- openldap-bugs - openldap.org

[Issue 10315] Re-Usage of Message IDs of async search blocks all available connections
by openldap-its＠openldap.org 11 Mar '25

11 Mar '25

https://bugs.openldap.org/show_bug.cgi?id=10315 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10315] Re-Usage of Message IDs of async search blocks all available connections
by openldap-its＠openldap.org 11 Mar '25

11 Mar '25

https://bugs.openldap.org/show_bug.cgi?id=10315 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |RESOLVED Resolution|--- |INVALID --- Comment #7 from Quanah Gibson-Mount <quanah(a)openldap.org> --- No OpenLDAP issue seen. Use proper file limit settings. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10315] Re-Usage of Message IDs of async search blocks all available connections
by openldap-its＠openldap.org 11 Mar '25

11 Mar '25

https://bugs.openldap.org/show_bug.cgi?id=10315 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Group|OpenLDAP-devs | Keywords|needs_review | -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10318] New: Potential null-pointer-dereference in servers/slapd/connection.c
by openldap-its＠openldap.org 11 Mar '25

11 Mar '25

https://bugs.openldap.org/show_bug.cgi?id=10318 Issue ID: 10318 Summary: Potential null-pointer-dereference in servers/slapd/connection.c Product: OpenLDAP Version: 2.5.6 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: 1367173408(a)qq.com Target Milestone: --- Created attachment 1056 --> https://bugs.openldap.org/attachment.cgi?id=1056&action=edit execution trace Hi, I have found a potential null pointer dereference bug in the project and would like to report it to the maintainers. At line 267 and line 284 in file `servers/slapd/connection.c`, the function `connection_get` may return NULL. Then, at line 1239 in the same file, the pointer `c` receives the return value, which may be NULL. But `c` is dereferenced at following lines without checking, which may lead to a null-pointer-dereference bug. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10317] New: Potential null-pointer-dereference
by openldap-its＠openldap.org 11 Mar '25

11 Mar '25

https://bugs.openldap.org/show_bug.cgi?id=10317 Issue ID: 10317 Summary: Potential null-pointer-dereference Product: OpenLDAP Version: 2.5.6 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: 1367173408(a)qq.com Target Milestone: --- Created attachment 1055 --> https://bugs.openldap.org/attachment.cgi?id=1055&action=edit execution trace Hi, I have found a potential null pointer dereference bug in the project and would like to report it to the maintainers. At line 836 in file `servers/slapd/backglue.c`, the function `glue_tool_inst` may return NULL. Then, at line 765 in the same file, the pointer `on` receives the return value, which may be NULL. But `on` is dereferenced at line 766 without checking, which may lead to a null-pointer-dereference bug. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10266] New: Adopt broader RFC4511 NoD interpretation on lloadd's client side
by openldap-its＠openldap.org 04 Mar '25

04 Mar '25

https://bugs.openldap.org/show_bug.cgi?id=10266 Issue ID: 10266 Summary: Adopt broader RFC4511 NoD interpretation on lloadd's client side Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: lloadd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Server side, lloadd has long implemented a broad interpretation of NoD unsolicited response handling: when the message is issued, no new requests are accepted on the session however the client and server are both free to keep the session open if there are any operations that have not resolved yet. The server is still expected to close the connection as soon as no operations are still pending. This seems to interoperate with known clients. Those that want to will close the session immediately, unaware of this possibility, those that also want to interpret RFC 4511 this way can choose to wait for existing operations to resolve. This ticket is to track the lloadd's implementation of the client side of this - when receiving a NoD message, we don't close the connection immediately+unconditionally either but are willing to wait. Related functionality: - if connection was a bind connection processing a multi-stage SASL bind, the bind should fail if/when the client attempts to progress it - clients assigned to this connection through coherence at least 'connection' are also marked closing -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10310] New: Update pbkdf2 overlay so iterations can be configurable
by openldap-its＠openldap.org 04 Mar '25

04 Mar '25

https://bugs.openldap.org/show_bug.cgi?id=10310 Issue ID: 10310 Summary: Update pbkdf2 overlay so iterations can be configurable Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: contrib Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- The pbkdf2 password hashing contrib overlay has the number of iterations hard coded at 10,000. It would be helpful to update the module to allow this to be configurable instead, as is done with other password hashing modules. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10314] New: Only install the slapi-plugin.h header if building slapi library
by openldap-its＠openldap.org 04 Mar '25

04 Mar '25

https://bugs.openldap.org/show_bug.cgi?id=10314 Issue ID: 10314 Summary: Only install the slapi-plugin.h header if building slapi library Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: mattias.ellert(a)physics.uu.se Target Milestone: --- Created attachment 1054 --> https://bugs.openldap.org/attachment.cgi?id=1054&action=edit Proposed patch The slapi-plugin.h header does not make sense without the slapi library. The attached patch makes the installation of the header conditional. -- You are receiving this mail because: You are on the CC list for the issue.

1 1

[Issue 10305] New: pkg-config should be used to find cyrus-sasl
by openldap-its＠openldap.org 25 Feb '25

25 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=10305 Issue ID: 10305 Summary: pkg-config should be used to find cyrus-sasl Product: OpenLDAP Version: 2.6.9 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: hi(a)alyssa.is Target Milestone: --- Static libraries do not encode their dependencies, so dependencies have to be discovered using pkg-config or another equivalent mechanism. OpenLDAP does not use pkg-config to find cyrus-sasl, which means that even if a working static cyrus-sasl library is available, it won't be used, because OpenLDAP's build system won't know to link its dependency libraries. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10311] New: Work with IETF LDAP working group to update password hashing mechanism RFC
by openldap-its＠openldap.org 25 Feb '25

25 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=10311 Issue ID: 10311 Summary: Work with IETF LDAP working group to update password hashing mechanism RFC Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- Work with the IETF ldap working group to update the RFC to make the suggested hashing mechanism be what is currently "best practice" rather than a specific hashing mechanism. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10024] New: MDB_PREVSNAPSHOT broken
by openldap-its＠openldap.org 21 Feb '25

21 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=10024 Issue ID: 10024 Summary: MDB_PREVSNAPSHOT broken Product: LMDB Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: markus(a)objectbox.io Target Milestone: --- It seems that the patch #9496 had a negative side effect on MDB_PREVSNAPSHOT. In certain cases, when opening the DB using MDB_PREVSNAPSHOT, the previous (2nd latest) commit is not selected. Instead, reads show that the latest commit was selected voiding the effect of MDB_PREVSNAPSHOT. I observed this in our test cases a while back. Today, I was finally able to reproduce it and debug into it. When creating the transaction to read the data, I debugged into mdb_txn_renew0. Here, ti (MDB_txninfo; env->me_txns) was non-NULL. However, ti->mti_txnid was 0 (!) and thus txn->mt_txnid was set to 0. That's the reason for always selecting the first (index 0) meta page inside mdb_txn_renew0: meta = env->me_metas[txn->mt_txnid & 1]; This line occurs twice (once for read txn and once for write txn; it affects both txn types). Thus, the chances of MDB_PREVSNAPSHOT selecting the correct meta page is 50-50. It's only correct if the first meta page (index 0) is the older one. I believe that this is related to #9496 because the patch, that was provided there, removed the initialization of "env->me_txns->mti_txnid" in mdb_env_open2. This would explain why txn->mt_txnid inside mdb_txn_renew0 was set to 0. I can confirm that adding back the following two lines back in fixes MDB_PREVSNAPSHOT: if (env->me_txns) env->me_txns->mti_txnid = meta.mm_txnid; The said patch including the removal of these two lines was applied in the commit(s) "ITS#9496 fix mdb_env_open bug from #8704" (Howard Chu on 09.04.21). I hope this information is useful to find a suitable fix. Please let me know if you have questions. Also, I'd be happy to help confirming a potential fix with our test suite. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 10265] New: Make it possible to change olcBkLloadListen at runtime
by openldap-its＠openldap.org 19 Feb '25

19 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=10265 Issue ID: 10265 Summary: Make it possible to change olcBkLloadListen at runtime Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: lloadd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Currently, olcBkLloadListen changes only take effect on lloadd startup: - an added olcBkLloadListen should come online at the end of the modify operation - at the end of the modify operation a removed olcBkLloadListen will stop listening on the sockets associated with it, clients that connected over these are marked CLOSING - to facilitate replacing a value where URIs resolved sockets overlap, olcBkLloadListen should become a MAY in olcBkLloadConfig objectclass Lloadd's startup was modelled upon slapd's, but the requirements have changed considerably when it was turned into a module. Sockets are acquired at module configuration time, which is much later than standalone/slapd's own startup and so the way the URLs are handled also needs to be reworked. This will resolve other related issues. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Bug 9186] New: RFE: More metrics in cn=monitor
by openldap-its＠openldap.org 19 Feb '25

19 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=9186 Bug ID: 9186 Summary: RFE: More metrics in cn=monitor Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- Currently I'm grepping metrics from syslog with mtail: https://gitlab.com/ae-dir/ansible-ae-dir-server/-/blob/master/templates/mta… With a new binary logging this is not possible anymore. Thus it would be nice if cn=monitor provides more metrics. 1. Overall connection count per listener starting at 0 when started. This would be a simple counter added to: entries cn=Listener 0,cn=Listeners,cn=Monitor 2. Counter for the various "deferring" messages separated by the reason for deferring. 3. Counters for all possible result codes. In my mtail program I also label it with the result type. -- You are receiving this mail because: You are on the CC list for the bug.

1 15

[Issue 7249] slapd segfault with memberof overlay on frontend db
by openldap-its＠openldap.org 19 Feb '25

19 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=7249 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|TEST |FIXED --- Comment #23 from Quanah Gibson-Mount <quanah(a)openldap.org> --- RE26: • d66062dc by Ondřej Kuzník at 2025-02-19T18:37:48+00:00 ITS#7249 Let backend_attribute know who's calling it • 5c734d2b by Ondřej Kuzník at 2025-02-19T18:37:53+00:00 ITS#7249 Disallow memberof-addcheck when memberof is global -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7080] post read control in back-config
by openldap-its＠openldap.org 19 Feb '25

19 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=7080 --- Comment #6 from Quanah Gibson-Mount <quanah(a)openldap.org> --- RE26 (2.6.10): • 8d19c205 by Ondřej Kuzník at 2025-02-19T18:06:29+00:00 ITS#7080 Do not munge path twice • f328965d by Ondřej Kuzník at 2025-02-19T18:06:33+00:00 ITS#7080 Implement pre/postread for modrdn • c667f2ea by Ondřej Kuzník at 2025-02-19T18:15:58+00:00 ITS#7080 Do not reuse back-ldif's stack for controls -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7249] slapd segfault with memberof overlay on frontend db
by openldap-its＠openldap.org 19 Feb '25

19 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=7249 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |TEST --- Comment #22 from Quanah Gibson-Mount <quanah(a)openldap.org> --- head: • 993f488e by Ondřej Kuzník at 2025-02-19T17:29:04+00:00 ITS#7249 Let backend_attribute know who's calling it • f2cba910 by Ondřej Kuzník at 2025-02-19T17:29:04+00:00 ITS#7249 Disallow memberof-addcheck when memberof is global -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10296] New: Force a Mac OS full flush
by openldap-its＠openldap.org 19 Feb '25

19 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=10296 Issue ID: 10296 Summary: Force a Mac OS full flush Product: LMDB Version: unspecified Hardware: All OS: Mac OS Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: renault.cle(a)gmail.com Target Milestone: --- Created attachment 1045 --> https://bugs.openldap.org/attachment.cgi?id=1045&action=edit Use a F_FULLFSYNC fcntl when committing on Mac OS Hello Howard and Happy New Year, As discussed in this issue [1], the LMDB durability is incorrect when committing. I propose the following patch that uses fcntl with the F_FULLFSYNC flag. The fcntl documentation is on this page [2]. Note that I kept the calls to msync/fsync for simplicity and because they don't cost much but feel free to skip them on Mac OS. Have a nice day, kero [1]: https://github.com/cberner/redb/pull/928#issuecomment-2567032808 [2]: https://developer.apple.com/library/archive/documentation/System/Conceptual… -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 10160] New: Add negset and negurl for slapo-constraint
by openldap-its＠openldap.org 19 Feb '25

19 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=10160 Issue ID: 10160 Summary: Add negset and negurl for slapo-constraint Product: OpenLDAP Version: 2.6.6 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: manu(a)netbsd.org Target Milestone: --- Created attachment 1003 --> https://bugs.openldap.org/attachment.cgi?id=1003&action=edit Add negset and negurl for slapo-constraint Add negset and negurl constraints for slapo-constraint. THe two new types are logical not of set and url. They will fire a constraint violation if the set or LDAP URL query is non empty. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 7080] post read control in back-config
by openldap-its＠openldap.org 19 Feb '25

19 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=7080 --- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> --- • 86d23423 by Ondřej Kuzník at 2024-12-16T17:01:26+00:00 ITS#7080 Do not munge path twice • e5826622 by Ondřej Kuzník at 2024-12-16T17:01:26+00:00 ITS#7080 Implement pre/postread for modrdn • 70d8e22d by Ondřej Kuzník at 2024-12-16T17:01:26+00:00 ITS#7080 Do not reuse back-ldif's stack for controls -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10294] New: Overlay seems to load before schema in folder configuration mode
by openldap-its＠openldap.org 13 Feb '25

13 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=10294 Issue ID: 10294 Summary: Overlay seems to load before schema in folder configuration mode Product: OpenLDAP Version: 2.6.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: pduvax(a)gmail.com Target Milestone: --- In the folder configuration (vs slapd.conf file), the modules seem to be loaded before schema folders files. This makes troubles with memberOf attributeType which is created by the dynlist overlay if missing (cf. the base function "dynlist_initialize" which starts by doing this). As the schema files are not yet loaded, it creates systematically the attributes which then prohibits the load of msuser.ldif schema without raising the error "Duplicate attributeType". I found a workaround by naming the entry of the dynlist overlay olcModuleList cn=z-module{X} while z is alphanumerically after cn=schema. But as it is hazardous, I think that the best way is to load modules after the schema by the code. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10306] New: epoll, kqueue etc. are not used when cross compiling
by openldap-its＠openldap.org 11 Feb '25

11 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=10306 Issue ID: 10306 Summary: epoll, kqueue etc. are not used when cross compiling Product: OpenLDAP Version: 2.6.9 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: hi(a)alyssa.is Target Milestone: --- OpenLDAP's build system relies on running test programs to see whether epoll or kqueue are available, after checking the headers are available. When cross compiling, test programs can't be run, and even if they could, they wouldn't produce useful results because they'd be testing the build machine. Running test programs like this isn't even a great idea for native builds, because the package is still quite likely to end up running on a different machine than it was built for — think about distro packages. This means that cross-compiled OpenLDAP ends up using select, even though it could almost certainly use epoll or kqueue. The best thing to do for this sort of thing is to check at runtime whether the epoll/kqueue/whatever is available, and fall back if not, but this would probably be hard to implement in OpenLDAP. Other, easier, things that could be done to improve the situation would be: • Assume that epoll/kqueue are available if the headers are. It's very unlikely nowadays that a system with the headers won't actually have the API available. • If the AC_RUN_IFELSE checks are staying, make sure that they're all overridabel with configure flags or at least AC_CACHE_CHECK. There are also uses of AC_RUN_IFELSE for pthreads, which presumably have the same problem. -- You are receiving this mail because: You are on the CC list for the issue.

1 1

[Issue 10139] back-config discloses existence of entries contrary to ACL
by openldap-its＠openldap.org 10 Feb '25

10 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=10139 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=10307 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10056] New: test069-delta-multiprovider-starttls failures on static builds
by openldap-its＠openldap.org 08 Feb '25

08 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=10056 Issue ID: 10056 Summary: test069-delta-multiprovider-starttls failures on static builds Product: OpenLDAP Version: 2.6.4 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: kaction(a)disroot.org Target Milestone: --- Hello. I am getting following test error when trying to build `openldap` statically: ``` [nix-shell:/tmp/openldap-static/openldap-2.6.4/tests]$ ./run test069-delta-multiprovider-starttls Cleaning up test run directory leftover from previous run. Running ./scripts/test069-delta-multiprovider-starttls for mdb... running defines.sh Initializing server configurations... Starting server 1 on TCP/IP port 9011... Using ldapsearch to check that server 1 is running... Waiting 5 seconds for slapd to start... Using ldapadd for context on server 1... Starting server 2 on TCP/IP port 9012... Using ldapsearch to check that server 2 is running... Waiting 5 seconds for slapd to start... Using ldapadd to populate server 1... Waiting 7 seconds for syncrepl to receive changes... Using ldapsearch to read all the entries from server 1... Using ldapsearch to read all the entries from server 2... Comparing retrieved entries from server 1 and server 2... Using ldapadd to populate server 2... Using ldapsearch to read all the entries from server 1... Using ldapsearch to read all the entries from server 2... Comparing retrieved entries from server 1 and server 2... Breaking replication between server 1 and 2... Using ldapmodify to force conflicts between server 1 and 2... Restoring replication between server 1 and 2... Waiting 7 seconds for syncrepl to receive changes... Using ldapsearch to read all the entries from server 1... Using ldapsearch to read all the entries from server 2... Comparing retrieved entries from server 1 and server 2... test failed - server 1 and server 2 databases differ (561) ``` I added line number (561) into error message to pinpoint it more precisely. And here is difference between databases: ``` --- /tmp/openldap-static/openldap-2.6.4/tests/testrun/server1.flt 2023-05-23 22:53:51.000965129 -0400 +++ /tmp/openldap-static/openldap-2.6.4/tests/testrun/server2.flt 2023-05-23 22:53:51.005965136 -0400 @@ -289,13 +289,10 @@ userPassword:: amFq dn: cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com -carLicense: 123-XYZ cn: James A Jones 2 cn: James Jones cn: Jim Jones -description: Amazing description: Bizarre -description: Mindboggling description: Stupendous employeeNumber: 64 employeeType: deadwood @@ -307,7 +304,7 @@ pager: +1 313 555 3923 postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109 seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com -sn: Surname +sn: Jones telephoneNumber: +1 313 555 0895 title: Mad Cow Researcher, UM Alumni Association uid: jaj ``` Suggestions on what more information I can provide are welcome. You can also try to build `pkgsStatic.openldap` in this nixpkgs [commit](f9e32f61282275eb5fa9064e08bbd0a92d1187de) -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 10149] New: [PATCH] Allow certificates and keys to be read from URIs.
by openldap-its＠openldap.org 05 Feb '25

05 Feb '25

https://bugs.openldap.org/show_bug.cgi?id=10149 Issue ID: 10149 Summary: [PATCH] Allow certificates and keys to be read from URIs. Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: minfrin(a)sharp.fm Target Milestone: --- Add the LDAP_OPT_X_TLS_URIS and LDAP_OPT_X_TLS_CACERTURIS options to allow certificates and keys to be set using OpenSSL provider URIs. The attached patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Graham Leggett minfrin(a)sharp.fm. I have not assigned rights and/or interest in this work to any party. The attached modifications to OpenLDAP Software are subject to the following notice: Copyright 2023 Graham Leggett Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License. -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 10300] New: Add detailed instructions for MRs to "Guidelines for Contributing" page
by openldap-its＠openldap.org 28 Jan '25

28 Jan '25

https://bugs.openldap.org/show_bug.cgi?id=10300 Issue ID: 10300 Summary: Add detailed instructions for MRs to "Guidelines for Contributing" page Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: smckinney(a)symas.com Target Milestone: --- The current page covers submitting patches but doesn't adequately cover creating merge requests. This provides a barrier for new developers. In addition to clarifying when a change should be submitted with a patch or merge request, it could provide a set of steps including creating a fork, branch, squash, fixup, naming conventions and other info that would be lost on a new contributor. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Bug 9245] New: devel/programming needs rewrite
by openldap-its＠openldap.org 28 Jan '25

28 Jan '25

https://bugs.openldap.org/show_bug.cgi?id=9245 Bug ID: 9245 Summary: devel/programming needs rewrite Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- The information on the devel/programming web page is at least a decade out of date and needs a complete overhaul. -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Issue 10298] New: cannot find DN in memberOf attribute when dynlist overlay contains multiple memberOf definitions
by openldap-its＠openldap.org 22 Jan '25

22 Jan '25

https://bugs.openldap.org/show_bug.cgi?id=10298 Issue ID: 10298 Summary: cannot find DN in memberOf attribute when dynlist overlay contains multiple memberOf definitions Product: OpenLDAP Version: 2.5.13 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: jan.pekar(a)imatic.cz Target Milestone: --- I'm using dynlist to define multiple static objectClasses (static-oc) to be searched for member attributes and added to memberOf attribute. My configuration is in cn=config, so I defined it using multiple olcDlAttrSet attributes groupOfURLs memberURL member+memberOf@groupOfMembers* groupOfURLs memberURL member+memberOf@groupOfNames* I noticed, that memberOf attribute contains users from both groups (groupOfMembers and groupOfNames) but I can use search operation to only first defined configuration (in above example groupOfMembers) and user membership from groupOfNames groups is not found. Maybe it must be defined in one line but I was not able to find proper syntax. Maybe attribute must be mapped somehow but when it works for first definition, should be working for next one so it is bug? Thank you -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 8988] Undefined Behavior in slapadd
by openldap-its＠openldap.org 21 Jan '25

21 Jan '25

https://bugs.openldap.org/show_bug.cgi?id=8988 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|INVALID |--- Status|VERIFIED |CONFIRMED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8988] Undefined Behavior in slapadd
by openldap-its＠openldap.org 21 Jan '25

21 Jan '25

1 0

[Issue 7249] slapd segfault with memberof overlay on frontend db
by openldap-its＠openldap.org 16 Jan '25

16 Jan '25

https://bugs.openldap.org/show_bug.cgi?id=7249 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Ever confirmed|0 |1 Status|UNCONFIRMED |IN_PROGRESS Assignee|bugs(a)openldap.org |ondra(a)mistotebe.net --- Comment #21 from Ondřej Kuzník <ondra(a)mistotebe.net> --- https://git.openldap.org/openldap/openldap/-/merge_requests/742 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10084] New: Move away from DIGEST-MD5 as a default in the test suite
by openldap-its＠openldap.org 14 Jan '25

14 Jan '25

https://bugs.openldap.org/show_bug.cgi?id=10084 Issue ID: 10084 Summary: Move away from DIGEST-MD5 as a default in the test suite Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: test suite Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- cyrus-sasl seem on the verge or removing the DIGEST-MD5 mechanism from 2.2 onwards. As such we should update our defaults in a couple of our test scripts for master/2.7 at least. Are SCRAM mechanisms the go-to these days? -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9739] New: Undefined reference to ber_sockbuf_io_udp in 2.6.0
by openldap-its＠openldap.org 13 Jan '25

13 Jan '25

https://bugs.openldap.org/show_bug.cgi?id=9739 Issue ID: 9739 Summary: Undefined reference to ber_sockbuf_io_udp in 2.6.0 Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: simon.pichugin(a)gmail.com Target Milestone: --- While I was trying to build OpenLDAP 2.6 on Fedora Rawhide I've got the error message: /usr/bin/ld: ./.libs/libldap.so: undefined reference to `ber_sockbuf_io_udp' I've checked commits from https://bugs.openldap.org/show_bug.cgi?id=9673 and found that 'ber_sockbuf_io_udp' was not added to https://git.openldap.org/openldap/openldap/-/blob/master/libraries/liblber/… I've asked on the project's mailing list and got a reply: "That symbol only exists if OpenLDAP is built with LDAP_CONNECTIONLESS defined, which is not a supported feature. Feel free to file a bug report at https://bugs.openldap.org/" https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/… Hence, creating the bug. -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 10295] New: To compare strings in Java
by openldap-its＠openldap.org 03 Jan '25

03 Jan '25

https://bugs.openldap.org/show_bug.cgi?id=10295 Issue ID: 10295 Summary: To compare strings in Java Product: JLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: JLDAP Assignee: bugs(a)openldap.org Reporter: chetansinha35(a)gmail.com Target Milestone: --- Created attachment 1044 --> https://bugs.openldap.org/attachment.cgi?id=1044&action=edit https://docs.vultr.com/java/java/examples/java/examples/reverse-a-number Java Program to Reversing a number in Java is a common task achieved using loops and arithmetic operations. By repeatedly extracting the last digit of the number with the modulus operator (%) and constructing the reversed number using multiplication and addition, the process is efficient. For example, a while loop can be used to iterate until the number becomes zero, applying reversed = reversed * 10 + number % 10. This logic makes reversing numbers simple and highlights Java's flexibility in handling number manipulation tasks. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8988] Undefined Behavior in slapadd
by openldap-its＠openldap.org 02 Jan '25

02 Jan '25

https://bugs.openldap.org/show_bug.cgi?id=8988 --- Comment #27 from jhaberman(a)gmail.com --- Unfortunately I can still reproduce this with LMDB 0.9.33. Repro: #include <stdlib.h> #include <string.h> #include <stdio.h> #include "lmdb.h" #define VAL(str) {strlen(str), str} #define CHK(st) if (st != 0) { fprintf(stderr, "fail at %d\n", __LINE__); abort(); } int main() { MDB_env* lmdb; int status; status= mdb_env_create(&lmdb); CHK(status); status = mdb_env_open(lmdb, "/tmp/lmdb_repro", 0, 0644); CHK(status); MDB_txn* txn; status = mdb_txn_begin(lmdb, NULL, 0, &txn); CHK(status); MDB_dbi dbi; status = mdb_dbi_open(txn, NULL, MDB_CREATE | MDB_DUPSORT, &dbi); CHK(status); MDB_val k = VAL("key"); MDB_val v1 = VAL("val1"); status = mdb_put(txn, dbi, &k, &v1, MDB_NODUPDATA); CHK(status); MDB_val v2 = VAL("val2"); status = mdb_put(txn, dbi, &k, &v2, MDB_NODUPDATA); CHK(status); return 0; } $ clang -fsanitize=undefined -o repro repro.c mdb.c midl.c $ mkdir /tmp/lmdb_repro $ ./repro Output: --- mdb.c:7654:26: runtime error: member access within misaligned address 0x561c906b85d3 for type 'MDB_page2' (aka 'struct MDB_page2'), which requires 2 byte alignment 0x561c906b85d3: note: pointer points here 00 6b 65 79 02 00 00 00 00 00 00 00 00 00 52 00 10 00 2c 00 76 61 6c 31 00 00 00 00 00 00 00 00 ^ SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mdb.c:7654:26 in mdb.c:7654:26: runtime error: load of misaligned address 0x561c906b85df for type 'indx_t' (aka 'unsigned short'), which requires 2 byte alignment 0x561c906b85df: note: pointer points here 00 00 52 00 10 00 2c 00 76 61 6c 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mdb.c:7654:26 in mdb.c:7655:3: runtime error: member access within misaligned address 0x561c906b85d3 for type 'MDB_page' (aka 'struct MDB_page'), which requires 8 byte alignment 0x561c906b85d3: note: pointer points here 00 6b 65 79 02 00 00 00 00 00 00 00 00 00 52 00 10 00 2c 00 76 61 6c 31 00 00 00 00 00 00 00 00 [...] --- It appears that some instances of MDB_page2 are not 2-byte aligned. Is this expected? -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8988] Undefined Behavior in slapadd
by openldap-its＠openldap.org 01 Jan '25

01 Jan '25

https://bugs.openldap.org/show_bug.cgi?id=8988 --- Comment #26 from jhaberman(a)gmail.com --- I see now that https://github.com/LMDB/lmdb/commit/3947014aed7ffe39a79991fa7fb5b234da47ad1a may have fixed this issue. I was using a version older than this commit. I will try updating and see if that fixes the problem. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8988] Undefined Behavior in slapadd
by openldap-its＠openldap.org 01 Jan '25

01 Jan '25

https://bugs.openldap.org/show_bug.cgi?id=8988 --- Comment #25 from jhaberman(a)gmail.com --- I ran into this UBSAN error today: > third_party/liblmdb/mdb.c:7559:26: runtime error: member access within misaligned address 0x32577fcf7fd3 for type 'MDB_page' (aka 'struct MDB_page'), which requires 8 byte alignment 0x32577fcf7fd3: note: pointer points here 00 66 6f 6f 02 00 00 00 00 00 00 00 00 00 52 00 10 00 2c 00 00 00 00 00 00 00 00 00 62 61 72 00 This corresponds to this line: https://github.com/LMDB/lmdb/blob/da9aeda08c3ff710a0d47d61a079f5a905b0a10a/… > mx->mx_db.md_entries = NUMKEYS(fp); From the bug log I see that there is disagreement over the interpretation of UB. Language lawyering aside, this issue makes it difficult to use LMDB in environments where UBSAN is in use. I also worry about the potential for miscompiles if the compiler is using its own interpretation of UB, and optimizing based on the assumption that UB cannot happen. Is there any way to make LMDB pack its structures less aggressively, so that it will satisfy UBSAN's alignment expectations? Alternatively, there are ways to perform the accesses that make UBSAN happy, but they make the code uglier: https://godbolt.org/z/8EP6cW77s > The code in question is accessing an unsigned short on a 2 byte boundary. I.e., its alignment is correct. UBsan is incorrect here. I cannot speak for the UBSAN authors, but I believe the issue is that, since p->x is equivalent to (*p).x, the dereference of p must be valid, even if x's alignment requirements are looser. To avoid this, you could write *(uint16_t*)((char*)p + offsetof(S, x)), since this avoids actually dereferencing p. But this is obviously much less readable. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10291] New: OpenLDAP matches localhost against local hostname incorrectly
by openldap-its＠openldap.org 18 Dec '24

18 Dec '24

https://bugs.openldap.org/show_bug.cgi?id=10291 Issue ID: 10291 Summary: OpenLDAP matches localhost against local hostname incorrectly Product: OpenLDAP Version: 2.6.2 Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: client tools Assignee: bugs(a)openldap.org Reporter: cmousefi(a)gmail.com Target Milestone: --- When connecting to a localhost LDAP server using TLS, I get this in debug log: # ldapsearch -ZZ -H ldap://localhost/ -d9 <skip...> TLS trace: SSL_connect:before SSL initialization TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace: SSL_connect:SSLv3/TLS read server hello TLS trace: SSL_connect:TLSv1.3 read encrypted extensions TLS certificate verification: depth: 1, err: 0, subject: /CN=Test LDAP CA Root, issuer: /CN=Test LDAP CA Root TLS certificate verification: depth: 0, err: 0, subject: /CN=localhost, issuer: /CN=Test LDAP CA Root TLS trace: SSL_connect:SSLv3/TLS read server certificate TLS trace: SSL_connect:TLSv1.3 read server certificate verify TLS trace: SSL_connect:SSLv3/TLS read finished TLS trace: SSL_connect:SSLv3/TLS write change cipher spec TLS trace: SSL_connect:SSLv3/TLS write finished TLS: hostname (1384a4485398) does not match common name in certificate (localhost). TLS: can't connect: TLS: hostname does not match name in peer certificate. ldap_err2string ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match name in peer certificate Expected behaviour: When connecting to localhost, I would expect the certificate issued to localhost to work. Actual behaviour: Certificate is issued to localhost but ldapsearch matches against local hostname. Here is the server certificate textual presentation subject=CN=localhost Certificate: Data: Version: 3 (0x2) Serial Number: 41:68:1b:be:cb:46:95:45:e7:72:03:8b:6c:b4:75:55:ca:5c:cb:c9 Signature Algorithm: ecdsa-with-SHA256 Issuer: CN=Test LDAP CA Root Validity Not Before: Dec 3 19:04:58 2024 GMT Not After : Sep 2 19:04:58 2034 GMT Subject: CN=localhost Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:f5:f1:f4:7d:56:85:87:b2:98:c9:b2:a2:83:ef: 52:71:01:1e:81:64:9f:64:ec:99:5a:e4:38:63:13: 69:de:09:00:1e:a1:e1:83:4a:c6:58:0d:c0:bb:4f: 36:7f:5a:f7:8f:74:b4:e2:96:06:09:9b:2c:0d:fb: 8c:6d:57:44:2e ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Subject Key Identifier: 5A:54:AF:41:E8:A0:EC:3D:28:3D:D6:0D:91:20:97:73:FA:40:AE:9C X509v3 Authority Key Identifier: FB:AF:31:4B:A2:2B:E1:DA:55:6A:3F:EE:D1:A4:74:51:C7:B9:9F:A7 X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Subject Alternative Name: IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, DNS:localhost, DNS:localhost.localdomain Signature Algorithm: ecdsa-with-SHA256 Signature Value: 30:46:02:21:00:d4:9a:16:ba:6e:1d:c7:df:bd:5b:3d:56:b7: 0d:ea:aa:a7:7a:7f:d0:c1:ed:77:11:48:e8:aa:b1:6a:a8:ac: 28:02:21:00:d8:41:3d:a0:52:c8:2b:cc:13:34:46:1b:34:dd: 96:87:e5:7c:71:62:50:f3:2d:b1:18:3d:ce:27:34:c9:c4:32 -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 10292] New: LMDB documentation is unavailable. lmdb.tech domain has expired
by openldap-its＠openldap.org 17 Dec '24

17 Dec '24

https://bugs.openldap.org/show_bug.cgi?id=10292 Issue ID: 10292 Summary: LMDB documentation is unavailable. lmdb.tech domain has expired Product: LMDB Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: vadim.kovalyov(a)gmail.com Target Milestone: --- LMDB documentation is unavailable. lmdb.tech domain has expired. I can't find the documentation anywhere else. If domain is gone, at least we need to update the openldap website to point to a (new) documentation site. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9886] New: At "sync" logging, nothing shows how long a write op took on consumers
by openldap-its＠openldap.org 17 Dec '24

17 Dec '24

https://bugs.openldap.org/show_bug.cgi?id=9886 Issue ID: 9886 Summary: At "sync" logging, nothing shows how long a write op took on consumers Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- If sync logging is enabled on a consumer, there's no etime logged which means it is not possible to see how long a write op took on that consumer. This can be useful information to see how the node is performing, particularly if it is a read only node where there will be no general MOD timing logged. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10289] New: myldap
by openldap-its＠openldap.org 17 Dec '24

17 Dec '24

https://bugs.openldap.org/show_bug.cgi?id=10289 Issue ID: 10289 Summary: myldap Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: cmp(a)tutanota.de Target Milestone: --- -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10275] New: mdb_load could use a parameter to pass batch size
by openldap-its＠openldap.org 10 Dec '24

10 Dec '24

https://bugs.openldap.org/show_bug.cgi?id=10275 Issue ID: 10275 Summary: mdb_load could use a parameter to pass batch size Product: LMDB Version: 0.9.21 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: tools Assignee: bugs(a)openldap.org Reporter: gkwicker(a)amazon.com Target Milestone: --- Created attachment 1037 --> https://bugs.openldap.org/attachment.cgi?id=1037&action=edit Patch to mdb_load.c in version 0.9.21 mdb_load is very slow when ingesting a large db. The attached patch (0.9.21 but will apply to other versions with modification) allows the user to pass a batch size to be used instead of the default value of 100. Changing the batch size to a larger value improves ingestion speed. I, Gary Wicker, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. -- You are receiving this mail because: You are on the CC list for the issue.

1 22

[Issue 10286] New: ldap_pvt_gettime may result in "not new enough csn" problems in multi-thread case.
by openldap-its＠openldap.org 01 Dec '24

01 Dec '24

https://bugs.openldap.org/show_bug.cgi?id=10286 Issue ID: 10286 Summary: ldap_pvt_gettime may result in "not new enough csn" problems in multi-thread case. Product: OpenLDAP Version: 2.6.6 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: 971748261(a)qq.com Target Milestone: --- Created attachment 1041 --> https://bugs.openldap.org/attachment.cgi?id=1041&action=edit the log of adding two entry which shows the time sequence. I used openldap as krb5's database, and openldap was deploymented in mirrormode. I tried to add kerberos principals via kadmin.local -q "addprinc -randkey principal. slapd log showed that the entry of kadmin/admin was added earlier than the entry of ossuser. But the csn of kadmin/admin was greater than ossuser. In this case, when the two entry began to sync to the other slapd server, ossuser was ignored because of "csn not new enough" -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 7441] cn=config filters ignore {number}
by openldap-its＠openldap.org 27 Nov '24

27 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=7441 --- Comment #3 from Ondřej Kuzník <ondra(a)mistotebe.net> --- https://git.openldap.org/openldap/openldap/-/merge_requests/662 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10218] New: Disabling and re-enabling an asyncmeta database via cn=config leaks memory
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10218 Issue ID: 10218 Summary: Disabling and re-enabling an asyncmeta database via cn=config leaks memory Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: nivanova(a)symas.com Target Milestone: --- To reproduce - run OpenLDAP with valgrind, and set the olcDisabled attribute of an asyncmeta database to TRUE, then again to FALSE. The connection structures of the database are subsequently shown as leaked. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10249] New: slapo-nestgroup leak with non-nested groups
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10249 Issue ID: 10249 Summary: slapo-nestgroup leak with non-nested groups Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Searching for a member= of a group when no nesting is in place will leak memory. It seems to stem from a few `gi.gi_numDNs` tests that should most likely be against `gi.gi_DNs` instead. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10263] New: ldapmodify error messages should be more helpful when dealing with trailing whitespace
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10263 Issue ID: 10263 Summary: ldapmodify error messages should be more helpful when dealing with trailing whitespace Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: client tools Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Often when copy-pasting, a trailing whitespace can sneak in to a modify LDIF (e.g. "delete: attribute \nattribute: ..."), ldapmodify should emit a different message than: "ldapmodify: wrong attributeType at line x" because that is just not helpful. First off, the line number refers to the one that's usually correct. Emitting an "expecting '%s'" would be a start. Maybe we should even warn/error when an attribute name in a change record contains whitespace, because it's not valid as RFC 2849 grammar only allows ALPHA/DIGIT/'-'/'.'/';' anyway. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10234] New: syncrepl does not reset the retrynum
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10234 Issue ID: 10234 Summary: syncrepl does not reset the retrynum Product: OpenLDAP Version: 2.6.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: hamano(a)osstech.co.jp Target Milestone: --- ``` syncrepl retry="5 10 30 +" ``` When replication fails with the above settings, syncrepl retries "10 times at 5 second intervals". Then, the retry count should be reset on the next replication failure. In actual, it does not reset. The behavior is as follows: ``` (first time replication failure) do_syncrepl: rid=001 rc -1 retrying (9 retries left) do_syncrepl: rid=001 rc -1 retrying (8 retries left) (resume replication) (second time replication failure) do_syncrepl: rid=001 rc -1 retrying (7 retries left) do_syncrepl: rid=001 rc -1 retrying (6 retries left) ``` -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10235] New: Configure without --enable-nestgroup=no enables feature
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10235 Issue ID: 10235 Summary: Configure without --enable-nestgroup=no enables feature Product: OpenLDAP Version: 2.6.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: stacey.marshall(a)gmail.com Target Milestone: --- OpenLDAP 2.6.8 configured with --enable-overlays. Some openldap commands output a Duplicate attributeType notice, for example # /sbin/slapcat -b cn=config -H ldap:///???olcTLSCertificateKeyFile=\* | grep olcTLSCertificateKeyFile register_at: AttributeType "( 1.2.840.113556.1.2.102 NAME 'memberOf' DESC 'Group that the entry belongs to' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' EQUALITY distinguishedNameMatch USAGE dSAOperation NO-USER-MODIFICATION X-ORIGIN 'iPlanet Delegated Administrator' )": Duplicate attributeType, 1.2.840.113556.1.2.102 olcTLSCertificateKeyFile: /etc/certs/localhost/host.key Specifying configure option --enable-nestgroup=no prevents nestgroup feature and the message from being displayed. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10256] New: Custom attribute disappears after slapd restart
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10256 Issue ID: 10256 Summary: Custom attribute disappears after slapd restart Product: OpenLDAP Version: 2.4.57 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: heinrich.blatt(a)googlemail.com Target Milestone: --- Hi, i want to use a custom attribute in my schema. I use that ldif: dn: cn=schema,cn=config changetype: modify add: olcAttributeTypes olcAttributeTypes: ( 1.2.840.113556.1.4.7000 NAME 'rfidtoken' DESC 'RFID Token' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) This i inject via ldapmodify. For the session it works, but after restarting slapd the attribute disappears. If i add it again via ldapmodify it is there for the session again. My /etc/ldap/slapd.d/cn=config/cn=schema.ldif contains the change. This seems related to #9066, however the documentation indicates that i can make the changes via ldapmodify persistent. What is the right approach there? What i can do to persist the change? Thanks in advance for support -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 8047] TIMEOUT and NETWORK_TIMEOUT don't work properly with SSL
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=8047 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10230] New: memberof addcheck must ignore other overlays
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10230 Issue ID: 10230 Summary: memberof addcheck must ignore other overlays Product: OpenLDAP Version: 2.6.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: hyc(a)openldap.org Target Milestone: --- The addcheck feature added in ITS#10167 does a search to see if a newly added entry is already a member of any existing groups, and fixes its memberof attribute appropriately if so. The values written here should only be static values, but if the nestgroup overlay was configured, dynamic values were also being included. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10233] New: wrong idl intersection
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10233 Issue ID: 10233 Summary: wrong idl intersection Product: OpenLDAP Version: 2.6.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: hamano(a)osstech.co.jp Target Milestone: --- The `mdb_idl_intersection()` and `wt_idl_intersection()` functions derived from back-bdb return wrong results. expect: [1, 3] ∩ [2] = [] actual: [1, 3] ∩ [2] = [2] -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10248] New: translucent + subordinate regression
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10248 Issue ID: 10248 Summary: translucent + subordinate regression Product: OpenLDAP Version: 2.6.8 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: mike(a)nolta.net Target Milestone: --- Created attachment 1027 --> https://bugs.openldap.org/attachment.cgi?id=1027&action=edit translucent + subordinate regression testcase, formatted for tests/data/regressions/ Hi, Attached please find a testcase for a regression we noticed in a translucent + subordinate slapd configuration. The test works in version 2.4.59, but fails in versions 2.5.5 and 2.6.8. In a nutshell, search results from the subordinate database aren't being returned, even though (judging by the logs) they appear to be found. Thanks, -Mike -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Issue 10223] New: tlso_ctx_cipherfree: does not check result of SSL_CTX_set_ciphersuites; can fail with incomplete input provided earlier on in the function
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10223 Issue ID: 10223 Summary: tlso_ctx_cipherfree: does not check result of SSL_CTX_set_ciphersuites; can fail with incomplete input provided earlier on in the function Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: yaneurabeya(a)gmail.com Target Milestone: --- The code on line 366 [1] doesn't check the return value of SSL_CTX_set_ciphersuites(..) before returning from the function, if there's leftover data in the tls13_suites buffer, after processing tls13_suites looking for TLS v1.3 compatible ciphers. OpenSSL doesn't state what specific scenarios could result in a failure with the function, but doing some code inspection [2] it appears that a failure could occur if the value provided in the second parameter (`str` per the manpage [3]) to SSL_CTX_set_ciphersuites(..) is either invalid or an internal memory allocation error occurs. While this isn't necessarily something that can be easily handled, it would be prudent to either ignore the return code explicitly by casting the result to (void) and clearing the error, or handling the OpenSSL error explicitly, using the ERR_* family APIs. This issue was reported by Coverity. 1. https://github.com/openldap/openldap/blob/15edb3b30f2b6a3dbdf77cc42d39466d5… 2. https://github.com/openssl/openssl/blob/5bbdbce856c7ca132e039a24a3156184848… 3. https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 10221] New: Fix build script for 2.5.18
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10221 Issue ID: 10221 Summary: Fix build script for 2.5.18 Product: OpenLDAP Version: 2.5.17 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: delphij(a)freebsd.org Target Milestone: --- Hi, In revision 619afaccab5 (ITS#10177) an extra " was introduced, which will prevent configure script from working with FreeBSD's sh(1) (I suspect it would also break on other shell implementations). The fix is to delete that extra ". This affects OpenLDAP 2.5.18 only. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10231] New: slapadd segfault on non-configured backend
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10231 Issue ID: 10231 Summary: slapadd segfault on non-configured backend Product: OpenLDAP Version: 2.6.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: hyc(a)openldap.org Target Milestone: --- If the LDIF being loaded corresponds to a different backend than the one specified (or the default backend, if none was specified), and the specified backend's configuration is incomplete and lacks a suffix, slapadd will SEGV when trying to print the error message about the LDIF not matching the specified backend, because it tries to print the suffix but the suffix is NULL. E.g. using this setup: ### mkdir dumb dumb/db cat > dumb/slapd.conf <<EOF include schema/core.schema backend ldif database ldif directory dumb/db EOF slapd -Ta -f dumb/slapd.conf -l schema/inetorgperson.ldif ### When fixed, the normal error message will be shown instead: slapadd: line 1: database #1 ((null)) not configured to hold "cn=inetorgperson,cn=schema,cn=config"; did you mean to use database #0 (cn=config)? Closing DB... -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9827] New: Feature request for module argon2.so to support Argon2i, Argon2d, Argon2id
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=9827 Issue ID: 9827 Summary: Feature request for module argon2.so to support Argon2i, Argon2d, Argon2id Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: juergen.sprenger(a)swisscom.com Target Milestone: --- Hi, This is a feature request. I would like to be able to chooses between Argon2i, Argon2d and Argon2id in slappasswd like in argon2 command: # argon2 Usage: argon2 [-h] salt [-i|-d|-id] [-t iterations] [-m log2(memory in KiB) | -k memory in KiB] [-p parallelism] [-l hash length] [-e|-r] [-v (10|13)] Password is read from stdin Parameters: salt The salt to use, at least 8 characters -i Use Argon2i (this is the default) -d Use Argon2d instead of Argon2i -id Use Argon2id instead of Argon2i -t N Sets the number of iterations to N (default = 3) -m N Sets the memory usage of 2^N KiB (default 12) -k N Sets the memory usage of N KiB (default 4096) -p N Sets parallelism to N threads (default 1) -l N Sets hash output length to N bytes (default 32) -e Output only encoded hash -r Output only the raw bytes of the hash -v (10|13) Argon2 version (defaults to the most recent version, currently 13) -h Print argon2 usage Example: /usr/local/etc/openldap # /usr/sbin/slappasswd -h "{ARGON2}" -o module-load="argon2.so i" -s secret /usr/local/etc/openldap # /usr/sbin/slappasswd -h "{ARGON2}" -o module-load="argon2.so d" -s secret /usr/local/etc/openldap # /usr/sbin/slappasswd -h "{ARGON2}" -o module-load="argon2.so id" -s secret Best regards Juergen Sprenger -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9952] New: Crash on exit with OpenSSL 3
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=9952 Issue ID: 9952 Summary: Crash on exit with OpenSSL 3 Product: OpenLDAP Version: 2.6.2 Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: artur.zaprzala(a)gmail.com Target Milestone: --- A program using libldap will crash on exit after using SSL connection. How to reproduce on CentOS 9: Uncomment the following lines in /etc/pki/tls/openssl.cnf: [provider_sect] legacy = legacy_sect [legacy_sect] activate = 1 Run the command (you must enter a valid LDAP server address): python3 -c "import ldap; ldap.initialize('ldaps://<LDAP SERVER ADDRESS>').whoami_s()" Another example (no server required): python3 -c "import ctypes; ctypes.CDLL('libldap.so.2').ldap_pvt_tls_init_def_ctx(0)" Results: Segmentation fault (core dumped) Backtrace from gdb: Program received signal SIGSEGV, Segmentation fault. 0 ___pthread_rwlock_rdlock (rwlock=0x0) at pthread_rwlock_rdlock.c:27 1 0x00007ffff7c92f3d in CRYPTO_THREAD_read_lock (lock=<optimized out>) at crypto/threads_pthread.c:85 2 0x00007ffff7c8b126 in ossl_lib_ctx_get_data (ctx=0x7ffff7eff540 <default_context_int.lto_priv>, index=1, meth=0x7ffff7eb8a00 <provider_store_method.lto_priv>) at crypto/context.c:398 3 0x00007ffff7c98bea in get_provider_store (libctx=<optimized out>) at crypto/provider_core.c:334 4 ossl_provider_deregister_child_cb (handle=0x5555555ed620) at crypto/provider_core.c:1752 5 0x00007ffff7c8bf2f in ossl_provider_deinit_child (ctx=0x5555555d2650) at crypto/provider_child.c:279 6 OSSL_LIB_CTX_free (ctx=0x5555555d2650) at crypto/context.c:283 7 OSSL_LIB_CTX_free (ctx=0x5555555d2650) at crypto/context.c:276 8 0x00007ffff7634af6 in legacy_teardown (provctx=0x5555555ee9f0) at providers/legacyprov.c:168 9 0x00007ffff7c9901b in ossl_provider_teardown (prov=0x5555555ed620) at crypto/provider_core.c:1477 10 ossl_provider_free (prov=0x5555555ed620) at crypto/provider_core.c:683 11 0x00007ffff7c63956 in ossl_provider_free (prov=<optimized out>) at crypto/provider_core.c:668 12 evp_cipher_free_int (cipher=0x555555916c10) at crypto/evp/evp_enc.c:1632 13 EVP_CIPHER_free (cipher=0x555555916c10) at crypto/evp/evp_enc.c:1647 14 0x00007ffff7a6bc1d in ssl_evp_cipher_free (cipher=0x555555916c10) at ssl/ssl_lib.c:5925 15 ssl_evp_cipher_free (cipher=0x555555916c10) at ssl/ssl_lib.c:5915 16 SSL_CTX_free (a=0x555555ec1020) at ssl/ssl_lib.c:3455 17 SSL_CTX_free (a=0x555555ec1020) at ssl/ssl_lib.c:3392 18 0x00007fffe95edb89 in ldap_int_tls_destroy (lo=0x7fffe9616000 <ldap_int_global_options>) at /usr/src/debug/openldap-2.6.2-1.el9_0.x86_64/openldap-2.6.2/libraries/libldap/tls2.c:104 19 0x00007ffff7fd100b in _dl_fini () at dl-fini.c:138 20 0x00007ffff7873475 in __run_exit_handlers (status=0, listp=0x7ffff7a11658 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:113 21 0x00007ffff78735f0 in __GI_exit (status=<optimized out>) at exit.c:143 22 0x00007ffff785be57 in __libc_start_call_main (main=main@entry=0x55555556aa20 <main>, argc=argc@entry=4, argv=argv@entry=0x7fffffffe2b8) at ../sysdeps/nptl/libc_start_call_main.h:74 23 0x00007ffff785befc in __libc_start_main_impl (main=0x55555556aa20 <main>, argc=4, argv=0x7fffffffe2b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2a8) at ../csu/libc-start.c:409 24 0x000055555556b575 in _start () The problem is that ldap_int_tls_destroy() is called after the clean up of libssl. On program exit, at first default_context_int is cleaned up (OPENSSL_cleanup() was registered with atexit()): 0 ossl_lib_ctx_default_deinit () at crypto/context.c:196 1 OPENSSL_cleanup () at crypto/init.c:424 2 OPENSSL_cleanup () at crypto/init.c:338 3 0x00007ffff7873475 in __run_exit_handlers (status=0, listp=0x7ffff7a11658 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:113 4 0x00007ffff78735f0 in __GI_exit (status=<optimized out>) at exit.c:143 5 0x00007ffff785be57 in __libc_start_call_main (main=main@entry=0x55555556aa20 <main>, argc=argc@entry=4, argv=argv@entry=0x7fffffffe2c8) at ../sysdeps/nptl/libc_start_call_main.h:74 6 0x00007ffff785befc in __libc_start_main_impl (main=0x55555556aa20 <main>, argc=4, argv=0x7fffffffe2c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2b8) at ../csu/libc-start.c:409 7 0x000055555556b575 in _start () Then ossl_lib_ctx_get_data() tries to use default_context_int.lock, which is NULL. ldap_int_tls_destroy() is called by ldap_int_destroy_global_options(), registered by "__attribute__ ((destructor))". It seems that shared library destructors are always called before functions registered with atexit(). A solution may be to modify libraries/libldap/init.c to use atexit() instead of "__attribute__ ((destructor))". atexit() manual page says: "Since glibc 2.2.3, atexit() can be used within a shared library to establish functions that are called when the shared library is unloaded.". Functions registered with atexit() are called in the reverse order of their registration, so libssl must by initialized before libldap. If the order is wrong, libldap should detect it somehow and exit with abort(). -- You are receiving this mail because: You are on the CC list for the issue.

1 29

[Issue 10232] New: assert() at shutdown if a syncrepl session is in refresh
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10232 Issue ID: 10232 Summary: assert() at shutdown if a syncrepl session is in refresh Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- When removing the last one, syncinfo_free() checks that there is no active refresh on the backend. This works if operating on olcSyncrepl values because refresh_finished is called where appropriate. However if we're shutting down, this is skipped to make sure we don't schedule a new task and that could lead to an assert failure if there indeed was a refresh in progress (the same probably applies when removing the DB). -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10253] New: Compile failure with GnuTLS and GCC 14 on 32-bit
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10253 Issue ID: 10253 Summary: Compile failure with GnuTLS and GCC 14 on 32-bit Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: ryan(a)openldap.org Target Milestone: --- Debian bug report: https://bugs.debian.org/1078822 tls_g.c fails to compile on 32-bit platforms with GCC 14: $ gcc --version gcc (Debian 14.2.0-2) 14.2.0 Copyright (C) 2024 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. $ gcc -dumpmachine i686-linux-gnu $ ./configure --disable-slapd --with-tls=gnutls [...] $ make [...] libtool: compile: cc -g -O2 -I../../include -I../../include -DLDAP_LIBRARY -c tls_g.c -fPIC -DPIC -o .libs/tls_g.o tls_g.c: In function ‘tlsg_session_pinning’: tls_g.c:971:57: error: passing argument 4 of ‘gnutls_fingerprint’ from incompatible pointer type [-Wincompatible-pointer-types] 971 | keyhash.bv_val, &keyhash.bv_len ) < 0 ) { | ^~~~~~~~~~~~~~~ | | | ber_len_t * {aka long unsigned int *} In file included from tls_g.c:44: /usr/include/gnutls/gnutls.h:2408:32: note: expected ‘size_t *’ {aka ‘unsigned int *’} but argument is of type ‘ber_len_t *’ {aka ‘long unsigned int *’} 2408 | size_t *result_size); | ~~~~~~~~^~~~~~~~~~~ make[2]: *** [Makefile:431: tls_g.lo] Error 1 It looks like the warning has always been emitted since the code was originally committed, but with GCC 14 it became an error. (See <https://gcc.gnu.org/gcc-14/porting_to.html>. The last successful Debian build used GCC 13.) Quoting from the Debian bug report: > ber_len_t is typedef'ed in openldap as unsigned LBER_LEN_T, which is > AC_DEFINED as long. I'm not sure what a static AC_DEFINE in configure.ac > achieves, but that's what we have. On the other side, we have size_t, > which happens to be 32bit. Bummer. I suggest passing the 4th argument as > a temporary variable of type size_t and copying it from/to the target > structure after validating that it fits. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10264] New: libpdap leaks dummy_lr data on NoD processing
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10264 Issue ID: 10264 Summary: libpdap leaks dummy_lr data on NoD processing Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- When a NoD unsolicited response is being processed in try_read1msg, we use the dummy_lr on stack, but data copied onto it is never freed, so we leak it as we return. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10237] New: openldap-2.6.8 fails to build with GCC14 with [-Wint-conversion]
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10237 Issue ID: 10237 Summary: openldap-2.6.8 fails to build with GCC14 with [-Wint-conversion] Product: OpenLDAP Version: 2.6.8 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: timo.gurr(a)gmail.com Target Milestone: --- Created attachment 1023 --> https://bugs.openldap.org/attachment.cgi?id=1023&action=edit openldap-2.6.8-build.log With GCC 14 I'm experiencing the following error trying to build openldap 2.6.8: [...] In file included from ../slap.h:55, from search.c:32: search.c: In function 'ldap_back_search': ../../../include/ldap_pvt.h:531:31: error: passing argument 3 of '__gmpz_add' makes pointer from integer without a cast [-Wint-conversion] 531 | mpz_add((mpr), (mpr), (mpv)) | ^~~~~ | | | int search.c:257:9: note: in expansion of macro 'ldap_pvt_mp_add' 257 | ldap_pvt_mp_add( li->li_ops_completed[ SLAP_OP_SEARCH ], 1 ); | ^~~~~~~~~~~~~~~ In file included from ../../../include/ldap_pvt.h:519: /usr/x86_64-pc-linux-gnu/include/gmp.h:633:51: note: expected 'mpz_srcptr' {aka 'const __mpz_struct *'} but argument is of type 'int' 633 | __GMP_DECLSPEC void mpz_add (mpz_ptr, mpz_srcptr, mpz_srcptr); | ^~~~~~~~~~ make[3]: *** [Makefile:331: search.lo] Error 1 make[2]: *** [Makefile:550: .backend] Error 1 make[1]: *** [Makefile:298: all-common] Error 1 make: *** [Makefile:319: all-common] Error 1 This is with GCC 14.1.0, switching to GCC 13.2.0 instead allows the build to succeed, I checked other distributions (already on GCC 14) and git for possible patches but couldn't find anything relevant. Complete build log is attached. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10155] New: Invalid [aka FUZZ] -F and -T options can core dump ldapsearch
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10155 Issue ID: 10155 Summary: Invalid [aka FUZZ] -F and -T options can core dump ldapsearch Product: OpenLDAP Version: 2.6.6 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: client tools Assignee: bugs(a)openldap.org Reporter: doug.leavitt(a)oracle.com Target Milestone: --- A customer reported core dumps in ldapsearch which has been tracked to the the improper use of the -F and -T options. The customer confirmed removing the invalid -F and -T options from their script eliminated the core dumps. The CLI arguments of the failing ldapsearch look like: ldapsearch <good CLI args> -F , -T u <good filter and attr args> The good CLI args include proper uses of -H... -x -D ... -w ... -b ... -s ... The good filter and attrs are also valid CLI inputs. The "bad" args are <sp>-F<sp><COMMA><sp>-T<sp>-u<sp> The -u is also valid but it is consumed as a directory name of -T From man page and code review the the -F argument is supposed to be a valid URL. and the -T argument is supposed to be a valid directory The core file output indicates that main calls free after the search takes place. The location is believed to be here: 1658 if ( urlpre != NULL ) { 1659 if ( def_urlpre != urlpre ) 1660 free( def_urlpre ); <--------- 1661 free( urlpre ); 1662 } ... 1672 tool_exit( ld, rc ); ... This is the first example of the use of -F we have seen so it is unclear how this should be fixed. But code review of ldapsearch.c and common.c exposed a few weaknesses that could help in addressing the issue. Observed weaknesses: The getopt processing code for -T does not check that the arg is actually a directory and fail/error when bad input is provided. Perhaps at least an access(2) check should be performed? It is unclear if -F should only accept file:// URLs. The existing code does not sufficiently check any URL format instead it processes the argument by looking for the first '/' [no error checking] and determine the remainder to be a tmpdir location similar to the -T argument. So, Fuzz input of <COMMA> seems to eventually lead to the core files. It is unclear if -F and -T should be mutually exclusive or not. It seems like the fix to this issue is to add better error checking and to fail on FUZZ inputs. I defer a solution to upstream as it probably requires project direction I lack. -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Issue 10272] New: translucent regression when asking for attributes
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10272 Issue ID: 10272 Summary: translucent regression when asking for attributes Product: OpenLDAP Version: 2.6.8 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: mike(a)nolta.net Target Milestone: --- Hi, Attached please find a translucent overlay regression testcase. The test works in version 2.4.59, but fails in versions 2.5.5 and 2.6.8. Basically, `ldapsearch "employeeType=fulltime"` returns the expected entries, but `ldapsearch "employeeType=fulltime" cn` returns nothing. -Mike -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 10227] New: Asyncmeta will not reset a connection if a bind operation fails with LDAP_OTHER, leaving the connection in invalid state
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10227 Issue ID: 10227 Summary: Asyncmeta will not reset a connection if a bind operation fails with LDAP_OTHER, leaving the connection in invalid state Product: OpenLDAP Version: 2.6.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: nivanova(a)symas.com Target Milestone: --- The issue is difficult to reproduce, it can happen under heavy traffic if the target is configured to do a sasl bind with a custom saslmech. In any case, currently asyncmeta only resets the connection of the error is LDAP_UNAVAILABLE, which is incorrect. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10219] New: Modify of olcDisabled by removing and adding a value invokes db_open twice
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10219 Issue ID: 10219 Summary: Modify of olcDisabled by removing and adding a value invokes db_open twice Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: nivanova(a)symas.com Target Milestone: --- A database is enabled by default, and therefore a missing olcDisabled attribute is equivalent to a value of FALSE. This means that currently a modify operation that removes a olcDisabled value will invoke the db_open handler for that database, even if in the same modify operation a value of TRUE is added. A modify operation like this: dn: olcDatabase={1}asyncmeta,cn=config changetype: modify delete: olcDisabled olcDisabled: FALSE - add: olcDisabled olcDisabled: TRUE - will call both db_open and db_close. This could be potentially harmful if the backend type allocates memory on db_open like asyncmeta, for example. It is a rare case, but it is best to fix it just in case. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10224] New: tlso_session_pinning: return codes from EVP* calls are not checked; can result in crashes or undefined behavior in library
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10224 Issue ID: 10224 Summary: tlso_session_pinning: return codes from EVP* calls are not checked; can result in crashes or undefined behavior in library Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: yaneurabeya(a)gmail.com Target Milestone: --- EVP* calls made in tlso_session_pinning on lines 1189-1191 [1] are not checked when computing the digest which is eventually placed in `keyhash.bv_val` on line [2]. Not checking the EVP* calls can result in undefined behavior, e.g., a library crash with SIGBUS, SIGSEGV, etc, and/or incorrect results when analyzing `keyhash.bv_val` later. The calls should be checked to avoid this scenario. Reported by Coverity. 1. https://github.com/openldap/openldap/blob/15edb3b30f2b6a3dbdf77cc42d39466d5… 2. https://github.com/openldap/openldap/blob/15edb3b30f2b6a3dbdf77cc42d39466d5… -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10280] New: Combining positive & negated filters doesn't work with dynlist
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10280 Issue ID: 10280 Summary: Combining positive & negated filters doesn't work with dynlist Product: OpenLDAP Version: 2.5.18 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: code(a)pipoprods.org Target Milestone: --- The directory contains 3 users & 2 groups. user1 is in group1, user2 is in group2, user3 isn't is any group. Filter [1] matches users that are either: - member of group1 - member of group2 ✅ It returns user1 & user2 Filter [2] matches user that are: - not member of group1 nor group2 ✅ It returns user3 Filter [3] should match users that are either: - member of group1 - member of group2 - not member of group1 nor group2 ❌ It should return the 3 users but only returns users matched by the first part of the filter (whatever the first part, if we swap both parts we get the complementary search results) Filter [1]: (|(memberOf=cn=group1,ou=example-groups,dc=example,dc=com)(memberOf=cn=group2,ou=example-groups,dc=example,dc=com)) Filter [2]: (!(|(memberOf=cn=group1,ou=example-groups,dc=example,dc=com)(memberOf=cn=group2,ou=example-groups,dc=example,dc=com))) Filter [3]: (|(memberOf=cn=group1,ou=example-groups,dc=example,dc=com)(memberOf=cn=group2,ou=example-groups,dc=example,dc=com)(!(|(memberOf=cn=group1,ou=example-groups,dc=example,dc=com)(memberOf=cn=group2,ou=example-groups,dc=example,dc=com)))) Here's my dynlist config: ``` dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcDynListConfig olcOverlay: {2}dynlist olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames structuralObjectClass: olcDynListConfig entryUUID: 7df8328a-fd72-103e-82df-6fed25d5f6c8 creatorsName: cn=config createTimestamp: 20240902122741Z entryCSN: 20240902122741.257759Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20240902122741Z ``` Here's a LDIF to initialise directory contents: ``` dn: ou=example-groups,dc=example,dc=com changetype: add objectClass: organizationalUnit ou: example-groups dn: ou=example-users,dc=example,dc=com changetype: add objectClass: organizationalUnit ou: example-users dn: uid=user1,ou=example-users,dc=example,dc=com changetype: add objectClass: inetOrgPerson cn: User sn: One uid: user1 dn: uid=user2,ou=example-users,dc=example,dc=com changetype: add objectClass: inetOrgPerson cn: User sn: Two uid: user2 dn: uid=user3,ou=example-users,dc=example,dc=com changetype: add objectClass: inetOrgPerson cn: User sn: Three uid: user3 dn: cn=group1,ou=example-groups,dc=example,dc=com changetype: add objectClass: groupOfNames cn: group1 member: uid=user1,ou=example-users,dc=example,dc=com dn: cn=group2,ou=example-groups,dc=example,dc=com changetype: add objectClass: groupOfNames cn: group2 member: uid=user2,ou=example-users,dc=example,dc=com ``` -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10287] New: Add test case for mdb_get
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10287 Issue ID: 10287 Summary: Add test case for mdb_get Product: LMDB Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: ahmed.zaki(a)imperial.ac.uk Target Milestone: --- Added a new file mtest7.c which tests the export mdb_get(). -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10282] New: MSVC builds are not supported
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10282 Issue ID: 10282 Summary: MSVC builds are not supported Product: OpenLDAP Version: 2.5.18 Hardware: All OS: Windows Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: cmb(a)php.net Target Milestone: --- I'm a maintainer of an OpenLDAP port[1] which is used to build liblber and libldap for PHP on Windows. So far this uses hand-made configuration and Visual Studio solutions, but that is not sustainable in the long run. Instead, I'd rather like to use the autotools based build chain with MSYS2 (or Cygwin), but still using the MSVC build tools (cl.exe, link.exe, etc.) and the MS Windows SDK for best compatibility with other builds for PHP on Windows. Apparently, this is not yet supported by OpenLDAP (2.5.18). I've managed to add some patches[2] to get where I'd like this to go[3]. Some of the patches are highly PHP (BC) specific, some are just quick hacks (because I don't know better), but some appear to be appropriate for inclusion into the OpenLDAP sources. Are you generally interested in supporting MSVC tools and MS Windows SDKs? If so, what would be the best way to contribute -- sending MRs to the repo[4]? Should these tackle individual issues, or rather be complete (note that I'm likely not able to provide a full-fledged solution due to my very limited knowledge of autotools and Linux, and limited time). [1] <https://github.com/winlibs/openldap> [2] <https://github.com/winlibs/openldap/tree/cmb/2.5.18> [3] <https://github.com/cmb69/winlib-builder/actions/runs/11713086509> [4] <https://git.openldap.org/openldap/openldap> -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 7249] slapd segfault with memberof overlay on frontend db
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=7249 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.6.9 |2.6.10 --- Comment #20 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Need to see if a fix similar to what was done in 10135 needs doing here -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10135] New: dynlist (and maybe others) doesn't use the right overinst context in callbacks
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10135 Issue ID: 10135 Summary: dynlist (and maybe others) doesn't use the right overinst context in callbacks Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Running the test suite with `-fsanitize=address` picks up a bug in https://git.openldap.org/openldap/openldap/-/blob/860b61f41dfeeb19cc0eb011f… Here, op->o_bd->bd_info isn't actually dynlist but mdb's own static bi, so overlay_entry_get_ov then reaches into the void when reading on->on_info. It's very likely that other places/overlays share the same bug as it is subtle and doesn't get picked up immediately (slap_overinst embeds a BackendInfo and oi_orig is not often set). -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Issue 7249] slapd segfault with memberof overlay on frontend db
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=7249 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=10135 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10071] New: Extra sids in cookie should only be ignored for replay consideration
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10071 Issue ID: 10071 Summary: Extra sids in cookie should only be ignored for replay consideration Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- A consumer's cookie might contain sids that the provider is not aware of. Those are currently screened out. This is appropriate for initial checks whether/how to allow the operation to go ahead but might be needed for content determination in refresh/persist. As such the cookie should be retained rather than edited in place. I don't have the logs from a failed test at hand but will post the analysis/logs if I find them again. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10271] New: EINTR is handled as LDAP_SERVER_DOWN in socket operation in ldap client APIs
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10271 Issue ID: 10271 Summary: EINTR is handled as LDAP_SERVER_DOWN in socket operation in ldap client APIs Product: OpenLDAP Version: 2.5.18 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: volan.shu(a)nokia.com Target Milestone: --- In case EINTR fired by OS in any case in ldap client api for socket related operation, the ldap client API returns LDAP_SERVER_DOWN which is not correct. In this case, I suppose the ldap client need retry socket operateion. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10284] New: RFE: retain subordinate entries to cn=connections,cn=monitor branch for a configurable duration
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10284 Issue ID: 10284 Summary: RFE: retain subordinate entries to cn=connections,cn=monitor branch for a configurable duration Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: chris.paul(a)rexconsulting.net Target Milestone: --- Please consider an enhancement to retain entries under the cn=connections,cn=monitor branch for a configurable duration. This would enable monitoring of short-lived connections that currently disappear between polling intervals, significantly increasing the utility of this metric for connection tracking. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10285] New: Account on gitlab -- gitlab account awaiting approval
by openldap-its＠openldap.org 26 Nov '24

26 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10285 Issue ID: 10285 Summary: Account on gitlab -- gitlab account awaiting approval Product: LMDB Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: ahmed.zaki(a)imperial.ac.uk Target Milestone: --- Dear, I have some test cases I would like to contribute to LMDB. I created an account using the email address: ahmed.zaki(a)imperial.ac.uk Would it be possible to approve the account ? Kind regards, Ahmed -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10106] New: Add organization to web list of OpenLDAP support providers
by openldap-its＠openldap.org 12 Nov '24

12 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10106 Issue ID: 10106 Summary: Add organization to web list of OpenLDAP support providers Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: sudo(a)migrateq.io Target Milestone: --- Hello! This request is being opened as suggested by Quanah Gibson-Mount. Could you please add Migrateq to your OpenLDAP Support page on https://openldap.org/support Company: Migrateq Inc. Website: https://migrateq.io/support/tech/openldap Migrateq provides migrations, integrations and advanced 24/7/365 technical support for OpenLDAP and most Linux and Open Source Software. Thank you =) Richard -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 10281] New: Update organization on web list of OpenLDAP support providers
by openldap-its＠openldap.org 12 Nov '24

12 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10281 Issue ID: 10281 Summary: Update organization on web list of OpenLDAP support providers Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: sudo(a)migrateq.io Target Milestone: --- Hello, this OpenLDAP support provider on the OpenLDAP support page, Migrateq, has recently changed their name to "Linux Pro", and kindly request an update: Company: Linux Pro Website: https://linux.pro/support/tech/openldap Linux Pro provides migrations, integrations and advanced 24/7/365 technical support for OpenLDAP and most Linux and Open Source Software. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10141] New: 100% CPU consumption with ldap_int_tls_connect
by openldap-its＠openldap.org 12 Nov '24

12 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10141 Issue ID: 10141 Summary: 100% CPU consumption with ldap_int_tls_connect Product: OpenLDAP Version: 2.6.3 Hardware: Other OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: vivekanand754(a)gmail.com Target Milestone: --- While doing secure ldap connection, i'm seeing that connection is getting stuck in read block in case it is unable to connect active directory sometime: ~ # strace -p 15049 strace: Process 15049 attached read(3, 0x55ef720bda53, 5) = -1 EAGAIN (Resource temporarily unavailable) read(3, 0x55ef720bda53, 5) = -1 EAGAIN (Resource temporarily unavailable) .. .. .. .. After putting some logs, I can see that "ldap_int_tls_start" function of "openldap-2.6.3/libraries/libldap/tls2.c" calls "ldap_int_tls_connect" in while loop. It seems to be blocking call, as it try to connect continuously until it get connected(ti_session_connect returns 0) and thus consumes 100% CPU during that time. Is there any known issue ? -- You are receiving this mail because: You are on the CC list for the issue.

1 17

[Issue 8047] TIMEOUT and NETWORK_TIMEOUT don't work properly with SSL
by openldap-its＠openldap.org 12 Nov '24

12 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=8047 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vivekanand.devworks(a)gmail.c | |om --- Comment #16 from Quanah Gibson-Mount <quanah(a)openldap.org> --- *** Issue 10141 has been marked as a duplicate of this issue. *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8047] TIMEOUT and NETWORK_TIMEOUT don't work properly with SSL
by openldap-its＠openldap.org 12 Nov '24

12 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=8047 --- Comment #15 from Quanah Gibson-Mount <quanah(a)openldap.org> --- RE26: • 5645e370 by Ondřej Kuzník at 2024-11-12T17:55:56+00:00 ITS#8047 Fix TLS connection timeout handling -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8047] TIMEOUT and NETWORK_TIMEOUT don't work properly with SSL
by openldap-its＠openldap.org 12 Nov '24

12 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=8047 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|IN_PROGRESS |RESOLVED --- Comment #14 from Quanah Gibson-Mount <quanah(a)openldap.org> --- head: • d143f7a2 by Ondřej Kuzník at 2024-10-26T20:51:35+00:00 ITS#8047 Fix TLS connection timeout handling -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8047] TIMEOUT and NETWORK_TIMEOUT don't work properly with SSL
by openldap-its＠openldap.org 12 Nov '24

12 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=8047 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|--- |2.6.9 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9393] New: Provider a LDAP filter validation function
by openldap-its＠openldap.org 12 Nov '24

12 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=9393 Issue ID: 9393 Summary: Provider a LDAP filter validation function Product: OpenLDAP Version: 2.4.56 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: best(a)univention.de Target Milestone: --- In many situations I need to validate if a user submitted LDAP filter has valid syntax. It seems there is no official function to check this. Could you provide one? libraries/libldap/filter.c: ldap_pvt_put_filter() can be used as a basis. -- My current workaround is using a unconnected ldap connection and do a search with that filter. This yields a FILTER_ERROR (invalid filter) or a SERVER_DOWN error (invalid filter). See also: https://github.com/python-ldap/python-ldap/pull/272 -- You are receiving this mail because: You are on the CC list for the issue.

1 12

[Issue 9042] loglevel setting that allows seeing attribute values for MOD operations
by openldap-its＠openldap.org 12 Nov '24

12 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=9042 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|IN_PROGRESS |RESOLVED --- Comment #3 from Quanah Gibson-Mount <quanah(a)openldap.org> --- • 4b8e60f8 by Ondřej Kuzník at 2024-10-25T20:02:19+00:00 ITS#9042 Log modify values under STATS2 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9914] New: Add OS pagesize to the back-mdb monitor information
by openldap-its＠openldap.org 12 Nov '24

12 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=9914 Issue ID: 9914 Summary: Add OS pagesize to the back-mdb monitor information Product: OpenLDAP Version: 2.6.3 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- The pagesize that back-mdb is using for pages should be exposed via the cn=monitor backend, as a remote client doing a query will not have that information available to it. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10283] New: Search result internal error: mdb_opinfo_get: thread_pool_setkey failed err
by openldap-its＠openldap.org 12 Nov '24

12 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10283 Issue ID: 10283 Summary: Search result internal error: mdb_opinfo_get: thread_pool_setkey failed err Product: OpenLDAP Version: 2.5.13 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: asilva(a)wirelessmundi.com Target Milestone: --- Hi, From time to time i got errors when perform searches and i need to restart the server to establish the service. This is the event log when it happens: Nov 08 10:07:39 main slapd[3946463]: conn=1780 fd=182 ACCEPT from IP=113.53.215.185:41404 (IP=0.0.0.0:389) Nov 08 10:07:39 main slapd[3946463]: conn=1780 op=0 BIND dn="cn=admin,ou=users,o=cptrabajosocial.local.com" method=128 Nov 08 10:07:39 main slapd[3946463]: mdb_opinfo_get: thread_pool_setkey failed err (12) Nov 08 10:07:39 main slapd[3946463]: conn=1780 op=0 RESULT tag=97 err=12 qtime=0.000027 etime=0.000159 text=internal error Nov 08 10:07:39 main slapd[3946463]: conn=1780 op=1 UNBIND Nov 08 10:07:39 main slapd[3946463]: conn=1780 fd=182 closed In the code i found: if ( ( rc = ldap_pvt_thread_pool_setkey( ctx, mdb->mi_dbenv, data, mdb_reader_free, NULL, NULL ) ) ) { mdb_txn_abort( moi->moi_txn ); moi->moi_txn = NULL; Debug( LDAP_DEBUG_ANY, "mdb_opinfo_get: thread_pool_setkey failed err (%d)\n", rc ); return rc; } and libraries/libldap/tpool.c i see that the error 12 (ENOMEM) is returned when MAXKEYS is reached: if ( data || kfree ) { if ( i>=MAXKEYS ) return ENOMEM; ctx->ltu_key[i].ltk_key = key; ctx->ltu_key[i].ltk_data = data; ctx->ltu_key[i].ltk_free = kfree; } else if ( found ) { clear_key_idx( ctx, i ); } Found an old mail about this issue: https://openldap-technical.openldap.narkive.com/Th0WLQYh/max-numbers-of-sub… In my setup I've configured 47 MBs databases, for contacts only, one for each company in the server, so they cannot see each others data. I can't understand how it happens and how to prevent it, is there any configuration i can set to avoid reach the MAXKEYS? Thanks, -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10257] New: Documentation assessment
by openldap-its＠openldap.org 11 Nov '24

11 Nov '24

https://bugs.openldap.org/show_bug.cgi?id=10257 Issue ID: 10257 Summary: Documentation assessment Product: OpenLDAP Version: 2.6.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: hyc(a)openldap.org Target Milestone: --- Created attachment 1031 --> https://bugs.openldap.org/attachment.cgi?id=1031&action=edit Admin guide assessment Last month I commissioned a tech writer to review the current 2.6 Admin Guide to see what needs to be worked on before the 2.7 release. I'm attaching the report here so we can reference it. Should have distributed it sooner but Life got in the way. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10278] New: Move away from python-ldap0 in the test suite
by openldap-its＠openldap.org 29 Oct '24

29 Oct '24

https://bugs.openldap.org/show_bug.cgi?id=10278 Issue ID: 10278 Summary: Move away from python-ldap0 in the test suite Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: test suite Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- While python-ldap0 has a superior API, it seems the module is no longer receiving any development. We should move our python test suite over to another module that can be supported long-term. -- You are receiving this mail because: You are on the CC list for the issue.

1 1

[Issue 10277] New: How to deal with desync between cn=config and back-ldif DNs
by openldap-its＠openldap.org 29 Oct '24

29 Oct '24

https://bugs.openldap.org/show_bug.cgi?id=10277 Issue ID: 10277 Summary: How to deal with desync between cn=config and back-ldif DNs Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- If someone deletes a cn=config entry offline (or through bugs in cn=config, they exist, will file as I isolate), the X-ORDERED RDNs will not be contiguous. cn=config papers over this internally at a cost of never being able to modify the entries affected. Right now the only remedy is slapcat+slapadd of the whole config DB, is that the best we can do? When we detect this (doesn't always happen), should we fix the on-disk copy on startup? -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10276] New: crash using pcache overlay on mdb backend
by openldap-its＠openldap.org 29 Oct '24

29 Oct '24

https://bugs.openldap.org/show_bug.cgi?id=10276 Issue ID: 10276 Summary: crash using pcache overlay on mdb backend Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: chris.paul(a)rexconsulting.net Target Milestone: --- Created attachment 1038 --> https://bugs.openldap.org/attachment.cgi?id=1038&action=edit backtrace When using the pcache overlay with a local mdb backend, slapd crashes. The intention is to use pcache to reduce lookup times for dynamic (dynlist) groups and memberOf values. GDB backtrace attached. Config available upon request. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10268] New: Operation rate limiting
by openldap-its＠openldap.org 29 Oct '24

29 Oct '24

https://bugs.openldap.org/show_bug.cgi?id=10268 Issue ID: 10268 Summary: Operation rate limiting Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: chris.paul(a)rexconsulting.net Target Milestone: --- Please consider this request for enhancement. It would be very useful for slapd to have some basic rate limiting per connection or per IP. The monitorConnectionsOpsCompleted counts are available in cn=monitor. A dependency of cn=monitor seems reasonable. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Bug 9211] New: Relax control is not consistently access-restricted
by openldap-its＠openldap.org 25 Oct '24

25 Oct '24

https://bugs.openldap.org/show_bug.cgi?id=9211 Bug ID: 9211 Summary: Relax control is not consistently access-restricted Product: OpenLDAP Version: 2.4.49 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ryan(a)openldap.org Target Milestone: --- The following operations can be performed by anyone having 'write' access (not even 'manage') using the Relax control: - modifying/replacing structural objectClass - adding/modifying OBSOLETE attributes Some operations are correctly restricted: - adding/modifying NO-USER-MODIFICATION attributes marked as manageable (Modification of non-conformant objects doesn't appear to be implemented at all.) In the absence of ACLs for controls, I'm of the opinion that all use of the Relax control should require manage access. The Relax draft clearly and repeatedly discusses its use cases in terms of directory _administrators_ temporarily relaxing constraints in order to accomplish a specific task. -- You are receiving this mail because: You are on the CC list for the bug.

1 13

[Issue 9920] New: MDB_PAGE_FULL with master3 (encryption) because there is no room for the authentication data (MAC)
by openldap-its＠openldap.org 25 Oct '24

25 Oct '24

https://bugs.openldap.org/show_bug.cgi?id=9920 Issue ID: 9920 Summary: MDB_PAGE_FULL with master3 (encryption) because there is no room for the authentication data (MAC) Product: LMDB Version: unspecified Hardware: x86_64 OS: Mac OS Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: info(a)parlepeuple.fr Target Milestone: --- Created attachment 915 --> https://bugs.openldap.org/attachment.cgi?id=915&action=edit proposed patch Hello, on master3, using the encryption at rest feature, I am testing as follow: - on a new named database, i set the encryption function with mdb_env_set_encrypt(env, encfunc, &enckey, 32) - note that I chose to have a size parameter (The size of authentication data in bytes, if any. Set this to zero for unauthenticated encryption mechanisms.) of 32 bytes. - I add 2 entries on the DB, trying to saturate the first page. I chose to add a key of 33 Bytes and a value of 1977 Bytes, so the size of each node is 2010 Bytes (obviously the 2 keys are different). - This passes and the DB has just one leaf_pages, no overflow_pages, no branch_pages, an a depth of 1. - If I add one byte to the values I insert (starting again from a blank DB), then , instead of seeing 2 overflow_pages, I get an error : MDB_PAGE_FULL. - this clearly should not have happened. - Here is some tracing : add to leaf page 2 index 0, data size 48 key size 7 [74657374646200] add to leaf page 3 index 0, data size 1978 key size 33 [000000000000000000000000000000000000000000000000000000000000000000] add to branch page 5 index 0, data size 0 key size 0 [null] add to branch page 5 index 1, data size 0 key size 33 [000000000000000000000000000000000000000000000000000000000000000000] add to leaf page 4 index 0, data size 1978 key size 33 [000000000000000000000000000000000000000000000000000000000000000000] add to leaf page 4 index 1, data size 1978 key size 33 [020202020202020202020202020202020202020202020202020202020202020202] not enough room in page 4, got 1 ptrs upper-lower = 2020 - 2 = 2016 node size = 2020 Looking at the code, I understand that there is a problem at line 9005 : } else if (node_size + data->mv_size > mc->mc_txn->mt_env->me_nodemax) { where me_nodemax is incorrect, as it is not taking into account that some bytes will be needed for the MAC authentication code, which size is in env->me_esumsize. me_nodemax is calculated at line 5349: env->me_nodemax = (((env->me_psize - PAGEHDRSZ ) / MDB_MINKEYS) & -2) - sizeof(indx_t); So I substract me_esumsize with a "- env->me_esumsize" here: env->me_nodemax = (((env->me_psize - PAGEHDRSZ - env->me_esumsize) / MDB_MINKEYS) & -2) - sizeof(indx_t); I also substract it from me_maxfree_1pg in the line above, and in pmax in line 10435. I do not know if my patch is correct, but it solves the issue. Maybe there are other places in the code where the me_esumsize should be substracted from the available size. By example, when calculating the number of overflow pages in OVPAGES, it does not take into account me_esumsize, but I think it is ok, because there is only one MAC for the entire set of OV pages, and there is room for it in the first OV page. See the attached proposed patch. -- You are receiving this mail because: You are on the CC list for the issue.

1 40

[Issue 9596] New: Python test suite
by openldap-its＠openldap.org 24 Oct '24

24 Oct '24

https://bugs.openldap.org/show_bug.cgi?id=9596 Issue ID: 9596 Summary: Python test suite Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- The bash test suite is extremely limited, hard to write for and slow. We can't lose it as it is also portable, but something should be introduced for developers/CI on more modern systems and increase coverage. A Python 3 seed for one is in development in MR!347. -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Issue 8149] nssov loginStatus doesn't play well with replication
by openldap-its＠openldap.org 22 Oct '24

22 Oct '24

https://bugs.openldap.org/show_bug.cgi?id=8149 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |hyc(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9786] New: liblber: missing export of ber_pvt_wsa_err2string
by openldap-its＠openldap.org 22 Oct '24

22 Oct '24

https://bugs.openldap.org/show_bug.cgi?id=9786 Issue ID: 9786 Summary: liblber: missing export of ber_pvt_wsa_err2string Product: OpenLDAP Version: 2.6.1 Hardware: All OS: Windows Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: tobias.junghans(a)veyon.io Target Milestone: --- When building (cross-compiling) OpenLDAP via GCC/mingw-w64, an undefined reference to ber_pvt_wsa_err2string() is reported when libldap.dll is linked. This can be fixed easily by adding ber_pvt_wsa_err2string() to libraries/liblber/lber.map -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9982] New: Linker error when building with LDAP_CONNECTIONLESS
by openldap-its＠openldap.org 22 Oct '24

22 Oct '24

https://bugs.openldap.org/show_bug.cgi?id=9982 Issue ID: 9982 Summary: Linker error when building with LDAP_CONNECTIONLESS Product: OpenLDAP Version: 2.6.3 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: invokesus+openldap(a)gmail.com Target Milestone: --- Created attachment 942 --> https://bugs.openldap.org/attachment.cgi?id=942&action=edit Build log I'm encountering the following linker error when building from the master branch, with LDAP_CONNECTIONLESS defined. /nix/store/jbnmj9fljgnfyc1iswnrpfhlkpnnwiii-binutils-2.39/bin/ld: ./.libs/libldap.so: undefined reference to `ber_sockbuf_io_udp' Seems to have been happening since https://git.openldap.org/openldap/openldap/-/commit/4a87d7aad200aaa91cb0cb8…. Attaching the full build log. Also, attaching in the next update, a patch to fix the error. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 8070] test023 failures
by openldap-its＠openldap.org 22 Oct '24

22 Oct '24

https://bugs.openldap.org/show_bug.cgi?id=8070 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9596 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs