- openldap-bugs - openldap.org

[Issue 10150] New: liblber/etest.c calls open with O_CREAT without specifying file mode
by openldap-its＠openldap.org 12 Jan '24

12 Jan '24

https://bugs.openldap.org/show_bug.cgi?id=10150 Issue ID: 10150 Summary: liblber/etest.c calls open with O_CREAT without specifying file mode Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: alan.coopersmith(a)oracle.com Target Milestone: --- https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_6_6/li… has this call to the open() function: if (( fd = open( "lber-test", O_WRONLY|O_CREAT|O_TRUNC|O_BINARY )) Since O_CREAT is specified, there should be a third argument specifying the file permissions for the newly created file, but it is missing here, which may cause the file to be created with permissions based on whatever noise is in the register or stack position the call reads the third argument from on a given platform. Fortunately, it looks like this code may never be compiled, since it's inside #ifdef HAVE_CONSOLE_H and I can't find anywhere that is set, since it's not in any AC_CONFIG_HEADER checks in the configure.ac file. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 10125] New: mdb_load: fix loading in Append mode
by openldap-its＠openldap.org 11 Jan '24

11 Jan '24

https://bugs.openldap.org/show_bug.cgi?id=10125 Issue ID: 10125 Summary: mdb_load: fix loading in Append mode Product: LMDB Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: tools Assignee: bugs(a)openldap.org Reporter: hyc(a)openldap.org Target Milestone: --- After committing/flushing a batch of writes, the cursor is not correctly reinitialized in Append mode. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 8498] slapadd complains about missing attrs
by openldap-its＠openldap.org 11 Jan '24

11 Jan '24

https://bugs.openldap.org/show_bug.cgi?id=8498 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|TEST |FIXED --- Comment #6 from Quanah Gibson-Mount <quanah(a)openldap.org> --- head: • 2939df1a by Howard Chu at 2023-11-02T16:53:26+00:00 ITS#8498 slapadd: silence warning for NULL entry -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10148] New: About
by openldap-its＠openldap.org 26 Dec '23

26 Dec '23

https://bugs.openldap.org/show_bug.cgi?id=10148 Issue ID: 10148 Summary: About Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: pinkilhagency(a)gmail.com Target Milestone: --- Welcome to LH Talent Agency, a leading provider of live hosting talent for events and productions. In the fast-paced world of live hosting, finding the perfect individual to engage and captivate your audience is crucial. That's where LH Talent Agency comes in. With our extensive network of experienced and dynamic hosts, we can match you with the perfect talent to ensure your event is a success. Whether you need a skilled emcee, a charismatic presenter, or a engaging host, LH Talent Agency has the expertise and resources to meet your needs. Read on to learn more about how LH Talent Agency can elevate your live hosting experience. More Info - https://livehosting.xyz/ -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10146] New: Typo in doc/man/man3/lber-decode.3
by openldap-its＠openldap.org 19 Dec '23

19 Dec '23

https://bugs.openldap.org/show_bug.cgi?id=10146 Issue ID: 10146 Summary: Typo in doc/man/man3/lber-decode.3 Product: OpenLDAP Version: 2.6.6 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: joshua(a)joshua.hu Target Milestone: --- In doc/man/man3/lber-decode.3 it states that the fmt for null is: n Null. No parameter is required. The element is simply skipped if it is recognized. Should it not be 'N'? -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 7420] Possible to bypass overlay unique and constraint
by openldap-its＠openldap.org 19 Dec '23

19 Dec '23

https://bugs.openldap.org/show_bug.cgi?id=7420 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |IN_PROGRESS --- Comment #7 from Howard Chu <hyc(a)openldap.org> --- Fix in https://git.openldap.org/openldap/openldap/-/merge_requests/665 please test -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10131] New: wildcard search crash slapd with OU containing parenthesis
by openldap-its＠openldap.org 12 Dec '23

12 Dec '23

https://bugs.openldap.org/show_bug.cgi?id=10131 Issue ID: 10131 Summary: wildcard search crash slapd with OU containing parenthesis Product: OpenLDAP Version: 2.5.16 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: bourguijl(a)gmail.com Target Milestone: --- Dears, When I do following ldapsearch as following : ldapsearch -x -H ldap://hostname:3891 -b "o=mobistar.be" -s subtree "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=jlb,ou=*,o=mobistar.be))" cn dn and the DB is containing these entries : dn: uid=jlb,ou=Test (aa),ou=Partners,o=mobistar.be dn: ou=Test (aa),ou=Partners,o=mobistar.be even if this "uid=jlb" isn't member of a group as uniqueMember, it makes slapd crashing. I did test it on versions 2.5.7 & 2.5.16, same result --> slapd crashed. Seems to be related to parenthesis presence in OU attribut. Is it a bug ? Thx, Jean-Luc. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 8826] Contrib dsaschema module needs updating for cn=config
by openldap-its＠openldap.org 28 Nov '23

28 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8826 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |IN_PROGRESS Ever confirmed|0 |1 --- Comment #1 from Ondřej Kuzník <ondra(a)mistotebe.net> --- https://git.openldap.org/openldap/openldap/-/merge_requests/661 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6166] Overlay/backend restructuring
by openldap-its＠openldap.org 23 Nov '23

23 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=6166 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=10135 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10134] New: OpenLDAP Docker Installation and Migration
by openldap-its＠openldap.org 22 Nov '23

22 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=10134 Issue ID: 10134 Summary: OpenLDAP Docker Installation and Migration Product: OpenLDAP Version: 2.5.13 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: chilimili1(a)outlook.de Target Milestone: --- Created attachment 990 --> https://bugs.openldap.org/attachment.cgi?id=990&action=edit Dockerfile.txt logs_importfile.txt logs_slaptest.txt Hi, I am currently experiencing issues while building a Docker container for OpenLDAP. I hope that an expert from the community can help me solve my problem. Issue 1: Docker Setup I'm in the process of setting up OpenLDAP within a Docker container on a RHEL 9 base OS. I've attached the Dockerfile I'm using for reference. My primary concern is that when I run the command RUN slaptest -f /tmp/slapd.conf -F /etc/openldap/slapd.d -d 1, it fails with mdb_db_open: database "dc=my-domain,dc=com": dbenv_open(/usr/var/openldap-data). mdb_db_open: database "dc=my-domain,dc=com" cannot be opened: No such file or directory (2). Restore from backup!. Interestingly, slaptest -u seems to work fine. I would greatly appreciate it if you could review my Dockerfile or provide insights into what might be causing this issue. Issue 2: LDAP Migration Additionally, I'm trying to migrate configuration data from a system using OpenLDAP 2.4.50 to OpenLDAP 2.5.13. During this process, I encountered the following error: csharp Copy code olcAuthzRegexp: value #0: keyword <olcAuthzRegexp> missing <regexp> <DN> argument slapadd: could not add entry dn="cn=config" (line=1) Dockerfile.txt logs_importfile.txt logs_slaptest.txt I'm not sure if these issues are related, but I thought it would be best to ask for your expertise on both matters. Thank you in advance for your assistance. Your guidance would be greatly appreciated. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10133] New: We tried to use centralized authentication for the root account, but it failed.
by openldap-its＠openldap.org 20 Nov '23

20 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=10133 Issue ID: 10133 Summary: We tried to use centralized authentication for the root account, but it failed. Product: OpenLDAP Version: 2.6.0 Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: liubo335(a)huawei.com Target Milestone: --- When sssd+ldap is used for centralized authentication of Linux users, it is found that only non-root users can be authenticated, but the root user cannot be authenticated. Therefore, I would like to ask whether the authentication of the root user is not supported. If yes, what additional configuration items do you need to pay attention to when authenticating the root user? Looking forward to your answer, thank you very much. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 8890] adapt to 64-bit time_t on systems with 32-bit long
by openldap-its＠openldap.org 16 Nov '23

16 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8890 --- Comment #15 from tg(a)debian.org <tg(a)debian.org> --- FWIW, Debian is going to switch 32-bit ARM (with 32-bit long) to 64-bit time_t and off_t soon, and others, even m68k, will follow. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6097] MMR problems with deletes
by openldap-its＠openldap.org 16 Nov '23

16 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=6097 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.7.0 |3.0.0 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6942] updateref config is inadequate
by openldap-its＠openldap.org 16 Nov '23

16 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=6942 --- Comment #4 from Ondřej Kuzník <ondra(a)mistotebe.net> --- Maybe putting updateref on the syncrepl consumer configuration is a way to deal with this. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6198] Authorization for extensions
by openldap-its＠openldap.org 16 Nov '23

16 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=6198 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |blocker Priority|--- |Highest -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9009] 2.7: Switch to LMDB v1.0
by openldap-its＠openldap.org 16 Nov '23

16 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9009 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |blocker -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8890] adapt to 64-bit time_t on systems with 32-bit long
by openldap-its＠openldap.org 16 Nov '23

16 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8890 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|Low |Normal -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9719] New: refreshOnly sends empty cookie when client up to date
by openldap-its＠openldap.org 16 Nov '23

16 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9719 Issue ID: 9719 Summary: refreshOnly sends empty cookie when client up to date Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Syncprov will send an empty cookie if the consumer has the same cookie as provider. To the best of my knowledge this is not in line with RFC4533 and consumers would effectively drop their cookie when the search finishes. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10065] New: slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2"
by openldap-its＠openldap.org 14 Nov '23

14 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=10065 Issue ID: 10065 Summary: slapd needs a config option for the ssf of an external security proxy using "proxy protocol v2" Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: sean(a)teletech.com.au Target Milestone: --- Commit 146889f introduced support for the haproxy "proxy protocol v2". A very welcome addition that allows an external security layer to be implemented. This implementation is however somewhat hobbled. Cyrus SASL uses "Security Strength Factors" or "ssf" to determine what Authentication mechanisms to offer. slapd conveys the implicit security of UNIX domain sockets to the SASL layer by specifying a non-zero ssf for these connections. This can be configured with the "olcLocalSSF" config setting. For implicit/explicit TLS connections, the "olcSecurity: tls=<n>" provides the cryptographic strength of the TLS layer to the SASL layer. For an external TLS-terminating proxy, there does not appear to be any way to inform Cyrus SASL of the presence of TLS security on these proxied connections. The outcome of this is that PLAIN and EXTERNAL authentication mechanisms are not offered to clients connecting through the secure proxy. This can be overcome by weakening the security properties of the SASL layer with the olcSaslSecProps configuration option, but this weakening will apply to all clients, not just clients connecting via the secure proxy. What is required is some way to tell slapd and it's integrated SASL layer about the presence of TLS encryption on the proxy's input. As a precaution, this might be restricted to slapd connections in the 127.0.0.0/8 [IPv6:::] address ranges. -- You are receiving this mail because: You are on the CC list for the issue.

2 29

[Issue 9677] New: Create "make install-strip” target
by openldap-its＠openldap.org 14 Nov '23

14 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9677 Issue ID: 9677 Summary: Create "make install-strip” target Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- All open source make-based projects shall follow the same naming and semantics of targets, described at https://www.gnu.org/prep/standards/html_node/Standard-Targets.html . In particular “make install-strip” shall strip the binaries during the installation, while “make install” shall not strip them. In openldap currently “make install” does strip, which surprised me. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10128] New: Unavailability of OpenSSL 3.X compatible openldap lib libldap_r.so
by openldap-its＠openldap.org 14 Nov '23

14 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=10128 Issue ID: 10128 Summary: Unavailability of OpenSSL 3.X compatible openldap lib libldap_r.so Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: umakanta.senapati(a)netwitness.com Target Milestone: --- Hi Team, We are looking for openldap lib libldap_r.so compatible with openssl 3.x for el8 platform. From the release note i could check Open ldap has added openSSL 3.X support from version 2.5X onwards. But we couldn’t find any open ldap el8 rpm available with OpenSSL3.X support for 2.5.x or higher version. Please correct me if my understanding is wrong. Is there any plan to provide open ldap el8 rpm with libldap_r.so compatible with Openssl 3.X. Please help me if i can build the open ldap libldap_r.so with opensll 3.x lib or not? If yes please share the guide lines for the same. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10099] New: OpenLDAP version 2.5 & 2.6 causes IP connectivity to break and breaks basic commands like reboot
by openldap-its＠openldap.org 09 Nov '23

09 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=10099 Issue ID: 10099 Summary: OpenLDAP version 2.5 & 2.6 causes IP connectivity to break and breaks basic commands like reboot Product: OpenLDAP Version: 2.5.16 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: amcwongahey(a)rbbn.com Target Milestone: --- Created attachment 980 --> https://bugs.openldap.org/attachment.cgi?id=980&action=edit The package Makefile I am upgrading openLDAP from version 2.4.59 to 2.5.16 and am running into show stopper issues. In my environment I am running CLIENT mode only (libldap). I have tried 2.5.16 with the following combinations: openSSL version 1.1.1s and 3.0.8 Kernel versions: 5.4.92, 4.19.192 and 2.6.32 Problems described below ONLY happens when connecting with a domain controller using LDAPS - does NOT happen with LDAP (non-secure). When I use ANY combination that includes kernel version 4 or 5 along with openLDAP 2.5.16 I get random lockups to the point where IP connectivity breaks into and out of the node. And also it is so completely hosed that even issuing a reboot command from the console completely hangs and does not restart the node. The problem happens roughly 50% of the time with openLDAP combined with version 5 kernel but happens noticeably less frequently with the version 4 kernel. As soon as I kill the process that invokes the connection with openLDAP the problem clears up. I invoke the connection with the following function call: nReturnCode = ldap_sasl_bind( m_pLD, m_ADBind.GetBindDN(), LDAP_SASL_SIMPLE, &stPassword, NULL, NULL, &nMsgID); I use simple auth simply because the entire connection is secured with TLS anyway and there is another functional reason which I cannot go into details on. OpenLDAP never returns from the ldap_sasl_bind function call. It hangs somewhere inside the library but that alone cannot account for the complete lockup where basic commands like reboot, etc do not work and where all IP connectivity breaks. It seems it has to be something with openLDAP and the Linux kernel combined that triggers this issue. I am hoping that someone who is much more familiar with the libldap part of the library will pick up on this and be able to determine how to fix this. As an FYI: I also tried the very first version of 2.5.1 (alpha release) and the latest 2.6 and the problem happens on those versions as well. To be clear the problem does NOT happen if I run openLDAP 2.5.16 with Linux kernel version 2.6.32. ADDITIONALLY ALL openSSL & kernel combinations works with openLDAP version 2.4.59! I am attaching the package Makefile to this report. Below is the ldap.conf contents: TLS_REQCERT never TLS_KEY /tmp/ssl/certs/server.pem TLS_CERT /tmp/ssl/certs/server.pem TLS_PROTOCOL_MIN 3.1 sasl_secprops maxssf=0 -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 9009] 2.7: Switch to LMDB v1.0
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9009 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |db_reload -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9612] New: Change index_hash64 default to on
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9612 Issue ID: 9612 Summary: Change index_hash64 default to on Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- Change the default value of index_hash64. By default this means slapd won't run on a 32-bit CPU (It will continue to work on 32-bit OSes running on 64-bit CPUs). If someone needs to run slapd on a 32-bit CPU they can turn this option off. In the documentation, mark the option as deprecated for eventual removal in a future release. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9580] New: Refresh vs. accesslog in delta-MPR
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9580 Issue ID: 9580 Summary: Refresh vs. accesslog in delta-MPR Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: replication Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- A server consuming a plain syncrepl session (might be a delta-MMR refresh) still has to log the entries into accesslog, however that accesslog stops being capable of serving as a delta-sync source: - operation entryCSNs will be out-of-order - the changes logged will not be the intended modifications (e.g. if we fell back after a conflict, the conflicting entry will be replaced with the other version, other examples available) We need to deal with that somehow, at the very least we need to make sure the consumer will not take them at face value. We could record this in the accesslog root entry if we can detect when this starts and match it up with the final cookie, syncprov would still need some tweaks to understand it. We could mark the entries received this way and make sure delta-consumers treat them as "poison", as if they were running a plain syncrepl session themselves (not update contextCSN until that's finished, mark its own accesslog entries this way, ...). Anything like that needs guarantees that it will clean itself up once all of the real plain sessions finish otherwise we've lost delta-sync altogether. A different approach might or might not be needed for live delta-persist sessions replicating from a refreshing provider, but at least that syncprov has a way of detecting this live if it chooses to. -- You are receiving this mail because: You are on the CC list for the issue.

1 13

[Issue 9341] New: Delta-sync MPR needs to be stable regardless of ordering
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9341 Issue ID: 9341 Summary: Delta-sync MPR needs to be stable regardless of ordering Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: replication Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- If two or more updates are spread across several providers before they have a chance to learn about the others, all replicas need to arrive at the same content regardless of the order in which they arrive. One example that is broken at the moment: - (csn a) server 1 accepts a modify - (csn b) server 2 accepts a delete on the same DN - (csn c) server 2 accepts an add on that DN again If a replica receives the actions in the order bca vs. abc, the content of the entry will be different even though the final CSN set is the same -> they will never converge. The ordering 'bac' also needs to result in eventual convergence, even if it means a refresh or replication from either provider stalling temporarily? Merge request with this test case (so far): https://git.openldap.org/openldap/openldap/-/merge_requests/145 -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 9547] New: OpenLDAP does not send port as SPN when authenticating SASL GSSAPI
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9547 Issue ID: 9547 Summary: OpenLDAP does not send port as SPN when authenticating SASL GSSAPI Product: OpenLDAP Version: 2.4.44 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: robert.wilson1717(a)gmail.com Target Milestone: --- When trying to authenticate to an ADLDS server using kerberos and a MIT ccache, OpenLdap only passes the hostname to the SASL mechanism, causing a mismatch between the SPN in the client "ldap/adlds.my.domain" and the one registered in AD "ldap/adlds.my.domain:50000" Is there a way fo forcing OpenLDAP to pass the port as part of the SASL request? Or is there a part of the OpenLDAP -> Cyprus-SASL -> MIT KRB5 chain where this can be enabled? -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9506] New: dynlist: member expansion when member attribute not requested
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9506 Issue ID: 9506 Summary: dynlist: member expansion when member attribute not requested Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- When configured to do dynamic "member" expansion, i.e.: overlay dynlist dynlist-attrset groupOfURLs memberURL member Any query against an object that would trigger this expansion will incur a penalty while dynlist does the expansion work even if there was no request for the member attribute. Currently that can be worked around by specifying the manageDSAit control when doing a search on the object, but this may not be feasible for some client applications and additionally other directory servers do not do this expansion for their dynamic group implementations unless the underlying configured attribute is explicitly requested. We've already implemented this in dynlist for the memberOfAD case, we should do it here as well. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9269] New: "hidden" "subordinate" database is shown in a directory tree
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9269 Issue ID: 9269 Summary: "hidden" "subordinate" database is shown in a directory tree Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: grapvar(a)gmail.com Target Milestone: --- "hidden" configuration option is ignored by slapd (not honored by "glue" overlay?) if the database it tries to hide is also a "subordinate" database. Checked for openldap 2.4.47 and current git master (f3952d9). -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Issue 8957] Handling of TLS in async mode
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8957 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9244 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8968] Async connect mode does not work on Solaris
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8968 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9244 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8980] Async mode and TLS Non-Blocking Issue
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8980 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9244 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Bug 9229] New: Make liblutil usable by libldap
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9229 Bug ID: 9229 Summary: Make liblutil usable by libldap Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: ryan(a)openldap.org Target Milestone: --- liblutil is a static library (non-PIC) and so cannot be linked into shared objects, however we have several use cases for reusing its code in libldap. Some options: - moving more code from liblutil to libldap - just merge the whole thing? - are there components that link liblutil but _not_ libldap? - build liblutil as PIC (take a minor performance hit when linked into programs?) - build liblutil twice (liblutil.a and liblutil_pic.a) - symlink liblutil sources into libldap build dir, like libldap_r does with libldap - both of these last options require checking whether executables can call the PIC symbols safely (if some symbols are used by both library and program code) Nice-to-have for 2.5, I'd say more likely for 2.6 at this point. -- You are receiving this mail because: You are on the CC list for the bug.

1 10

[Issue 9009] 2.7: Switch to LMDB v1.0
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9009 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |9225 Referenced Issues: https://bugs.openldap.org/show_bug.cgi?id=9225 [Issue 9225] back-mdb: Add support for PREPARE/2-phase commit -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Bug 9221] New: Move all replication consumer code into its own overlay
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9221 Bug ID: 9221 Summary: Move all replication consumer code into its own overlay Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- (In relation to a discussion about slapo-chain) <hyc> anyway, the nicer ting to fix would be in 2.5, push all of the repl consumer code into its own overlay <hyc> in that case, updateref would be processed wherever the overlay was configured <hyc> so no longer tied to the frontend <hyc> it would also make it more feasible to have multiple different consumer configs in a single DB, each with their own provider URL (and thus their own updateref) <hyc> I would think we can get rid of the update ref directive entirely, just point all writes to that consumer's provider. -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 9218] New: Revist entry_release handling in slapo-pache, slapo-translucent
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9218 Bug ID: 9218 Summary: Revist entry_release handling in slapo-pache, slapo-translucent Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- From a past discussion with hyc on 2.5 items: [13:57] <hyc> there's a nagging problem though, pcache's entry_release function needs to distinguish between its backend actually freeing the entry, or being a no-op [13:57] <hyc> so it can decide whether to return success or continue [13:58] <hyc> the patch to translucent sidesteps the question, by avoiding other overlays [13:58] <hyc> but we need to revisit this in 2.5 -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 9217] New: Audit all schema definitions to have official non-experimental OIDs where possible
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9217 Bug ID: 9217 Summary: Audit all schema definitions to have official non-experimental OIDs where possible Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- From a past discussion with hyc on 2.5 requirements: [09:27] <hyc> we also need to audit all of these schema defs [09:27] <hyc> we're supposed to have official, non-experimental OIDs for released schema [09:28] <hyc> accesslog is still using 666, experimental arc [09:29] <hyc> I think this means we should polish up the logschema draft, Informational status, and publish it again as final -- You are receiving this mail because: You are on the CC list for the bug.

1 12

[Bug 9216] New: Port autoca to gnutls
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=9216 Bug ID: 9216 Summary: Port autoca to gnutls Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ryan(a)openldap.org Target Milestone: --- For 2.5, support building and running the autoca overlay with GnuTLS. -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Issue 10126] New: Openldap 2.5.16 Segmentation fault during start
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=10126 Issue ID: 10126 Summary: Openldap 2.5.16 Segmentation fault during start Product: OpenLDAP Version: 2.5.16 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: bogdan.siara(a)gmail.com Target Milestone: --- Created attachment 987 --> https://bugs.openldap.org/attachment.cgi?id=987&action=edit gdb stacktrace Hi, I have openldap cluster with 2 nodes. Openldap is compiled in docker debian:bookworm-slim with options: ./configure --prefix=${LDAP_HOME}/openldap \ --enable-debug \ --enable-dynamic \ --enable-syslog \ --enable-ipv6 \ --enable-local \ --enable-slapd \ --enable-dynacl \ --enable-cleartext \ --enable-crypt \ --enable-spasswd \ --enable-modules \ --enable-slapi \ --enable-wrappers \ --enable-dnssrv=mod \ --enable-ldap=mod \ --enable-mdb=mod \ --enable-meta=mod \ --enable-asyncmeta=mod \ --enable-relay=mod \ --enable-overlays=mod \ --enable-argon2=yes \ --enable-balancer=mod \ --with-cyrus-sasl \ --with-threads \ --with-argon2=auto \ --without-systemd \ --with-tls=openssl make depend make make install cd contrib/slapd-modules/smbk5pwd sed -i "s|prefix=/usr/local|prefix=${LDAP_HOME}/openldap|g" Makefile sed -i "s|SSL_LIB = -lcrypto|SSL_LIB = -lnettle|g" Makefile sed -i "s|HEIMDAL_INC = -I/usr/heimdal/include|HEIMDAL_INC = \$(shell krb5-config.heimdal --cflags krb5 kadm-server)|g" Makefile sed -i "s|HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv|HEIMDAL_LIB = \$(shell krb5-config.heimdal --libs krb5 kadm-server)|g" Makefile sed -i "s|LIBS = \$(LDAP_LIB) \$(HEIMDAL_LIB) \$(SSL_LIB)|LIBS = \$(HEIMDAL_LIB) \$(LDAP_LIB) \$(SSL_LIB)|g" Makefile make make install cd ../passwd/pbkdf2 sed -i "s|prefix=/usr/local|prefix=${LDAP_HOME}/openldap|g" Makefile sed -i "s|SSL_LIB = -lcrypto|SSL_LIB = -lnettle|g" Makefile make make install cd ../sha2 sed -i "s|prefix=/usr/local|prefix=${LDAP_HOME}/openldap|g" Makefile make make install cd ../../ppm sed -i "s|prefix=/usr/local|prefix=${LDAP_HOME}/openldap|g" Makefile make make install When I start openldap: slapd -h 'ldap://0.0.0.0:10389 ldaps://0.0.0.0:10536 ldapi://%2Fopt%2Fldap%2Fldapi' -F /opt/ldap//openldap/etc/openldap/slapd.d I get error: @(#) $OpenLDAP: slapd 2.5.16 (Nov 3 2023 07:51:03) $#012#011@f3068170494c:\/opt\/ldap\/openldap-2.5.16\/servers\/slapd /opt\/ldap\/openldap\/etc\/openldap\/slapd.d: line 1: rootdn is always granted unlimited privileges. Segmentation fault (core dumped) and in syslog: Nov 6 08:48:17 openldap-1 kernel: [44480681.935173] slapd[3775972]: segfault at 7f049da0375f ip 00007f049d75fc12 sp 00007fff24e77dd0 error 7 in libcrypto.so.3[7f049d60a000+279000] Nov 6 08:48:17 openldap-1 kernel: [44480681.935183] Code: 64 f9 ff ff eb a8 e8 ed 23 eb ff 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 85 ff 0f 84 a7 00 00 00 53 b8 ff ff ff ff 48 89 fb <f0> 0f c1 47 30 83 e8 01 85 c0 74 12 7e 10 5b 31 c0 31 d2 31 f6 31 Next start with gdb: ldap@openldap-1:~$ gdb --args /opt/ldap/openldap/libexec/slapd -d 0 -h ldap://0.0.0.0:10389 -F /opt/ldap//openldap/etc/openldap/slapd.d GNU gdb (Debian 13.1-3) 13.1 Copyright (C) 2023 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <https://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /opt/ldap/openldap/libexec/slapd... (No debugging symbols found in /opt/ldap/openldap/libexec/slapd) (gdb) run Starting program: /opt/ldap/openldap/libexec/slapd -d 0 -h ldap://0.0.0.0:10389 -F /opt/ldap//openldap/etc/openldap/slapd.d [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x00007ffff79bfc12 in EVP_PKEY_free () from /lib/x86_64-linux-gnu/libcrypto.so.3 (gdb) bt full #0 0x00007ffff79bfc12 in EVP_PKEY_free () from /lib/x86_64-linux-gnu/libcrypto.so.3 No symbol table info available. #1 0x00007ffff79fa393 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3 No symbol table info available. #2 0x00007ffff79fa8cd in PEM_read_bio_Parameters_ex () from /lib/x86_64-linux-gnu/libcrypto.so.3 No symbol table info available. #3 0x00007ffff7fa1b38 in tlso_ctx_init (lo=0x5555556fd550, lt=0x7fffffffe280, is_server=1) at tls_o.c:546 dh = 0x7ffff7c6372f <SSL_CTX_new_ex+815> bio = 0x5555558afab0 ctx = 0x55555586b760 i = <optimized out> #4 0x00007ffff7f9de08 in ldap_int_tls_init_ctx (lo=0x5555556fd550, is_server=1) at tls2.c:264 rc = 0 ti = <optimized out> lts = {lt_certfile = 0x555555773350 "/opt/ldap/openldap/etc/openldap/certs/ldap.crt", lt_keyfile = 0x555555773390 "/opt/ldap/openldap/etc/openldap/certs/ldap.key", lt_dhfile = 0x555555773470 "/opt/ldap/openldap/etc/openldap/certs/dhparam", lt_cacertfile = 0x555555773310 "/opt/ldap/openldap/etc/openldap/certs/ca.crt", lt_cacertdir = 0x0, lt_ciphersuite = 0x5555557733d0 "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM", lt_crlfile = 0x0, lt_randfile = 0x0, lt_ecname = 0x0, lt_protocol_min = 771, lt_protocol_max = 0, lt_cacert = {bv_len = 0, bv_val = 0x0}, lt_cert = {bv_len = 0, bv_val = 0x0}, lt_key = { bv_len = 0, bv_val = 0x0}} #5 0x00005555555759e7 in main () No symbol table info available. (gdb) thread apply all bt Thread 1 (Thread 0x7ffff75ce7c0 (LWP 64) "slapd"): #0 0x00007ffff79bfc12 in EVP_PKEY_free () from /lib/x86_64-linux-gnu/libcrypto.so.3 #1 0x00007ffff79fa393 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3 #2 0x00007ffff79fa8cd in PEM_read_bio_Parameters_ex () from /lib/x86_64-linux-gnu/libcrypto.so.3 #3 0x00007ffff7fa1b38 in tlso_ctx_init (lo=0x5555556fd550, lt=0x7fffffffe280, is_server=1) at tls_o.c:546 #4 0x00007ffff7f9de08 in ldap_int_tls_init_ctx (lo=0x5555556fd550, is_server=1) at tls2.c:264 #5 0x00005555555759e7 in main () Next I rebuild openldap adding flags to configure step: ./configure CFLAGS=-g When I run slapd in new image: slapd -h 'ldap://0.0.0.0:10389 ldaps://0.0.0.0:10536 ldapi://%2Fopt%2Fldap%2Fldapi' -F /opt/ldap//openldap/etc/openldap/slapd.d all working well and I didn't get segementation fault. Can someone tell me what I'm doing wrong and how to investigate the problem? Regards BS -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10127] New: Thread Safety in LMDB with MDB_NOTLS and Readonly Cursors
by openldap-its＠openldap.org 07 Nov '23

07 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=10127 Issue ID: 10127 Summary: Thread Safety in LMDB with MDB_NOTLS and Readonly Cursors Product: LMDB Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: xiaoya2wei(a)gmail.com Target Milestone: --- Greetings LMDB Community, I am delving into the thread-safety aspects of LMDB, specifically regarding the use of readonly cursors across multiple threads. With the MDB_NOTLS flag enabled, which disables thread-local storage, my understanding is that readonly transactions may be shared between threads, provided there is proper synchronization to prevent concurrent access. Building upon this, I seek clarity on the following: Can multiple threads safely access a single readonly cursor derived from such a synchronized readonly transaction when MDB_NOTLS is enabled? Upon reviewing the LMDB source code, I noticed that cursors are tied to transactions (see mdb.c#L1335). This suggests that if threads can synchronously share a transaction, they might also share a cursor associated with it for data retrieval. I recognize my analysis might be superficial, and I'm open to corrections. Your insights on this matter would be greatly appreciated to enhance my understanding of LMDB's concurrency mechanisms. Thank you in advance for your assistance! -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 8852] slapd memory use grows continuously with non-delta syncrepl and modifying groups
by openldap-its＠openldap.org 03 Nov '23

03 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8852 --- Comment #8 from Ondřej Kuzník <ondra(a)mistotebe.net> --- For comparison, using deltasync (and sortvals!) makes the consumer take a similar amount of CPU time (about +50-90 % on the provider's) to process the 10k value additions, just like Ryan noted earlier. On the other idea, no clue on whether we can somehow limit the amount of data queued up without severely impairing replication progress. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8852] slapd memory use grows continuously with non-delta syncrepl and modifying groups
by openldap-its＠openldap.org 03 Nov '23

03 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8852 --- Comment #7 from Ondřej Kuzník <ondra(a)mistotebe.net> --- Making attr_cmp do a linear sweep for sortvals attributes (instead of the quadratic match it has to do right now) makes the consumer 7-8x slower than a provider across the board with the environment provided. I might have expected something like 3-4x but that's out of scope for this particular ITS. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8180] back-sock should not return sucess in case of error
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8180 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |IN_PROGRESS Ever confirmed|0 |1 --- Comment #2 from Howard Chu <hyc(a)openldap.org> --- https://git.openldap.org/openldap/openldap/-/merge_requests/657 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8677] back-sock segfaults on CONTINUE (database sock)
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8677 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |IN_PROGRESS Ever confirmed|0 |1 --- Comment #3 from Howard Chu <hyc(a)openldap.org> --- https://git.openldap.org/openldap/openldap/-/merge_requests/657 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6198] Authorization for extensions
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=6198 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |9204 Referenced Issues: https://bugs.openldap.org/show_bug.cgi?id=9204 [Issue 9204] slapo-constraint allows anyone to apply Relax control -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8884] enabling overlay slapo-rwm makes 'entryDN' invisible
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8884 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |hyc(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8498] slapadd complains about missing attrs
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8498 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |TEST Status|UNCONFIRMED |RESOLVED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8852] slapd memory use grows continuously with non-delta syncrepl and modifying groups
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8852 --- Comment #6 from Ondřej Kuzník <ondra(a)mistotebe.net> --- attr_cmp should check the attribute is a sortval and if so, should diff without resolving to a double loop. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8498] slapadd complains about missing attrs
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8498 --- Comment #5 from Howard Chu <hyc(a)openldap.org> --- Fixed in master 2939df1a1dead2a11d1878ccd246660cda2b41a6 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8852] slapd memory use grows continuously with non-delta syncrepl and modifying groups
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8852 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |ondra(a)mistotebe.net --- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> --- May be possible to improve diff code for standard syncrepl to improve performance on the consumer side if the attribute is sorted via sortvals, needs investigation. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8852] slapd memory use grows continuously with non-delta syncrepl and modifying groups
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8852 --- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Similarly, when I used AWS, it was necessary to have the consumers be set at 4k IOPS while the providers were 3k IOPS. I.e., it's generally necessary that consumers be faster than providers when processing large sequences of write updates. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8826] Contrib dsaschema module needs updating for cn=config
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8826 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |ondra(a)mistotebe.net -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8678] Slow deletes of large indexed attrributes
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8678 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |hyc(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8677] back-sock segfaults on CONTINUE (database sock)
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8677 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Component|overlays |backends -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8581] slapd-meta backend SSL negotiation timeout
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8581 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8581] slapd-meta backend SSL negotiation timeout
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8581 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |DUPLICATE Status|UNCONFIRMED |RESOLVED --- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> --- *** This issue has been marked as a duplicate of issue 8047 *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8047] TIMEOUT and NETWORK_TIMEOUT don't work properly with SSL
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8047 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |louis.chanouha@univ-toulous | |e.fr --- Comment #10 from Quanah Gibson-Mount <quanah(a)openldap.org> --- *** Issue 8581 has been marked as a duplicate of this issue. *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8524] cn=config + ditContentRule
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8524 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.7.0 |--- Component|slapd |documentation Severity|development |normal --- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Need to document how to correctly include this type of configuration as a part of an additional schema include. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8498] slapadd complains about missing attrs
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8498 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|quanah(a)openldap.org |hyc(a)openldap.org Target Milestone|--- |2.7.0 --- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Specific to using the null base, where these attributes won't exist. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8498] slapadd complains about missing attrs
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8498 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.7.0 |--- Severity|normal |enhancement -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8491] slapdelete test needed
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8491 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |enhancement --- Comment #3 from Quanah Gibson-Mount <quanah(a)openldap.org> --- requires slapdelete exist first -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8182] setspec matching fails unexpectedly
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8182 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8182] setspec matching fails unexpectedly
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8182 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |RESOLVED Resolution|--- |SUSPENDED --- Comment #3 from Quanah Gibson-Mount <quanah(a)openldap.org> --- patches welcome, has usable workaound -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8182] setspec matching fails unexpectedly
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8182 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.7.0 |--- -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8180] back-sock should not return sucess in case of error
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8180 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |hyc(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8178] back-sock: Timeout to avoid locking
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=8178 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |enhancement -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10121] New: cldap is not work in 2.6.0
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=10121 Issue ID: 10121 Summary: cldap is not work in 2.6.0 Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: client tools Assignee: bugs(a)openldap.org Reporter: 1010881517(a)qq.com Target Milestone: --- I can't use ldapsearch to query cldap:/// on 2.6.0, but it works fine on 2.4.0. Do you have any instructions on cldap configuration?ldap and ldapi are normal. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 7981] Feature request: Crypt scheme in pwdPolicy
by openldap-its＠openldap.org 02 Nov '23

02 Nov '23

https://bugs.openldap.org/show_bug.cgi?id=7981 --- Comment #3 from Ondřej Kuzník <ondra(a)mistotebe.net> --- Rather than extending the pwdPolicy objectclass, maybe the new mechanism added in ITS#9343 could be used to override the default scheme if desided? -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10111] New: dynlist crashes when using member+memberOf@groupOfNames
by openldap-its＠openldap.org 30 Oct '23

30 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10111 Issue ID: 10111 Summary: dynlist crashes when using member+memberOf@groupOfNames Product: OpenLDAP Version: 2.6.6 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: uberthoth(a)gmail.com Target Milestone: --- slapd crashes if queried for the memberof field if dynlist has this config (which is directly from the manpage for slapo-dynlist): olcDynListAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames There is an example repo with a docker-compose.yml to replicate this issue here: https://github.com/joshuacox/openldap-overlay-dynlist This may be a duplicate of this https://bugs.openldap.org/show_bug.cgi?id=10091 though I did not see a seg fault. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10072] New: Querying for transaction memory use
by openldap-its＠openldap.org 28 Oct '23

28 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10072 Issue ID: 10072 Summary: Querying for transaction memory use Product: LMDB Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: tagwerk19.openldap(a)innerjoin.org Target Milestone: --- It would be useful to have a way to ask liblmdb how much "dirty memory" a transaction is using, up to that point. The goal is to be able to bundle writes into fewer transactions, making best use of available memory and reducing total disc writes. It is possible for an application to count the number of writes but this has only a loose relation to the *actual* number of dirty pages flagged. The target would be to write data up until the dirty memory gets to a threshold and then commit. I see that there's a: txn->mt_dirty_room and wonder if MDB_IDL_UM_MAX - txn->mt_dirty_room would give a count of that an "aware" application could make use of (an exact count? or maybe a usable and sufficient indication?) The need for this has been sharpened with the use of systemd service files that cap the memory allowed for a process, for example: MemoryHigh=512M If the process reaches this limit and continues to write data, the system uses swap. See: https://invent.kde.org/frameworks/baloo/-/merge_requests/148 Thank you for providing and supporting LMDB -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 10122] New: Deletes are not replicated
by openldap-its＠openldap.org 26 Oct '23

26 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10122 Issue ID: 10122 Summary: Deletes are not replicated Product: OpenLDAP Version: 2.4.46 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: kinouchi-kazuhito(a)jsdnet.co.jp Target Milestone: --- Thank you for your help. I am doing replication using syncrepl rehreshOnly mode. All of a sudden, entry deletions are no longer reflected to the consumer. Looking at the logs, nonpresent_callback is no longer printed in the consumer's logs. Further parsing the logs shows that after the last nonpresent_callback, the provider and consumer are updating the same attribute on the same entry. How should I recover? -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10085] New: test029 can't pass with SLAPD_USE_SASL is set
by openldap-its＠openldap.org 25 Oct '23

25 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10085 Issue ID: 10085 Summary: test029 can't pass with SLAPD_USE_SASL is set Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: test suite Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Running make test with SLAPD_USE_SASL set will fail test029. There is even a comment there that we can't support that functionality as-is when SASL binds are configured. We should probably remove that part of the test or skip it unconditionally for now. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10045] New: back-config operations abandoned while waiting in slap_pause_server() aren't committed to ldif
by openldap-its＠openldap.org 24 Oct '23

24 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10045 Issue ID: 10045 Summary: back-config operations abandoned while waiting in slap_pause_server() aren't committed to ldif Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- slap_pause_server() can take an unbounded time to process and it is possible the operation is abandoned in the meantime (e.g. the connection is lost and the loss is still noticed at this point). However the processing still goes ahead and passed onto back-ldif - where it is discarded as abandoned already so we can end up with an inconsistent view of our persistent configuration. Checking op->o_abandon again after slap_pause_server() finishes might be enough. -- You are receiving this mail because: You are on the CC list for the issue.

2 13

[Issue 10095] New: Race condition causing corruption of mutexes when closing the database
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10095 Issue ID: 10095 Summary: Race condition causing corruption of mutexes when closing the database Product: LMDB Version: 0.9.30 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: peter(a)peterzhu.ca Target Milestone: --- We're running into a race condition across multiple processes causing the corruption of mutexes when a process closes the database caused by the fix for https://bugs.openldap.org/show_bug.cgi?id=9278 (commit https://git.openldap.org/openldap/openldap/-/commit/f683ffdc81d0edb20437cb7…). Here's the interleaving of two processes (p0 and p1) that can cause this situation. p0: Opens connection to database using mdb_env_create and mdb_env_open. ...some things happen in between... p0: Begins closing the database using mdb_env_close: p0: Calls mdb_env_close0: p0: Acquires write lock on the file lock using mdb_env_excl_lock. p0: Calls pthread_mutex_destroy on the mutexes. SWITCH TO p1 p1: Begins opening the database using mdb_env_create. Then calls mdb_env_open, in mdb_env_open: p1: Calls mdb_env_setup_locks: p1: Calls mdb_env_excl_lock, but it's unable to acquire a write file lock due to p0 holding the write file lock. It waits on acquiring a read file lock. SWITCH TO p0 p0: Calls close on the file descriptor which releases the write lock. SWITCH TO p1 p1: Acquires the read file lock. p1: Does NOT call pthread_mutex_init since it did not acquire a write file lock. ...some things happen in between... p1: Try to lock the mutex using pthread_mutex_lock. This call fails with a EINVAL due to locking a destroyed mutex. I'm not sure how to actually solve this problem. We're currently mitigating this problem by reverting the commit linked above (so no mutexes get destroyed). -- You are receiving this mail because: You are on the CC list for the issue.

1 13

[Issue 7226] olcAuditlogFile should be single valued, but accepts multiple values (additional values ignored)
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7226 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |RESOLVED Resolution|--- |TEST --- Comment #18 from Quanah Gibson-Mount <quanah(a)openldap.org> --- • 242d1e6d by Ondřej Kuzník at 2023-08-21T12:19:16+01:00 ITS#7226 Make olcAuditlogFile SINGLE-VALUE -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9278] New: liblmdb: robust mutexes should not be unmapped
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=9278 Issue ID: 9278 Summary: liblmdb: robust mutexes should not be unmapped Product: LMDB Version: unspecified Hardware: All OS: FreeBSD Status: UNCONFIRMED Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: delphij(a)freebsd.org Target Milestone: --- Created attachment 736 --> https://bugs.openldap.org/attachment.cgi?id=736&action=edit A possible workaround We recently noticed that lmdb would have the memory region containing the robust mutex unmapped on mdb_env_close0(): munmap((void *)env->me_txns, (env->me_maxreaders-1)*sizeof(MDB_reader)+sizeof(MDB_txninfo)); Note that if this is the last unmap for a robust mutex, the FreeBSD implementation would garbage-collect the mutex, making it no longer visible to other processes. As the result, a second instance of the attached test.c (from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244493 with minor changes) would trigger the assertion at mdb_txn_begin() because the acquisition of the mutex would return 22 (EINVAL), because the mutex appeared to be a robust mutex, but was invalid. The attached lmdb.diff is a possible workaround for this (it would skip unmapping when setting up the robust mutex for the first time). -- You are receiving this mail because: You are on the CC list for the issue.

1 20

[Issue 10077] New: Integer overflow in util-int.c
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10077 Issue ID: 10077 Summary: Integer overflow in util-int.c Product: OpenLDAP Version: 2.6.3 Hardware: All OS: Windows Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: michal.pura(a)gmail.com Target Milestone: --- Created attachment 971 --> https://bugs.openldap.org/attachment.cgi?id=971&action=edit the fix proposal for ldap_pvt_gettimensec() function Hello, I found the issue with contextCNS generating process which cause that its format is invalid (minus sign in nanoseconds filed). Example: "generated new csn=20230630080704.-489933Z#000000#000#000000" The bug can introduce the minus sign in the contextCSN what could have an impact in replication process, backup restoring etc. Everywhere when the format of contextCSN is checked before processing it. According to the source code and reference documents the contextCSN nanoseconds filed should have the value from range: 000000-999999. https://www.openldap.org/faq/data/cache/1145.html The problem is in the function ldap_pvt_gettimensec() in util-int.c file. For example in line: count.QuadPart += (10 * BILLION); The value of (10 * BILLION) will be treated as 32-bit value by compilator and will cause the integer overflow. Then the random value is added to count.QuadPart what in some specific cases can produce the negative value which is returned from the function. At the end the value is passed to the function ldap_pvt_csnstr() so the contextCSN is wrongly generated (with minus sign). There is missing 'LL' qualifier, code should looks like this: count.QuadPart += (10LL * BILLION); I also suggest to change the type of _ldap_pvt_gt_offset variable from int to long long. In attachment you will find fix proposal as there are more places in the function where changes are required. -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Issue 10115] New: Delisting Savoir-faire Linux from support page
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10115 Issue ID: 10115 Summary: Delisting Savoir-faire Linux from support page Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: support(a)savoirfairelinux.com Target Milestone: --- Hello, I am the Vice-President, IT Infrastructure at Savoir-faire Linux and I am writing you to remove our company from the support page on your website because we no longer offer OpenLDAP consulting. -- Hussein Abdallah Vice-president Infrastructures Free Software Consultant & Trainer Email: support(a)savoirfairelinux.com savoirfairelinux.com | Montréal, Québec Jami: habdallah Tél.: +1 514 276 5468 ext. 148 -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 8485] [PATCH] Adding support for encrypted server private keys
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=8485 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8485] [PATCH] Adding support for encrypted server private keys
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=8485 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.7.0 |--- Resolution|--- |SUSPENDED Status|UNCONFIRMED |RESOLVED --- Comment #14 from Quanah Gibson-Mount <quanah(a)openldap.org> --- A patch along the lines on comment#12 welcome. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8197] slapo-constraint and delold=0
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=8197 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FEEDBACK Status|UNCONFIRMED |RESOLVED Target Milestone|2.7.0 |--- --- Comment #3 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Need information on what constraint(s) have been implemented that trigger the issue. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9714] New: Use xorshift in libldap/dnssrv.c
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=9714 Issue ID: 9714 Summary: Use xorshift in libldap/dnssrv.c Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- As discussed in https://git.openldap.org/openldap/openldap/-/merge_requests/417 we may want to shift to using xorshift in libldap/dnssrv.c in a future release. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 8196] PRNG from ITS#7027 (shuffling DNS SRV records) is poorly seeded
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=8196 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |TEST Status|UNCONFIRMED |RESOLVED Assignee|bugs(a)openldap.org |ondra(a)mistotebe.net --- Comment #2 from Quanah Gibson-Mount <quanah(a)openldap.org> --- commit 1220282dd5f941829e999d612eeb226e532b55d7 Author: Ondřej Kuzník <ondra(a)mistotebe.net> Date: Fri Sep 16 14:49:11 2022 +0100 ITS#8196/ITS#9714 Switch to xorshift -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8149] nssov loginStatus doesn't play well with replication
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=8149 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|replication | -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7981] Feature request: Crypt scheme in pwdPolicy
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7981 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |ondra(a)mistotebe.net -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7777] Filtering on modifyTimestamp is slower with index
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7777 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7777] Filtering on modifyTimestamp is slower with index
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7777 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |RESOLVED Resolution|--- |SUSPENDED Target Milestone|2.7.0 |--- --- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org> --- patches welcome generally don't index timestamps. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 10114] New: Crash in mdb_copy with stale transactions(?)
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10114 Issue ID: 10114 Summary: Crash in mdb_copy with stale transactions(?) Product: LMDB Version: 0.9.30 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: zack+ldapbugs(a)owlfolio.org Target Milestone: --- I have a LMDB database which is damaged in some way, I'm not sure exactly how, but the application that created it (KDE baloo_file) crashes on startup while trying to read it, with a backtrace pointing inside liblmdb... #0 __memcpy_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:837 #1 0x00007fbf1fa110b6 in mdb_page_touch (mc=mc@entry=0x7ffe8dc1adf0) at mdb.c:2502 #2 0x00007fbf1fa12c9c in mdb_cursor_touch (mc=mc@entry=0x7ffe8dc1adf0) at mdb.c:6563 #3 0x00007fbf1fa16228 in mdb_cursor_put (mc=mc@entry=0x7ffe8dc1adf0, key=key@entry=0x7ffe8dc1b1e0, data=data@entry=0x7ffe8dc1b1f0, flags=<optimized out>, flags@entry=0) at mdb.c:6697 #4 0x00007fbf1fa18d51 in mdb_put (txn=0x55986d167a70, dbi=<optimized out>, key=0x7ffe8dc1b1e0, data=0x7ffe8dc1b1f0, flags=0) at mdb.c:9076 #5 0x00007fbf1fcec44b in Baloo::PostingDB::put (this=this@entry=0x7ffe8dc1b2d0, term=..., list=...) at /usr/src/debug/kde-frameworks/baloo-5.110.0/baloo-5.110.0/src/engine/postingdb.cpp:66 If I try to mdb_dump the database (with nothing else trying to access it) I get mdb_dump: index: MDB_BAD_TXN: Transaction must abort, has a child, or is invalid That sounds like the sort of thing that ought to be cleared by mdb_copy -c, but instead that command also crashes inside __memcpy_avx_unaligned_erms. Backtrace: #0 __memcpy_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:839 #1 0x0000555555557e67 in mdb_env_cwalk (my=my@entry=0x7fffffffdbc0, pg=pg@entry=0x7fffffffd988, flags=0) at mdb.c:9264 #2 0x0000555555557fdf in mdb_env_cwalk (my=my@entry=0x7fffffffdbc0, pg=pg@entry=0x7fffffffdb90, flags=flags@entry=0) at mdb.c:9306 #3 0x0000555555558523 in mdb_env_copyfd1 (env=0x55555556a2a0, fd=<optimized out>) at mdb.c:9469 #4 0x00005555555588c9 in mdb_env_copy2 (env=0x55555556a2a0, path=<optimized out>, flags=flags@entry=1) at mdb.c:9623 #5 0x0000555555558ea6 in main (argc=3, argv=0x7fffffffe008) at mdb_copy.c:74 I tried to poke at the offending data structure a little but I didn't immediately see what was wrong... (gdb) frame 1 #1 0x0000555555557e67 in mdb_env_cwalk (my=my@entry=0x7fffffffdbc0, pg=pg@entry=0x7fffffffd988, flags=0) at mdb.c:9264 9264 mdb_page_copy(leaf, mp, my->mc_env->me_psize); (gdb) p mp $1 = (MDB_page *) 0x7fc008d32000 (gdb) p *mp $2 = {mp_p = {p_pgno = 0x0606060606060606, p_next = 0x0606060606060606}, mp_pad = 1542, mp_flags = 1542, mp_pb = {pb = {pb_lower = 1542, pb_upper = 18832}, pb_pages = 1234175494}, mp_ptrs = 0x7fc008d32010} ... except that those values for p_pgno and p_next don't look terribly plausible to me. The database file is, unfortunately, much too large to attach here (2.3G uncompressed, 383M compressed with xz -17) and also it's, well, a full-text index of everything I have on my computer, so I'd be hesitant to attach it even if it fit. I can make it available for private download if that would be helpful. I'm also happy to do other experiments. I realize that crashes caused by database corruption can be very difficult to avoid but I hope there might be some kind of easy defensive measure to take in this particular case which could at least allow the application to fail cleanly rather than crashing. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10120] New: slapd crashes when changing ARGON2 olcRootPW via ldapmodify
by openldap-its＠openldap.org 23 Oct '23

23 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10120 Issue ID: 10120 Summary: slapd crashes when changing ARGON2 olcRootPW via ldapmodify Product: OpenLDAP Version: 2.6.5 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: aimass(a)yabarana.com Target Milestone: --- slapd dies when executing LDIF remotely with ldapmodify: This is the command we are running: ldapadd -H ldap://:xxx -x -D xxx -w xxx -f foo.ldif (we are using ldapadd as a convenience because the LDIF file creates and modifies entries) This fragment of foo.ldif causes slapd to die: dn: olcDatabase={0}config,cn=config changetype: modify replace: olcRootPW olcRootPW: {ARGON2}$argon2id$v=19$m=65536,t=128,p=2$******** The last few lines of debug indicate this: 2023-10-23 15:49:36 653679f0.32572d8b 0xffff45945b10 mdb_idl_insert_keys: 56 [f8bb395f] 2023-10-23 15:49:36 653679f0.325f95ba 0xffff45945b10 send_ldap_result: err=0 matched="" text="" 2023-10-23 15:49:36 653679f0.3266665b 0xffff46249b10 connection_get(13) 2023-10-23 15:49:36 653679f0.3266bebc 0xffff46249b10 conn=1010 op=2 do_modify: dn (olcDatabase={0}config,cn=config) 2023-10-23 15:49:36 653679f0.3266c8a9 0xffff46249b10 => ldap_bv2dn(olcDatabase={0}config,cn=config,0) 2023-10-23 15:49:36 653679f0.3266d026 0xffff46249b10 <= ldap_bv2dn(olcDatabase={0}config,cn=config)=0 2023-10-23 15:49:36 653679f0.3266e35b 0xffff46249b10 => ldap_dn2bv(272) 2023-10-23 15:49:36 653679f0.32671cf9 0xffff46249b10 <= ldap_dn2bv(olcDatabase={0}config,cn=config)=0 2023-10-23 15:49:36 653679f0.326723a5 0xffff46249b10 => ldap_dn2bv(272) 2023-10-23 15:49:36 653679f0.32672904 0xffff46249b10 <= ldap_dn2bv(olcDatabase={0}config,cn=config)=0 2023-10-23 15:49:36 653679f0.32672e63 0xffff46249b10 conn=1010 op=2 modifications: 2023-10-23 15:49:36 653679f0.326803c4 0xffff46249b10 replace: olcRootPW 2023-10-23 15:49:36 653679f0.32681a3a 0xffff46249b10 one value, length 384 2023-10-23 15:49:36 Assertion failed: pool->ltp_pause == PAUSED (tpool.c: ldap_pvt_thread_pool_resume: 1319) -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10119] New: log function do NOT work.
by openldap-its＠openldap.org 22 Oct '23

22 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10119 Issue ID: 10119 Summary: log function do NOT work. Product: OpenLDAP Version: 2.5.13 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: 142857uk(a)gmail.com Target Milestone: --- The logging function of this version of `slapd` seems not working at all. The configuration of `slapd` is as follow : ``` dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogFile: /tmp/slapd.log olcLogLevel: -1 olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 ``` I set `olcLogLevel` to -1 to enable logging everything. Other values to `olcLogLevel` like 256, 4 were already tested, not working. So stop shitting about this direction. I use `tail` to monitor the content of `/tmp/slapd.log`, nothing! I also checked the permission of `openldap` user on `/tmp/slapd.log`, and it does have the right to write to it. So, shut the fuck up about this direction. Am I like a newbee? My question is, why can't a soooooooo simple function like logging work? Did you guys bother testing it at all before you release your fucking software? I try to be civilization, but you bitches just don't deserve it. Sorry to say that but unfortunately it's a fact. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 10118] New: slapcat terminates with "double free or corruption (out)" message
by openldap-its＠openldap.org 21 Oct '23

21 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10118 Issue ID: 10118 Summary: slapcat terminates with "double free or corruption (out)" message Product: OpenLDAP Version: 2.5.13 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: client tools Assignee: bugs(a)openldap.org Reporter: dma_k(a)mail.ru Target Milestone: --- The issue started to appear after upgrading slapd from v2.4.57 to v2.5.13 (Debian bullseye → bookworm). $ slapcat -s cn=config ... double free or corruption (out) Aborted (core dumped) Coredump: #0 0x00007faf0a009d3c n/a (libc.so.6 + 0x8ad3c) #1 0x00007faf09fbaf32 raise (libc.so.6 + 0x3bf32) #2 0x00007faf09fa5472 abort (libc.so.6 + 0x26472) #3 0x00007faf09ffe340 n/a (libc.so.6 + 0x7f340) #4 0x00007faf0a0136ba n/a (libc.so.6 + 0x946ba) #5 0x00007faf0a015720 n/a (libc.so.6 + 0x96720) #6 0x00007faf0a017d9f __libc_free (libc.so.6 + 0x98d9f) #7 0x00005608e5287216 slap_tool_init (slapcat + 0xba216) #8 0x00005608e52864a1 slapcat (slapcat + 0xb94a1) #9 0x00005608e51edc73 main (slapcat + 0x20c73) #10 0x00007faf09fa61ca n/a (libc.so.6 + 0x271ca) #11 0x00007faf09fa6285 __libc_start_main (libc.so.6 + 0x27285) #12 0x00005608e51ef061 _start (slapcat + 0x22061) -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10116] Use-After-Free (CWE-416)
by openldap-its＠openldap.org 19 Oct '23

19 Oct '23

1 0

[Issue 9888] New: When using cn=config replication, schema updates can corrupt the index database(s)
by openldap-its＠openldap.org 19 Oct '23

19 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=9888 Issue ID: 9888 Summary: When using cn=config replication, schema updates can corrupt the index database(s) Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- Today I pushed a schema update out to the config node that holds schema that is replicated to the providers and consumers. Post schema update, 2/11 servers crashed in the mdb online indexing function. I fixed this by slapcat the db and slapadd the db. This is important because it was later revealed that on the 9/11 servers that did not crash or have their database reloaded, ldapsearch would return the wrong attribute names for some attribute:value pairs in the database, which caused mayhem in downstream systems and caused replication issues between the nodes. The 2 nodes that were reloaded immediately after the schema change had the only "good" copies of the database left. To give an example, say an entry was something like: dn: uid=joe,ou=people,dc=example,dc=com uid: joe sn: smith cn: joe smith givenName: joe After the change, the broken servers could return something like: dn: uid=joe,ou=people,dc=example,dc=com uid: joe posixGroup: smith cn: joe smith givenName joe It's not clear how deeply this bug ran in the database. It for sure affected 2 attributes used by the person objectClass. Both of the "replacement" attributes were not valid attributes for the person objectClasses in use. Maybe related to the changes in ITS#9858? -- You are receiving this mail because: You are on the CC list for the issue.

1 19

[Issue 7649] Feature request: numSubordinates attribute
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7649 --- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> --- https://datatracker.ietf.org/doc/html/draft-boreham-numsubordinates-01 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7441] cn=config filters ignore {number}
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7441 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |ondra(a)mistotebe.net -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7422] olcExtraAttrs doesn't work with ACIs
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7422 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7422] olcExtraAttrs doesn't work with ACIs
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7422 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.7.0 |--- Status|UNCONFIRMED |RESOLVED Resolution|--- |SUSPENDED --- Comment #3 from Quanah Gibson-Mount <quanah(a)openldap.org> --- patches still welcome -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7420] Possible to bypass overlay unique and constraint
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7420 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |hyc(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7392] ACL a_dn.a_self is skipped in case of "acl_mask: to all values ..."
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7392 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |hyc(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7347] Exclusive bit masks for: ACL_WADD, ACL_WDEL, and ACL_WRITE
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7347 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |hyc(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs