openldap-bugs

openldap-bugs@openldap.org

1 participants
21003 discussions

(ITS#8629) slapauth segfault with GSSAPI + olcAuthzRegexp using internal LDAP search + ppolicy overlay
by clement.oudot＠savoirfairelinux.com 30 Mar '17

30 Mar '17

Full_Name: Clement Oudot Version: 2.4.44 OS: GNU/Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (193.248.50.71) Hello, with a simple olcAuthzRegexp configuration like: olcAuthzRegexp: {0}uid=(.*),cn=gssapi,cn=auth ldap:///dc=example,dc=com???(uid=$1) And ppolicy overlay configured, for example like: dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {0}ppolicy olcPPolicyHashCleartext: FALSE olcPPolicyUseLockout: FALSE olcPPolicyForwardUpdates: FALSE We have a segfault when running this command: $ /usr/local/openldap/sbin/slapauth -F /home/clement/configuration/openldap/example /slapd.d/ -v coudot -M GSSAPI Here is the GDB backtrace: Program received signal SIGSEGV, Segmentation fault. 0x000000000055644f in ppolicy_restrict (op=0x7fffffffd0e0, rs=0x7fffffffd070) at ppolicy.c:1379 1379 ppolicy.c: Aucun fichier ou dossier de ce type. (gdb) bt #0 0x000000000055644f in ppolicy_restrict (op=0x7fffffffd0e0, rs=0x7fffffffd070) at ppolicy.c:1379 #1 0x00000000004a55ca in overlay_op_walk (op=op@entry=0x7fffffffd0e0, rs=0x7fffffffd070, which=op_search, oi=0xa59ef0, on=0xa571d0) at backover.c:661 #2 0x00000000004a574e in over_op_func (op=0x7fffffffd0e0, rs=<optimized out>, which=<optimized out>) at backover.c:730 #3 0x0000000000487375 in slap_sasl2dn (opx=0x7fffffffd710, saslname=0x0, sasldn=0x7fffffffd310, flags=-16, flags@entry=2) at saslauthz.c:2008 #4 0x000000000048e42b in slap_sasl_getdn (conn=conn@entry=0x7fffffffd450, op=op@entry=0x7fffffffd710, id=id@entry=0x7fffffffd440, user_realm=0x0, dn=dn@entry=0x7fffffffd410, flags=flags@entry=2) at sasl.c:1891 #5 0x00000000004aba73 in do_check (c=c@entry=0x7fffffffd450, op=op@entry=0x7fffffffd710, id=id@entry=0x7fffffffd440) at slapauth.c:44 #6 0x00000000004abe54 in slapauth (argc=<optimized out>, argv=0x7fffffffdcc8) at slapauth.c:161 #7 0x0000000000425e98 in main (argc=7, argv=0x7fffffffdc98) at main.c:664 Note that there is no bug if one of this condition is true: * overlay ppolicy is not configured * olcAuthRegexp does not use internal LDAP search * GSSAPI schema is not requested in slapauth Hope you have enough information in this report. Feel free to ask more if needed.

1 0

Re: (ITS#8245) slapo-unique constraints bypassed by manageDsaIt, change to relax?
by ondra＠mistotebe.net 30 Mar '17

30 Mar '17

On Tue, Sep 22, 2015 at 08:45:12PM +0000, ondra(a)mistotebe.net wrote: > On Tue, Sep 22, 2015 at 09:01:59AM +0000, geert(a)hendrickx.be wrote: >> For clarity I do agree that a control should exist to bypass uniqueness >> (and other) constraints. However I think manageDSAit is not the >> appropriate control by its definition, and also in practice given the >> fact it's set per default by popular client libs. >> >> Relax Rules seems much more appropriate for this use case, as it's intended >> to temporarily relax database constraints, for administrative use only. > > Yes, Relax control is better for manual bypass. We just need to make > sure the original issue that this code was created to address is not > reintroduced. ITS#6641 was put up to allow replication to bypass this > overlay and anything that was already loaded to one master should > happily replicate everywhere else. At that point, manageDSAit was the > only way I could find to distinguish an operation coming from syncrepl, > it seems that the constraint overlay has a more reliable check so that > might be a better idea. > > Patch to that effect is here: > ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20150922-ITS-8245-unique-rela… Given that relax control is still allowed for everyone (and no ACL support for controls exists yet), this patch will buy us little. I have updated the test suite accordingly so that this can be merged when OpenLDAP is ready: ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170330-ITS-8245-unique-rela… -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

Re: (ITS#8266) empty ldapmodify refused with slapo-unique
by geert＠hendrickx.be 30 Mar '17

30 Mar '17

On Thu, Mar 30, 2017 at 12:00:41 +0200, Ondřej Kuzník wrote: > Hi Geert, > the following patch should fix the issue. > ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170330a-ITS-8266-Allow-empt… Hi Ondřej, I verified your patch on 2.4.x and it works for me! Thanks, Geert -- geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F This e-mail was composed using 100% recycled spam messages!

1 0

Re: (ITS#8266) empty ldapmodify refused with slapo-unique
by ondra＠mistotebe.net 30 Mar '17

30 Mar '17

On Thu, Oct 08, 2015 at 03:33:28PM +0000, geert(a)hendrickx.be wrote: > When slapo-unique constraints are in effect, it seems empty updates are > no longer allowed: > > $ ldapmodify -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret > dn: cn=test1,dc=my-domain,dc=com > changetype: modify > modifying entry "cn=test1,dc=my-domain,dc=com" > ldap_modify: Invalid syntax (21) > additional info: unique_modify() got null op.orm_modlist > > Why is this considered invalid syntax? Without slapo-unique constraint, > empty updates like these are accepted. Hi Geert, the following patch should fix the issue. ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170330a-ITS-8266-Allow-empt… Regards, -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

(ITS#8628) man pages & Makfile updaes for contrib
by peter＠adpm.de 30 Mar '17

30 Mar '17

Full_Name: Peter Marschall Version: 2.4.44 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (80.130.171.22) Hi, the patches * Peter-Marschall-170330.0001-contrib-smbk5pwd-add-man-page-install-it-too.patch * Peter-Marschall-170330.0002-contrib-lastbind-install-man-page.patch * Peter-Marschall-170330.0003-contrib-passwd-sha2-add-man-page-install-it-too.patch * Peter-Marschall-170330.0004-contrib-adremap-install-man-page.patch * Peter-Marschall-170330.0005-contrib-allop-install-man-page.patch * Peter-Marschall-170330.0006-contrib-cloak-install-man-page.patch * Peter-Marschall-170330.0007-contrib-lastmod-install-man-page.patch * Peter-Marschall-170330.0008-contrib-nops-install-man-page.patch * Peter-Marschall-170330.0009-contrib-nssov-install-man-page.patch * Peter-Marschall-170330.0010-contrib-passwd-add-man-page-slapd-pw-radius.5-instal.patch * Peter-Marschall-170330.0011-contrib-passwd-totp-add-man-page-install-it-too.patch * Peter-Marschall-170330.0012-contrib-passwd-pbkdf2-add-man-page-install-it-too.patch * Peter-Marschall-170330.0013-contrib-passwd-totp-new-Makefile-variables-SSL_LIB-S.patch * Peter-Marschall-170330.0014-contrib-passwd-pbkdf2-new-Makefile-variables-SSL_LIB.patch make sure that * existing man pages for modules in contrib/ are installed with the module * some missing man pages are added to modules in contrib/ * Makefiles in contrib/ use the new Makefile variables SSL_INC & SSL_LIB The attached/mentioned patch files are derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Peter Marschall <peter(a)adpm.de>. I have not assigned rights and/or interest in this work to any party. Copyright 2015-2017 Peter Marschall- Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License. Please consider them for inclusion in the next version of OpenLDAP

1 0

Re: (ITS#7100) slapo-dds: entryTTL not decreasing
by ondra＠mistotebe.net 30 Mar '17

30 Mar '17

The patches have been uploaded here: ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170330-ITS7100-dds-entryttl… The attached patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Ondřej Kuzník <ondra(a)mistotebe.net>. I have not assigned rights and/or interest in this work to any party. I, Ondřej Kuzník, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

ITS#8626 : TLS trace: SSL3 alert write:fatal:certificate unknown
by Anitha.Seshadri＠dell.com 30 Mar '17

30 Mar '17

--_000_15687A439BFEE848B596FFB9FB92A77B627F577AMX101CL01corpem_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable HI We are using Openldap 2.4.33 (Linux 64 bit built with RSA MES 3.2.4.3 ) in= our application for LDAP synchronization. We have a customer case where the customer is using a certificate chain. Th= ey have converted the root and intermediate certificates into pem and are u= sing the pem to connect to the lDAP server. We are getting the below error : TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS trace: SSL_connect:SSLv3 process tls extension TLS trace: SSL_connect:SSL3 post/by-pass tls extension processing TLS trace: SSL_connect:SSLv3 read server certificate A TLS certificate verification: depth: 0, err: 0, subject: /CN=3DITSUSRANADC5= 5.na.jnj.com, issuer: /DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA C2 TLS certificate verification: depth: 1, err: 0, subject: /DC=3Dcom/DC=3Djnj= /CN=3DJNJ Internal Online CA C2, issuer: /DC=3DCOM/DC=3DJNJ/CN=3DJNJ Intern= al Root Certification Authority TLS certificate verification: depth: 2, err: 0, subject: /DC=3DCOM/DC=3DJNJ= /CN=3DJNJ Internal Root Certification Authority, issuer: /DC=3DCOM/DC=3DJNJ= /CN=3DJNJ Internal Root Certification Authority TLS trace: SSL3 alert write:fatal:certificate unknown TLS trace: SSL_connect:error in SSL3 certificate verify A TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE= :certificate verify failed (ok). After Calling ldap_int_open_connection rc =3D 0 LDAP_SERVER_DOWN The same certificate (pem) connects perfectly with openssl commands. [dmfs4adm@itsusral00157 ldapdb]$ openssl s_client -CAfile /dmfs4/apps/docum= entum/dba/secure/ldapdb/INT-PROD-Root-Intermedia_0320.pem -connect ITSUSRAN= ADC41.na.j nj.com:3269 CONNECTED(00000003) depth=3D2 DC =3D COM, DC =3D JNJ, CN =3D JNJ Internal Root Certification Au= thority verify return:1 depth=3D1 DC =3D com, DC =3D jnj, CN =3D JNJ Internal Online CA A2 verify return:1 depth=3D0 CN =3D ITSUSRANADC41.na.jnj.com verify return:1 - Certificate chain 0 s:/CN=3DITSUSRANADC41.na.jnj.com i:/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA A2 1 s:/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA A2 i:/DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certification Authority - Server certificate ----BEGIN CERTIFICATE---- MIIG0zCCBbugAwIBAgIKNPjZjAAAANPqDjANBgkqhkiG9w0BAQUFADBOMRMwEQYK CZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDam5qMSIwIAYDVQQDExlK TkogSW50ZXJuYWwgT25saW5lIENBIEEyMB4XDTE2MDkwNjIzMTI0M1oXDTE3MDkw NjIzMTI0M1owIzEhMB8GA1UEAxMYSVRTVVNSQU5BREM0MS5uYS5qbmouY29tMIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlmJd7MNGtotF5zXbWJdSaezG LDk1ty98yceBIDz6P1JIYAP84QtEMA+xO3GW7Y+oPjBtMjoEd7P1gLmCVxC9zf69 GNOgYjMsjo4QbynPcgcxMGnpwj8yHQVPLkRe7Do2qpfDz3jhVRT7cJ+u3xu+z66x /JbhCrySeekqL9O6O96YpqMFi+897Lgg9QPphjgrvrD5VmxHfH0V7p7sc/DcIufJ Ifjj7DGotaffcc90VZxj+vQd1iO5AchaDkIUiPLES9AsbcXei8Fau6pcFKpQBh5l fynm73EU01FP+RN//6WpyoIVXVc5uTE9ua7q+O2nGb46FnKlegGpI3iJCh5NJwID AQABo4ID3DCCA9gwOwYJKwYBBAGCNxUHBC4wLAYkKwYBBAGCNxUIgtGfI5rtGIad nTSHnpIqh8HUUmmEo+JQuZUUAgFkAgEFMDMGA1UdJQQsMCoGCCsGAQUFCAICBgor BgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMBgG A1UdIAQRMA8wDQYLYIZIAYb4AgMCAQowQQYJKwYBBAGCNxUKBDQwMjAKBggrBgEF BQgCAjAMBgorBgEEAYI3FAICMAoGCCsGAQUFBwMBMAoGCCsGAQUFBwMCMIGjBgNV HREEgZswgZiCGElUU1VTUkFOQURDNDEubmEuam5qLmNvbYIKbmEuam5qLmNvbYIN bmFkaXIuam5qLmNvbYITbmFsZWdhY3lkaXIuam5qLmNvbYITbmFuZXh0b3NkaXIu am5qLmNvbYIQbmFpY2VkaXIuam5qLmNvbYIUbmFzcGVjaWFsZGlyLmpuai5jb22C D25hZndkaXIuam5qLmNvbTAdBgNVHQ4EFgQU11fVbuyGZpo8ApfMelvW1TFrH3ow HwYDVR0jBBgwFoAUhlNccpOupTSpisgGUUr+XzVQOeEwggEJBgNVHR8EggEAMIH9 MIH6oIH3oIH0hoHKbGRhcDovLy9DTj1KTkolMjBJbnRlcm5hbCUyME9ubGluZSUy MENBJTIwQTIsQ049SVRTVVNSQUpOSkNBMyxDTj1DRFAsQ049UHVibGljJTIwS2V5 JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1qbmos REM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFz cz1jUkxEaXN0cmlidXRpb25Qb2ludIYlaHR0cDovL2ludHByb2Rjcmwuam5qLmNv bS9pbnRjYWEyLmNybDCCAQIGCCsGAQUFBwEBBIH1MIHyMIG8BggrBgEFBQcwAoaB r2xkYXA6Ly8vQ049Sk5KJTIwSW50ZXJuYWwlMjBPbmxpbmUlMjBDQSUyMEEyLENO PUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1D b25maWd1cmF0aW9uLERDPWpuaixEQz1jb20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29i amVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwMQYIKwYBBQUHMAKGJWh0 dHA6Ly9pbnRwcm9kcGtpLmpuai5jb20vaW50Y2FhMi5wN2MwDQYJKoZIhvcNAQEF BQADggEBAE1hMzal6XiA0Rz1zsTlqAvZiXJg9urK/FcoeL4kiSGCVXQFPYZPRRG7 cwVBTkqABfNvTr2L7WTr2wqZL25HjY4hphK97I4BvCydpQLCEYPiSatY8kFN8Mpu rDTqNlzTEKt7qId9yDrsKmOI+Gs3hHrWPri1fdOeSlkwIUN5gKCwdH/h44LYU8Z5 4tSjWAkh0hkOU0pija45i7tkBzTholXoOEmAmv7G9UlhLuk950yLzu58yW4aBda1 rev0YtUsKjpfSbTWRwcxeYhspcEq2oGYsWD47wLxQJXHUiRWcXyYuOKiQiu4gjZ7 hS9/xvPvJ3zvxHoI7qF4A8VBgF8c4lQ=3D ----END CERTIFICATE---- subject=3D/CN=3DITSUSRANADC41.na.jnj.com issuer=3D/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA A2 - Acceptable client certificate CA names /CN=3DITSUSRANADC41.na.jnj.com /C=3DSE/O=3DAddTrust AB/OU=3DAddTrust External TTP Network/CN=3DAddTrust Ex= ternal CA Roo t /C=3DUS/O=3DJNJ/OU=3DJNJ Public Key Authorities/CN=3DJNJ 2048bit Root Certi= fication Auth ority /C=3DUS/O=3DJNJ/OU=3DJNJ Public Key Authorities/CN=3DJNJ Root Certification= Authority /DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certification Authority /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3D(c) 2008 VeriSi= gn, Inc. - Fo r authorized use only/CN=3DVeriSign Universal Root Certificat= ion Authority /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3D(c) 2006 VeriSi= gn, Inc. - Fo r authorized use only/CN=3DVeriSign Class 3 Public Primary Ce= rtification Authority - G5 /C=3DUS/O=3DVeriSign, Inc./OU=3DClass 3 Public Primary Certification Author= ity /C=3DUS/O=3DVeriSign, Inc./OU=3DClass 3 Public Primary Certification Author= ity - G2/OU =3D(c) 1998 VeriSign, Inc. - For authorized use only/OU=3DVeriS= ign Trust Network /C=3DUS/ST=3DWashington/L=3DRedmond/O=3DMicrosoft Corporation/CN=3DMicrosof= t Root Certific ate Authority 2011 /C=3DUS/O=3DGTE Corporation/OU=3DGTE CyberTrust Solutions, Inc./CN=3DGTE Cy= berTrust Glob al Root /C=3DIE/O=3DBaltimore/OU=3DCyberTrust/CN=3DBaltimore CyberTrust Root /C=3DUS/ST=3DWashington/L=3DRedmond/O=3DMicrosoft Corporation/CN=3DMicrosof= t Root Certific ate Authority 2010 /O=3DSymantec Corporation/CN=3DSymantec Root CA /OU=3DCopyright (c) 1997 Microsoft Corp./OU=3DMicrosoft Corporation/CN=3DMi= crosoft Roo t Authority /C=3DUS/O=3DSymantec Corporation/CN=3DSymantec Root 2005 CA /DC=3Dcom/DC=3Dmicrosoft/CN=3DMicrosoft Root Certificate Authority /CN=3DNT AUTHORITY - SSL handshake has read 5700 bytes and written 619 bytes - New, TLSv1/SSLv3, Cipher is AES128-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : AES128-SHA256 Session-ID: 743C00003D9B50EAA53C45E670C3E9682DBE86BA873CEA5B35BFB16B7CE5A62= 5 Session-ID-ctx: Master-Key: 0DB1DB6C4E9B3BE57E6E3A38B3A68EACAF96A78650EA978B4A8860B35BBDCCB= 4 61DA777F8C0D83ED53CCFE82748D3F86 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1490103903 Timeout : 300 (sec) Verify return code: 0 (ok) - Could you let us know what we could be missing here? The pem contains certificates JNJ Internal Root Certification Authority and= CN=3DJNJ Internal Online CA C2 .Are we missing anything here? Any help would be greatly appreciated. Thanks Anitha --_000_15687A439BFEE848B596FFB9FB92A77B627F577AMX101CL01corpem_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr= osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:= //www.w3.org/TR/REC-html40"> <head> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"= > <meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)"> <style></style> </head> <body lang=3D"EN-US" link=3D"blue" vlink=3D"purple"> <div class=3D"WordSection1"> HI<o:p></o:p> <o:p> </o:p> We are using Openldap 2.4.33 (Linux 64 bit  bui= lt with RSA MES 3.2.4.3 ) in our application for LDAP synchronization.<o:p>= </o:p> We have a customer case where the customer is using = a certificate chain. They have converted the root and intermediate certific= ates into pem and are using the pem to connect to the lDAP server.<o:p></o:= p> We are getting the below error :<o:p></o:p> <o:p> </o:p> TLS trace: SSL_connect:before/connect initialization= <o:p></o:p> TLS trace: SSL_connect:SSLv3 write client hello A<o:= p></o:p> TLS trace: SSL_connect:SSLv3 read server hello A<o:p= ></o:p> TLS trace: SSL_connect:SSLv3 process tls extension<o= :p></o:p> TLS trace: SSL_connect:SSL3 post/by-pass tls extensi= on processing<o:p></o:p> TLS trace: SSL_connect:SSLv3 read server certificate= A<o:p></o:p> TLS certificate verification: depth: 0, err: 0, subj= ect: /CN=3DITSUSRANADC55.na.jnj.com, issuer: /DC=3Dcom/DC=3Djnj/CN=3DJNJ In= ternal Online CA C2<o:p></o:p> TLS certificate verification: depth: 1, err: 0, subj= ect: /DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA C2, issuer: /DC=3DCOM/D= C=3DJNJ/CN=3DJNJ Internal Root Certification Authority<o:p></o:p> TLS certificate verification: depth: 2, err: 0, subj= ect: /DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certification Authority, iss= uer: /DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certification Authority<o:p>= </o:p> TLS trace: SSL3 alert write:fatal:certificate unknown<o:p></o:p><= /p> TLS trace: SSL_connect:error in SSL3 certificate verify A<o:p></o:p></sp= an> TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFIC= ATE:certificate verify failed (ok).<o:p></o:p> After Calling ldap_int_open_connection rc =3D 0<o:p>= </o:p> LDAP_SERVER_DOWN<o:p></o:p> <o:p> </o:p> The same certificate (pem) connects perfectly with o= penssl commands.<o:p></o:p> <o:p> </o:p> [dmfs4adm@itsusral00157 ldapdb]$ openssl s_client -CAfile /dmfs4/apps/do= cumentum/dba/secure/ldapdb/INT-PROD-Root-Intermedia_0320.pem -connect ITSUS= RANADC41.na.j nj.com:3269<o:p></o:p> CONNECTED(00000003)<o:p></o:p> depth=3D2 DC =3D COM, DC =3D JNJ, CN =3D JNJ Interna= l Root Certification Authority<o:p></o:p> verify return:1<o:p></o:p> depth=3D1 DC =3D com, DC =3D jnj, CN =3D JNJ Interna= l Online CA A2<o:p></o:p> verify return:1<o:p></o:p> depth=3D0 CN =3D ITSUSRANADC41.na.jnj.com<o:p></o:p>= verify return:1<o:p></o:p> —<o:p></o:p> Certificate chain<o:p></o:p> 0 s:/CN=3DITSUSRANADC41.na.jnj.com<o:p></o:p> i:/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA A2<= o:p></o:p> 1 s:/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA A= 2<o:p></o:p> i:/DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certific= ation Authority<o:p></o:p> —<o:p></o:p> Server certificate<o:p></o:p> ----BEGIN CERTIFICATE----<o:p></o:p> MIIG0zCCBbugAwIBAgIKNPjZjAAAANPqDjANBgkqhkiG9w0BAQUF= ADBOMRMwEQYK<o:p></o:p> CZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDam5qMSIw= IAYDVQQDExlK<o:p></o:p> TkogSW50ZXJuYWwgT25saW5lIENBIEEyMB4XDTE2MDkwNjIzMTI0= M1oXDTE3MDkw<o:p></o:p> NjIzMTI0M1owIzEhMB8GA1UEAxMYSVRTVVNSQU5BREM0MS5uYS5q= bmouY29tMIIB<o:p></o:p> IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlmJd7MNGtotF= 5zXbWJdSaezG<o:p></o:p> LDk1ty98yceBIDz6P1JIYAP84QtEMA+xO3GW7Y+oPjBt= MjoEd7P1gLmCVxC9zf69<o:p></o:p> GNOgYjMsjo4QbynPcgcxMGnpwj8yHQVPLkRe7Do2qpfDz3jhVRT7= cJ+u3xu+z66x<o:p></o:p> /JbhCrySeekqL9O6O96YpqMFi+897Lgg9QPphjgrvrD5VmxH= fH0V7p7sc/DcIufJ<o:p></o:p> Ifjj7DGotaffcc90VZxj+vQd1iO5AchaDkIUiPLES9AsbcXe= i8Fau6pcFKpQBh5l<o:p></o:p> fynm73EU01FP+RN//6WpyoIVXVc5uTE9ua7q+O2nGb46= FnKlegGpI3iJCh5NJwID<o:p></o:p> AQABo4ID3DCCA9gwOwYJKwYBBAGCNxUHBC4wLAYkKwYBBAGCNxUI= gtGfI5rtGIad<o:p></o:p> nTSHnpIqh8HUUmmEo+JQuZUUAgFkAgEFMDMGA1UdJQQsMCoG= CCsGAQUFCAICBgor<o:p></o:p> BgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/= BAQDAgWgMBgG<o:p></o:p> A1UdIAQRMA8wDQYLYIZIAYb4AgMCAQowQQYJKwYBBAGCNxUKBDQw= MjAKBggrBgEF<o:p></o:p> BQgCAjAMBgorBgEEAYI3FAICMAoGCCsGAQUFBwMBMAoGCCsGAQUF= BwMCMIGjBgNV<o:p></o:p> HREEgZswgZiCGElUU1VTUkFOQURDNDEubmEuam5qLmNvbYIKbmEu= am5qLmNvbYIN<o:p></o:p> bmFkaXIuam5qLmNvbYITbmFsZWdhY3lkaXIuam5qLmNvbYITbmFu= ZXh0b3NkaXIu<o:p></o:p> am5qLmNvbYIQbmFpY2VkaXIuam5qLmNvbYIUbmFzcGVjaWFsZGly= Lmpuai5jb22C<o:p></o:p> D25hZndkaXIuam5qLmNvbTAdBgNVHQ4EFgQU11fVbuyGZpo8ApfM= elvW1TFrH3ow<o:p></o:p> HwYDVR0jBBgwFoAUhlNccpOupTSpisgGUUr+XzVQOeEwggEJ= BgNVHR8EggEAMIH9<o:p></o:p> MIH6oIH3oIH0hoHKbGRhcDovLy9DTj1KTkolMjBJbnRlcm5hbCUy= ME9ubGluZSUy<o:p></o:p> MENBJTIwQTIsQ049SVRTVVNSQUpOSkNBMyxDTj1DRFAsQ049UHVi= bGljJTIwS2V5<o:p></o:p> JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv= bixEQz1qbmos<o:p></o:p> REM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9v= YmplY3RDbGFz<o:p></o:p> cz1jUkxEaXN0cmlidXRpb25Qb2ludIYlaHR0cDovL2ludHByb2Rj= cmwuam5qLmNv<o:p></o:p> bS9pbnRjYWEyLmNybDCCAQIGCCsGAQUFBwEBBIH1MIHyMIG8Bggr= BgEFBQcwAoaB<o:p></o:p> r2xkYXA6Ly8vQ049Sk5KJTIwSW50ZXJuYWwlMjBPbmxpbmUlMjBD= QSUyMEEyLENO<o:p></o:p> PUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2= aWNlcyxDTj1D<o:p></o:p> b25maWd1cmF0aW9uLERDPWpuaixEQz1jb20/Y0FDZXJ0aWZpY2F0= ZT9iYXNlP29i<o:p></o:p> amVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwMQYIKwYB= BQUHMAKGJWh0<o:p></o:p> dHA6Ly9pbnRwcm9kcGtpLmpuai5jb20vaW50Y2FhMi5wN2MwDQYJ= KoZIhvcNAQEF<o:p></o:p> BQADggEBAE1hMzal6XiA0Rz1zsTlqAvZiXJg9urK/FcoeL4kiSGC= VXQFPYZPRRG7<o:p></o:p> cwVBTkqABfNvTr2L7WTr2wqZL25HjY4hphK97I4BvCydpQLCEYPi= SatY8kFN8Mpu<o:p></o:p> rDTqNlzTEKt7qId9yDrsKmOI+Gs3hHrWPri1fdOeSlkwIUN5= gKCwdH/h44LYU8Z5<o:p></o:p> 4tSjWAkh0hkOU0pija45i7tkBzTholXoOEmAmv7G9UlhLuk950yL= zu58yW4aBda1<o:p></o:p> rev0YtUsKjpfSbTWRwcxeYhspcEq2oGYsWD47wLxQJXHUiRWcXyY= uOKiQiu4gjZ7<o:p></o:p> hS9/xvPvJ3zvxHoI7qF4A8VBgF8c4lQ=3D<o:p></o:p> ----END CERTIFICATE----<o:p></o:p> subject=3D/CN=3DITSUSRANADC41.na.jnj.com<o:p></o:p><= /p> issuer=3D/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online= CA A2<o:p></o:p> —<o:p></o:p> Acceptable client certificate CA names<o:p></o:p></p= > /CN=3DITSUSRANADC41.na.jnj.com<o:p></o:p> /C=3DSE/O=3DAddTrust AB/OU=3DAddTrust External TTP N= etwork/CN=3DAddTrust External CA Roo t<o:p></o:p> /C=3DUS/O=3DJNJ/OU=3DJNJ Public Key Authorities/CN= =3DJNJ 2048bit Root Certification Auth ority<o:p></o:p> /C=3DUS/O=3DJNJ/OU=3DJNJ Public Key Authorities/CN= =3DJNJ Root Certification Authority<o:p></o:p> /DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certificat= ion Authority<o:p></o:p> /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Netwo= rk/OU=3D(c) 2008 VeriSign, Inc. - Fo r authorized use only/CN=3DVeriSign Un= iversal Root Certification Authority<o:p></o:p> /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Netwo= rk/OU=3D(c) 2006 VeriSign, Inc. - Fo r authorized use only/CN=3DVeriSign Cl= ass 3 Public Primary Certification Authority - G5<o:p></o:p> /C=3DUS/O=3DVeriSign, Inc./OU=3DClass 3 Public Prima= ry Certification Authority<o:p></o:p> /C=3DUS/O=3DVeriSign, Inc./OU=3DClass 3 Public Prima= ry Certification Authority - G2/OU =3D(c) 1998 VeriSign, Inc. - For authori= zed use only/OU=3DVeriSign Trust Network<o:p></o:p> /C=3DUS/ST=3DWashington/L=3DRedmond/O=3DMicrosoft Co= rporation/CN=3DMicrosoft Root Certific ate Authority 2011<o:p></o:p> /C=3DUS/O=3DGTE Corporation/OU=3DGTE CyberTrust Solu= tions, Inc./CN=3DGTE CyberTrust Glob al Root<o:p></o:p> /C=3DIE/O=3DBaltimore/OU=3DCyberTrust/CN=3DBaltimore= CyberTrust Root<o:p></o:p> /C=3DUS/ST=3DWashington/L=3DRedmond/O=3DMicrosoft Co= rporation/CN=3DMicrosoft Root Certific ate Authority 2010<o:p></o:p> /O=3DSymantec Corporation/CN=3DSymantec Root CA<o:p>= </o:p> /OU=3DCopyright (c) 1997 Microsoft Corp./OU=3DMicros= oft Corporation/CN=3DMicrosoft Roo t Authority<o:p></o:p> /C=3DUS/O=3DSymantec Corporation/CN=3DSymantec Root = 2005 CA<o:p></o:p> /DC=3Dcom/DC=3Dmicrosoft/CN=3DMicrosoft Root Certifi= cate Authority<o:p></o:p> /CN=3DNT AUTHORITY<o:p></o:p> —<o:p></o:p> SSL handshake has read 5700 bytes and written 619 by= tes<o:p></o:p> —<o:p></o:p> New, TLSv1/SSLv3, Cipher is AES128-SHA256<o:p></o:p>= Server public key is 2048 bit<o:p></o:p> Secure Renegotiation IS supported<o:p></o:p> Compression: NONE<o:p></o:p> Expansion: NONE<o:p></o:p> SSL-Session:<o:p></o:p> Protocol : TLSv1.2<o:p></o:p> Cipher : AES128-SHA256<o:p></o:p> Session-ID: 743C00003D9B50EAA53C45E670C3E9682DBE86BA= 873CEA5B35BFB16B7CE5A625<o:p></o:p> Session-ID-ctx:<o:p></o:p> Master-Key: 0DB1DB6C4E9B3BE57E6E3A38B3A68EACAF96A786= 50EA978B4A8860B35BBDCCB4 61DA777F8C0D83ED53CCFE82748D3F86<o:p></o:p> Key-Arg : None<o:p></o:p> Krb5 Principal: None<o:p></o:p> PSK identity: None<o:p></o:p> PSK identity hint: None<o:p></o:p> Start Time: 1490103903<o:p></o:p> Timeout : 300 (sec)<o:p></o:p> Verify return code: 0 (ok)<o:p></o:p> —<o:p></o:p> <o:p> </o:p> <o:p> </o:p> <o:p> </o:p> Could you let us know what we could be missing here?= <o:p></o:p> <o:p> </o:p> The pem contains certificates JNJ Internal Root Cert= ification Authority and CN=3DJNJ Internal Online CA C2 .Are we missing &nbs= p;anything here?<o:p></o:p> Any help would be greatly appreciated.<o:p></o:p></p= > <o:p> </o:p> Thanks<o:p></o:p> Anitha<o:p></o:p> <o:p> </o:p> <o:p> </o:p> </div> </body> </html> --_000_15687A439BFEE848B596FFB9FB92A77B627F577AMX101CL01corpem_--

1 0

Re: (ITS#8291) ./run -b hdb test007 fails
by ondra＠mistotebe.net 30 Mar '17

30 Mar '17

The patches are available at ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170330-slapmodify-BerkeleyD… -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

Re: (ITS#7387) ldapcppei contribution
by quanah＠symas.com 29 Mar '17

29 Mar '17

Hello Philippe, Thanks for looking to contribute to the OpenLDAP project. Your submission does not appear to have followed the submission guidelines for the project, located at: <http://www.openldap.org/devel/contributing.html> In addition, I would note the following: a) How does this submission differ from, or improve upon, the ldapc++ API that is already shipped with OpenLDAP? b) Your chosen license may cause your contribution to be rejected (See contribution guidelines). If you would still like your work to be included with the OpenLDAP project, please review the contribution guidelines and follow up to the ITS with the proper format, etc. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#7085) mutex lockup issue
by quanah＠symas.com 29 Mar '17

29 Mar '17

Hi Soichi, I was curious if you still encounter this issue using current OpenLDAP and back-mdb. I would note the back-bdb/hdb backends are now deprecated. It also occurred to me that the issue may have been related to lack of lock resources, etc (which are generally set in DB_CONFIG). Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs