- openldap-bugs - openldap.org

[Issue 9852] New: Error
by openldap-its＠openldap.org 24 May '22

24 May '22

https://bugs.openldap.org/show_bug.cgi?id=9852 Issue ID: 9852 Summary: Error Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: aarounsmind03(a)gmail.com Target Milestone: --- -- You are receiving this mail because: You are on the CC list for the issue.

1 1

[Issue 9851] New: Register Problem
by openldap-its＠openldap.org 23 May '22

23 May '22

https://bugs.openldap.org/show_bug.cgi?id=9851 Issue ID: 9851 Summary: Register Problem Product: website Version: unspecified Hardware: All OS: Other Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: iampupdate(a)gmail.com Target Milestone: --- https://www.bharatpostlive.com/approval-of-amendment-in-national-bio-fuel-p… -- You are receiving this mail because: You are on the CC list for the issue.

1 1

[Issue 9848] New: Test 022-ppolicy fails on master if slapd has only --enable-overlays and --with-tls=openssl
by openldap-its＠openldap.org 16 May '22

16 May '22

https://bugs.openldap.org/show_bug.cgi?id=9848 Issue ID: 9848 Summary: Test 022-ppolicy fails on master if slapd has only --enable-overlays and --with-tls=openssl Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: dstoychev(a)symas.com Target Milestone: --- **Steps to reproduce: - Checkout master ./configure --enable-overlays --with-tls=openssl make depend make make test **Current result: Test fails, here is the output: ./run test022-ppolicy Cleaning up test run directory leftover from previous run. Running ./scripts/test022-ppolicy for mdb... running defines.sh Starting slapd on TCP/IP port 9011... Using ldapsearch to check that slapd is running... Testing redundant ppolicy instance... Using ldapadd to populate the database... Testing account lockout... Waiting 13 seconds for lockout to reset... Testing password expiration Waiting 10 seconds for password to expire... Resetting password to clear expired status Filling password history... Testing password history... Testing failed logins when password/policy missing... Testing forced reset... Clearing forced reset... Testing Safe modify... Testing length requirement... Testing hashed length requirement... Testing multiple password add/modify checks... Testing idle password expiration Switching to a policy with idle expiration... Waiting 15 seconds for password to expire... Reverting to Standard policy... Testing obsolete Netscape ppolicy controls... Enabling Netscape controls... Reconfiguring policy to remove grace logins... ldapmodify failed (255)! **Expected result: Test passed **Notes: - Reproducible on master branch only. - Same test passes on 2.6 branch (with the same slapd config) - Test could pass on master if other "configure" options are enabled, so make sure to use only "--enable-overlays" and "--with-tls=openssl" to reproduce -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 7165] Killing slap tools breaks the running mdb
by openldap-its＠openldap.org 16 May '22

16 May '22

https://bugs.openldap.org/show_bug.cgi?id=7165 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #7 from Quanah Gibson-Mount <quanah(a)openldap.org> --- HEAD: • 205e2f1a by Howard Chu at 2022-05-16T13:54:08+00:00 ITS#7165 back-mdb: check for stale readers on MDB_READERS_FULL RE26: • 7e7f01c3 by Howard Chu at 2022-05-16T15:09:08+00:00 ITS#7165 back-mdb: check for stale readers on MDB_READERS_FULL RE25: • f3d89d62 by Howard Chu at 2022-05-16T15:11:51+00:00 ITS#7165 back-mdb: check for stale readers on MDB_READERS_FULL -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7165] Killing slap tools breaks the running mdb
by openldap-its＠openldap.org 16 May '22

16 May '22

https://bugs.openldap.org/show_bug.cgi?id=7165 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|needs_review | Target Milestone|--- |2.5.13 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9838] New: Add decoding of the RFC 4517 Postal Address format
by openldap-its＠openldap.org 16 May '22

16 May '22

https://bugs.openldap.org/show_bug.cgi?id=9838 Issue ID: 9838 Summary: Add decoding of the RFC 4517 Postal Address format Product: JLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: JDBC Assignee: bugs(a)openldap.org Reporter: fredrik(a)roubert.name Target Milestone: --- No software connecting to an LDAP database through JDBC can be expected to know anything at all about LDAP, so no such software can be expected to be able to decode the RFC 4517 Postal Address format (1.3.6.1.4.1.1466.115.121.1.41). -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 7165] Killing slap tools breaks the running mdb
by openldap-its＠openldap.org 16 May '22

16 May '22

https://bugs.openldap.org/show_bug.cgi?id=7165 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |hyc(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7165] Killing slap tools breaks the running mdb
by openldap-its＠openldap.org 16 May '22

16 May '22

1 0

[Issue 9385] New: Opening an env with MDB_NOSUBDIR with no existing file returns error
by openldap-its＠openldap.org 13 May '22

13 May '22

https://bugs.openldap.org/show_bug.cgi?id=9385 Issue ID: 9385 Summary: Opening an env with MDB_NOSUBDIR with no existing file returns error Product: LMDB Version: unspecified Hardware: All OS: Mac OS Status: UNCONFIRMED Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: kriszyp(a)gmail.com Target Milestone: --- Created attachment 776 --> https://bugs.openldap.org/attachment.cgi?id=776&action=edit A fix to tolerate stat call on non-existing file Calling mdb_env_open with a file path to a file that doesn't exist yet, with MDB_NOSUBDIR on a non-Windows OS will return an error indicating that the file doesn't exist. This is supposed to create a new file, and works properly on the mdb.master branch, and still functions properly on Windows. The error is due to the stat() call in mdb_env_open prior to the file existing. I attached a patch that tolerates the absence of the file before checking if the file is on a block device. I am not sure if this is the appropriate fix, or if would be better to move this check later in mdb_env_open after the file is created, or alternately, determining the parent directory and calling stat on that. -- You are receiving this mail because: You are on the CC list for the issue.

1 1

[Issue 8165] Add proper versioning to liblmdb
by openldap-its＠openldap.org 13 May '22

13 May '22

https://bugs.openldap.org/show_bug.cgi?id=8165 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7754] Unaligned MDB_DUPSORT sub-pages
by openldap-its＠openldap.org 13 May '22

13 May '22

https://bugs.openldap.org/show_bug.cgi?id=7754 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Ever confirmed|0 |1 Status|UNCONFIRMED |IN_PROGRESS --- Comment #3 from Howard Chu <hyc(a)openldap.org> --- mdb.master was changed long ago to pad odd-sized keys to fix this issue. Fix is still unreleased due to the resulting on-disk format change. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7364] mdb: clean up POSIX semaphores on environment close.
by openldap-its＠openldap.org 13 May '22

13 May '22

https://bugs.openldap.org/show_bug.cgi?id=7364 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |trivial Priority|--- |Lowest -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7165] Killing slap tools breaks the running mdb
by openldap-its＠openldap.org 13 May '22

13 May '22

https://bugs.openldap.org/show_bug.cgi?id=7165 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |IN_PROGRESS Ever confirmed|0 |1 --- Comment #6 from Howard Chu <hyc(a)openldap.org> --- > At this point the only potential action I see is to add a check for MDB_READERS_FULL as noted at the beginning of this reply. https://git.openldap.org/openldap/openldap/-/merge_requests/526 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8165] Add proper versioning to liblmdb
by openldap-its＠openldap.org 13 May '22

13 May '22

https://bugs.openldap.org/show_bug.cgi?id=8165 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |DUPLICATE Status|UNCONFIRMED |RESOLVED --- Comment #1 from Howard Chu <hyc(a)openldap.org> --- *** This issue has been marked as a duplicate of issue 7794 *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7794] RFE: Versioned LMDB shared library
by openldap-its＠openldap.org 13 May '22

13 May '22

https://bugs.openldap.org/show_bug.cgi?id=7794 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |quanah(a)openldap.org --- Comment #2 from Howard Chu <hyc(a)openldap.org> --- *** Issue 8165 has been marked as a duplicate of this issue. *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9839] New: Undocumented behavior of ldap_url_parse() when port is 0 in URL string
by openldap-its＠openldap.org 13 May '22

13 May '22

https://bugs.openldap.org/show_bug.cgi?id=9839 Issue ID: 9839 Summary: Undocumented behavior of ldap_url_parse() when port is 0 in URL string Product: OpenLDAP Version: unspecified Hardware: Other OS: Other Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: jiaqing.zhao(a)linux.intel.com Target Milestone: --- In ldap_url_parse(), when the port in URL string is set to 0 like "ldap://example.com:0", the output value of lud_port will be the default port (389 for LDAP, 636 for LDAPs). This behavior is undocumented. I created a patch to illustrate this behavior. As my gitlab account is pending confirmation, I put it in the attachments. This affects OpenLDAP 2.5.x and 2.6.x, but it is already been fixed in master branch https://git.openldap.org/openldap/openldap/-/commit/e3905c989821f6c09576988… for issue #9596. Will it be included in 2.7.0? If so, I may need to add something like "(Until OpenLDAP 2.7.0)" before the line I added. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 8882] Empty Directory String Overlay
by openldap-its＠openldap.org 12 May '22

12 May '22

https://bugs.openldap.org/show_bug.cgi?id=8882 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|IN_PROGRESS |RESOLVED --- Comment #16 from Quanah Gibson-Mount <quanah(a)openldap.org> --- head: • d2057745 by Ondřej Kuzník at 2022-05-10T14:24:49+00:00 ITS#8882 Add slapo-emptyds to contrib RE26: • edc67c6d by Ondřej Kuzník at 2022-05-12T15:45:18+00:00 ITS#8882 Add slapo-emptyds to contrib RE25: • 6c9cb00f by Ondřej Kuzník at 2022-05-12T15:46:13+00:00 ITS#8882 Add slapo-emptyds to contrib -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9843] New: slapcat and slapadd have no -r option
by openldap-its＠openldap.org 12 May '22

12 May '22

https://bugs.openldap.org/show_bug.cgi?id=9843 Issue ID: 9843 Summary: slapcat and slapadd have no -r option Product: OpenLDAP Version: 2.5.12 Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- I run openldap in a chrooted environment, by calling /usr/local/libexec/slapd -d0 -u openldap -r /home/openldap -F /etc/openldap/ -h 'ldap://zzz' I want to migrate 2.5 → 2.6. The manual says first to call slapcat on the databases. In the /home/openldap/etc/openldap directory are the configurations of the databases. The path there: olcDbDirectory: /var/openldap-data/yyy obviously references the path within the chrooted environment, the path is /home/openldap/var/openldap-data/yyy outside the chrooted environment. Slapcat has no -r option. So there is no way to export the databases by using slapcat -n 0 -F /home/openldap/etc/openldap/ . Strace(1) shows that the file openat(AT_FDCWD, "/var/openldap-data/yyy/DUMMY" is missing and the error message is slapcat: bad configuration directory! In fact there is a way: symlinking /var/openldap-data outside the chrooted environment to /var/openldap-data inside the chrooted environment. This way does work, but it requires expert magic like using strace. Please add -r option to slapcat and slapadd, which performs chroot to the directory, after opening the file specified by the -l parameter. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9702] New: slapadd is missing -r chroot option
by openldap-its＠openldap.org 12 May '22

12 May '22

https://bugs.openldap.org/show_bug.cgi?id=9702 Issue ID: 9702 Summary: slapadd is missing -r chroot option Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- I want to run slapd under chroot with the -r option. In order to initialize the setup, I want to use `slapadd -n0 configuration.ldif`. The configuration file contains mdb databases and these databases have `olcDbDirectory: ` paths. Since slapd will load the databases from the chroot environment, the directory names must be submitted to slapadd to be correct in the chroot environment. This means, that outside the chroot environment the directory paths are not correct. When I call `slapadd -n0 ` I get the error olcDbDirectory: value #0: invalid path: No such file or directory slapadd: could not add entry dn="olcDatabase={1}mdb,cn=config" (line=909): Closing DB... which means, that slapadd cannot open (outside the chrooted environment) the olcDbDirectory path. Thus slapadd shall first enter the chrooted environment, but it lacks option for this. Probably slapcat will also need this option to dump the databases. The chrooted environment is created specially for openldap, so it contains no tools. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9845] New: slapd Deamon is Crashed on OpenVMS_x86
by openldap-its＠openldap.org 12 May '22

12 May '22

https://bugs.openldap.org/show_bug.cgi?id=9845 Issue ID: 9845 Summary: slapd Deamon is Crashed on OpenVMS_x86 Product: OpenLDAP Version: 2.5.7 Hardware: x86_64 OS: Other Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: client tools Assignee: bugs(a)openldap.org Reporter: jeetu.singh(a)aol.com Target Milestone: --- CH2105_SYSTEM> @SYS$COMMON:[SYS$STARTUP]LDAP$STARTUP.COM; %RUN-S-PROC_ID, identification of created process is 20E0043A CH2105_SYSTEM> sho time 11-MAY-2022 06:09:20 CH2105_SYSTEM> sho proc/id=20E0043A %SYSTEM-W-NONEXPR, nonexistent process CH2105_SYSTEM> ty ldap$varroot:[run]slapd.log; $ runcmd = "$ldap$bin:slapd.exe" $ dbglvl = f$trnlnm("LDAP$DEBUG") $ if dbglvl .nes. "" then runcmd = "$ldap$bin:slapd.exe -d " $ runcmd %DEBUGBOOT-W-EXPGFLQUOTA, exceeded pagefile quota %SYSTEM-W-EXIT_UNWIND, exit unwind currently in progress SYSTEM job terminated at 11-MAY-2022 06:09:17.86 Accounting information: Buffered I/O count: 778 Peak working set size: 44368 Direct I/O count: 117 Peak virtual size: 962112 Page faults: 3447 Mounted volumes: 0 Charged CPU time: 0 00:00:00.38 Elapsed time: 0 00:00:00.50 Please let me know if any further input needed. Request to provide "How to configure OpenLDAP on OpenVMS_x86 Environment" Manual. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9745] New: Local Logging - Timestamp Formatting
by openldap-its＠openldap.org 12 May '22

12 May '22

https://bugs.openldap.org/show_bug.cgi?id=9745 Issue ID: 9745 Summary: Local Logging - Timestamp Formatting Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: gnoe(a)symas.com Target Milestone: --- Timestamps for log lines in the 2.6+ local logging feature are saved unformatted (ex: "618ae741.0f6eb63a"). This has the potential to break any log aggregation/analysis program like splunk that expect timestamps in syslog format. These timestamps should configurable in various syslog formats. -- You are receiving this mail because: You are on the CC list for the issue.

1 13

[Issue 9403] New: add option to completely disable syslog logging
by openldap-its＠openldap.org 12 May '22

12 May '22

https://bugs.openldap.org/show_bug.cgi?id=9403 Issue ID: 9403 Summary: add option to completely disable syslog logging Product: OpenLDAP Version: 2.4.45 Hardware: All OS: Linux Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: cvuillemez(a)yahoo.fr Target Milestone: --- For auditing purpose, I need to enable "stats" loglevel. So on heavy load, slapd send lots of events to local syslog socket /dev/log, when compiled with LDAP_SYSLOG (on Debian / Ubuntu). It worked fine on old systems with a simple syslog service. But when upgrading on system with journald+syslog, CPU "overhead" becomes totally crazy. It would be great to have an option at run time to completely disable syslog logging, or/and use a cutom socket, e.g. /run/systemd/journal/syslog to bypass journald service. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 6949] OpenLDAP Logging
by openldap-its＠openldap.org 12 May '22

12 May '22

https://bugs.openldap.org/show_bug.cgi?id=6949 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |cvuillemez(a)yahoo.fr --- Comment #23 from Quanah Gibson-Mount <quanah(a)openldap.org> --- *** Issue 9403 has been marked as a duplicate of this issue. *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9844] New: Monitoring your SEO strategy is essential
by openldap-its＠openldap.org 09 May '22

09 May '22

https://bugs.openldap.org/show_bug.cgi?id=9844 Issue ID: 9844 Summary: Monitoring your SEO strategy is essential Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: guptaaaron29(a)gmail.com Target Milestone: --- Monitoring your SEO strategy is essential to measure the success of your website. Fortunately, with the tools available today, it is possible to count all the variables to formulate new tactics or improve existing plans. Whether you need to analyze traffic, potential customers, keyword rankings, among other indicators, by using metrics, you will be able to obtain all the important information you need to know the actual performance of your strategy and improve SEO ranking. https://ghareluupcharinhindi.com/diabetes-ke-lakshan/ -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9842] New: Page should not be spilled if MDB_RESERVE is used
by openldap-its＠openldap.org 06 May '22

06 May '22

https://bugs.openldap.org/show_bug.cgi?id=9842 Issue ID: 9842 Summary: Page should not be spilled if MDB_RESERVE is used Product: LMDB Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: stephan.j.bircher(a)gmail.com Target Milestone: --- The documentation for the function mdb_cursor_put states for MDB_RESERVE the following: "return a pointer to the reserved space, which the caller can fill in later". However this seems only to be valid if no other operation is performed on the cursor. Once the cursor is moved the page where the reserved data resides on might become untracked and therefore eligible to be spilled at any time. This problems occurrs however only for large transactions where lmdb starts to spill and flush pages. I'm using only lmdb and I'm a bit confused as the branches master (https://git.openldap.org/openldap/openldap/-/tree/master/libraries/liblmdb) and mdb.master (https://git.openldap.org/openldap/openldap/-/tree/mdb.master/libraries/libl…) are not the same. For example the function mdb_pages_xkeep differs and master and mdb.master. Will the branches be consolidated again? -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 8882] Empty Directory String Overlay
by openldap-its＠openldap.org 06 May '22

06 May '22

https://bugs.openldap.org/show_bug.cgi?id=8882 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Null Attribute Value |Empty Directory String |Overlay |Overlay -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 06 May '22

06 May '22

https://bugs.openldap.org/show_bug.cgi?id=8882 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |IN_PROGRESS Ever confirmed|0 |1 --- Comment #15 from Ondřej Kuzník <ondra(a)mistotebe.net> --- https://git.openldap.org/openldap/openldap/-/merge_requests/523 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 05 May '22

05 May '22

https://bugs.openldap.org/show_bug.cgi?id=8882 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |ondra(a)mistotebe.net -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9830] New: slapd using more memory on linux kernel 5.xx then kernel 4.19
by openldap-its＠openldap.org 05 May '22

05 May '22

https://bugs.openldap.org/show_bug.cgi?id=9830 Issue ID: 9830 Summary: slapd using more memory on linux kernel 5.xx then kernel 4.19 Product: OpenLDAP Version: 2.4.59 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: pavel.mamonov(a)wildix.com Target Milestone: --- Hi, there After upgrade a debian distro from 10 to 11 we are faced with consumption of memory more then before. We testing on the same system with different kernels. ======================================== System with a kernel 4.19: using of memory (slapd) ~ 100-120mb (max) slapd 2.4.59 libc6:amd64 2.31-13+deb11u2 linux-image-4.19.0-14-cloud-amd64 4.19.171-2 ======================================== System with a kernel 5.10: using of memory (slapd) ~ 135-235mb (max) slapd 2.4.59 libc6:amd64 2.31-13+deb11u2 linux-image-5.10.0-10-cloud-amd64 5.10.84-1 ======================================== Also we tried to use other allocator of memory like "libtcmalloc-minimal4:amd64 2.8.1-1" - but, unfortunately, it does not help us. Could you give advice what we can do for optimize memory and reduction using of it ? If need additional info please, let me know. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9675] New: Allow overwriting the default SLAPD_DEFAULT_CONFIGDIR during ./configure
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9675 Issue ID: 9675 Summary: Allow overwriting the default SLAPD_DEFAULT_CONFIGDIR during ./configure Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- Created attachment 839 --> https://bugs.openldap.org/attachment.cgi?id=839&action=edit fix I want to have different default for SLAPD_DEFAULT_CONFIGDIR in my slapd. By calling CPPFLAGS="-DSLAPD_DEFAULT_CONFIGDIR='\"/new/config/dir/\"'" ./configure one can change the default configdir in slapd. Provided that the macro SLAPD_DEFAULT_CONFIGDIR is not changed in the code, which is ensured by the provided patch. Macro SLAPD_DEFAULT_UCDATA is not used anywhere. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 8255] slapd-sock: response parsing in str2result() is broken
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=8255 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9814] New: upgrade ppm to 2.1 release
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9814 Issue ID: 9814 Summary: upgrade ppm to 2.1 release Product: OpenLDAP Version: 2.5.11 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: david.coutadeur(a)gmail.com Target Milestone: --- Hello, I have just opened two new MR to upgrade ppm to 2.1 release: * for OpenLDAP 2.5: https://git.openldap.org/openldap/openldap/-/merge_requests/509 * for OpenLDAP 2.6: https://git.openldap.org/openldap/openldap/-/merge_requests/510 Changes: - Reject password if it contains tokens from an attribute of the LDAP entry https://github.com/ltb-project/ppm/issues/17 -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 9737] New: ldapdelete unable to prune LDAP subentries
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9737 Issue ID: 9737 Summary: ldapdelete unable to prune LDAP subentries Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: client tools Assignee: bugs(a)openldap.org Reporter: neuroc0der(a)gmail.com Target Milestone: --- ldapdelete has a builtin capability to prune LDAP subentries (RFC 3672) by utilizing LDAP subentries control when tracking children however currently that logic does not work in the code and pruning always fails with 66 / 'not allowed on non-leaf'. the test case for this is a normal parent entry which has LDAP subentry type children underneath. the patch below addresses this issue. From ba29cbf20804d1c73cc0b5ab16549c4faba75a9e Mon Sep 17 00:00:00 2001 From: Anton Bobrov <antbob(a)users.noreply.github.com> Date: Thu, 4 Nov 2021 17:27:34 +0100 Subject: [PATCH] ldapdelete unable to prune LDAP subentries --- clients/tools/ldapdelete.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/clients/tools/ldapdelete.c b/clients/tools/ldapdelete.c index 8aa8e8c12..1a93aaadf 100644 --- a/clients/tools/ldapdelete.c +++ b/clients/tools/ldapdelete.c @@ -279,8 +279,13 @@ retry:; } rc = ldap_parse_result( ld, res, &code, &matcheddn, &text, &refs, &ctrls, 1 ); + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, "%s: ldap_parse_result: %s (%d)\n", + prog, ldap_err2string( rc ), rc ); + return rc; + } - switch ( rc ) { + switch ( code ) { case LDAP_SUCCESS: break; @@ -292,9 +297,7 @@ retry:; /* fallthru */ default: - fprintf( stderr, "%s: ldap_parse_result: %s (%d)\n", - prog, ldap_err2string( rc ), rc ); - return rc; + break; } if( code != LDAP_SUCCESS ) { -- 2.31.1 -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9787] New: 2.6.1 segfault in slaptest when logfile-format param is set
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9787 Issue ID: 9787 Summary: 2.6.1 segfault in slaptest when logfile-format param is set Product: OpenLDAP Version: 2.6.1 Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: smckinney(a)symas.com Target Milestone: --- Segfault in slaptest when any value for logfile-format is set. debug, syslog-utc, etc. This doesn’t occur during slapd startup. Only in slaptest. Observed on U20 and R8 platforms. slapd.conf ``` logfile "/var/symas/openldap-data/openldap26.log" logfile-only on # segfaults when any value for: logfile-format syslog-utc ``` Backtrace: ``` #0 0x00007f8fca27f685 in __strlen_avx2 () from /lib64/libc.so.6 #1 0x000055df6eaddedf in config_logging (c=<optimized out>) at logging.c:731 #2 0x000055df6ea9fe33 in config_set_vals (Conf=0x55df6edbe348 <config_back_cf_table+3432>, c=0x55df70bc4080) at config.c:378 #3 0x000055df6eaa3010 in read_config_file (fname=fname@entry=0x7ffe8f3a4706 "/opt/symas/etc/openldap/slapd.conf", depth=depth@entry=0, cf=cf@entry=0x0, cft=cft@entry=0x55df6edbd5e0 <config_back_cf_table>) at config.c:908 #4 0x000055df6ea98b98 in read_config (fname=fname@entry=0x7ffe8f3a4706 "/opt/symas/etc/openldap/slapd.conf", dir=dir@entry=0x0) at bconfig.c:4519 #5 0x000055df6eb29946 in slap_tool_init (progname=progname@entry=0x55df6eb50da3 "slaptest", tool=tool@entry=8, argc=4, argv=0x7ffe8f3a28f8) at slapcommon.c:682 #6 0x000055df6eb2c27e in slaptest (argc=<optimized out>, argv=<optimized out>) at slaptest.c:99 #7 0x000055df6ea8baea in main (argc=4, argv=0x7ffe8f3a28f8) at main.c:287 (gdb ``` -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9780] New: Documenting sticky session support in 2.6
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9780 Issue ID: 9780 Summary: Documenting sticky session support in 2.6 Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: lloadd Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- https://www.openldap.org/doc/admin26/loadbalancer.html contains the documentation for lload version 2.6. It says: • 2.6 release of lloadd will include sticky sessions (coherency). Since this is the documentation for version 2.6, the documentation shall say what is included in v2.6, not what will be included in v2.6. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9790] New: Build failure with GCC 4.1 and 4.3
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9790 Issue ID: 9790 Summary: Build failure with GCC 4.1 and 4.3 Product: OpenLDAP Version: 2.6.1 Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: orgads(a)gmail.com Target Milestone: --- In file included from ../../include/lutil.h:21, from passwd.c:60: ../../include/ac/socket.h:247: error: redefinition of typedef 'Sockaddr' ../../include/ldap_pvt.h:188: error: previous declaration of 'Sockaddr' was here -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9788] New: make warns about disabling/resetting jobserver
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9788 Issue ID: 9788 Summary: make warns about disabling/resetting jobserver Product: OpenLDAP Version: 2.6.1 Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: orgads(a)gmail.com Target Milestone: --- Running make -j8 issues the following warning for each directory with make 4.3: make[2]: warning: -j8 forced in submake: resetting jobserver mode. with make 4.2.1: make[3]: warning: -jN forced in submake: disabling jobserver mode. With make 3.82 there is no warning, but the jobserver flags are duplicated for each nested directory. e.g.: cd back-monitor && make -w --jobserver-fds=3,4 - --jobserver-fds=3,4 - --jobserver-fds=3,4 - --jobserver-fds=3,4 -j all On my env this is fixed by removing all the occurrences of $(MFLAGS) from build/dir.mk. MFLAGS is picked up by make when it exists, and there is no need to pass it explicitly. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9831] New: connection_next() can skip an active connection
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9831 Issue ID: 9831 Summary: connection_next() can skip an active connection Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Uncovered by running test056 under interesting conditions repeatedly. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9809] New: slapo-pcache: incorrect call to monitor unregister_entry
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9809 Issue ID: 9809 Summary: slapo-pcache: incorrect call to monitor unregister_entry Product: OpenLDAP Version: 2.4.18 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: hyc(a)openldap.org Target Milestone: --- Also an incorrect check for whether monitoring was initialized, thus calling unregister_entry_callback when there's nothing to unregister. The incorrect call causes a SEGV. The incorrect call is also present in back-mdb, but never invoked because it correctly sees there's nothing to unregister. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9811] New: slapadd silently fails when importing ldif file including another one
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9811 Issue ID: 9811 Summary: slapadd silently fails when importing ldif file including another one Product: OpenLDAP Version: 2.5.11 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: david.coutadeur(a)gmail.com Target Milestone: --- This issue is about openldap 2.5.11. (not tested on 2.6) When importing a new configuration from an ldif file, for example by this command: slapadd -n0 -F /usr/local/openldap/etc/openldap/slapd.d -l /var/backups/openldap/config-00000000000000.ldif the command answers by a 0 result code but the cn=config database is not fully imported. Also there is no special message displayed. The complete config-00000000000000.ldif file is below. The problem is in the custom.ldif included from config-00000000000000.ldif For example, the problem appears if the custom.ldif is this one: ``` # Custom ldif schema ``` or if the custom.ldif is that one (with an end-of-line at the end): ``` # Custom ldif schema dn: cn=custom,cn=schema,cn=config objectClass: olcSchemaConfig cn: custom ``` The expected behaviour should be to return an error code, and to display the corresponding message on stdout. Here is the full config-00000000000000.ldif file: ``` dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: slapd.conf olcConfigDir: slapd.d olcArgsFile: /usr/local/openldap/var/run/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcListenerThreads: 1 olcLocalSSF: 71 olcPidFile: /usr/local/openldap/var/run/slapd.pid olcReadOnly: FALSE olcSaslHost: 127.0.0.1 olcSaslSecProps: none olcServerID: 1 olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 16 olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key olcTLSCRLCheck: none olcTLSVerifyClient: allow olcTLSProtocolMin: 3.3 olcToolThreads: 1 olcWriteTimeout: 0 olcLogLevel: stats dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/local/openldap/lib64/:/usr/local/openldap/libexec/openldap/ olcModuleLoad: argon2.la olcModuleLoad: pw-pbkdf2.la olcModuleLoad: back_mdb.la olcModuleLoad: dynlist.la olcModuleLoad: ppolicy.la olcModuleLoad: syncprov.la olcModuleLoad: unique.la olcModuleLoad: refint.la dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema include: file:///usr/local/openldap/etc/openldap/schema/core.ldif include: file:///usr/local/openldap/etc/openldap/schema/cosine.ldif include: file:///usr/local/openldap/etc/openldap/schema/nis.ldif include: file:///usr/local/openldap/etc/openldap/schema/inetorgperson.ldif include: file:///usr/local/openldap/etc/openldap/schema/dyngroup.ldif include: file:///usr/local/openldap/etc/openldap/schema/custom.ldif dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break olcAccess: to dn.base="" by * read olcAccess: to dn.base="cn=Subschema" by * read olcAccess: to * by self write by users read by anonymous auth olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 0 olcReadOnly: FALSE olcSchemaDN: cn=Subschema olcSecurity: ssf=128 olcSizeLimit: 500 olcSyncUseSubentry: FALSE olcMonitoring: FALSE olcPasswordHash: {ARGON2} olcSortVals: member dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by * none olcAddContentAcl: TRUE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=admin,cn=config olcRootPW: {ARGON2}$argon2id$v=19$m=65536,t=2,p=1$eBzdIP+Zv/H/TmAw0xTXOg$JNQR9asBjEX5XYcTuqygvIY5S3iH43uqaqWQa9e0jNU olcSyncUseSubentry: FALSE olcMonitoring: FALSE dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /usr/local/openldap/var/openldap-data olcSuffix: dc=my-organization,dc=com olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=admin,dc=my-organization,dc=com olcRootPW: {ARGON2}$argon2id$v=19$m=65536,t=2,p=1$22H7iUTEuPMmwYnLr07PjQ$257rNncoS6L/k4HUXmROU7p2SfinVjfjFeUz4pK8gEw olcSyncUseSubentry: FALSE olcLastBind: TRUE olcMonitoring: TRUE olcDbIndex: objectClass eq olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq olcDbIndex: cn pres,eq,sub olcDbIndex: uid pres,eq,sub olcDbMaxSize: 4294967296 dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov olcSpCheckpoint: 100 10 olcSpSessionlog: 100 dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {1}ppolicy olcPPolicyDefault: cn=default,ou=ppolicies,dc=my-organization,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE dn: olcOverlay={2}refint,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcRefintConfig olcOverlay: {2}refint olcRefintAttribute: member olcRefintNothing: cn=nothing,dc=my-organization,dc=com dn: olcOverlay={3}dynlist,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcDynamicList olcOverlay: {3}dynlist olcDlAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames* dn: olcDatabase={2}monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: {2}monitor olcRootDN: cn=monitor olcRootPW: {ARGON2}$argon2id$v=19$m=65536,t=2,p=1$f1aoIjM0CjWwGIyBAsjzyw$j+1bYxs+CYOPR2lXrvamB7yFzSX/nNMiVwIn7vwPRVw olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcSyncUseSubentry: FALSE olcMonitoring: FALSE ``` -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9803] New: liblber: assertion( ber->ber_buf == NULL ); failed
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9803 Issue ID: 9803 Summary: liblber: assertion( ber->ber_buf == NULL ); failed Product: OpenLDAP Version: 2.4.46 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: jengelh(a)inai.de Target Milestone: --- libraries/liblber/io.c function ber_get_next contains a line assert( ber->ber_buf == NULL ); and with a larger application that uses libldap-2.4.46, I am running into that sporadically. I have no idea how that happens, but it seems probable the LDAP server (of which there is also no info on) is sending something that is interpreted as invalid and ber_buf does not get freed, so it's set on the next invocation. ``` (gdb) zcore: io.c:514: ber_get_next: Assertion `ber->ber_buf == NULL' failed. Thread 40 "rpc/34" received signal SIGABRT, Aborted. [Switching to Thread 0x7fffd6ff8700 (LWP 18485)] (gdb) up #1 0x00007ffff20fb585 in abort () from /lib64/libc.so.6 (gdb) #2 0x00007ffff20f285a in __assert_fail_base () from /lib64/libc.so.6 (gdb) #3 0x00007ffff20f28d2 in __assert_fail () from /lib64/libc.so.6 (gdb) #4 0x00007fffee0f48a1 in ber_get_next (sb=0x6040000aa650, len=len@entry=0x7fffd6ff61c8, ber=ber@entry=0x6070000b0360) at io.c:514 514 assert( ber->ber_buf == NULL ); (gdb) p ber $1 = (BerElement *) 0x6070000b0360 (gdb) p *ber $2 = {ber_opts = {lbo_valid = 2, lbo_options = 1, lbo_debug = 0}, ber_tag = 116, ber_len = 78, ber_usertag = 0, ber_buf = 0x6070000b03d0 "cP", ber_ptr = 0x6070000b03d0 "cP", ber_end = 0x6070000b041e "", ber_sos_ptr = 0x0, ber_rwptr = 0x0, ber_memctx = 0x0} (gdb) up #5 0x00007fffee310c91 in try_read1msg (result=0x7fffd6ff6348, lc=0x6080001182a0, all=1, msgid=18, ld=0x6040000aa610) at result.c:494 494 tag = ber_get_next( lc->lconn_sb, &len, ber ); (gdb) up #6 wait4msg (result=0x7fffd6ff6348, timeout=<optimized out>, all=1, msgid=<optimized out>, ld=0x6040000aa610) at result.c:365 365 rc = try_read1msg( ld, msgid, all, lc, result ); (gdb) #7 ldap_result (ld=ld@entry=0x6040000aa610, msgid=<optimized out>, all=all@entry=1, timeout=timeout@entry=0x0, result=result@entry=0x7fffd6ff6348) at result.c:120 120 rc = wait4msg( ld, msgid, all, timeout, result ); (gdb) p result $3 = (LDAPMessage **) 0x7fffd6ff6348 (gdb) p result[0] $4 = (LDAPMessage *) 0x0 (gdb) dow #6 wait4msg (result=0x7fffd6ff6348, timeout=<optimized out>, all=1, msgid=<optimized out>, ld=0x6040000aa610) at result.c:365 365 rc = try_read1msg( ld, msgid, all, lc, result ); (gdb) dow #5 0x00007fffee310c91 in try_read1msg (result=0x7fffd6ff6348, lc=0x6080001182a0, all=1, msgid=18, ld=0x6040000aa610) at result.c:494 494 tag = ber_get_next( lc->lconn_sb, &len, ber ); (gdb) p ber $5 = <optimized out> (gdb) dow #4 0x00007fffee0f48a1 in ber_get_next (sb=0x6040000aa650, len=len@entry=0x7fffd6ff61c8, ber=ber@entry=0x6070000b0360) at io.c:514 514 assert( ber->ber_buf == NULL ); (gdb) l 509 * 510 * We expect tag and len to be at most 32 bits wide. 511 */ 512 513 if (ber->ber_rwptr == NULL) { 514 assert( ber->ber_buf == NULL ); 515 ber->ber_rwptr = (char *) &ber->ber_len-1; 516 ber->ber_ptr = ber->ber_rwptr; 517 ber->ber_tag = 0; 518 } (gdb) p ber $6 = (BerElement *) 0x6070000b0360 (gdb) p ber[0] $7 = {ber_opts = {lbo_valid = 2, lbo_options = 1, lbo_debug = 0}, ber_tag = 116, ber_len = 78, ber_usertag = 0, ber_buf = 0x6070000b03d0 "cP", ber_ptr = 0x6070000b03d0 "cP", ber_end = 0x6070000b041e "", ber_sos_ptr = 0x0, ber_rwptr = 0x0, ber_memctx = 0x0} (gdb) p ber->ber_buf $8 = 0x6070000b03d0 "cP" (gdb) up #5 0x00007fffee310c91 in try_read1msg (result=0x7fffd6ff6348, lc=0x6080001182a0, all=1, msgid=18, ld=0x6040000aa610) at result.c:494 494 tag = ber_get_next( lc->lconn_sb, &len, ber ); (gdb) p len $10 = 99 (gdb) p lc $11 = (LDAPConn *) 0x6080001182a0 ``` -- You are receiving this mail because: You are on the CC list for the issue.

1 15

[Issue 9802] New: Segfault while changing configuration in OpenLDAP 2.6.1
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9802 Issue ID: 9802 Summary: Segfault while changing configuration in OpenLDAP 2.6.1 Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: manuel.flury(a)gmail.com Target Milestone: --- Created attachment 878 --> https://bugs.openldap.org/attachment.cgi?id=878&action=edit GDB traces and olcConfig Dear all, I am trying to configure back_meta for testing virtual directory. Attached is my config. It may not make sense. Trying to change configuration under olcMetaSub={0}uri,olcDatabase={1}meta,cn=config From : {5}rewriteRule "^(.+uid=[^,]+)(a)domain.two.com(,.*)$" "${&&target(\"ou=people,dc=domain,dc=two,dc=com\")}$1$2" ":" To: {5}rewriteRule "^(.+uid=[^,]+)(a)domain.two.com(,.*)$" "${&&target(\"ou=mynetworkpeople,o=my.example.com\")}$1$2" ":" I get a segfault. Please find attached the gdb traces. Before segfault, slapd is able to log the following messages: Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: daemon: activity on 1 descriptor Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: daemon: activity on:Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: 10rFeb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: daemon: read active on 10 Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: connection_get(10): got connid=1000 Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: connection_read(10): checking for input on id=1000 Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: op tag 0x66, time 1645812518 Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: conn=1000 op=14 do_modify Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: daemon: activity on 1 descriptor Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: >>> dnPrettyNormal: <olcMetaSub={0}uri,olcDatabase={1}meta,cn=config> Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: daemon: activity on:Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: <<< dnPrettyNormal: <olcMetaSub={0}uri,olcDatabase={1}meta,cn=config>, <olcMetaSub={0}uri,olcDatabase={1}meta,cn=config> Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: conn=1000 op=14 MOD dn="olcMetaSub={0}uri,olcDatabase={1}meta,cn=config" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: conn=1000 op=14 MOD attr=olcDbRewrite olcDbRewrite Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: slap_get_csn: conn=1000 op=14 generated new csn=20220225180838.334352Z#000000#001#000000 manage=1 Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: slap_queue_csn: queueing 0x7f030c140330 20220225180838.334352Z#000000#001#000000 Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_required entry (olcMetaSub={0}uri,olcDatabase={1}meta,cn=config), objectClass "olcMetaTargetConfig" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "objectClass" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcMetaSub" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbURI" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbIDAssertBind" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbRewrite" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbKeepalive" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbBindTimeout" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbCancel" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbChaseReferrals" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbNoRefs" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbNoUndefFilter" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbNretries" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbProtocolVersion" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbRebindAsUser" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbSessionTrackingRequest" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "olcDbTFSupport" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "structuralObjectClass" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "entryUUID" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "creatorsName" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "createTimestamp" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "entryCSN" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "modifiersName" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: oc_check_allowed type "modifyTimestamp" Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: >>> dnPrettyNormal: <dc=my,dc=example,dc=com> Feb 25 19:08:38 mydevldapsrvmd21.datacenter.my.example.com slapd[1066842]: <<< dnPrettyNormal: <dc=my,dc=example,dc=com>, <dc=my,dc=example,dc=com> Best Regards -- You are receiving this mail because: You are on the CC list for the issue.

1 19

[Issue 9818] New: slapo-translucent overlay crashes during wildcard search with subordinate
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9818 Issue ID: 9818 Summary: slapo-translucent overlay crashes during wildcard search with subordinate Product: OpenLDAP Version: 2.5.11 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: jeremy.diaz(a)rexconsulting.net Target Milestone: --- I found that slapd 2.5.11 w/slapo-translucent will crash when queried with a wildcard search. It looks like any wildcard search on any attribute specified in "translucent_local" will cause the SIGSEGV on the latest version of Symas OpenLDAP slapd, 2.5.11, MDB databases, running on CentOS7. It seems that the SIGSEGV problem does not occur w the 2.4.44 from the RHEL7 distribution, and so the problem may have be a regression. I have not tested any other versions but have verified that, with the exact same config, the problem does not happen on the RHEL7 2.4.44 version, but does happen w/Symas OpenLDAP 2.5.11. It's an interesting config here. There are two database+suffixes defined in the instance. The first one is subordinate (ou=someorg,dc=corp,dc=com) to the second one (dc=corp,dc=com). The "subordinate" option is set to "True". The second database section loads the translucent overlay which is pointed to the upstream Active Directory instance and has the same suffix of AD. The problem is administrative. The group want their admins who manage LDAP data to be able to search using wildcard "cn=xyx*" filters. Besides crashing, we have noticed that these work, but only when setting the basedn of the subordinate database. I tried a few things in a test lab and was able to reproduce the issue. with "cn" in "translucent_local" and sublevel search of translucent superior basedn dc=corp,dc=com "(cn=jed)" filter returns subordinate database entry "(cn=je*)" filter crashes slapd with "cn" not in "translucent_local" and sublevel search of translucent superior basedn dc=corp,dc=com "(cn=jed)" filter return referrals from upstream Active Directory "(cn=je*)" filter return referrals from upstream Active Directory with "cn" in "translucent_local" and sublevel search of subordinate basedn ou=someorg,dc=corp,dc=com "(cn=jed)" filter returns subordinate database entry from ou=someorg "(cn=je*)" filter returns subordinate database entry(ies) from ou=someorg with "cn" not in "translucent_local" and sublevel search of subordinate dbasedn ou=someorg,dc=corp,dc=com "(cn=jed)" filter returns subordinate database entry from ou=someorg "(cn=je*)" filter returns subordinate database entry(ies) from ou=someorg Here's what the crash looks like: 622eb2f7.0393c4d6 0x7fcf15e89880 slapd starting 622eb2fd.32371976 0x7fce8d9f3700 slap_listener_activate(8): 622eb2fd.323bb364 0x7fce8d1f2700 >>> slap_listener(ldap:///) 622eb2fd.3247761c 0x7fce8d1f2700 connection_get(15): got connid=1000 622eb2fd.3247962c 0x7fce8d1f2700 connection_read(15): checking for input on id=1000 622eb2fd.3247b177 0x7fce8d1f2700 ber_get_next 622eb2fd.3247e0b8 0x7fce8d1f2700 ber_get_next: tag 0x30 len 12 contents: 622eb2fd.3247f6f1 0x7fce8d1f2700 op tag 0x60, time 1647227645 622eb2fd.32480615 0x7fce8d1f2700 ber_get_next 622eb2fd.32484eca 0x7fce8d1f2700 conn=1000 op=0 do_bind 622eb2fd.324861e8 0x7fce8d1f2700 ber_scanf fmt ({imt) ber: 622eb2fd.324871c1 0x7fce8d1f2700 ber_scanf fmt (m}) ber: 622eb2fd.32488890 0x7fce8d1f2700 >>> dnPrettyNormal: <> 622eb2fd.32489324 0x7fce8d1f2700 <<< dnPrettyNormal: <>, <> 622eb2fd.3248ce51 0x7fce8d1f2700 do_bind: version=3 dn="" method=128 622eb2fd.3248efc7 0x7fce8d1f2700 send_ldap_result: conn=1000 op=0 p=3 622eb2fd.324906be 0x7fce8d1f2700 send_ldap_response: msgid=1 tag=97 err=0 622eb2fd.32492605 0x7fce8d1f2700 ber_flush2: 14 bytes to sd 15 622eb2fd.324ab763 0x7fce8d1f2700 do_bind: v3 anonymous bind 622eb2fd.325dc3b4 0x7fce8d1f2700 connection_get(15): got connid=1000 622eb2fd.325de12a 0x7fce8d1f2700 connection_read(15): checking for input on id=1000 622eb2fd.325dec44 0x7fce8d1f2700 ber_get_next 622eb2fd.325e0856 0x7fce8d1f2700 ber_get_next: tag 0x30 len 63 contents: 622eb2fd.325e1663 0x7fce8d1f2700 op tag 0x63, time 1647227645 622eb2fd.325e22e8 0x7fce8d1f2700 ber_get_next 622eb2fd.325e500c 0x7fce8d1f2700 conn=1000 op=1 do_search 622eb2fd.325e5ae0 0x7fce8d1f2700 ber_scanf fmt ({miiiib) ber: 622eb2fd.325e69ea 0x7fce8d1f2700 >>> dnPrettyNormal: <dc=corp,dc=com> 622eb2fd.325e98bd 0x7fce8d1f2700 <<< dnPrettyNormal: <dc=corp,dc=com>, <dc=corp,dc=com> 622eb2fd.325eaad7 0x7fce8d1f2700 ber_scanf fmt ({m) ber: 622eb2fd.325ebce5 0x7fce8d1f2700 ber_scanf fmt (m) ber: 622eb2fd.325eddcb 0x7fce8d1f2700 ber_scanf fmt ({M}}) ber: 622eb2fd.325f334c 0x7fce8d1f2700 ==> limits_get: conn=1000 op=1 self="[anonymous]" this="dc=corp,dc=com" 622eb2fd.325f4dcc 0x7fce8d1f2700 ==> translucent_search: <dc=corp,dc=com> (cn=jed*) Segmentation fault Thanks! -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 9785] New: test050 deadlock
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9785 Issue ID: 9785 Summary: test050 deadlock Product: OpenLDAP Version: 2.5.11 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- Running test050 in a loop sometimes results in a deadlock. Took 17 iterations on one system, was 100% on another. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9789] New: syncprov uses a thread-local counters for the detached op
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9789 Issue ID: 9789 Summary: syncprov uses a thread-local counters for the detached op Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Persistent searches routinely migrate across threads, however they keep using op->o_counters from the original search op which is meant to be thread-local. During shutdown, this counter can be destroyed as the original thread finishes, but the persistent search might still be live somewhere else. At that point, trying to acquire the destroyed sc_mutex fails and the thread usually stalls forever. slapd-asyncmeta is very likely to suffer from the same issues. A representative backtrace of this happening: Thread 3 (Thread 0x7f0b7d933640 (LWP 2928392) "slapd"): #0 futex_wait (private=0, expected=2, futex_word=0x7f0b74000ff8) at ../sysdeps/nptl/futex-internal.h:146 #3 0x00007f0b7fd17a05 in ldap_pvt_thread_mutex_lock (mutex=Locked by LWP 0) at thr_posix.c:313 #4 0x0000000000469564 in slap_send_search_entry (op=Search request conn=1003 op=1 = {...}, rs=Search entry = {...}) at result.c:1503 #5 0x00007f0b7f30561c in syncprov_sendresp (op=Search request conn=1003 op=1 = {...}, ri=0x7f0b701eb8e0, so=0x7f0b74102b20, mode=1) at syncprov.c:976 #6 0x00007f0b7f305064 in syncprov_qplay (op=Search request conn=1003 op=1 = {...}, so=0x7f0b74102b20) at syncprov.c:1028 #7 0x00007f0b7f304ecc in syncprov_qtask (ctx=0x7f0b7d932a58, arg=0x7f0b74102b20) at syncprov.c:1086 -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9804] New: slapd.conf(5) - remove comment from syncrepl about sizelimit
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9804 Issue ID: 9804 Summary: slapd.conf(5) - remove comment from syncrepl about sizelimit Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- slapd.conf(5) and slapd-config(5) contain the following really mis-leading text: "The sizelimit and timelimit parameters define a consumer requested limitation on the number of entries that can be returned by the LDAP Content Synchronization operation; as such, it is intended to implement partial replication based on the size of the replicated database and on the time required by the synchronization." This is wrong. One cannot implement deterministic partial replication with these limits. => This text should be removed. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9808] New: olcLastBind populated incorrectly when converting from slapd.conf
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9808 Issue ID: 9808 Summary: olcLastBind populated incorrectly when converting from slapd.conf Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Fix coming shortly. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9801] New: Segmentation Fault of Openldap 2.6.1 when the syncprov overlay tries to synchronize from ODSEE an attribute that it does not know.
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9801 Issue ID: 9801 Summary: Segmentation Fault of Openldap 2.6.1 when the syncprov overlay tries to synchronize from ODSEE an attribute that it does not know. Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: laurent.revillion(a)icloud.com Target Milestone: --- Created attachment 877 --> https://bugs.openldap.org/attachment.cgi?id=877&action=edit The files from gdb Hello, I just tested Opendlap 2.6.1 synchronization from ODSEE. It seemed to me that everything was going very well but I had a "Segmention Fault" when I tested on ODSEE to add the nsAccountLock: TRUE attribute. This attribute does not exist in the Openldap schema. The Openldap server detects the thing well but ... segmentation fault.:(( 620f6bd2.1b555d23 0x7fd0c9aff700 ldap_get_attribute_ber 620f6bd2.1b556639 0x7fd0c9aff700 ber_scanf fmt ({mM}) ber: 620f6bd2.1b5576f3 0x7fd0c9aff700 ldap_get_attribute_ber 620f6bd2.1b55b147 0x7fd0c9aff700 syncrepl_changelog_mods: rid=002 Invalid attribute nsAccountLock, attribute type undefined ./start-consumer1.sh : ligne 3 : 12531 Erreur de segmentation /opt/symas/lib/slapd -d 1 -u ldap -g ldap -h "ldap://:5389/" -f /opt/symas/config/static-test/slapd-dsee-consumer1.conf Attached are the files generated via gdb. Thanks Laurent -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9584] New: cn=config replication ops/refresh should pause server
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9584 Issue ID: 9584 Summary: cn=config replication ops/refresh should pause server Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Looking into this crash: https://git.openldap.org/openldap/openldap/-/jobs/7286 The thread in question is running a plain syncrepl refresh while another thread seems to have done the same. This thread fetched the entryUUID attribute of the 'cn=config' entry as 'a' and in the meantime, that entry has been rewritten, with 'a' presumably cleaned up and returned to the pool, so addressing a->a_nvals[0] is a NULL-dereference now. This might or might not be related to the fix in ITS#8102. -- You are receiving this mail because: You are on the CC list for the issue.

1 18

[Issue 9791] New: Build failure with certain disabled features in openssl
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9791 Issue ID: 9791 Summary: Build failure with certain disabled features in openssl Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: orgads(a)gmail.com Target Milestone: --- If openssl is configured with either OPENSSL_NO_MD4 or OPENSSL_NO_MD5 the build fails. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9794] New: Define behaviour for pwdChangedTime modifications
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9794 Issue ID: 9794 Summary: Define behaviour for pwdChangedTime modifications Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: david.coutadeur(a)gmail.com Target Milestone: --- This issue applies to: - draft-behera-ldap-password-policy - openldap 2.5 - openldap 2.6 It is a proposition of behaviour for pwdChangedTime modifications. modification of the draft: -------------------------- In section: "8.2.7. Policy State Updates", change this paragraph: If the value of either pwdMaxAge or pwdMinAge is non-zero, the server updates the pwdChangedTime attribute on the entry to the current time. into: If the value of either pwdMaxAge or pwdMinAge is non-zero, the server MUST update the pwdChangedTime attribute on the entry according to this workflow: Then insert a new paragraph: - if the current operation (add or modify) on the password includes adding or modifying a valid pwdChangedTime attribute, then use this pwdChangedTime. A "Valid" pwdChangedTime means a syntactically correct value, compliant with the schema, approved by access rules, and MAY require a relax control according to the schema defined in section 5.3.2. See Relax control RFC for more information: https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax - an invalid pwdChangedTime value MUST result in an error, and the pwdChangedTime MUST NOT be stored - in any other case, compute the current date and store it in a GeneralizedTime format Feel free to comment or propose other ideas. modification of the code: -------------------------- If this behaviour makes a consensus, it would be useful to patch both OpenLDAP 2.5 and 2.6. NOTE: current OpenLDAP 2.5 allows modifying pwdChangedTime alone, but fails to add a user with both userPassword and pwdChangedTime (it results in a duplicated pwdChangedTime error) modification of the documentation: ---------------------------------- In slapo-ppolicy, it can be useful to add a comment in "OPERATIONAL ATTRIBUTES" section: Every attribute defined as "NO-USER-MODIFICATION" SHOULD not be written by standard users. If needed, an administrator MAY modify them with the relax control. See Relax control RFC for more information: https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax -- You are receiving this mail because: You are on the CC list for the issue.

1 12

[Issue 9825] New: MemberOf group in group search not working
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9825 Issue ID: 9825 Summary: MemberOf group in group search not working Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: erikdewaard(a)gmail.com Target Milestone: --- Created attachment 891 --> https://bugs.openldap.org/attachment.cgi?id=891&action=edit database ldif dynlist group in group search not working correctly. Multiple queries needed before returning correct answer. ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com))' uid ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com))' uid ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com))' uid dn: uid=user1,ou=People,dc=example,dc=com uid: user1 -conf # stand-alone slapd config include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/rfc2307bis.schema include /etc/openldap/schema/dyngroup.schema # allow big PDUs from anonymous (for testing purposes) sockbuf_max_incoming 4194303 moduleload back_ldap moduleload dynlist ####################################################################### # database definitions ####################################################################### database config database mdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw secret directory /var/lib/ldap lastbind off overlay dynlist dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@groupOfUniqueNames* database monitor -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9820] New: v2.5 and 2.6 closed (idletimeout) during ldapsearch (work fine with v2.4)
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9820 Issue ID: 9820 Summary: v2.5 and 2.6 closed (idletimeout) during ldapsearch (work fine with v2.4) Product: OpenLDAP Version: 2.6.1 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: jlbs.gregoire(a)gmail.com Target Milestone: --- Hello, Please excuse me for my bad English. Is there a bug with openldap 2.5 and 2.6 ? When I launch a ldapsearch on the whole directory, the connection is abruptly cut during the search (same problem with syncrepl). All work fine with openldap 2.4.48 and 2.4.59. Tested on Debian 10 buster and openssl 1.1.1n (also tested with openssl 1.1.1d and 1.1.1k). The directory contains over one million entries. OpenLDAP 2.6.1 compiled with the following options ./configure --prefix=/opt/openldap-2.6.1 --disable-ipv6 --enable-debug --enable-syslog --enable-slapd --enable-cleartext --enable-crypt --enable-wrappers --enable-backends=no --enable-mdb --enable-overlays --with-tls /opt/openldap-2.6.1/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w 'password' ... # numResponses: 50146 # numEntries: 50146 ldap_result: Can't contact LDAP server (-1) Apr 8 21:28:37 debian slapd[20880]: @(#) $OpenLDAP: slapd 2.6.1 (Apr 8 2022 20:34:26) $#012#011root@debian:/opt/src/openldap-2.6.1/servers/slapd Apr 8 21:28:37 debian slapd[20881]: slapd starting Apr 8 21:29:12 debian slapd[20881]: conn=1000 fd=11 ACCEPT from PATH=/opt/openldap-2.6.1/var/run/ldapi (PATH=/opt/openldap-2.6.1/var/run/ldapi) Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" method=128 Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" mech=SIMPLE bind_ssf=0 ssf=71 Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000041 text= Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=1 SRCH base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)" Apr 8 21:29:57 debian slapd[20881]: conn=1000 fd=11 closed (idletimeout) OpenLDAP 2.5.11 compiled with the following options ./configure --prefix=/opt/openldap-2.5.11 --disable-ipv6 --enable-debug --enable-syslog --enable-slapd --enable-cleartext --enable-crypt --enable-wrappers --enable-backends=no --enable-mdb --enable-overlays --with-tls /opt/openldap-2.5.11/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w 'password' ... # numResponses: 44638 # numEntries: 44638 ldap_result: Can't contact LDAP server (-1) Apr 8 21:44:18 debian slapd[21063]: @(#) $OpenLDAP: slapd 2.5.11 (Apr 8 2022 20:55:50) $#012#011root@debian:/opt/src/openldap-2.5.11/servers/slapd Apr 8 21:44:18 debian slapd[21064]: slapd starting Apr 8 21:44:45 debian slapd[21064]: conn=1000 fd=11 ACCEPT from PATH=/opt/openldap-2.5.11/var/run/ldapi (PATH=/opt/openldap-2.5.11/var/run/ldapi) Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" method=128 Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" mech=SIMPLE bind_ssf=0 ssf=71 Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000006 etime=0.000045 text= Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=1 SRCH base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)" Apr 8 21:45:30 debian slapd[21064]: conn=1000 fd=11 closed (idletimeout) OpenLDAP 2.4.59 compiled with the following options ./configure --prefix=/opt/openldap-2.4.59 --disable-ipv6 --enable-debug --enable-syslog --enable-slapd --enable-cleartext --enable-crypt --enable-wrappers --enable-backends=no --enable-mdb --enable-overlays --with-tls /opt/openldap-2.4.59/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w 'password' Apr 8 21:53:22 debian slapd[17963]: @(#) $OpenLDAP: slapd 2.4.59 (Apr 8 2022 21:51:41) $#012#011root@debian:/opt/src/openldap-2.4.59/servers/slapd Apr 8 21:53:22 debian slapd[17964]: slapd starting Apr 8 21:53:54 debian slapd[17964]: conn=1000 fd=11 ACCEPT from PATH=/opt/openldap-2.4.59/var/run/ldapi (PATH=/opt/openldap-2.4.59/var/run/ldapi) Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" method=128 Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" mech=SIMPLE ssf=0 Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=0 RESULT tag=97 err=0 text= Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=1 SRCH base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)" Apr 8 22:06:02 debian slapd[17964]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1021397 text= Apr 8 22:06:02 debian slapd[17964]: conn=1000 op=2 UNBIND Apr 8 22:06:02 debian slapd[17964]: conn=1000 fd=11 closed OpenLDAP 2.4.48 compiled with the following options ./configure --prefix=/opt/openldap-2.4.48 --disable-ipv6 --enable-debug --enable-syslog --enable-slapd --enable-cleartext --enable-crypt --enable-wrappers --enable-backends=no --enable-mdb --enable-overlays --with-tls /opt/openldap-2.4.48/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w 'password' Apr 8 21:30:44 debian slapd[20942]: @(#) $OpenLDAP: slapd 2.4.48 (Apr 8 2022 20:58:01) $#012#011root@debian:/opt/src/openldap-2.4.48/servers/slapd Apr 8 21:30:44 debian slapd[20943]: slapd starting Apr 8 21:31:05 debian slapd[20943]: conn=1000 fd=11 ACCEPT from PATH=/opt/openldap-2.4.48/var/run/ldapi (PATH=/opt/openldap-2.4.48/var/run/ldapi) Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" method=128 Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" mech=SIMPLE ssf=0 Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=0 RESULT tag=97 err=0 text= Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=1 SRCH base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)" Apr 8 21:43:15 debian slapd[20943]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1021397 text= Apr 8 21:43:15 debian slapd[20943]: conn=1000 op=2 UNBIND Apr 8 21:43:15 debian slapd[20943]: conn=1000 fd=11 closed Content of slapd.conf : pidfile /opt/openldap/var/run/slapd.pid argsfile /opt/openldap/var/run/slapd.args tool-threads 2 require ldapv3 authc disallow bind_anon loglevel stats modulepath /opt/openldap/libexec/openldap moduleload back_mdb moduleload syncprov include /opt/openldap/etc/openldap/schema/core.schema include /opt/openldap/etc/openldap/schema/cosine.schema include /opt/openldap/etc/openldap/schema/inetorgperson.schema include /opt/openldap/etc/openldap/schema/dyngroup_cgi.schema include /opt/openldap/etc/openldap/schema/qmail_cgi.schema defaultsearchbase "dc=societe,dc=com" backend mdb database mdb directory "/ldap/base-ldap" suffix "dc=societe,dc=com" rootdn "cn=manager,dc=societe,dc=com" rootpw password maxsize 12884901888 mode 600 checkpoint 10240 2 dbnosync lastmod on include /opt/openldap/etc/openldap/acl.conf idletimeout 120 reverse-lookup off sizelimit 100 timelimit unlimited include /opt/openldap/etc/openldap/index.conf index_substr_if_minlen 2 index_substr_if_maxlen 4 index_substr_any_len 4 index_substr_any_step 2 When I set loglevel -1 it works correctly (but generates a very huge log file). It's very strange. If you need any further information, feel free to contact me. Jean-Loup Gregoire -- You are receiving this mail because: You are on the CC list for the issue.

1 12

[Issue 9815] Serious SQL injection vulnerability in back-sql
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9815 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Group|OpenLDAP-devs | Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9837] New: Don't throw exceptions when requesting empty integer fields
by openldap-its＠openldap.org 02 May '22

02 May '22

https://bugs.openldap.org/show_bug.cgi?id=9837 Issue ID: 9837 Summary: Don't throw exceptions when requesting empty integer fields Product: JLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: JDBC Assignee: bugs(a)openldap.org Reporter: fredrik(a)roubert.name Target Milestone: --- LibreOffice Base expects to be able to call LdapResultSet.getLong() on an empty Types.INTEGER field without any exception being thrown and the exception that Long.parseLong() throws when passed an empty string will terminate the query with an error message. While I don't know if the JDBC standard says anything about how this is supposed to be handled, it seems reasonable (and harmless) for JDBC-LDAP to accomodate the existing behaviour such a popular open source software package as LibreOffice Base. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9836] New: Support for TLS is needed
by openldap-its＠openldap.org 02 May '22

02 May '22

https://bugs.openldap.org/show_bug.cgi?id=9836 Issue ID: 9836 Summary: Support for TLS is needed Product: JLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: JDBC Assignee: bugs(a)openldap.org Reporter: fredrik(a)roubert.name Target Milestone: --- Using TLS is becoming increasingly more common and the LDAP library has support for this since a long time already, the JDBC connection string just needs to support a new property to allow this to be configured. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9835] New: LDAP aliases ought to always be dereferenced
by openldap-its＠openldap.org 02 May '22

02 May '22

https://bugs.openldap.org/show_bug.cgi?id=9835 Issue ID: 9835 Summary: LDAP aliases ought to always be dereferenced Product: JLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: JDBC Assignee: bugs(a)openldap.org Reporter: fredrik(a)roubert.name Target Milestone: --- No software connecting to an LDAP database through JDBC can be expected to know anything at all about LDAP, so no such software can be expected to be able to do anything useful with an LDAP alias entry. LDAP aliases must therefore always be dereferenced in the JDBC driver. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 3872] Issue with norwegian UTF-8 characters JDBC Bridge
by openldap-its＠openldap.org 02 May '22

02 May '22

https://bugs.openldap.org/show_bug.cgi?id=3872 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 3872] Issue with norwegian UTF-8 characters JDBC Bridge
by openldap-its＠openldap.org 02 May '22

02 May '22

https://bugs.openldap.org/show_bug.cgi?id=3872 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|UNCONFIRMED |RESOLVED --- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> --- • 245495e9 by Fredrik Roubert at 2022-05-01T15:12:42+02:00 ITS#3872 Always decode valid UTF-8 data, never Base64 encode it. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 3872] Issue with norwegian UTF-8 characters JDBC Bridge
by openldap-its＠openldap.org 01 May '22

01 May '22

https://bugs.openldap.org/show_bug.cgi?id=3872 --- Comment #4 from Fredrik Roubert <fredrik(a)roubert.name> --- This seems to be a simple mistake for which there is a simple fix: https://git.openldap.org/openldap/jdbcldap/-/merge_requests/1 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9834] New: Can not find admin user after setup openldap on debian
by openldap-its＠openldap.org 29 Apr '22

29 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9834 Issue ID: 9834 Summary: Can not find admin user after setup openldap on debian Product: OpenLDAP Version: 2.4.57 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: sparktour(a)outlook.com Target Milestone: --- Created attachment 897 --> https://bugs.openldap.org/attachment.cgi?id=897&action=edit the screenshot of phpldapadmin dashboard (doesn't have any entry under base) After install the openldap (slapd) from Debian package repository (using the version 2.4.57+dfsg-3~bpo10+1, database created by the dpkg configuration script provide by apt), the admin user (cn=admin,dc=example,dc=com) in could not be found either when performing ldapsearch or viewing the structure of the organisation in phpldapadmin / Apache directory studio. result of ldapsearch: ------------ root@ldap:~# ldapsearch -x -b "dc=example,dc=com" # extended LDIF # # LDAPv3 # base <dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # example.com dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: example.com dc: exmaple # search result search: 2 result: 0 Success ------------ However, using ldapwhoami (ldapwhoami -vvv -h ldap.example.com -D cn=admin,dc=example,dc=com -x -w password) can return a successful result. result of ldapwhoami: ------------ ldap_initialize( ldap://localhost ) dn:cn=admin,dc=example,dc=com Result: Success (0) ------------ A similar issue can be found here: https://github.com/osixia/docker-openldap/issues/555 on Github. According to the user in Github, this issue is first occurred in openldap 2.4.57 (https://github.com/osixia/docker-openldap/releases/tag/v1.5.0) -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 28 Apr '22

28 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8882 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|needs_review | -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 28 Apr '22

28 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8882 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|--- |2.5.13 --- Comment #14 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Ship in contrib for 2.5.13+ -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 27 Apr '22

27 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8882 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |needs_review -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 27 Apr '22

27 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8882 --- Comment #13 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Tamim provided me the source code previously referenced, now attached to the ticket. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 27 Apr '22

27 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8882 --- Comment #12 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Created attachment 896 --> https://bugs.openldap.org/attachment.cgi?id=896&action=edit source code for empty-directory-string overlay -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9833] New: Backup Restore issue
by openldap-its＠openldap.org 27 Apr '22

27 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9833 Issue ID: 9833 Summary: Backup Restore issue Product: OpenLDAP Version: 2.4.40 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: akshay.jain(a)shopclues.com Target Milestone: --- I Have restored backup from running ldap. data is restored but i am not able to login using directory manager account. This is hampering my production. Can anyone help in this. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9828] New: ldap_count_values_len broken
by openldap-its＠openldap.org 26 Apr '22

26 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9828 Issue ID: 9828 Summary: ldap_count_values_len broken Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Pointer confusion means ldap_count_values_len does not work as intended. Because there are no known users in the openldap project (except slapd-search), this has existed since its inception in UMich code. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9620] New: back-monitor: search can access a persistent entry freed in the meantime
by openldap-its＠openldap.org 25 Apr '22

25 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9620 Issue ID: 9620 Summary: back-monitor: search can access a persistent entry freed in the meantime Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- With ITS#9600 there is now code that adds and removes "persistent" monitor entries outside a server pause. A concurrent cn=monitor search lists all children first and sends them later - monitor is happy to free some of them in the meantime. It seems to me that the monitor cache should be protected by a rw mutex instead, which would be held for reading while a search is happening. -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 9826] New: Openldap process stopped due to the 'segmentation fault'
by openldap-its＠openldap.org 21 Apr '22

21 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9826 Issue ID: 9826 Summary: Openldap process stopped due to the 'segmentation fault' Product: OpenLDAP Version: 2.4.59 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: rekha.shivsan(a)gmail.com Target Milestone: --- Created attachment 892 --> https://bugs.openldap.org/attachment.cgi?id=892&action=edit kernel logs with segmentation fault error Openldap process stopped due to the 'segmentation fault'. We have openldap process running as a service. /var/log/kern.log Mar 6 11:15:01 ip-x-x-x-x kernel: show_signal_msg: 48 callbacks suppressed Mar 6 11:15:01 ip-x-x-x-x kernel: slapd[8778]: segfault at 8 ip 00000000004afcc6 sp 00007fae42ffd400 error 4 in slapd[400000+130000] /var/log/daemon.log Mar 6 11:15:01 ip-x-x-x-xopenldap: 622497b5 connection_read(13): input error=-2 id=19912, closing. Mar 6 11:15:01 ip-x-x-x-xopenldap: 622497b5 connection_closing: readying conn=19912 sd=13 for close Mar 6 11:15:01 ip-x-x-x-xsystemd: openldap.service: main process exited, code=killed, status=11/SEGV Mar 6 11:15:01 ip-x-x-x-xsystemd: Unit openldap.service entered failed state. Mar 6 11:15:01 ip-x-x-x-xsystemd: openldap.service failed. If we restart the service, it runs fine for few days and again segmentation fault is seen in kernel logs and the service gets stopped. Please help us to resolve this issue. Thanks Rekha. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9822] New: The hyperlink "JLDAP resources" needs to be updated
by openldap-its＠openldap.org 12 Apr '22

12 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9822 Issue ID: 9822 Summary: The hyperlink "JLDAP resources" needs to be updated Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: fredrik(a)roubert.name Target Milestone: --- On this page: https://www.openldap.org/jldap/ The hyperlink "JLDAP resources" used to go to this web page: https://web.archive.org/web/20060707012200/http://developer.novell.com/wiki… But that web page is nowadays to be found here instead: https://www.microfocus.com/documentation/edirectory-developer-documentation… -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9784] New: Adding our OpenLDAP support services
by openldap-its＠openldap.org 12 Apr '22

12 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9784 Issue ID: 9784 Summary: Adding our OpenLDAP support services Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: contact(a)linuxstans.com Target Milestone: --- Hi, We offer OpenLDAP support and we'd really appreciate it if you can add our details to your support page https://www.openldap.org/support/ Here are the details: <a href="https://linuxstans.com/support/">Linux Stans</a> - USA Provides installation, configuration, maintenance, and 24/7 support services for OpenLDAP. Let me know if you need more info. Thanks! -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9819] New: Bump version of ldapc++
by openldap-its＠openldap.org 11 Apr '22

11 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9819 Issue ID: 9819 Summary: Bump version of ldapc++ Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: contrib Assignee: bugs(a)openldap.org Reporter: jengelh(a)inai.de Target Milestone: --- In the *SUSE family of Linux distributions, we have had a standalone ldapcpp package, the code of which was authored by R. Haferkamp; the package is marked 0.3.1 inside and out and uses SONAME=libldapcpp.so.1. This ldapcpp package is being phased out in favor of building the software from the copy in openldap/contrib/ldapc++, which I find is also by Haferkamp. However, it is marked as 0.0.0 and uses SONAME=libldapcpp.so.0. ---- » abidiff /usr/lib64/libldapcpp.so.1 .libs/libldapcpp.so.0 ELF SONAME changed Functions changes summary: 0 Removed, 4 Changed, 2 Added (30 filtered out) functions Variables changes summary: 0 Removed, 0 Changed, 0 Added variable Function symbols changes summary: 0 Removed, 9 Added function symbols not referenced by debug info Variable symbols changes summary: 0 Removed, 1 Added variable symbol not referenced by debug info SONAME changed from 'libldapcpp.so.1' to 'libldapcpp.so.0' 2 Added functions: [A] 'method virtual LDAPMsg::~LDAPMsg(int)' {_ZN7LDAPMsgD0Ev} note that this adds a new entry to the vtable of class LDAPMsg [A] 'method virtual LDAPMsg::~LDAPMsg(int)' {_ZN7LDAPMsgD2Ev, aliases _ZN7LDAPMsgD1Ev} note that this adds a new entry to the vtable of class LDAPMsg 4 functions with some indirect sub-type change: [C] 'method void LDAPAsynConnection::unbind()' at LDAPAsynConnection.cpp:270:1 has some indirect sub-type changes: parameter 1 of type 'int' was added [C] 'method LDAPAttrType::LDAPAttrType()' at LDAPAttrType.cpp:11:1 has some indirect sub-type changes: parameter 1 of type 'int' was added [C] 'method LDAPAttributeList::LDAPAttributeList()' at LDAPAttributeList.cpp:24:1 has some indirect sub-type changes: parameter 1 of type 'int' was added [C] 'method LDAPSchema::LDAPSchema()' at LDAPSchema.cpp:18:1 has some indirect sub-type changes: parameter 1 of type 'int' was added 9 Added function symbols not referenced by debug info: [A] _ZN12LDAPAttrTypeC1ERKS_ [A] _ZN12LDAPAttrTypeC2ERKS_, aliases _ZN12LDAPAttrTypeC1ERKS_ [A] _ZN13LDAPExceptionC1ERKS_, aliases _ZN13LDAPExceptionC2ERKS_ [A] _ZN13LDAPExceptionC2ERKS_ [A] _ZN16LDAPUrlExceptionD1Ev [A] _ZN16LDAPUrlExceptionD2Ev, aliases _ZN16LDAPUrlExceptionD1Ev [A] _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED0Ev [A] _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED1Ev, aliases _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev [A] _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev 1 Added variable symbol not referenced by debug info: [A] _ZTV7LDAPMsg ---- This leads me to believe that contrib/ldapc++ is actually the newer one despite the inferior versioning. To avoid confusion going forward, I propose to bump the version (in the `version.var` file) to at least 0.3.1, and the SONAME should be changed to libldapcpp.so.2 (now), so that future maintainers won't accidentally reuse libldapcpp.so.1. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 8143] SegV in ~LDAPCtrl()
by openldap-its＠openldap.org 11 Apr '22

11 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8143 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=7806 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7806] memory leak in contrib/ldapc++/LDAPAsynConnection.cpp
by openldap-its＠openldap.org 11 Apr '22

11 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=7806 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=8143 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9821] New: slapo-homedir.5 is installed despite --disable-homedir
by openldap-its＠openldap.org 10 Apr '22

10 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9821 Issue ID: 9821 Summary: slapo-homedir.5 is installed despite --disable-homedir Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- Even with ./configure --disable-homedir the man page file slapo-homedir.5 is installed. Worth to fix this for 2.6.2? -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9812] New: Registered SLAPI plugin functions are not called
by openldap-its＠openldap.org 28 Mar '22

28 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9812 Issue ID: 9812 Summary: Registered SLAPI plugin functions are not called Product: OpenLDAP Version: 2.6.1 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: guru(a)unixarea.de Target Milestone: --- We're running since ages with an OpenLDAP server 2.4.40 a plugin which publishes changes (add, modify, delete) in LDAP to an Identity Server (IDM). We compile on SuSE Linux from source. The configure options for 2.6.1 are: ./configure --enable-aci=yes --enable-dynacl --enable-spasswd=yes --enable-crypt=yes --enable-debug=yes --enable-shared=yes --enable-modules=yes --enable-slapi --enable-slapd=yes --with-tls --prefix=/opt/openldap-2.6.1 Our SLAPI plugin, written in C works fine for 2.4.40 and stopped working for 2.6.1. It is configured in slapd.conf as plugin postoperation /opt/openldap-2.6.1/lib64/idm.so idm_init "IDM Plugin" 10.23.33.52 3001 The function idm_init() registers static C functions the supposed way: int idm_init(Slapi_PBlock * pb) { int rc = LDAP_SUCCESS; log("idm-plugin:","now in idm_init()\n"); // first call, create new list and register the functions ... rc |= slapi_pblock_set( /* Plug-in API version */ pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_CURRENT_VERSION); rc |= slapi_pblock_set( /* Plug-in description */ pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &desc); rc |= slapi_pblock_set( /* Modify function */ pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *) modify_user); ... // read arguments and add list entry rc |= read_arguments(pb); log("idm-plugin", "idm_init() return rc:%d\n", rc); return rc; } The begin of the function for modify_user() looks like this: static int modify_user(Slapi_PBlock * pb) { Slapi_Entry *entry; log("idm-plugin:", "now in modify_user\n"); if (slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &entry) != LDAP_SUCCESS) { log("IDM-Connector Plugin", "entry modified, but couldn't get entry"); return -1; } ... But the function gets never called from slapd on changes in LDAP. The log shows only the registering: 03/16/22 10:52:26 idm-plugin:: now in idm_init() 03/16/22 10:52:26 IDM-Connector Plugin: idm_init: Initializing plugin 03/16/22 10:52:26 idm-plugin:: now in read_arguments() 03/16/22 10:52:26 IDM Plugin: added idm connector: ip=10.23.33.52, port=3001 03/16/22 10:52:26 idm-plugin: idm_init() returns rc:0 03/16/22 10:52:26 plugin_pblock_new: Registered plugin OCLC-IDM-Connector-Notifier 1.0 [OCLC.org] (Notify the OCLC IDM-Connector of changes) As I said, with OpenLDAP 2.4.40 this works fine. It does not work anymore with 2.6.1. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 6461] back-sql quote characters in query
by openldap-its＠openldap.org 28 Mar '22

28 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=6461 --- Comment #10 from Howard Chu <hyc(a)openldap.org> --- Escaping with a backslash appears to be non-portable. All the major SQL implementations escape a single quote by doubling it, as done in the patch for ITS#9815. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6461] back-sql quote characters in query
by openldap-its＠openldap.org 28 Mar '22

28 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=6461 Ryan Tandy <ryan(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9815 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9816] New: slapcat cordeumps during mdb subtree dump with -s
by openldap-its＠openldap.org 28 Mar '22

28 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9816 Issue ID: 9816 Summary: slapcat cordeumps during mdb subtree dump with -s Product: OpenLDAP Version: 2.5.11 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: khoffmann(a)united-internet.de Target Milestone: --- Created attachment 887 --> https://bugs.openldap.org/attachment.cgi?id=887&action=edit gdb backtrace of slapcat run When trying to use slapcat in combination with -b and -s in order to create a LDIF backup of a mdb subtree, slapd crashes with a coredump (please see the attached snippet with gdb output from a reproduced test tree). The problem was reporducible with different mdb databases / suffixes and only appears with option -s. The same dump with -H 'ldap:///ou=users,o=company,c=de??sub?' instead of -s ou=users,o=company,c=de works perfectly fine, as long as the "attrs part" is empty in the ldap-uri. Also using slapcat with -b only (for a full database dump) works fine as well. I'm aware of the fact that -s option is marked as DEPRECATED - I'm not sure if you are going to fix this bug or if you rather take the change to remove the option completely from future major versions. Please let me also know if it's expected behaviour that the -H option doesn't work whenever the attribute part isn't empty and if I should contribute to a documentation update for this edge case. Best regards, Kris -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 7978] OpenLDAP 2.4 fails to build with LibreSSL
by openldap-its＠openldap.org 27 Mar '22

27 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7978 ismael(a)iodev.co.uk changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ismael(a)iodev.co.uk --- Comment #13 from ismael(a)iodev.co.uk --- Created attachment 889 --> https://bugs.openldap.org/attachment.cgi?id=889&action=edit Fix building against LibreSSL OpenLDAP 2.6.1 works fine against LibreSSL 3.4+. The only problem is the configure script checks for a symbol LibreSSL doesn't implement yet. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7832] Proposing ppolicy extended module for OpenLDAP
by openldap-its＠openldap.org 22 Mar '22

22 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7832 --- Comment #25 from Quanah Gibson-Mount <quanah(a)openldap.org> --- (In reply to David Coutadeur from comment #24) > Hello, > I have just opened a new MR: > https://git.openldap.org/openldap/openldap/-/merge_requests/509 to upgrade > ppm to 2.1 release: > > Changes: > - Reject password if it contains tokens from an attribute of the LDAP entry > https://github.com/ltb-project/ppm/issues/17 You should file a new issue for this, rather than commenting in this issue. Thanks -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7832] Proposing ppolicy extended module for OpenLDAP
by openldap-its＠openldap.org 22 Mar '22

22 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7832 --- Comment #24 from David Coutadeur <david.coutadeur(a)gmail.com> --- Hello, I have just opened a new MR: https://git.openldap.org/openldap/openldap/-/merge_requests/509 to upgrade ppm to 2.1 release: Changes: - Reject password if it contains tokens from an attribute of the LDAP entry https://github.com/ltb-project/ppm/issues/17 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7089] ppolicy adds PWDFAILURETIME to organizationalUnit
by openldap-its＠openldap.org 22 Mar '22

22 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7089 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9813 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9810] New: slapacl peername
by openldap-its＠openldap.org 18 Mar '22

18 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9810 Issue ID: 9810 Summary: slapacl peername Product: OpenLDAP Version: 2.4.59 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ratness(a)gmail.com Target Milestone: --- Found in 2.4.59 on a $WORK system, replicated in 2.6.1: [root@centos-s-1vcpu-1gb-ams3-01 ~]# rpm -qf /opt/symas/sbin/slapacl symas-openldap-servers-2.6.1-2.el7.x86_64 This is a box where I don't even have slapd running, but that's okay because my point is visible without it: [root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F /etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername.ip=127.0.0.1 entry/read usage: slapacl [-v] [-d debuglevel] [-f configfile] [-F configdir] [-o <name>[=<value>]] [-U authcID | -D authcDN] [-X authzID | -o authzDN=<DN>] -b DN [-u] [attr[/access][:value]] [...] When I ask for `-o peername.ip=127.0.0.1` the `slapacl` command bails out with usage, indicating a parse failure. If I then run `slapacl` with `-o peername=ip=127.0.0.1`, I get: [root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F /etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername=ip=127.0.0.1 entry/read invalid config directory /etc/openldap/slapd.d, error 2 slapacl: bad configuration directory! (which I would expect here since I have no server running) Demo on 2.4.59 at work: $ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D uid=replicator,ou=logins,dc=example -b 'mail=me(a)example.com,o=com,dc=mozilla' -o peername=ip=127.0.0.1 entry/read authcDN: "uid=replicator,ou=logins,dc=example" read access to entry: ALLOWED $ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D uid=replicator,ou=logins,dc=example -b 'mail=me(a)example.com,o=com,dc=mozilla' -o peername=ip=127.0.0.2 entry/read authcDN: "uid=replicator,ou=logins,dc=example" read access to entry: DENIED slapacl(8) mentions peername, but also aims us at slapd.access(5), which lists peername[.<peernamesytle>]. It's possible I'm dense and this isn't a bug, but minimally the equalsign repetition is really awkward to my eye. I'd suggest at least an example in slapacl(8) so it's easier to figure out. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9807] New: Cannot enable {ARGON2} passwd scheme support
by openldap-its＠openldap.org 13 Mar '22

13 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9807 Issue ID: 9807 Summary: Cannot enable {ARGON2} passwd scheme support Product: OpenLDAP Version: unspecified Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: gregory.widmer(a)gwidmer.fr Target Milestone: --- Created attachment 881 --> https://bugs.openldap.org/attachment.cgi?id=881&action=edit Trace of every executed command. I want to build OpenLDAP with argon2 support. Unfortunately, it doesn't work and I don't understand why. It seems to be a build issue. Here is how to reproduce the issue : I'm using a fresh install of Debian 11. The following packages were installed for this : - libargon2-dev - libltdl-dev - git - build-essential I am using the master branch of the git repository : https://git.openldap.org/openldap/openldap/-/commit/e8813b12b6188d5ba5f174f… I'm using root, and the repo is under /root/openldap. My objective is to : - Run slapd with {ARGON2} support - Set {ARGON2} as password-hash - Use slappasswd to create a password for LDAP admin in slapd.conf I ran the following commands : - apt install libltdl-dev libargon2-dev git build-essential -y - ./configure --with-argon2=libargon2 --enable-modules --enable-argon2=yes - make depend - make - make check - make install I then created a systemd service for slapd, reloaded daemons with systemctl then started the service. I got the following error : @(#) $OpenLDAP: slapd 2.X (Mar 12 2022 15:31:06) $ root@ldap:/root/openldap/servers/slapd /usr/local/etc/openldap/slapd.conf: line 65: <password-hash> scheme not available ({ARGON2}) /usr/local/etc/openldap/slapd.conf: line 65: <password-hash> no valid hashes found slapd stopped. connections_destroy: nothing to destroy. I don't understand how to build openldap with argon2. I did not find anything. You will find a global trace file for every command used with the program. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9805] New: member attributes managed by autogroup are lost when user attributes are adjusted
by openldap-its＠openldap.org 10 Mar '22

10 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9805 Issue ID: 9805 Summary: member attributes managed by autogroup are lost when user attributes are adjusted Product: OpenLDAP Version: 2.4.59 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: contrib Assignee: bugs(a)openldap.org Reporter: michael.bobzin(a)baloise.ch Target Milestone: --- Hello OpenLDAP Team, we use nested groups in our OpenLDAP directory. User X is a member of group A. Group A is a member of group B. User X is therefore also a member of group B. To be able to find out all groups of user X with only one LDAP query we use the dynlist overlay together with the autogroup overlay. Group B is a dynamic group whose member attributes are set with autogroup, to allow a search for members. ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch" "(member=cn=userx,ou=users,dc=basler,dc=ch)" dn Result: cn=groupA,ou=groups,dc=basler,dc=ch cn=groupB,ou=groups,dc=basler,dc=ch ----- Gruppe A ---------------------------------------------------------- dn: cn=groupA,ou=groups,dc=basler,dc=ch cn: groupA objectClass: top objectClass: groupOfNames member:cn=userX,ou=users,dc=basler,dc=ch ----- Gruppe B ---------------------------------------------------------- dn: cn=groupB,ou=groups,dc=basler,dc=ch cn: groupB objectClass: top objectClass: groupOfURLs memberURL: ldap:///ou=groups,dc=basler,dc=ch?member?one?(cn=groupA) # managed by autogroup member:cn=userX,ou=users,dc=basler,dc=ch ----------------------------------------------------------------------- This works until any attribute in the userX object is changed. The member attribute for userX created dynamically by autogroup is then deleted from groupB although userX is still a member of groupA and is therefore matched with the search in the memberURL attribute of groupB matched. The expected behaviour would be that the member attribute in groupB remains unchanged. ----------- configuration -------------------------- OpenLDAP 2.4.59 from https://www.ltb-project.org/download.html --------------- slapd.conf ------------------------- ... moduleload dynlist moduleload autogroup.so ... include /usr/local/openldap/etc/openldap/local-schema/dyngroup.schema ... overlay dynlist dynlist-attrset groupOfURLs memberURL overlay autogroup autogroup-attrset groupOfURLs memberURL member -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9497] New: back-ldif: test022-ppolicy failure
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9497 Issue ID: 9497 Summary: back-ldif: test022-ppolicy failure Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: hamano(a)osstech.co.jp Target Milestone: --- The test022-ppolicy with back-ldif fail for two issue. 1. too short pwdMaxAge ~~~ $ ./run -b ldif test022-ppolicy (snip) Testing password expiration Waiting seconds for password to expire... sleep: missing operand Try 'sleep --help' for more information. Password expiration test failed ~~~ The script tries test for lockout and then a test for password expiration. It will fail if the password has expired(pwdMaxAge: 30) by the time it starts the password expiration test. This is a timing issue and not directly caused by back-ldif. However, the issue is reproduced only with back-ldif in my environment. This test passed in my environment by extending pwdMaxAge by 5 seconds, but there may be a better way. 2. duplicate ldap control response ~~~ Reconfiguring policy to remove grace logins... Clearing forced reset... expr: syntax error: unexpected argument '15' Testing password expiration Waiting seconds for password to expire... sleep: missing operand Try 'sleep --help' for more information. ~~~ This is back-ldif issue. back-ldif responds duplicate ldap control response. -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 5840] mdb online indexing and shutdown
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=5840 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 5840] mdb online indexing and shutdown
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=5840 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |RESOLVED Resolution|--- |DUPLICATE --- Comment #12 from Howard Chu <hyc(a)openldap.org> --- (In reply to Ondřej Kuzník from comment #11) > Is this resolved with ITS#8958? Yes *** This issue has been marked as a duplicate of issue 8958 *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8958] 2nd cn=config update blocks slapd while adding subordinate index
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=8958 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ralf(a)openldap.org --- Comment #42 from Howard Chu <hyc(a)openldap.org> --- *** Issue 5840 has been marked as a duplicate of this issue. *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 5840] mdb online indexing and shutdown
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=5840 --- Comment #11 from Ondřej Kuzník <ondra(a)mistotebe.net> --- Is this resolved with ITS#8958? -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9798] New: Clearing pending ops on Bind
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9798 Issue ID: 9798 Summary: Clearing pending ops on Bind Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Some context first. The only universal way of reset an arbitrary (SASL) bind in progress, at least in my reading of RFC4511 is to send an anonymous bind op, so that's what the load balancer does when needed (the client goes away, etc.). Incidentally, this is also what the balancer chooses to do when the pending bind needs to be "abandoned" when the backend doesn't respond within a configured timeout. That's skating the edge of what RFC4511 allows, probably just past it. The issue: When slapd receives a bind and another operation X (lloadd sends the above mentioned "reset" bind) before that first bind starts processing, X gets added into conn->c_ops_pending and does c_n_pending_ops++. Bind then eventually invokes connection_abandon which forgets to zero out c_n_pending_ops and the connection remains unusable forever. On the surface that's trivial to fix and a fix is coming. On the other hand, operation X in the pending list is actually discarded too, so that kind of defeats the idea of trying to "abandon" the original bind and completely reset the connection state. Question is, do we want to retain the last bind in the pending list or does the balancer have to destroy the connection unconditionally when a bind times out? -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 8524] cn=config + ditContentRule
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=8524 --- Comment #3 from Ondřej Kuzník <ondra(a)mistotebe.net> --- Just like with attribute and objectclass definitions, these are stored under cn=schema,cn=config as the file that defined them or directly in cn=config if defined in slapd.conf directly (as you're doing here). Maybe keep them in a file that you also include. Don't know if we should document this behaviour or change it in some way. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7441] cn=config filters ignore {number}
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7441 --- Comment #2 from Ondřej Kuzník <ondra(a)mistotebe.net> --- The inconsistency part comes from bconfig not implementing be_compare. Instead, it relies on the frontend implementation, so while search goes through test_filter->...->ordered_value_match and other backends use slap_compare_entry which triggers the same, frontend's compare gets the actual values through backend_attribute and then calls value_find_ex, which doesn't care about SLAP_AT_ORDERED. Afterwards, allowing attr={index} assertions to match attr={index}value and attr={index}value to match itself only should be possible by adapting ordered_value_match (and value_find_ex or whatever we end up calling from the frontend). -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9748] New: Deleted values of pwdFailureTime seem to reappear
by openldap-its＠openldap.org 03 Mar '22

03 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9748 Issue ID: 9748 Summary: Deleted values of pwdFailureTime seem to reappear Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Created attachment 854 --> https://bugs.openldap.org/attachment.cgi?id=854&action=edit accesslog for uid=dm01-R2H2-956,ou=People,dc=example,dc=com Somehow, ppolicy seems to be able to reference values of pwdFailureTime that had been deleted before the actual bind even started. In the attached accesslog, trace, deletion of everything (including "20211115154510.478330Z") is recorded from reqSession: 3, then a bind comes in and the same value is explicitly removed again. -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Issue 9800] New: ACL with set.expand in <who> clause does not work with deref control
by openldap-its＠openldap.org 03 Mar '22

03 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9800 Issue ID: 9800 Summary: ACL with set.expand in <who> clause does not work with deref control Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- This ACL returns correct values with a normal search requesting the attribute sudoUser: access to dn.subtree="ou=ae-dir" attrs=sudoUser val.regex="^%(.+)$" by set.expand="(user/-1 | user/aeSrvGroup)/aeLoginGroups & [ldap:///ou=ae-dir?entryDN?sub?(&(objectClass=aeGroup)(aeStatus=0)(cn=${v1}))]/entryDN" read by * none But it does not work with a search like this using deref control: ldapsearch -Q -E deref=aeVisibleSudoers:cn,sudoUser '(objectClass=aeSrvGroup)' For completeness see docs and schema for aeSrvGroup: https://www.ae-dir.com/docs.html#schema-oc-aeSrvGroup https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/master/fi… -- You are receiving this mail because: You are on the CC list for the issue.

1 1

[Issue 7335] Create process for updating man pages to handle both cn=config and slapd.conf configurations
by openldap-its＠openldap.org 28 Feb '22

28 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=7335 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.6.2 |2.7.0 Assignee|hyc(a)openldap.org |bugs(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Bug 9256] New: The ACLs required for SASL binding are not fully documented
by openldap-its＠openldap.org 28 Feb '22

28 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=9256 Bug ID: 9256 Summary: The ACLs required for SASL binding are not fully documented Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: kop(a)karlpinc.com Target Milestone: --- Created attachment 727 --> https://bugs.openldap.org/attachment.cgi?id=727&action=edit Patch massaging the SASL binding requirement docs While some ACL requirements for SASL binding are documented, some are not. E.g, that olcAuthzRegexp requires =x on objectClass when direct DN mapping is not documented. Other requirements can be reasoned out based on the existing documentation, but this can be very difficult when unfamiliar with all the moving parts and the places they are documented. E.g. knowing that (objectClass=*) is the default filter, and that there's _always_ _some_ filter, and connecting this with ACLs required to do search-based SASL mapping. The attached patch brings all the SASL binding requirements together in one place in the docs and makes everything explicit. The word "SASL" is included, for those searching for that keyword. I, Karl O. Pinc, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. -- You are receiving this mail because: You are on the CC list for the bug.

1 27

[Issue 9731] New: startup messages still go to syslog when logfile-only is on
by openldap-its＠openldap.org 28 Feb '22

28 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=9731 Issue ID: 9731 Summary: startup messages still go to syslog when logfile-only is on Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- When setting logfile-only on, slapd still logs its startup message to syslog: Oct 29 21:07:47 u18test slapd[18534]: @(#) $OpenLDAP: slapd 2.6.0 (Oct 29 2021 05:12:17) $#012#011openldap This is useful information to have consolidated into the specified logfile. Note that: 617c62a3.16f03fdb 0x7f9325ed67c0 slapd starting does make it to the logfile. However, it would be useful to have the build date and version in the specified logfile. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs