenLDAP to use Mozilla NSS for crypto. The approach uses the >> nss_compat_ossl library. This library allows the code to use the current >> OpenSSL API so that the changes to the actual OpenLDAP code are minimized. This >> is the same approach that has been used to port several other packages to use >> NSS instead of OpenSSL as part of the Fedora Crypto Consolidation project. > Thanks for the patch. Some notes - for future reference, don't include diffs > to generated files (e.g. configure), just include the diffs to the source > (e.g. configure.in). Since "NSS" already has a well-established meaning in > POSIX environments (Name Service Switch), I've been referring to this as > MozNSS (Mozilla NSS) to avoid confusion. Also please read http://www.openldap.org/devel/contributing.html ; you haven't provided any of the required IPR notices. We can't touch the submission without them. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5696) Patch - support Mozilla NSS for crypto operations
by hyc＠symas.com 11 Sep '08

11 Sep '08

rmeggins(a)redhat.com wrote: > Full_Name: Rich Megginson > Version: 2.4.11 and current HEAD > OS: Fedora > URL: ftp://ftp.openldap.org/incoming/openldap-2.4.11-nss-20080911.patch > Submission from: (NULL) (76.113.59.19) > > > This patch allows OpenLDAP to use Mozilla NSS for crypto. The approach uses the > nss_compat_ossl library. This library allows the code to use the current > OpenSSL API so that the changes to the actual OpenLDAP code are minimized. This > is the same approach that has been used to port several other packages to use > NSS instead of OpenSSL as part of the Fedora Crypto Consolidation project. > > The nss_compat_ossl library is here - > http://svn.fedorahosted.org/svn/identity/common/trunk/nss_compat_ossl/ - it is > also included with Fedora Thanks for the patch. Some notes - for future reference, don't include diffs to generated files (e.g. configure), just include the diffs to the source (e.g. configure.in). Since "NSS" already has a well-established meaning in POSIX environments (Name Service Switch), I've been referring to this as MozNSS (Mozilla NSS) to avoid confusion. Also, there's already a working implementation of Mozilla NSS support in HEAD, but your patch covers a lot of areas I didn't look at yet (SHA1 hashing, etc) so we'll probably cherrypick pieces of your patch to merge. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5668) Invalid entryCSN generated, and slapd will not restart
by hyc＠symas.com 11 Sep '08

11 Sep '08

Hallvard B Furuseth wrote: > Looking at liblutil/utils.c:lutil_gettime() led me to > > Beware of QueryPerformanceCounter() > http://www.virtualdub.org/blog/pivot/entry.php?id=106 > > Is warning relevant to slapd? I don't know Windows programming at all. > Yes, it's relevant. People running on Windows should probably boot with /usepmtimer to make sure the ACPI timer is used (which runs at 3.5MHz). Then again, the simplest solution is "don't run mission-critical servers on Windows" because the platform is so completely inadequate, for this and many other reasons. Probably should read this as well http://support.microsoft.com/kb/895980 Of course, not all of this uncertainty is Microsoft's fault - AMD documented that their dual-core processors would keep their TSCs in sync between both cores, but in reality the TSCs never stay in sync. So if you happen to be running an old-enough Windows release, written when the TSC was still believed to be a reliable clock source, you may have problems unless you explicitly tell Windows to use the ACPI PM timer. If you're running on a very old motherboard that doesn't support ACPI, you won't have a PM timer to use; but in that case you're probably also running with a processor that doesn't have TSC issues. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5695) AC syntax in OpenLDAP
by ando＠sys-net.it 11 Sep '08

11 Sep '08

bash-3.2$ wget ftp://ftp.openldap.org/incoming/Tamburo-Luca-AC-08-09-11.tgz --19:53:57-- ftp://ftp.openldap.org/incoming/Tamburo-Luca-AC-08-09-11.tgz => `Tamburo-Luca-AC-08-09-11.tgz' Resolving ftp.openldap.org... 204.152.186.57, 2001:4f8:3:ba:2e0:18ff:fe02:efec Connecting to ftp.openldap.org|204.152.186.57|:21... connected. Logging in as anonymous ... Logged in! ==> SYST ... done. ==> PWD ... done. ==> TYPE I ... done. ==> CWD /incoming ... done. ==> SIZE Tamburo-Luca-AC-08-09-11.tgz ... done. ==> PASV ... done. ==> RETR Tamburo-Luca-AC-08-09-11.tgz ... No such file `Tamburo-Luca-AC-08-09-11.tgz'. Could you please provide a pointer to the exact link? p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

(ITS#5696) Patch - support Mozilla NSS for crypto operations
by rmeggins＠redhat.com 11 Sep '08

11 Sep '08

Full_Name: Rich Megginson Version: 2.4.11 and current HEAD OS: Fedora URL: ftp://ftp.openldap.org/incoming/openldap-2.4.11-nss-20080911.patch Submission from: (NULL) (76.113.59.19) This patch allows OpenLDAP to use Mozilla NSS for crypto. The approach uses the nss_compat_ossl library. This library allows the code to use the current OpenSSL API so that the changes to the actual OpenLDAP code are minimized. This is the same approach that has been used to port several other packages to use NSS instead of OpenSSL as part of the Fedora Crypto Consolidation project. The nss_compat_ossl library is here - http://svn.fedorahosted.org/svn/identity/common/trunk/nss_compat_ossl/ - it is also included with Fedora

1 0

(ITS#5695) AC syntax in OpenLDAP
by tamburo＠studenti.unina.it 11 Sep '08

11 Sep '08

Full_Name: Tamburo Luca Version: cvs OS: URL: ftp://ftp.openldap.org/incoming/Tamburo-Luca-AC-08-09-11.tgz Submission from: (NULL) (82.51.134.108) Hi, I'm a student at University "Federico II" (Napoli, Italy). For my bachelor degree I have worked on LDAP and Attribute Certicates. My main source has been Standard X.509 (2000). More precisely I have implemented a function to validate AC syntax, and the equality matching rule "attribute Certificate Exact Match" as defined in Internet Draft: "Internet X.509 Public Key Infrastructure LDAP Schema and Syntaxes for PMIs" (by D. Chadwick and S.Legg, 27 June 2002). I have changed the file servers/slapd/schema_init.c; I needed to create a new schema file called guest.schema which contains the definitions of objectclass pmiUser and the attribute type attributeCertificateAttribute. Link for the archive is ftp://ftp.openldap.org/incoming/Tamburo-Luca-AC-08-09-11.tgz Thanks in advance for your attention. Best regards, Luca Tamburo

1 0

RE: (ITS#5668) Invalid entryCSN generated, and slapd will not restart
by emmanuel.duru＠atosorigin.com 11 Sep '08

11 Sep '08

OK, it works.

1 0

Re: (ITS#5668) Invalid entryCSN generated, and slapd will not restart
by h.b.furuseth＠usit.uio.no 11 Sep '08

11 Sep '08

Looking at liblutil/utils.c:lutil_gettime() led me to Beware of QueryPerformanceCounter() http://www.virtualdub.org/blog/pivot/entry.php?id=106 Is warning relevant to slapd? I don't know Windows programming at all. -- Hallvard

1 0

Re: (ITS#5668) Invalid entryCSN generated, and slapd will not restart
by hyc＠symas.com 10 Sep '08

10 Sep '08

emmanuel.duru(a)atosorigin.com wrote: > I am running windows 32 bits. > Here is what I get from my debugging session: > After QueryPerformanceCounter(&count ), count.QuadPart is worth > 4243738405535005 > So the overflow comes from count.QuadPart *= 1000000; I see. There's no reason we should be computing against the full value of the count; since we're only looking for the microsecond portion we should have stripped off everything greater. (E.g., count.QuadPart %= cFreq.QuadPart). I'll have to play with this code a bit more, there's probably a better way to isolate the microseconds. PS: I guess that means your Windows machine had an uptime of several days. Quite impressive, for Windows... ;) > > >> -----Message d'origine----- >> De : Howard Chu [mailto:hyc@symas.com] >> Envoyé : mercredi 27 août 2008 13:08 >> À : openldap-its(a)openldap.org; Emmanuel Duru >> Objet : Re: (ITS#5668) Invalid entryCSN generated, and slapd will not >> restart >> >> ando(a)sys-net.it wrote: >>> emmanuel.duru(a)atosorigin.com wrote: >>>> I see that tm->tm_usub is negative, there seems to be overflows between >>>> LARGE_INTEGER and int variables. >> It would take over 4 billion operations in a single timer tick (on the >> order >> of nanoseconds) to make tm_usub overflow. That seems pretty unlikely. >> >>> If the problem disappears by initializing the static variables in >>> lutil_gettime(), then it might be a compiler issue. >> I suppose that's always possible... >> >> The original post shows that the tm_usec field is negative. That could >> happen >> if the offset we computed between the SYSTEMTIME and the >> PerformanceCounter >> was wrong, or if the SYSTEMTIME was adjusted while the process was >> running. >> >> What version of Windows are you running? 32 or 64 bit? Can you singlestep >> through this function with a debugger and verify all of the values? I >> haven't >> run this code on Windows in a long time, would take a bit of effort to >> resurrect my build environment. >> >> -- >> -- Howard Chu >> CTO, Symas Corp. http://www.symas.com >> Director, Highland Sun http://highlandsun.com/hyc/ >> Chief Architect, OpenLDAP http://www.openldap.org/project/ > > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5694)
by ando＠sys-net.it 10 Sep '08

10 Sep '08

Works for me, after Howard's fix. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs