https://bugs.openldap.org/show_bug.cgi?id=9302
Issue ID: 9302
Summary: ppolicy pwdFailureTime race condition leaves account unlocked, violating pwdLockout policy
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: requate(a)univention.de
Target Milestone: ---
Multiple concurrent ldap binds with invalid passwords against a user account
sometimes don't trigger account lockout, even though the number of failed
attempts exceeds the configured pwdLockout policy of the ppolicy overlay.
How to reproduce:
1. Configure ppolicy overlay with pwdLockout: TRUE
2. set pwdMaxFailure to some value, e.g. 5
3. Create a test user account and start just enough (or more) parallel
ldapsearch processes to make the account get locked, e.g. like this in
bash/sh (note the backgrounding):
    for i in $(seq 6); do
        ldapsearch -x -D "uid=testuser1,$ldap_base" -w invalid >/dev/null 2>&1 &
    done
4. Check relevant ppolicy attributes, like:
    ldapsearch -x -H LDAPI:// -b "uid=testuser1,$ldap_base" + | \
        grep -E '^(pwdFailureTime|pwdAccountLockedTime):'
This often shows no pwdAccountLockedTime but enough (or more) pwdFailureTime
values to meet the lockout policy.
--
You are receiving this mail because:
You are on the CC list for the issue.
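A check for the state the report describes, as an added example (it is not part of the bug report or of OpenLDAP): it reads the LDIF that the `ldapsearch ... +` command in step 4 prints, counts pwdFailureTime values per entry, and flags entries that have reached the policy's pwdMaxFailure without carrying pwdAccountLockedTime. The LDIF below is constructed sample data; PWD_MAX_FAILURE is the value used in step 2, and the small LDIF reader handles folded lines and base64 values so it can be pointed at real ldapsearch output on stdin.

```python
"""Audit ppolicy lockout state from ldapsearch LDIF output.

Added example for the pwdFailureTime race; not part of the bug report or of
OpenLDAP. Entries at or past pwdMaxFailure failures with no
pwdAccountLockedTime are the inconsistent state the report describes.
The LDIF below is constructed sample data, not a capture from a server.
"""
import base64
import re
from collections import defaultdict

PWD_MAX_FAILURE = 5  # the pwdMaxFailure value from step 2 of the report

# Constructed sample resembling `ldapsearch -x -H ldapi:// -b "uid=...,$ldap_base" +`
SAMPLE_LDIF = """\
dn: uid=testuser1,dc=example,dc=com
objectClass: inetOrgPerson
pwdPolicySubentry: cn=default,ou=poli
 cies,dc=example,dc=com
pwdFailureTime: 20200901120000.000001Z
pwdFailureTime: 20200901120000.000002Z
pwdFailureTime: 20200901120000.000003Z
pwdFailureTime: 20200901120000.000004Z
pwdFailureTime: 20200901120000.000005Z
pwdFailureTime: 20200901120000.000006Z

dn: uid=testuser2,dc=example,dc=com
objectClass: inetOrgPerson
pwdFailureTime: 20200901120100.000001Z
pwdFailureTime: 20200901120100.000002Z
pwdFailureTime: 20200901120100.000003Z
pwdFailureTime: 20200901120100.000004Z
pwdFailureTime: 20200901120100.000005Z
pwdAccountLockedTime: 20200901120100.000005Z

dn: uid=testuser3,dc=example,dc=com
objectClass: inetOrgPerson
description:: dMOpc3Q=
pwdFailureTime: 20200901120200.000001Z
"""

LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Minimal LDIF reader returning a list of (dn, {attr_lower: [values]}).

    Supports folded lines (continuations start with one space), plain
    'attr: value' and base64 'attr:: value'; comments and 'version:' are skipped.
    """
    entries = []
    dn, attrs = None, None
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold first
        if not line.strip():                            # blank line ends an entry
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name.lower() == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            attrs[name.lower()].append(value)
    if dn is not None:
        entries.append((dn, dict(attrs)))
    return entries


def lockout_state(entries):
    """Map each DN to (failure_count, locked) from the ppolicy attributes."""
    return {
        dn: (len(attrs.get("pwdfailuretime", [])), "pwdaccountlockedtime" in attrs)
        for dn, attrs in entries
    }


def lockout_inconsistencies(entries, pwd_max_failure):
    """DNs that have reached pwd_max_failure failures but are not locked.

    With pwdLockout: TRUE the overlay should have set pwdAccountLockedTime by
    the pwdMaxFailure-th failure; an entry at or past that count without it
    is the state the race leaves behind.
    """
    return [
        dn for dn, (failures, locked) in lockout_state(entries).items()
        if failures >= pwd_max_failure and not locked
    ]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    entries = parse_ldif(text)
    for dn, (failures, locked) in lockout_state(entries).items():
        print("%s: %d failure(s), %s" % (dn, failures, "locked" if locked else "NOT locked"))
    for dn in lockout_inconsistencies(entries, PWD_MAX_FAILURE):
        print("INCONSISTENT: %s" % dn)
```

Piping `ldapsearch -x -H ldapi:// -b "$ldap_base" '(pwdFailureTime=*)' + | python3 audit.py` over a whole subtree gives a quick sweep after a burst of failed binds; in the sample, testuser1 is reported as inconsistent, testuser2 is locked as the policy intends, and testuser3 is still below the threshold.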
https://bugs.openldap.org/show_bug.cgi?id=9320
Issue ID: 9320
Summary: ldapsearch nettimeout doesn't work with startTls when the server address is not reachable
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs(a)openldap.org
Reporter: allen.zhang(a)audiocodes.com
Target Milestone: ---
We found that ldapsearch doesn't return with failure according to the
nettimeout when the server address is not valid. It fails only after the TCP
timeout (about 120 seconds in my environment).
We dug into the source code and found that:
In common.c, we set the nettimeout after ldap_start_tls_s is called.
We tried to call "ldap_set_option( ld, LDAP_OPT_NETWORK_TIMEOUT, (void *)
&nettimeout )" before ldap_start_tls_s and it works well!
https://bugs.openldap.org/show_bug.cgi?id=7743
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|OL_2_5_REQ |
Status|RESOLVED |VERIFIED
https://bugs.openldap.org/show_bug.cgi?id=7743
Howard Chu <hyc(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |DUPLICATE
Status|UNCONFIRMED |RESOLVED
--- Comment #8 from Howard Chu <hyc(a)openldap.org> ---
*** This issue has been marked as a duplicate of issue 8868 ***
https://bugs.openldap.org/show_bug.cgi?id=8868
Howard Chu <hyc(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |yos-nishino(a)ys.jp.nec.com
--- Comment #5 from Howard Chu <hyc(a)openldap.org> ---
*** Issue 7743 has been marked as a duplicate of this issue. ***
https://bugs.openldap.org/show_bug.cgi?id=8047
--- Comment #7 from Allen Zhang <allen.zhang(a)audiocodes.com> ---
We will try to reproduce the SSL engine problem.
But we do see there is another problem in the TCP connecting phase, before
the SSL connection: no timeout if the server IP is not reachable.
https://bugs.openldap.org/show_bug.cgi?id=5840
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|bdb_online_index and shutdown |mdb online indexing and shutdown
https://bugs.openldap.org/show_bug.cgi?id=7400
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED
https://bugs.openldap.org/show_bug.cgi?id=7400
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |WONTFIX
Keywords|OL_2_5_REQ |
Target Milestone|2.5.0 |---
--- Comment #11 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
For 2.5, memberof is deprecated and the recommendation is to use slapo-dynlist
as a replacement. The 2.5 dynlist allows memberOf population on objects via
static and/or dynamic groups.
https://bugs.openldap.org/show_bug.cgi?id=5422
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.openldap.org/show_bug.cgi?id=5421
https://bugs.openldap.org/show_bug.cgi?id=5421
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.openldap.org/show_bug.cgi?id=5422
https://bugs.openldap.org/show_bug.cgi?id=8738
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|has_patch, OL_2_5_REQ |
Target Milestone|2.5.0 |---
Status|RESOLVED |VERIFIED
https://bugs.openldap.org/show_bug.cgi?id=8738
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|UNCONFIRMED |RESOLVED
--- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
Hi Dieter,
Your change removes startTLS from being critical, which is a critical part of
what's being tested. I.e., it allows the startTLS operation to fail.
If you're still seeing this issue, it would imply that your system does not
have a validly configured "localhost".
Regards,
Quanah
https://bugs.openldap.org/show_bug.cgi?id=8159
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|IN_PROGRESS |RESOLVED
Resolution|--- |TEST
Keywords|OL_2_5_REQ |
--- Comment #3 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
Commits:
• e749750a
by Quanah Gibson-Mount at 2020-09-01T19:40:36+00:00
ITS#8159 - Add missing "hard" parameter to size.prtotal
https://bugs.openldap.org/show_bug.cgi?id=6225
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|2.5.0 |---
Status|RESOLVED |VERIFIED
Keywords|OL_2_5_REQ |
https://bugs.openldap.org/show_bug.cgi?id=6225
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|UNCONFIRMED |RESOLVED
--- Comment #8 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
Superseded by Issue#6567
https://bugs.openldap.org/show_bug.cgi?id=8159
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |IN_PROGRESS
Ever confirmed|0 |1
--- Comment #2 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
https://git.openldap.org/openldap/openldap/-/merge_requests/131
https://bugs.openldap.org/show_bug.cgi?id=8333
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|OL_2_5_REQ |
Target Milestone|2.5.0 |2.6.0
https://bugs.openldap.org/show_bug.cgi?id=6151
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|OL_2_5_REQ |
Status|IN_PROGRESS |CONFIRMED
Target Milestone|2.5.0 |2.6.0
--- Comment #21 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
Punting to 2.6
https://bugs.openldap.org/show_bug.cgi?id=8175
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|OL_2_5_REQ |
Status|UNCONFIRMED |RESOLVED
Resolution|--- |TEST
--- Comment #3 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
Commits:
• 04124c1f
by Quanah Gibson-Mount at 2020-09-01T18:04:06+00:00
ITS#8175 - Fix missing descriptions for olcDisallows for
proxy_authz_non_critical and dontusecopy_non_critical
https://bugs.openldap.org/show_bug.cgi?id=8047
--- Comment #6 from Allen Zhang <allen.zhang(a)audiocodes.com> ---
Hi,
What we see is that we get stuck at the connect() below for 120 seconds.
If opt_tv is set, connect() runs in non-blocking mode and returns
immediately.
Later, in ldap_int_poll(), the network timeout takes effect.
What do you think?
static int
ldap_pvt_connect(LDAP *ld, ber_socket_t s,
	struct sockaddr *sin, ber_socklen_t addrlen,
	int async)
{
	int rc, err;
	struct timeval tv, *opt_tv = NULL;

#ifdef LDAP_CONNECTIONLESS
	/* We could do a connect() but that would interfere with
	 * attempts to poll a broadcast address
	 */
	if (LDAP_IS_UDP(ld)) {
		if (ld->ld_options.ldo_peer)
			ldap_memfree(ld->ld_options.ldo_peer);
		ld->ld_options.ldo_peer=ldap_memcalloc(1,
			sizeof(struct sockaddr_storage));
		AC_MEMCPY(ld->ld_options.ldo_peer,sin,addrlen);
		return ( 0 );
	}
#endif
	/* opt_tv is only set when a network timeout has been configured
	 * (LDAP_OPT_NETWORK_TIMEOUT) at the time the connection is made */
	if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
		tv = ld->ld_options.ldo_tm_net;
		opt_tv = &tv;
	}

	osip_debug(ld, "ldap_pvt_connect: fd: %d tm: %ld async: %d\n",
		s, opt_tv ? tv.tv_sec : -1L, async);

	/* with a timeout, switch the socket to non-blocking before connect() */
	if ( opt_tv && ldap_pvt_ndelay_on(ld, s) == -1 )
		return ( -1 );

	do{
		osip_debug(ld, "attempting to connect: \n", 0, 0, 0);
		if ( connect(s, sin, addrlen) != AC_SOCKET_ERROR ) {
			osip_debug(ld, "connect success\n", 0, 0, 0);

			if ( !async && opt_tv && ldap_pvt_ndelay_off(ld, s) == -1 )
				return ( -1 );
			return ( 0 );
		}
		err = sock_errno();
		osip_debug(ld, "connect errno: %d\n", err, 0, 0);

	} while(err == EINTR &&
		LDAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_RESTART ));

	if ( err != EINPROGRESS && err != EWOULDBLOCK ) {
		return ( -1 );
	}

	if ( async ) {
		/* caller will call ldap_int_poll() as appropriate? */
		return ( -2 );
	}

	/* non-blocking connect in progress: wait for it, bounded by opt_tv */
	rc = ldap_int_poll( ld, s, opt_tv, 1 );
	osip_debug(ld, "ldap_pvt_connect: %d\n", rc, 0, 0);
	return rc;
}
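What the ldap_pvt_connect() excerpt above boils down to, and why the ordering reported in issue 9320 matters: libldap takes the non-blocking connect() path only when a network timeout is configured at the moment the connection is made, so LDAP_OPT_NETWORK_TIMEOUT set after ldap_start_tls_s (which opens the connection) arrives too late. The helper below is an added example and not OpenLDAP code; it reproduces the same pattern (non-blocking connect(), poll() bounded by the timeout, SO_ERROR check, blocking mode restored for a synchronous caller) with plain POSIX sockets. The loopback listener, the ephemeral port and the 2-second timeout are constructed for the demonstration.

```c
/* Connect-with-timeout in the shape of libldap's ldap_pvt_connect().
 * Added example, not OpenLDAP's code: plain POSIX sockets, no libldap. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 on success, -1 on error (errno set), -2 on timeout (errno = ETIMEDOUT). */
int connect_with_timeout(int s, const struct sockaddr *sa, socklen_t len, int timeout_ms)
{
    /* step 1: non-blocking mode, the equivalent of ldap_pvt_ndelay_on() */
    int flags = fcntl(s, F_GETFL, 0);
    if (flags == -1 || fcntl(s, F_SETFL, flags | O_NONBLOCK) == -1)
        return -1;

    /* step 2: connect(), retrying only on EINTR */
    int rc;
    do {
        rc = connect(s, sa, len);
    } while (rc == -1 && errno == EINTR);

    if (rc == -1 && errno != EINPROGRESS && errno != EWOULDBLOCK)
        return -1;                  /* immediate failure, e.g. ECONNREFUSED */

    if (rc == -1) {
        /* step 3: handshake in progress; wait for writability, but not forever */
        struct pollfd pfd = { .fd = s, .events = POLLOUT };
        int n;
        do {
            n = poll(&pfd, 1, timeout_ms);
        } while (n == -1 && errno == EINTR);
        if (n == 0) { errno = ETIMEDOUT; return -2; }
        if (n == -1) return -1;

        /* POLLOUT fires for both success and failure; SO_ERROR tells which */
        int err = 0;
        socklen_t elen = sizeof err;
        if (getsockopt(s, SOL_SOCKET, SO_ERROR, &err, &elen) == -1) return -1;
        if (err) { errno = err; return -1; }
    }

    /* step 4: synchronous caller, restore blocking mode (ldap_pvt_ndelay_off()) */
    if (fcntl(s, F_SETFL, flags) == -1) return -1;
    return 0;
}

/* Connect to 127.0.0.1:port with the given timeout; returns the rc above. */
int try_loopback(unsigned short port, int timeout_ms)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1) return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = connect_with_timeout(s, (struct sockaddr *)&sin, sizeof sin, timeout_ms);
    close(s);
    return rc;
}

/* Demo fixture: a listener on an ephemeral loopback port. Returns the fd, fills *port. */
int open_listener(unsigned short *port)
{
    int l = socket(AF_INET, SOCK_STREAM, 0);
    if (l == -1) return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;
    if (bind(l, (struct sockaddr *)&sin, sizeof sin) == -1 || listen(l, 1) == -1) {
        close(l);
        return -1;
    }
    socklen_t slen = sizeof sin;
    if (getsockname(l, (struct sockaddr *)&sin, &slen) == -1) {
        close(l);
        return -1;
    }
    *port = ntohs(sin.sin_port);
    return l;
}

int main(void)
{
    unsigned short port;
    int l = open_listener(&port);
    if (l == -1) { perror("listener"); return 1; }
    printf("listening on 127.0.0.1:%u -> rc %d\n", port, try_loopback(port, 2000));
    close(l);
    printf("nothing listening on %u   -> rc %d (%s)\n", port, try_loopback(port, 2000), strerror(errno));
    return 0;
}
```

Against a listening port the call returns 0 and against a closed loopback port -1 at once; only an address that swallows SYNs (a filtered or unreachable host, the case in issue 9320) reaches the poll() timeout and returns -2 instead of waiting out the kernel's own connect timeout. In libldap terms the same guarantee is obtained by calling `ldap_set_option( ld, LDAP_OPT_NETWORK_TIMEOUT, &nettimeout )` before the first operation that opens the connection, which for the client tools is ldap_start_tls_s when -Z is used.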
https://bugs.openldap.org/show_bug.cgi?id=8159
--- Comment #1 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
So if the argument is "hard", then the code will use the "hard" limit set to
the general "sizelimit" parameter.
https://bugs.openldap.org/show_bug.cgi?id=8047
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|OL_2_5_REQ |
Target Milestone|2.5.0 |---
--- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
Not possible until all SSL engines support async in the underlying SSL library,
which is currently not the case
https://bugs.openldap.org/show_bug.cgi?id=8047
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |allen.zhang(a)audiocodes.com
--- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
*** Issue 9320 has been marked as a duplicate of this issue. ***