Full_Name: Clement Oudot
Version: 2.4.44
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.248.50.71)
Hello,
with a simple olcAuthzRegexp configuration like:
olcAuthzRegexp: {0}uid=(.*),cn=gssapi,cn=auth ldap:///dc=example,dc=com???(uid=$1)
And ppolicy overlay configured, for example like:
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
We have a segfault when running this command:
$ /usr/local/openldap/sbin/slapauth -F /home/clement/configuration/openldap/example /slapd.d/ -v coudot -M GSSAPI
Here is the GDB backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x000000000055644f in ppolicy_restrict (op=0x7fffffffd0e0, rs=0x7fffffffd070) at
ppolicy.c:1379
1379 ppolicy.c: Aucun fichier ou dossier de ce type.
(gdb) bt
#0 0x000000000055644f in ppolicy_restrict (op=0x7fffffffd0e0,
rs=0x7fffffffd070) at ppolicy.c:1379
#1 0x00000000004a55ca in overlay_op_walk (op=op@entry=0x7fffffffd0e0,
rs=0x7fffffffd070, which=op_search, oi=0xa59ef0, on=0xa571d0) at backover.c:661
#2 0x00000000004a574e in over_op_func (op=0x7fffffffd0e0, rs=<optimized out>,
which=<optimized out>) at backover.c:730
#3 0x0000000000487375 in slap_sasl2dn (opx=0x7fffffffd710, saslname=0x0,
sasldn=0x7fffffffd310, flags=-16, flags@entry=2) at saslauthz.c:2008
#4 0x000000000048e42b in slap_sasl_getdn (conn=conn@entry=0x7fffffffd450,
op=op@entry=0x7fffffffd710, id=id@entry=0x7fffffffd440, user_realm=0x0,
dn=dn@entry=0x7fffffffd410, flags=flags@entry=2) at sasl.c:1891
#5 0x00000000004aba73 in do_check (c=c@entry=0x7fffffffd450,
op=op@entry=0x7fffffffd710, id=id@entry=0x7fffffffd440) at slapauth.c:44
#6 0x00000000004abe54 in slapauth (argc=<optimized out>, argv=0x7fffffffdcc8)
at slapauth.c:161
#7 0x0000000000425e98 in main (argc=7, argv=0x7fffffffdc98) at main.c:664
Note that there is no bug if one of these conditions is true:
* overlay ppolicy is not configured
* olcAuthzRegexp does not use internal LDAP search
* GSSAPI schema is not requested in slapauth
Hope you have enough information in this report. Feel free to ask more if
needed.
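Added example (not part of the original report and not OpenLDAP code): a Python sketch of how the olcAuthzRegexp rule above rewrites a SASL name into an LDAP URL, which slapd then has to resolve with an internal search, the path seen in the backtrace (slap_sasl2dn calling over_op_func with op_search). Assumptions: the SASL name for user coudot is taken to be uid=coudot,cn=gssapi,cn=auth, Python's `re` stands in for slapd's regex matching, and the DN-only rule is constructed for contrast.

```python
import re
from urllib.parse import unquote

# Rule from the report: match pattern and replacement of olcAuthzRegexp {0}.
MATCH = r"uid=(.*),cn=gssapi,cn=auth"
REPLACE = "ldap:///dc=example,dc=com???(uid=$1)"


def expand(sasl_name, match=MATCH, replace=REPLACE):
    """Return the rewritten authz string, or None if the rule does not match."""
    m = re.search(match, sasl_name)
    if m is None:
        return None
    # $1..$9 in the replacement refer to the captured groups.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replace)


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its four fields."""
    prefix = "ldap:///"
    if not url.lower().startswith(prefix):
        raise ValueError("not an ldap:/// URL: %r" % url)
    parts = url[len(prefix):].split("?", 4)[:4]
    parts += [""] * (4 - len(parts))
    base, attrs, scope, filt = (unquote(p) for p in parts)
    # An empty scope means the URL did not specify one.
    return {"base": base, "attrs": attrs, "scope": scope, "filter": filt}


def needs_internal_search(rewritten):
    """A URL result is resolved by a search; a plain DN is used directly."""
    return rewritten.lower().startswith("ldap://")


def describe(sasl_name, match=MATCH, replace=REPLACE):
    out = expand(sasl_name, match, replace)
    if out is None:
        return ("no-match", None)
    if needs_internal_search(out):
        return ("search", parse_ldap_url(out))
    return ("direct-dn", out)


if __name__ == "__main__":
    # Constructed inputs: the user from the report, plus a DN-only rule.
    print(describe("uid=coudot,cn=gssapi,cn=auth"))
    print(describe("uid=coudot,cn=gssapi,cn=auth",
                   replace="uid=$1,ou=people,dc=example,dc=com"))
```

The first call yields a search against dc=example,dc=com with filter (uid=coudot); the second yields a DN with no search, matching the report's second no-crash condition.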
On Tue, Sep 22, 2015 at 08:45:12PM +0000, ondra(a)mistotebe.net wrote:
> On Tue, Sep 22, 2015 at 09:01:59AM +0000, geert(a)hendrickx.be wrote:
>> For clarity I do agree that a control should exist to bypass uniqueness
>> (and other) constraints. However I think manageDSAit is not the
>> appropriate control by its definition, and also in practice given the
>> fact it's set per default by popular client libs.
>>
>> Relax Rules seems much more appropriate for this use case, as it's intended
>> to temporarily relax database constraints, for administrative use only.
>
> Yes, Relax control is better for manual bypass. We just need to make
> sure the original issue that this code was created to address is not
> reintroduced. ITS#6641 was put up to allow replication to bypass this
> overlay and anything that was already loaded to one master should
> happily replicate everywhere else. At that point, manageDSAit was the
> only way I could find to distinguish an operation coming from syncrepl,
> it seems that the constraint overlay has a more reliable check so that
> might be a better idea.
>
> Patch to that effect is here:
> ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20150922-ITS-8245-unique-rela…
Given that relax control is still allowed for everyone (and no ACL
support for controls exists yet), this patch will buy us little. I have
updated the test suite accordingly so that this can be merged when
OpenLDAP is ready:
ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170330-ITS-8245-unique-rela…
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
On Thu, Mar 30, 2017 at 12:00:41 +0200, Ondřej Kuzník wrote:
> Hi Geert,
> the following patch should fix the issue.
> ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170330a-ITS-8266-Allow-empt…
Hi Ondřej,
I verified your patch on 2.4.x and it works for me!
Thanks,
Geert
--
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
On Thu, Oct 08, 2015 at 03:33:28PM +0000, geert(a)hendrickx.be wrote:
> When slapo-unique constraints are in effect, it seems empty updates are
> no longer allowed:
>
> $ ldapmodify -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
> dn: cn=test1,dc=my-domain,dc=com
> changetype: modify
> modifying entry "cn=test1,dc=my-domain,dc=com"
> ldap_modify: Invalid syntax (21)
> additional info: unique_modify() got null op.orm_modlist
>
> Why is this considered invalid syntax? Without slapo-unique constraint,
> empty updates like these are accepted.
Hi Geert,
the following patch should fix the issue.
ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170330a-ITS-8266-Allow-empt…
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
Full_Name: Peter Marschall
Version: 2.4.44
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.130.171.22)
Hi,
the patches
* Peter-Marschall-170330.0001-contrib-smbk5pwd-add-man-page-install-it-too.patch
* Peter-Marschall-170330.0002-contrib-lastbind-install-man-page.patch
* Peter-Marschall-170330.0003-contrib-passwd-sha2-add-man-page-install-it-too.patch
* Peter-Marschall-170330.0004-contrib-adremap-install-man-page.patch
* Peter-Marschall-170330.0005-contrib-allop-install-man-page.patch
* Peter-Marschall-170330.0006-contrib-cloak-install-man-page.patch
* Peter-Marschall-170330.0007-contrib-lastmod-install-man-page.patch
* Peter-Marschall-170330.0008-contrib-nops-install-man-page.patch
* Peter-Marschall-170330.0009-contrib-nssov-install-man-page.patch
* Peter-Marschall-170330.0010-contrib-passwd-add-man-page-slapd-pw-radius.5-instal.patch
* Peter-Marschall-170330.0011-contrib-passwd-totp-add-man-page-install-it-too.patch
* Peter-Marschall-170330.0012-contrib-passwd-pbkdf2-add-man-page-install-it-too.patch
* Peter-Marschall-170330.0013-contrib-passwd-totp-new-Makefile-variables-SSL_LIB-S.patch
* Peter-Marschall-170330.0014-contrib-passwd-pbkdf2-new-Makefile-variables-SSL_LIB.patch
make sure that
* existing man pages for modules in contrib/ are installed with the module
* some missing man pages are added to modules in contrib/
* Makefiles in contrib/ use the new Makefile variables SSL_INC & SSL_LIB
The attached/mentioned patch files are derived from OpenLDAP Software. All of
the modifications to OpenLDAP Software represented in the following patch(es)
were developed by Peter Marschall <peter(a)adpm.de>. I have not assigned rights
and/or interest in this work to any party.
Copyright 2015-2017 Peter Marschall-
Redistribution and use in source and binary forms, with or without modification,
are permitted only as authorized by the OpenLDAP Public License.
Please consider them for inclusion in the next version of OpenLDAP.
The patches have been uploaded here:
ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170330-ITS7100-dds-entryttl…
The attached patch file is derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the following
patch(es) were developed by Ondřej Kuzník <ondra(a)mistotebe.net>. I have
not assigned rights and/or interest in this work to any party.
I, Ondřej Kuzník, hereby place the following modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence,
these modifications may be freely used and/or redistributed for any
purpose with or without attribution and/or other notice.
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
Hello Philippe,
Thanks for looking to contribute to the OpenLDAP project. Your submission
does not appear to have followed the submission guidelines for the project,
located at:
<http://www.openldap.org/devel/contributing.html>
In addition, I would note the following:
a) How does this submission differ from, or improve upon, the ldapc++ API
that is already shipped with OpenLDAP?
b) Your chosen license may cause your contribution to be rejected (See
contribution guidelines).
If you would still like your work to be included with the OpenLDAP project,
please review the contribution guidelines and follow up to the ITS with the
proper format, etc.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Hi Soichi,
I was curious if you still encounter this issue using current OpenLDAP and
back-mdb. I would note the back-bdb/hdb backends are now deprecated. It
also occurred to me that the issue may have been related to lack of lock
resources, etc (which are generally set in DB_CONFIG).
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>