openldap-bugs

openldap-bugs@openldap.org

1 participants
21065 discussions

(ITS#7889) rwm overlay causes incorrect acl parsing
by alexoz66＠gmail.com 02 Jul '14

02 Jul '14

Full_Name: John Alex. Version: 2.4.39 OS: FreeBSD 9.2-RELEASE URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (62.1.253.119) When enabling the rwm overlay on a database, even without setting any rewrite rules, in certain cases some access rules are not evaluated correctly. My test configuration (without the cn=schema,cn=config entries): dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: slapd.conf olcConfigDir: slapd.d olcArgsFile: /var/run/openldap/slapd.args olcAttributeOptions: lang- olcLogLevel: stats acl olcPidFile: /var/run/openldap/slapd.pid olcTLSCRLCheck: none olcTLSVerifyClient: never olcTLSProtocolMin: 0.0 dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/local/libexec/openldap olcModuleLoad: {0}back_mdb dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage by * break olcAccess: {1}to dn.base="" by * read olcAccess: {2}to dn.base="cn=subschema" by * read olcSchemaDN: cn=Subschema dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage olcAddContentAcl: TRUE olcRootDN: cn=admin,cn=config olcRootPW:: dGVzdDEyMw== dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /var/db/openldap-data/main olcSuffix: dc=example,dc=com olcRootDN: cn=admin,dc=example,dc=com olcDbIndex: objectClass eq olcDbIndex: ou,uid eq olcDbMaxSize: 4294967296 olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage by * break olcAccess: {1}to dn.one="ou=people,dc=example,dc=com" filter="(ou=someunit)" a ttrs=userPassword by * none olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=com" by dn.base="cn=suser ,ou=admins,dc=example,dc=com" read by * break olcAccess: {3}to attrs=userPassword by anonymous auth olcAccess: {4}to dn.base="dc=example,dc=com" by * read olcAccess: {5}to dn.subtree="ou=people,dc=example,dc=com" by * read olcRootPW:: dGVzdDEyMw== dn: olcOverlay={0}rwm,olcDatabase={1}mdb,cn=config objectClass: olcRwmConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}rwm ------------------------------------------------- And the contents of the main db: dn: dc=example,dc=com objectClass: organization objectClass: top objectClass: dcObject dc: example o: example.com dn: ou=admins,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: admins dn: ou=people,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: people dn: cn=suser,ou=admins,dc=example,dc=com sn: - cn: suser objectClass: person objectClass: top userPassword:: dGVzdDEyMw== dn: uid=jdoe,ou=people,dc=example,dc=com uid: jdoe sn: Doe cn: John Doe objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top ou: someunit userPassword:: dGVzdDEyMw== ------------------------------------------------- The above rules should not allow anyone but the local root user access to the userPassword attribute of entries under "ou=people,dc=example,dc=com" that match the filter (ou=someunit). slapacl confirms that for user 'suser': % slapacl -F /usr/local/etc/openldap/slapd.d/ -v -D "cn=suser,ou=admins,dc=example,dc=com" -b "uid=jdoe,ou=people,dc=example,dc=com" authcDN: "cn=suser,ou=admins,dc=example,dc=com" entry: read(=rscxd) children: read(=rscxd) uid=jdoe: read(=rscxd) sn=Doe: read(=rscxd) cn=John Doe: read(=rscxd) objectClass=inetOrgPerson: read(=rscxd) objectClass=organizationalPerson: read(=rscxd) objectClass=person: read(=rscxd) objectClass=top: read(=rscxd) structuralObjectClass=inetOrgPerson: read(=rscxd) entryUUID=a6478f94-80df-1033-8692-c5a9d2143987: read(=rscxd) creatorsName=cn=admin,dc=example,dc=com: read(=rscxd) createTimestamp=20140605092934Z: read(=rscxd) ou=someunit: read(=rscxd) userPassword=****: none(=0) entryCSN=20140605093709.772129Z#000000#000#000000: read(=rscxd) modifiersName=cn=admin,dc=example,dc=com: read(=rscxd) modifyTimestamp=20140605093709Z: read(=rscxd) % slapacl -F /usr/local/etc/openldap/slapd.d/ -v -D "cn=suser,ou=admins,dc=example,dc=com" -b "uid=jdoe,ou=people,dc=example,dc=com" userPassword/read authcDN: "cn=suser,ou=admins,dc=example,dc=com" read access to userPassword: DENIED ------------------------------------------------- Requesting all attributes of the entry "uid=jdoe,ou=people,dc=example,dc=com" yields the expected result: % ldapsearch -LLL -H ldapi:/// -D "cn=suser,ou=admins,dc=example,dc=com" -W -x -b "ou=people,dc=example,dc=com" "uid=jdoe" dn: uid=jdoe,ou=people,dc=example,dc=com uid: jdoe sn: Doe cn: John Doe objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top ou: someunit However, when requesting the userPassword attribute explicitly, the rule that blocks access to that attribute is somehow ignored: % ldapsearch -LLL -H ldapi:/// -D "cn=suser,ou=admins,dc=example,dc=com" -W -x -b "ou=people,dc=example,dc=com" "uid=jdoe" "userPassword" dn: uid=jdoe,ou=people,dc=example,dc=com userPassword:: dGVzdDEyMw== ------------------------------------------------- Removing either the "filter=(ou=someunit)" or the "attrs=userPassword" part of the corresponding rule results in correct parsing of the ACL in the above cases, but in order for the full rule to work, I had to remove the rwm overlay configuration completely (setting "rwm-rewriteEngine off" did not make a difference). # /usr/local/libexec/slapd -V @(#) $OpenLDAP: slapd 2.4.39 (May 9 2014 09:26:03) $

1 0

(ITS#7888) client configuration---openldap n-way multi-master replication
by idpbg-it-dba＠mail.foxconn.com 30 Jun '14

30 Jun '14

Full_Name: Robert.YQ.Feng Version: 2.4.23-31 OS: redhat linux 6.4 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (218.29.136.228) Hi man: Who can do me a big favor, I has been configuration my LDAP Server with N-way multi-master Mode. The syncronization working good with eachother in 4 masters. My issue is How to right configuration the client's URI and to let my LDAP client have tow ldapservers and to guarantee the authentication have redundancy . Best regards. Robert.YQ.Feng

1 0

Re: (ITS#7877) please make gcrypt optional with newer gnutls
by hyc＠symas.com 30 Jun '14

30 Jun '14

ryan(a)nardis.ca wrote: > On Mon, Jun 30, 2014 at 5:05 AM, Howard Chu <hyc(a)symas.com> wrote: >> The only reason GnuTLS support exists in OpenLDAP is because of Debian. >> Therefore, if Debian no longer uses libgcrypt, I'm happy to rip all of that >> crap out. > > Sounds good to me. So a patch that removes gcrypt entirely looks like: > > ftp://ftp.openldap.org/incoming/20140630_rtandy_0001-ITS-7877-use-nettle-in… > > (I assume the explicit threading setup is important, if not maybe the > gnutls_global_set_mutex part could be removed too...) > > That requires gnutls 2.12.0 or newer, so then I think we can also > remove the compatibility code for older versions: > > ftp://ftp.openldap.org/incoming/20140630_rtandy_0002-assume-gnutls-provides… > ftp://ftp.openldap.org/incoming/20140630_rtandy_0003-assume-gnutls-is-at-le… > >> Just tell us at which version of GnuTLS you switched to nettle and we'll make >> that the minimum supported version. > > Debian builds gnutls with nettle starting from 3.0.0. The API used in > tls_g.c is all backend agnostic though. I tried with 2.12.20 (with > gcrypt backend) and everything looks fine in slapd and clients > including the threading setup. I think 2.12.0 as minimum version would > be fine, and then nettle vs gcrypt only matters for smbk5pwd users. > > Thanks for considering my patches. Committed to master. I've also added a check for 2.12.0 to the configure script. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7877) please make gcrypt optional with newer gnutls
by ryan＠nardis.ca 30 Jun '14

30 Jun '14

On Mon, Jun 30, 2014 at 5:05 AM, Howard Chu <hyc(a)symas.com> wrote: > The only reason GnuTLS support exists in OpenLDAP is because of Debian. > Therefore, if Debian no longer uses libgcrypt, I'm happy to rip all of that > crap out. Sounds good to me. So a patch that removes gcrypt entirely looks like: ftp://ftp.openldap.org/incoming/20140630_rtandy_0001-ITS-7877-use-nettle-in… (I assume the explicit threading setup is important, if not maybe the gnutls_global_set_mutex part could be removed too...) That requires gnutls 2.12.0 or newer, so then I think we can also remove the compatibility code for older versions: ftp://ftp.openldap.org/incoming/20140630_rtandy_0002-assume-gnutls-provides… ftp://ftp.openldap.org/incoming/20140630_rtandy_0003-assume-gnutls-is-at-le… > Just tell us at which version of GnuTLS you switched to nettle and we'll make > that the minimum supported version. Debian builds gnutls with nettle starting from 3.0.0. The API used in tls_g.c is all backend agnostic though. I tried with 2.12.20 (with gcrypt backend) and everything looks fine in slapd and clients including the threading setup. I think 2.12.0 as minimum version would be fine, and then nettle vs gcrypt only matters for smbk5pwd users. Thanks for considering my patches.

1 0

Re: (ITS#7877) please make gcrypt optional with newer gnutls
by hyc＠symas.com 30 Jun '14

30 Jun '14

hyc(a)symas.com wrote: > ryan(a)nardis.ca wrote: >> Full_Name: Ryan Tandy >> Version: HEAD >> OS: Debian unstable >> URL: >> Submission from: (NULL) (142.32.208.235) >> The following changes make gcrypt optional for libldap. For versions where both >> nettle and gcrypt are supported, I assume the default since no mechanism is >> provided for detecting which is actually in use. > > Yet another flaw in GnuTLS design... > >> Tested with GnuTLS 2.8.6 and >> 3.2.15. Just tell us at which version of GnuTLS you switched to nettle and we'll make that the minimum supported version. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7877) please make gcrypt optional with newer gnutls
by hyc＠symas.com 30 Jun '14

30 Jun '14

ryan(a)nardis.ca wrote: > Full_Name: Ryan Tandy > Version: HEAD > OS: Debian unstable > URL: > Submission from: (NULL) (142.32.208.235) > > > Debian bug report: https://bugs.debian.org/745231 > > Quoting Andreas Metzler: > > "given that gmp has been dual-licensed LGPLv3+/GPLv2+ it should be possible to > switch openldap over to the newer version of gnutls. > > Upstream's 0205e83f4670d10ad3c6ae4b8fc5ec1d0c7020c0 lets the Debian package > build successfully (including testsuite). The only reason GnuTLS support exists in OpenLDAP is because of Debian. Therefore, if Debian no longer uses libgcrypt, I'm happy to rip all of that crap out. There's no reason for us to even keep optional support for it because that gives the mistaken impression that we endorse its use. Which we most vehemently do not. > However even with patch there is still some work to be done. > libraries/libldap/tls_g.c has some gcrypt related code that should be simply > unnecessary with gnutls3, therefore it should not link against libgcrypt either. > (Except for contrib/slapd-modules/smbk5pwd/smbk5pwd.c)." > > The following changes make gcrypt optional for libldap. For versions where both > nettle and gcrypt are supported, I assume the default since no mechanism is > provided for detecting which is actually in use. Yet another flaw in GnuTLS design... > Tested with GnuTLS 2.8.6 and > 3.2.15. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7885) [PATCH] wrong RPATH in contrib/passwd/Makefile
by hyc＠symas.com 30 Jun '14

30 Jun '14

ryan(a)nardis.ca wrote: > Full_Name: Ryan Tandy > Version: master > OS: Debian unstable > URL: > Submission from: (NULL) (24.68.121.206) > > > Similar to #7858, another easy patch. Thanks, committed to master. > > >>From 3047469eb717018e5b292352626cd084477faf12 Mon Sep 17 00:00:00 2001 > From: Ryan Tandy <ryan(a)nardis.ca> > Date: Fri, 27 Jun 2014 11:15:26 -0700 > Subject: [PATCH] fix contrib/passwd RPATH > > --- > contrib/slapd-modules/passwd/Makefile | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/contrib/slapd-modules/passwd/Makefile > b/contrib/slapd-modules/passwd/Makefile > index ba41304..c240366 100644 > --- a/contrib/slapd-modules/passwd/Makefile > +++ b/contrib/slapd-modules/passwd/Makefile > @@ -33,19 +33,19 @@ all: $(PROGRAMS) > > pw-kerberos.la: kerberos.lo > $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ > - -rpath $(PREFIX)/lib -module -o $@ $? -lkrb5 > + -rpath $(moduledir) -module -o $@ $? -lkrb5 > > pw-netscape.la: netscape.lo > $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ > - -rpath $(PREFIX)/lib -module -o $@ $? > + -rpath $(moduledir) -module -o $@ $? > > pw-radius.la: radius.lo > $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ > - -rpath $(PREFIX)/lib -module -o $@ $? -lradius > + -rpath $(moduledir) -module -o $@ $? -lradius > > pw-apr1.la: apr1.lo > $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ > - -rpath $(PREFIX)/lib -module -o $@ $? > + -rpath $(moduledir) -module -o $@ $? > > clean: > rm -rf *.o *.lo *.la .libs > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

ITS#7884 Not able to communicate with secure ldap
by hyc＠symas.com 30 Jun '14

30 Jun '14

The version of OpenLDAP you're using is 6 years old and no longer supported by the OpenLDAP Project. The configuration you're using is invalid, read the ldap.conf(5) manpage. There is no bug in OpenLDAP Software here, this ITS will be closed. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7886) mdb_ovpage_free() can break mdb_copy
by hyc＠symas.com 30 Jun '14

30 Jun '14

h.b.furuseth(a)usit.uio.no wrote: > Full_Name: Hallvard B Furuseth > Version: LMDB_0.9.13 > OS: Linux x86_64 > URL: > Submission from: (NULL) (81.191.45.35) > Submitted by: hallvard > > > Allocate an ovpage from mt_next_pgno, mdb_ovpage_free() it > and commit: The datafile may end before MDB_meta.mm_last_pg > since the ovpage was never written. mdb_env_copyfd() & co > break when they read the file to mm_last_pg. fixed in mdb.master > > Same with loose pages if mdb_page_flush() skipped them, > which it could: ecde3a4008f5080d8264926f49680db27804787f > in my branch mdb/loose3. > > Bug demo: > > rm data.mdb; ./a.out && ./mdb_copy . > copy.mdb > ./mdb_copy: copying failed, error 14 (Bad address) > > (Piping it to /dev/null succeeds on Linux, apparently > it doesn't read anything.) > > #include "lmdb.h" > #include <stdio.h> > #include <stdlib.h> > #define E(expr) CHECK((rc = (expr)) == MDB_SUCCESS, #expr) > #define CHECK(test, msg) ((test) ? (void)0 : ((void)fprintf(stderr, \ > "%s:%d: %s: %s\n", __FILE__, __LINE__, msg, mdb_strerror(rc)), abort())) > > int main(void) > { > int rc; > unsigned sz; > MDB_env *env; > MDB_txn *txn; > MDB_dbi dbi; > static char buf[20000]; > E(mdb_env_create(&env)); > E(mdb_env_open(env, ".", 0, 0664)); > for (sz = 0; sz<=sizeof(buf); sz = (sz==2 ? sizeof(buf) : sz+1)) { > E(mdb_txn_begin(env, NULL, 0, &txn)); > E(mdb_dbi_open(txn, NULL, 0, &dbi)); > E(mdb_put(txn, dbi, &(MDB_val){4,&sz}, &(MDB_val){sz,buf}, 0)); > if (sz) > E(mdb_del(txn, dbi, &(MDB_val){4,&sz}, NULL)); > E(mdb_txn_commit(txn)); > } > mdb_env_close(env); > return 0; > } > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7887) mkrelease breaks on building guide.html
by hyc＠symas.com 30 Jun '14

30 Jun '14

openldap(a)semyon.org wrote: > Full_Name: Semyon Chaichenets > Version: 2.4.39 > OS: Linux 3.2.0-64-generic #97-Ubuntu SMP Wed Jun 4 22:04:21 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux > URL: https://gist.githubusercontent.com/leveche/307be9cb9de55c4085d8/raw/9a1ce68… > Submission from: (NULL) (69.165.226.82) > > > Trivial typo in doc/guide/admin/install.sdf breaks mkrelease in current HEAD > (f6eacdb). Trivial fix included. > > Fixed now in master, thanks. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs