openldap-bugs

openldap-bugs@openldap.org

1 participants
20964 discussions

Re: (ITS#8908) LMDB Documentation for MDB_XXX_MULTIPLE
by hyc＠symas.com 29 Aug '18

29 Aug '18

karl(a)waclawek.net wrote: > --00000000000018b43a057492d87f > Content-Type: text/plain; charset="UTF-8" > > As far as point 2 is concerned I was basing it on this piece of code, where > it looks like MDB_GET_MULTIPLE just checks some flags and then goes to the > fetchm label where the code does nothing but retrieve data: You're not reading the code correctly. See below. > > case MDB_GET_MULTIPLE: > if (data == NULL || !(mc->mc_flags & C_INITIALIZED)) { > rc = EINVAL; > break; > } > if (!(mc->mc_db->md_flags & MDB_DUPFIXED)) { > rc = MDB_INCOMPATIBLE; > break; > } > rc = MDB_SUCCESS; > if (!(mc->mc_xcursor->mx_cursor.mc_flags & C_INITIALIZED) || > (mc->mc_xcursor->mx_cursor.mc_flags & C_EOF)) > break; > goto fetchm; > case MDB_NEXT_MULTIPLE: > if (data == NULL) { > rc = EINVAL; > break; > } > if (!(mc->mc_db->md_flags & MDB_DUPFIXED)) { > rc = MDB_INCOMPATIBLE; > break; > } > rc = mdb_cursor_next(mc, key, data, MDB_NEXT_DUP); > if (rc == MDB_SUCCESS) { > if (mc->mc_xcursor->mx_cursor.mc_flags & C_INITIALIZED) { > MDB_cursor *mx; > fetchm: > mx = &mc->mc_xcursor->mx_cursor; > data->mv_size = NUMKEYS(mx->mc_pg[mx->mc_top]) * > mx->mc_db->md_pad; > data->mv_data = METADATA(mx->mc_pg[mx->mc_top]); > mx->mc_ki[mx->mc_top] = NUMKEYS(mx->mc_pg[mx->mc_top])-1; ^^^ this line advances the cursor. > } else { > rc = MDB_NOTFOUND; > } > } > break; > > > On Tue, Aug 28, 2018 at 8:26 PM Howard Chu <openldap-its(a)openldap.org> > wrote: > >>> Full_Name: Karl Waclawek >>> Version: LMDB 0.9.22 >>> OS: Windows 10 >>> URL: ftp://ftp.openldap.org/incoming/ >>> Submission from: (NULL) (2607:fea8:7a80:814:3ca9:e8f6:801c:d6f8) >>> >>> >>> The documentation in lmdb.h for MDB_GET_MULTIPLE, MDB_NEXT_MULTIPLE and >>> MDB_PREV_MULTIPLE seems to have two issues: >>> >>> 1) The documentation indicates that both, the key and data, are >> returned, but >> in >>> reality only the data is returned. >> >> Looks like you're right. Since these are DUPs the key would be the same >> every time so there's no need to return it on each call. >> Doc fixed in git mdb.master. >> >>> 2) The documentation states that MDB_GET_MULTIPLE moves the cursor. This >> does >>> not seem to be true. >> >> The doc is correct here. The cursor is advanced far enough that a >> MDB_NEXT_MULTIPLE will return the following data, as opposed to just >> returning the same data again. >> > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8908) LMDB Documentation for MDB_XXX_MULTIPLE
by karl＠waclawek.net 29 Aug '18

29 Aug '18

--00000000000018b43a057492d87f Content-Type: text/plain; charset="UTF-8" As far as point 2 is concerned I was basing it on this piece of code, where it looks like MDB_GET_MULTIPLE just checks some flags and then goes to the fetchm label where the code does nothing but retrieve data: case MDB_GET_MULTIPLE: if (data == NULL || !(mc->mc_flags & C_INITIALIZED)) { rc = EINVAL; break; } if (!(mc->mc_db->md_flags & MDB_DUPFIXED)) { rc = MDB_INCOMPATIBLE; break; } rc = MDB_SUCCESS; if (!(mc->mc_xcursor->mx_cursor.mc_flags & C_INITIALIZED) || (mc->mc_xcursor->mx_cursor.mc_flags & C_EOF)) break; goto fetchm; case MDB_NEXT_MULTIPLE: if (data == NULL) { rc = EINVAL; break; } if (!(mc->mc_db->md_flags & MDB_DUPFIXED)) { rc = MDB_INCOMPATIBLE; break; } rc = mdb_cursor_next(mc, key, data, MDB_NEXT_DUP); if (rc == MDB_SUCCESS) { if (mc->mc_xcursor->mx_cursor.mc_flags & C_INITIALIZED) { MDB_cursor *mx; fetchm: mx = &mc->mc_xcursor->mx_cursor; data->mv_size = NUMKEYS(mx->mc_pg[mx->mc_top]) * mx->mc_db->md_pad; data->mv_data = METADATA(mx->mc_pg[mx->mc_top]); mx->mc_ki[mx->mc_top] = NUMKEYS(mx->mc_pg[mx->mc_top])-1; } else { rc = MDB_NOTFOUND; } } break; On Tue, Aug 28, 2018 at 8:26 PM Howard Chu <openldap-its(a)openldap.org> wrote: > > Full_Name: Karl Waclawek > > Version: LMDB 0.9.22 > > OS: Windows 10 > > URL: ftp://ftp.openldap.org/incoming/ > > Submission from: (NULL) (2607:fea8:7a80:814:3ca9:e8f6:801c:d6f8) > > > > > > The documentation in lmdb.h for MDB_GET_MULTIPLE, MDB_NEXT_MULTIPLE and > > MDB_PREV_MULTIPLE seems to have two issues: > > > > 1) The documentation indicates that both, the key and data, are > returned, but > in > > reality only the data is returned. > > Looks like you're right. Since these are DUPs the key would be the same > every time so there's no need to return it on each call. > Doc fixed in git mdb.master. > > > 2) The documentation states that MDB_GET_MULTIPLE moves the cursor. This > does > > not seem to be true. > > The doc is correct here. The cursor is advanced far enough that a > MDB_NEXT_MULTIPLE will return the following data, as opposed to just > returning the same data again. > --00000000000018b43a057492d87f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div dir=3D"ltr">As far as point 2 is concerned I was basi= ng it on this piece of code, where it looks like MDB_GET_MULTIPLE just chec= ks some flags and then goes to the fetchm label where the code does nothing= but retrieve data:<div><br></div><div><div><font face=3D"monospace, monosp= ace"><span style=3D"white-space:pre"> </span>case MDB_GET_MULTIPLE:</font><= /div><div><font face=3D"monospace, monospace"><span style=3D"white-space:pr= e"> </span>if (data =3D=3D NULL || !(mc->mc_flags & C_INITIALIZED))= {</font></div><div><font face=3D"monospace, monospace"><span style=3D"whit= e-space:pre"> </span>rc =3D EINVAL;</font></div><div><font face=3D"monosp= ace, monospace"><span style=3D"white-space:pre"> </span>break;</font></di= v><div><font face=3D"monospace, monospace"><span style=3D"white-space:pre">= </span>}</font></div><div><font face=3D"monospace, monospace"><span style= =3D"white-space:pre"> </span>if (!(mc->mc_db->md_flags & MDB_DUP= FIXED)) {</font></div><div><font face=3D"monospace, monospace"><span style= =3D"white-space:pre"> </span>rc =3D MDB_INCOMPATIBLE;</font></div><div><f= ont face=3D"monospace, monospace"><span style=3D"white-space:pre"> </span= >break;</font></div><div><font face=3D"monospace, monospace"><span style=3D= "white-space:pre"> </span>}</font></div><div><font face=3D"monospace, mono= space"><span style=3D"white-space:pre"> </span>rc =3D MDB_SUCCESS;</font><= /div><div><font face=3D"monospace, monospace"><span style=3D"white-space:pr= e"> </span>if (!(mc->mc_xcursor->mx_cursor.mc_flags & C_INITIALI= ZED) ||</font></div><div><font face=3D"monospace, monospace"><span style=3D= "white-space:pre"> </span>(mc->mc_xcursor->mx_cursor.mc_flags &= C_EOF))</font></div><div><font face=3D"monospace, monospace"><span style= =3D"white-space:pre"> </span>break;</font></div><div><font face=3D"monosp= ace, monospace"><span style=3D"white-space:pre"> </span>goto fetchm;</font= ></div><div><font face=3D"monospace, monospace"><span style=3D"white-space:= pre"> </span>case MDB_NEXT_MULTIPLE:</font></div><div><font face=3D"monospa= ce, monospace"><span style=3D"white-space:pre"> </span>if (data =3D=3D NUL= L) {</font></div><div><font face=3D"monospace, monospace"><span style=3D"wh= ite-space:pre"> </span>rc =3D EINVAL;</font></div><div><font face=3D"mono= space, monospace"><span style=3D"white-space:pre"> </span>break;</font></= div><div><font face=3D"monospace, monospace"><span style=3D"white-space:pre= "> </span>}</font></div><div><font face=3D"monospace, monospace"><span sty= le=3D"white-space:pre"> </span>if (!(mc->mc_db->md_flags & MDB_D= UPFIXED)) {</font></div><div><font face=3D"monospace, monospace"><span styl= e=3D"white-space:pre"> </span>rc =3D MDB_INCOMPATIBLE;</font></div><div><= font face=3D"monospace, monospace"><span style=3D"white-space:pre"> </spa= n>break;</font></div><div><font face=3D"monospace, monospace"><span style= =3D"white-space:pre"> </span>}</font></div><div><font face=3D"monospace, m= onospace"><span style=3D"white-space:pre"> </span>rc =3D mdb_cursor_next(m= c, key, data, MDB_NEXT_DUP);</font></div><div><font face=3D"monospace, mono= space"><span style=3D"white-space:pre"> </span>if (rc =3D=3D MDB_SUCCESS) = {</font></div><div><font face=3D"monospace, monospace"><span style=3D"white= -space:pre"> </span>if (mc->mc_xcursor->mx_cursor.mc_flags & C_= INITIALIZED) {</font></div><div><font face=3D"monospace, monospace"><span s= tyle=3D"white-space:pre"> </span>MDB_cursor *mx;</font></div><div><font = face=3D"monospace, monospace">fetchm:</font></div><div><font face=3D"monosp= ace, monospace"><span style=3D"white-space:pre"> </span>mx =3D &mc-&= gt;mc_xcursor->mx_cursor;</font></div><div><font face=3D"monospace, mono= space"><span style=3D"white-space:pre"> </span>data->mv_size =3D NUMK= EYS(mx->mc_pg[mx->mc_top]) *</font></div><div><font face=3D"monospace= , monospace"><span style=3D"white-space:pre"> </span>mx->mc_db->m= d_pad;</font></div><div><font face=3D"monospace, monospace"><span style=3D"= white-space:pre"> </span>data->mv_data =3D METADATA(mx->mc_pg[mx-&= gt;mc_top]);</font></div><div><font face=3D"monospace, monospace"><span sty= le=3D"white-space:pre"> </span>mx->mc_ki[mx->mc_top] =3D NUMKEYS(m= x->mc_pg[mx->mc_top])-1;</font></div><div><font face=3D"monospace, mo= nospace"><span style=3D"white-space:pre"> </span>} else {</font></div><di= v><font face=3D"monospace, monospace"><span style=3D"white-space:pre"> <= /span>rc =3D MDB_NOTFOUND;</font></div><div><font face=3D"monospace, monosp= ace"><span style=3D"white-space:pre"> </span>}</font></div><div><font fac= e=3D"monospace, monospace"><span style=3D"white-space:pre"> </span>}</font= ></div><div><font face=3D"monospace, monospace"><span style=3D"white-space:= pre"> </span>break;</font></div></div><div><br></div></div></div><br><div = class=3D"gmail_quote"><div dir=3D"ltr">On Tue, Aug 28, 2018 at 8:26 PM Howa= rd Chu <<a href=3D"mailto:openldap-its@openldap.org">openldap-its@openld= ap.org</a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"m= argin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">> Full_Nam= e: Karl Waclawek<br> > Version: LMDB 0.9.22<br> > OS: Windows 10<br> > URL: <a href=3D"ftp://ftp.openldap.org/incoming/" rel=3D"noreferrer" t= arget=3D"_blank">ftp://ftp.openldap.org/incoming/</a><br> > Submission from: (NULL) (2607:fea8:7a80:814:3ca9:e8f6:801c:d6f8)<br> > <br> > <br> > The documentation in lmdb.h for MDB_GET_MULTIPLE, MDB_NEXT_MULTIPLE an= d<br> > MDB_PREV_MULTIPLE seems to have two issues:<br> > <br> > 1) The documentation indicates that both, the key and data, are return= ed, but<br> in<br> > reality only the data is returned.<br> <br> Looks like you're right. Since these are DUPs the key would be the same= <br> every time so there's no need to return it on each call.<br> Doc fixed in git mdb.master.<br> <br> > 2) The documentation states that MDB_GET_MULTIPLE moves the cursor. Th= is does<br> > not seem to be true.<br> <br> The doc is correct here. The cursor is advanced far enough that a<br> MDB_NEXT_MULTIPLE will return the following data, as opposed to just<br> returning the same data again.<br> </blockquote></div> --00000000000018b43a057492d87f--

1 0

(ITS#8910) Open Ldap back sql installation Query
by nagalakshmibatchu345＠gmail.com 29 Aug '18

29 Aug '18

Full_Name: Nagalakshmi Batchu Version: 2.4.44 OS: Windows URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (183.82.124.72) Hi, I have doubt in Back sql Configuration.In the document /etc/odbc.ini mentioned like this. Here where i need to find the above mentioned file path.

1 0

Re: (ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access
by hyc＠symas.com 28 Aug '18

28 Aug '18

Guilhem Moulin wrote: > On Wed, 29 Aug 2018 at 01:14:51 +0100, Howard Chu wrote: >> Thanks for the report. Looks like this has been present since commit >> 113727ba. Fixed now in git master > > Thanks for the quick fix! Not sure why rc's value is preserved here but > set to LDAP_INAPPROPRIATE_AUTH in all other failing cases, though. But > that doesn't seem to matter beside debug logs now showing a return value > other than 48, disclosing the actual reason of the failure; for instance > > <== slap_sasl_authorized: return 16 > SASL Proxy Authorize [conn=1022]: proxy authorization disallowed (16) > > for a missing authTo under authz-policy "all". > Probably not a bad thing overall, but for consistency it's now patched to set INAPPROPRIATE_AUTH as with the other cases. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access
by guilhem＠fripost.org 28 Aug '18

28 Aug '18

On Wed, 29 Aug 2018 at 01:14:51 +0100, Howard Chu wrote: > Thanks for the report. Looks like this has been present since commit > 113727ba. Fixed now in git master Thanks for the quick fix! Not sure why rc's value is preserved here but set to LDAP_INAPPROPRIATE_AUTH in all other failing cases, though. But that doesn't seem to matter beside debug logs now showing a return value other than 48, disclosing the actual reason of the failure; for instance <== slap_sasl_authorized: return 16 SASL Proxy Authorize [conn=1022]: proxy authorization disallowed (16) for a missing authTo under authz-policy "all". -- Guilhem.

1 0

Re: (ITS#8906) Fail to download package in yocto project
by Howard Chu 28 Aug '18

28 Aug '18

> Full_Name: Yong Zhang > Version: 2.4.43 > OS: linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (180.166.53.43) > > > ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz is not available ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.43.tgz Looks fine to me.

1 0

Re: (ITS#8908) LMDB Documentation for MDB_XXX_MULTIPLE
by Howard Chu 28 Aug '18

28 Aug '18

> Full_Name: Karl Waclawek > Version: LMDB 0.9.22 > OS: Windows 10 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (2607:fea8:7a80:814:3ca9:e8f6:801c:d6f8) > > > The documentation in lmdb.h for MDB_GET_MULTIPLE, MDB_NEXT_MULTIPLE and > MDB_PREV_MULTIPLE seems to have two issues: > > 1) The documentation indicates that both, the key and data, are returned, but in > reality only the data is returned. Looks like you're right. Since these are DUPs the key would be the same every time so there's no need to return it on each call. Doc fixed in git mdb.master. > 2) The documentation states that MDB_GET_MULTIPLE moves the cursor. This does > not seem to be true. The doc is correct here. The cursor is advanced far enough that a MDB_NEXT_MULTIPLE will return the following data, as opposed to just returning the same data again.

1 0

Re: (ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access
by hyc＠symas.com 28 Aug '18

28 Aug '18

guilhem(a)fripost.org wrote: > Full_Name: Guilhem Moulin > Version: 2.4.44 > OS: Debian GNU/Linux (Stretch) > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (109.225.112.70) >=20 >=20 > slapd.conf(5) manpage (in both 2.4.44 and in current =E2=80=94 0f320b3 = =E2=80=94 master) > mentions that authz-policy's "all" flag requires both source and destin= ations > authorizations rules to succeed. However if the source rule (the authe= ntication > identity's "authzTo" attribute) fails but the destination rule (the > authorization identity's "authzFrom" attribute) succeeds, then the auth= orization > is granted, violating the intended semantics and possibly yielding unau= thorized > access. See the following log excerpt: Thanks for the report. Looks like this has been present since commit 1137= 27ba. Fixed now in git master >=20 > SASL proxy authorize [conn=3D1019]: authcid=3D"authcid" > authzid=3D"dn:uid=3Dauthzid,dc=3Dexample,dc=3Dnet" > =3D=3D>slap_sasl_authorized: can uid=3Dauthcid,dc=3Dexample,dc=3Dnet be= come > uid=3Dauthzid,dc=3Dexample,dc=3Dnet? > =3D=3D>slap_sasl_check_authz: does uid=3Dauthzid,dc=3Dexample,dc=3Dnet = match authzTo rule > in uid=3Dauthcid,dc=3Dexample,dc=3Dnet? > <=3D=3Dslap_sasl_check_authz: authzTo check returning 50 > =3D=3D>slap_sasl_check_authz: does uid=3Dauthcid,dc=3Dexample,dc=3Dnet = match authzFrom > rule in uid=3Dauthzid,dc=3Dexample,dc=3Dnet? > <=3D=3D=3Dslap_sasl_match: comparison returned 0 > <=3D=3Dslap_sasl_check_authz: authzFrom check returning 0 > <=3D=3D slap_sasl_authorized: return 0 > conn=3D1019 op=3D1 BIND authcid=3D"authcid" > authzid=3D"dn:uid=3Dauthzid,dc=3Dexample,dc=3Dnet" > SASL Authorize [conn=3D1019]: proxy authorization allowed > authzDN=3D"uid=3Dauthzid,dc=3Dexample,dc=3Dnet" >=20 > AFAICT the problem is in servers/slapd/saslauthz.c:slap_sasl_authorized= (), and > is also present in master. Here is a naive patch that fails the author= ization > if the source rules doesn't verify and SASL_AUTHZ_AND is set in authz_p= olicy. >=20 > --- a/servers/slapd/saslauthz.c > +++ b/servers/slapd/saslauthz.c > @@ -2077,6 +2077,10 @@ int slap_sasl_authorized( Operation *op, > if( rc =3D=3D LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND)= ) { > goto DONE; > } > + else if( rc !=3D LDAP_SUCCESS && (authz_policy & SASL_AUTHZ_AN= D) ) { > + rc =3D LDAP_INAPPROPRIATE_AUTH; > + goto DONE; > + } > } > =20 > /* Check destination rules */ >=20 >=20 --=20 -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access
by guilhem＠fripost.org 28 Aug '18

28 Aug '18

Full_Name: Guilhem Moulin Version: 2.4.44 OS: Debian GNU/Linux (Stretch) URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (109.225.112.70) slapd.conf(5) manpage (in both 2.4.44 and in current 0f320b3 master) mentions that authz-policy's "all" flag requires both source and destinations authorizations rules to succeed. However if the source rule (the authentication identity's "authzTo" attribute) fails but the destination rule (the authorization identity's "authzFrom" attribute) succeeds, then the authorization is granted, violating the intended semantics and possibly yielding unauthorized access. See the following log excerpt: SASL proxy authorize [conn=1019]: authcid="authcid" authzid="dn:uid=authzid,dc=example,dc=net" ==>slap_sasl_authorized: can uid=authcid,dc=example,dc=net become uid=authzid,dc=example,dc=net? ==>slap_sasl_check_authz: does uid=authzid,dc=example,dc=net match authzTo rule in uid=authcid,dc=example,dc=net? <==slap_sasl_check_authz: authzTo check returning 50 ==>slap_sasl_check_authz: does uid=authcid,dc=example,dc=net match authzFrom rule in uid=authzid,dc=example,dc=net? <===slap_sasl_match: comparison returned 0 <==slap_sasl_check_authz: authzFrom check returning 0 <== slap_sasl_authorized: return 0 conn=1019 op=1 BIND authcid="authcid" authzid="dn:uid=authzid,dc=example,dc=net" SASL Authorize [conn=1019]: proxy authorization allowed authzDN="uid=authzid,dc=example,dc=net" AFAICT the problem is in servers/slapd/saslauthz.c:slap_sasl_authorized(), and is also present in master. Here is a naive patch that fails the authorization if the source rules doesn't verify and SASL_AUTHZ_AND is set in authz_policy. --- a/servers/slapd/saslauthz.c +++ b/servers/slapd/saslauthz.c @@ -2077,6 +2077,10 @@ int slap_sasl_authorized( Operation *op, if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) { goto DONE; } + else if( rc != LDAP_SUCCESS && (authz_policy & SASL_AUTHZ_AND) ) { + rc = LDAP_INAPPROPRIATE_AUTH; + goto DONE; + } } /* Check destination rules */

1 0

Re: (ITS#8650) EAGAIN from gnutls_handshake not respected
by subbarao＠computer.org 27 Aug '18

27 Aug '18

On 08/26/2018 03:07 PM, Ryan Tandy wrote: > If I create a patch to log some additional debug info about the GnuTLS > setup, would you be willing to run it in your environment? For example > I'm curious whether EAGAIN is being returned from the read side or > write side (guessing read, but would be nice to confirm). Sure, send me the patch. If the patch just does some additional GnuTLS logging, then I don't see a problem with running it in the production environment and sending you the results. Regards, -Kartik

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs