openldap-bugs

openldap-bugs@openldap.org

1 participants
20959 discussions

[Issue 6198] Authorization for extensions
by openldap-its＠openldap.org 12 Sep '24

12 Sep '24

https://bugs.openldap.org/show_bug.cgi?id=6198 --- Comment #6 from Ondřej Kuzník <ondra(a)mistotebe.net> --- A few open questions I can't resolve yet: - Do we rely on OID macros from schema or let slap_control/load_extop2 register it? The suggestions above tend to prefer OID macros but they have to be defined in the schema (there's only one) and they're currently case-sensitive For controls: - Do we want to be able to use ACLs to turn non-critical controls to ignored? - Do we want to be able to use ACLs to refuse control combinations? - Apart from the 'to' clause, do we want it allowed in the 'by' clause as well (when would it be useful? There's control combinations, anything else?) I'll start with "no" to all 3 of the above for now. As for combination with other specifiers (especially for exops), ACL checks are issued with the operation and an entry right now, they do make sense in that scope so password modify/DDS refresh should be in the clear. Other extops are more of a problem: - whoami: technically there is a DN but it doesn't have to correspond to an entry - verify credentials: tricky, since it's processed as a bind - cancel: abandon can't be restricted, so probably the same - turn: no idea - ChainedRequest: even less of one Probably happy for those to be impossible to restrict in this way, at least for now. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9305] New: ldap_connect_to_host: Return code from getaddrinfo() discarded, troubleshooting difficult
by openldap-its＠openldap.org 10 Sep '24

10 Sep '24

https://bugs.openldap.org/show_bug.cgi?id=9305 Issue ID: 9305 Summary: ldap_connect_to_host: Return code from getaddrinfo() discarded, troubleshooting difficult Product: OpenLDAP Version: 2.4.46 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: client tools Assignee: bugs(a)openldap.org Reporter: minfrin(a)sharp.fm Target Milestone: --- When the ldap_connect_to_host() function sees a failure from getaddrinfo(), the meaningless return code -1 is returned. This makes troubleshooting difficult on a webserver, where the low level printf debugging is not practical. (gdb) step ldap_connect_to_host (ld=ld@entry=0x7fffc4002e10, sb=0x7fffc400b240, proto=1, srv=srv@entry=0x7fffc400b2f0, async=async@entry=0) at os-ip.c:543 543 { (gdb) next 546 ber_socket_t s = AC_SOCKET_INVALID; (gdb) 562 if ( srv->lud_host == NULL || *srv->lud_host == 0 ) { (gdb) 568 port = srv->lud_port; (gdb) 570 if( !port ) { (gdb) 578 switch(proto) { (gdb) 580 osip_debug( ld, (gdb) warning: Source file is more recent than executable. 71 return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest)); (gdb) 598 hints.ai_flags = AI_ADDRCONFIG; (gdb) 601 hints.ai_socktype = socktype; (gdb) 602 snprintf(serv, sizeof serv, "%d", port ); (gdb) 605 LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex); (gdb) 607 err = getaddrinfo( host, serv, &hints, &res ); (gdb) 609 LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex); (gdb) 611 if ( err != 0 ) { (gdb) 612 osip_debug(ld, "ldap_connect_to_host: getaddrinfo failed: %s\n", (gdb) print host $3 = <optimized out> (gdb) print serv $4 = "636\000\000\000" (gdb) next 614 return -1; (gdb) The ldap_connect_to_host() function needs to return proper error codes. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 8905] Client side debug log should include timestamps
by openldap-its＠openldap.org 10 Sep '24

10 Sep '24

https://bugs.openldap.org/show_bug.cgi?id=8905 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |gnoe(a)symas.com -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7982] Add tls cipher suite, protocol to ldapsearch debug logging
by openldap-its＠openldap.org 10 Sep '24

10 Sep '24

https://bugs.openldap.org/show_bug.cgi?id=7982 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |ondra(a)mistotebe.net -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9398] New: Stale accesslog cookie due to unclean shutdown
by openldap-its＠openldap.org 10 Sep '24

10 Sep '24

https://bugs.openldap.org/show_bug.cgi?id=9398 Issue ID: 9398 Summary: Stale accesslog cookie due to unclean shutdown Product: OpenLDAP Version: 2.4.56 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- If slapd terminates uncleanly, a checkpoint will be lost on the accesslog db. Depending on the syncprov overlay checkpoint settings (usually no checkpointing is enabled on the accesslog db) this can cause the system to refuse engage in replication at startup. -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Bug 9225] New: back-mdb: Add support for PREPARE/2-phase commit
by openldap-its＠openldap.org 10 Sep '24

10 Sep '24

https://bugs.openldap.org/show_bug.cgi?id=9225 Bug ID: 9225 Summary: back-mdb: Add support for PREPARE/2-phase commit Product: OpenLDAP Version: 2.4.50 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- Add support for PREPARE/2-phase commit in back-mdb -- You are receiving this mail because: You are on the CC list for the bug.

1 9

[Issue 8943] back-mdb: speed up parallel add/delete
by openldap-its＠openldap.org 10 Sep '24

10 Sep '24

https://bugs.openldap.org/show_bug.cgi?id=8943 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |RESOLVED Resolution|--- |SUSPENDED --- Comment #6 from Howard Chu <hyc(a)openldap.org> --- One major problem here is that overlays assume they all execute in the same thread for the duration of an operation. Putting the response in the worker thread would break overlay response callbacks. It would be quite a lot of refactoring to make overlays thread-independent, and that's not going to happen soon. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10255] New: OpenLDAP should leak the SSL ctx and not try to free it in an atexit() handler
by openldap-its＠openldap.org 03 Sep '24

03 Sep '24

https://bugs.openldap.org/show_bug.cgi?id=10255 Issue ID: 10255 Summary: OpenLDAP should leak the SSL ctx and not try to free it in an atexit() handler Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: simon.pichugin(a)gmail.com Target Milestone: --- As mentioned in the subject, OpenLDAP incorrectly handles OpenSSL in its destructor. Сomprehensive information can be found here (along with a possible solution): https://github.com/openssl/openssl/issues/25294 -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9796] New: Deprecate GnuTLS support
by openldap-its＠openldap.org 20 Aug '24

20 Aug '24

https://bugs.openldap.org/show_bug.cgi?id=9796 Issue ID: 9796 Summary: Deprecate GnuTLS support Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- Support for GnuTLS was added specifically for the Debian (and thus Ubuntu) due to the license objections at the time that the Debian project had for the OpenSSL license. Since that time, Debian has reclassified OpenSSL as a core library and the OpenSSL project has resolved the original complaint by licensing OpenSSL 3 and later under the Apache License v2. Thus there is no longer a reason to maintain support for GnuTLS and given the long standing concerns over the security and quality of the GnuTLS bridge in addition to the extra cost of maintaining that code, it should be marked as deprecated and removed in a future release. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10252] New: Unable to fetch groups and users at duo admin panel for enabling MFA for Ldap users
by openldap-its＠openldap.org 14 Aug '24

14 Aug '24

https://bugs.openldap.org/show_bug.cgi?id=10252 Issue ID: 10252 Summary: Unable to fetch groups and users at duo admin panel for enabling MFA for Ldap users Product: OpenLDAP Version: 2.5.18 Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ajay41.kumar(a)airtel.com Target Milestone: --- Hi Team, I got stuck at configuring openldap server with member of overlay for groups with below requirement.We are trying to enable Multifactor authentication using duo auth proxy & duo admin panel configuration for ldap users. Ldap server is getting synced successfully with Duo admin portal but groups and users details not fetching at duo admin portal. Duo support team mentioned to change ldap configuration as mention article. Can someone help me, How i can make these changes. https://duo.my.site.com/s/article/4529?language=en_US -- You are receiving this mail because: You are on the CC list for the issue.

1 4

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs