- openldap-bugs - openldap.org

(ITS#9118) Add support for MAP_NOSYNC
by quanah＠openldap.org 15 Nov '19

15 Nov '19

Full_Name: Quanah Gibson-Mount Version: 2.4.48 OS: FreeBSD 11 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.143.26) To improve back-mdb performance on LMDB when dbnosync is set, it would be useful to support MAP_NOSYNC as documented at http://nixdoc.net/man-pages/FreeBSD/mmap.2.html

1 0

Re: (ITS#9117) LMDB incorrect value for mapsize [Docs]
by hyc＠symas.com 14 Nov '19

14 Nov '19

progr-d(a)yandex.ru wrote: > No, I mean that in the code it is 1MB, and in the documentation - 10MB. Repeating myself just this once: Yes, this is known. The point is that yo= u're not supposed to trust the default value, you're supposed to always set th= e size explicitly. Closing this ITS. > 14 =D0=BD=D0=BE=D1=8F=D0=B1. 2019 =D0=B3., 5:05 +0300, Howard Chu <hyc@= symas.com>, =D0=BF=D0=B8=D1=81=D0=B0=D0=BB: >> progr-d(a)yandex.ru wrote: >>> Full_Name: Denis >>> Version: lmdb 0.9.24 >>> OS: macOS >>> URL: ftp://ftp.openldap.org/incoming/ >>> Submission from: (NULL) (80.211.15.98) >>> >>> >>> Incorrect value in documentation or code for DEFAULT_MAPSIZE: in code= is >>> 1048576, but in doc: 10485760. >>> >>> Code: http://www.lmdb.tech/doc/group__internal.html#ga506f893519db205= 966f7988c03c920f5 >>> Doc (see method description):=C2=A0http://www.lmdb.tech/doc/group__md= b.html#gaa2506ec8dab3d969b0e609cd82e619e5 >> >> Yes, this is known. The point is to force you to explicitly set a sane= value, therefore this >> will never be changed. >> >> -- >> -- Howard Chu >> CTO, Symas Corp. http://www.symas.com >> Director, Highland Sun http://highlandsun.com/hyc/ >> Chief Architect, OpenLDAP http://www.openldap.org/project/ --=20 -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#9117) LMDB incorrect value for mapsize [Docs]
by progr-d＠yandex.ru 14 Nov '19

14 Nov '19

--5dccf546_46e87ccd_19a8 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline No, I mean that in the code it is 1MB, and in the documentation - 10MB. 14 =D0=BD=D0=BE=D1=8F=D0=B1. 2019 =D0=B3., 5:05 +0300, Howard Chu <hyc=40= symas.com>, =D0=BF=D0=B8=D1=81=D0=B0=D0=BB: > progr-d=40yandex.ru wrote: > > =46ull=5FName: Denis > > Version: lmdb 0.9.24 > > OS: macOS > > URL: ftp://ftp.openldap.org/incoming/ > > Submission from: (NULL) (80.211.15.98) > > > > > > Incorrect value in documentation or code for DE=46AULT=5FMAPSIZE: in = code is > > 1048576, but in doc: 10485760. > > > > Code: http://www.lmdb.tech/doc/group=5F=5Finternal.html=23ga506f89351= 9db205966f7988c03c920f5 > > Doc (see method description):=C2=A0http://www.lmdb.tech/doc/group=5F=5F= mdb.html=23gaa2506ec8dab3d969b0e609cd82e619e5 > > Yes, this is known. The point is to force you to explicitly set a sane = value, therefore this > will never be changed. > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ --5dccf546_46e87ccd_19a8 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline <html xmlns=3D=22http://www.w3.org/1999/xhtml=22> <head> <title></title> </head> <body> <div name=3D=22messageBodySection=22> <div dir=3D=22auto=22>No, I mean that in the code it is 1MB, and in the d= ocumentation - 10MB.</div> </div> <div name=3D=22messageReplySection=22>14 =D0=BD=D0=BE=D1=8F=D0=B1. 2019 =D0= =B3., 5:05 +0300, Howard Chu <hyc=40symas.com>, =D0=BF=D0=B8=D1=81=D0= =B0=D0=BB:<br /> <blockquote type=3D=22cite=22 class=3D=22spark=5Fquote=22 style=3D=22marg= in: 5px 5px; padding-left: 10px; border-left: thin solid =231abc9c;=22>pr= ogr-d=40yandex.ru wrote:<br /> <blockquote type=3D=22cite=22 class=3D=22spark=5Fquote=22 style=3D=22marg= in: 5px 5px; padding-left: 10px; border-left: thin solid =23e67e22;=22>=46= ull=5FName: Denis<br /> Version: lmdb 0.9.24<br /> OS: macOS<br /> URL: ftp://ftp.openldap.org/incoming/<br /> Submission from: (NULL) (80.211.15.98)<br /> <br /> <br /> Incorrect value in documentation or code for DE=46AULT=5FMAPSIZE: in code= is<br /> 1048576, but in doc: 10485760.<br /> <br /> Code: http://www.lmdb.tech/doc/group=5F=5Finternal.html=23ga506f893519db2= 05966f7988c03c920f5<br /> Doc (see method description):&=23160;http://www.lmdb.tech/doc/group=5F=5F= mdb.html=23gaa2506ec8dab3d969b0e609cd82e619e5<br /></blockquote> <br /> Yes, this is known. The point is to force you to explicitly set a sane va= lue, therefore this<br /> will never be changed.<br /> <br /> --<br /> -- Howard Chu<br /> CTO, Symas Corp. http://www.symas.com<br /> Director, Highland Sun http://highlandsun.com/hyc/<br /> Chief Architect, OpenLDAP http://www.openldap.org/project/<br /></blockqu= ote> </div> </body> </html> --5dccf546_46e87ccd_19a8--

1 0

Re: (ITS#9117) LMDB incorrect value for mapsize [Docs]
by hyc＠symas.com 14 Nov '19

14 Nov '19

progr-d(a)yandex.ru wrote: > Full_Name: Denis > Version: lmdb 0.9.24 > OS: macOS > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (80.211.15.98) >=20 >=20 > Incorrect value in documentation or code for DEFAULT_MAPSIZE: in code i= s > 1048576, but in doc: 10485760. >=20 > Code: http://www.lmdb.tech/doc/group__internal.html#ga506f893519db20596= 6f7988c03c920f5 > Doc (see method description):=C2=A0http://www.lmdb.tech/doc/group__mdb.= html#gaa2506ec8dab3d969b0e609cd82e619e5 Yes, this is known. The point is to force you to explicitly set a sane va= lue, therefore this will never be changed. --=20 -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#9117) LMDB incorrect value for mapsize [Docs]
by progr-d＠yandex.ru 13 Nov '19

13 Nov '19

Full_Name: Denis Version: lmdb 0.9.24 OS: macOS URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (80.211.15.98) Incorrect value in documentation or code for DEFAULT_MAPSIZE: in code is 1048576, but in doc: 10485760. Code: http://www.lmdb.tech/doc/group__internal.html#ga506f893519db205966f7988c03c… Doc (see method description): http://www.lmdb.tech/doc/group__mdb.html#gaa2506ec8dab3d969b0e609cd82e619e5

1 0

Re: (ITS#8575) Argon2 Password hashing contrib module
by ondra＠mistotebe.net 12 Nov '19

12 Nov '19

On Mon, Nov 11, 2019 at 05:48:05PM +0000, ondra(a)mistotebe.net wrote: > An implementation using libsodium is now available at > https://github.com/mistotebe/openldap/tree/its8575-argon > > Not configurable yet as to what parameters are chosen when a plaintext > password is being hashed, however. That branch now supports parameters being passed in at module load time. It won't help slappasswd as that one doesn't know how to pass parameters to modules but that is a different issue. -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

Re: (ITS#8575) Argon2 Password hashing contrib module
by ondra＠mistotebe.net 11 Nov '19

11 Nov '19

On Thu, Jan 31, 2019 at 03:20:22PM +0000, simon(a)slevermann.de wrote: > Hi, > > I have essentially given up on doing this, because I no longer work for > the employer that had me work on this, and at the time I did, I never > got the thing done. The code itself worked when I tried it, but it has > the caveat of not being configurable. I never quite found out how to > properly implement configuration of a module that isn't an overlay, so I > never got that done. Feel free to adjust the existing code, it should be > adaptable to libsodium relatively easily. An implementation using libsodium is now available at https://github.com/mistotebe/openldap/tree/its8575-argon Not configurable yet as to what parameters are chosen when a plaintext password is being hashed, however. Regards, -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

Re: (ITS#9116) LMDB: Bogus BAD_DBI result on read-only txn
by hyc＠symas.com 10 Nov '19

10 Nov '19

hyc(a)openldap.org wrote: > Full_Name: Howard Chu > Version: 0.9.24 > OS: Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (84.203.24.208) > Submitted by: hyc > > > There are some cases when renewing a cursor in a read-only txn that may return > MDB_BAD_DBI if the DBI has gone stale. This error is spurious, the check is only > supposed to be done in writable txns (see ITS#7825). A patch was pushed to mdb.master, but it is apparently not actually needed. The actual problem was caused by reusing a readtxn that had been left open after its original env had been closed and re-opened. This is a misuse of the API, all txns must be closed before closing the env. Ignore this issue. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#9116) LMDB: Bogus BAD_DBI result on read-only txn
by hyc＠openldap.org 10 Nov '19

10 Nov '19

Full_Name: Howard Chu Version: 0.9.24 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (84.203.24.208) Submitted by: hyc There are some cases when renewing a cursor in a read-only txn that may return MDB_BAD_DBI if the DBI has gone stale. This error is spurious, the check is only supposed to be done in writable txns (see ITS#7825).

1 0

Re: (ITS#9115) It seems like the parameters about tlsCipherSuite not work
by quanah＠symas.com 08 Nov '19

08 Nov '19

--On Wednesday, November 6, 2019 8:14 AM +0000 bjmoya(a)cn.ibm.com wrote: > Full_Name: nancy.mo > Version: 2.4.46 > OS: redhat7 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (129.42.208.182) Hello, The ITS system is for bug reports, not help requests. Please redirect your question to the openldap-technical list for further assistance. <https://www.openldap.org/lists/mm/listinfo/openldap-technical> Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#9114) pagedResultsControl not available in openldap search response
by quanah＠symas.com 08 Nov '19

08 Nov '19

--On Monday, November 4, 2019 11:52 AM +0000 prashanthmadduri(a)gmail.com wrote: > Full_Name: Prashanth Madduri > Version: 2.4.40 > OS: Windows > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (103.6.33.5) > > > Hi Team, > > I have huge data in OpenLDAP server and retrieve data using pagination. I > am using LDAPJS client library search functionality with paging to > retrieve the data. However as per my observation the response is not > returning pagedResultsControl in response. Hello, The ITS system is for bug reports, not help requests. Please redirect your question to the openldap-technical list for further assistance. <https://www.openldap.org/lists/mm/listinfo/openldap-technical> Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#9113) i can not find memberOf.la file
by quanah＠symas.com 08 Nov '19

08 Nov '19

--On Tuesday, October 29, 2019 2:47 AM +0000 machao0605(a)qq.com wrote: > Full_Name: ma > Version: 2.4.44 > OS: centos 7.5 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (119.253.39.18) Hello, The ITS system is for bug reports, not help requests. Please redirect your question to the openldap-technical list for further assistance. <https://www.openldap.org/lists/mm/listinfo/openldap-technical> Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

(ITS#9115) It seems like the parameters about tlsCipherSuite not work
by bjmoya＠cn.ibm.com 06 Nov '19

06 Nov '19

Full_Name: nancy.mo Version: 2.4.46 OS: redhat7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (129.42.208.182) Hi, I set the parameter about cipher suite in client(ldap.conf) and server (slapd.conf) and restart the service, the tcp/ip log, find the cipher not changed. In ldap.conf: TLS_CIPHER_SUITE ALL:!TLSv1.3 In slapd.conf: TLSCipherSuite !TLSv1.3 openssl provide those cipher suites: [root@ ~]# openssl ciphers -v 'TLSv1.3' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD when openldap worked as a client, it send 4 cipher suites to server in TLS1.3 client hello. Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303) Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302) When openldap worked as a server, it used TLS_AES_256_GCM_SHA384 to connect in TLS server hello. And when i set one specific cipher in client, TLS_CIPHER_SUITE TLS_CHACHA20_POLY1305_SHA256 It also send same four suites in client hello. Could you help me to have a look? thanks.

1 0

(ITS#9114) pagedResultsControl not available in openldap search response
by prashanthmadduri＠gmail.com 04 Nov '19

04 Nov '19

Full_Name: Prashanth Madduri Version: 2.4.40 OS: Windows URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (103.6.33.5) Hi Team, I have huge data in OpenLDAP server and retrieve data using pagination. I am using LDAPJS client library search functionality with paging to retrieve the data. However as per my observation the response is not returning pagedResultsControl in response. Please assist. Thanks in advance. Regards, Prashanth

1 0

(ITS#9113) i can not find memberOf.la file
by machao0605＠qq.com 29 Oct '19

29 Oct '19

Full_Name: ma Version: 2.4.44 OS: centos 7.5 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (119.253.39.18) Dear develops: I hava some trouble use openldap . I use openldap-2.4.44.tgz package. when i install this software . I can not find olcModulePath. i see /usr/local/etc/openldap/slapd.ldif it show this dir is /usr/local/libexec/openldap but i can not find it . i need a file name is memberOf.la . so could you help me to find it ? thanks ! This is me install openldap step: 1../configure --with-tls=openssl --enable-syslog --enable-module -- enable-debug CPPFLAGS="-I/usr/local/bdb_5.2.42/include" LDFLAGS="- L/usr/local/bdb_5.2.42/lib -Wl,-rpath,/usr/local/bdb_5.2.42/lib" 2.make depend 3.make 4.make install

1 0

(ITS#9112) Fixup socket error handling
by hyc＠openldap.org 29 Oct '19

29 Oct '19

Full_Name: Howard Chu Version: 2.4 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (84.203.24.208) Submitted by: hyc During connection setup, there are a couple of places where we perform operations on a socket and log an error if it fails, but otherwise keep going. It turns out, if the error is EBADF, eventually this gets back to the event loop, which always does a clean shutdown on any socket error. We should instead stop init'ing the socket, and not hand it over to the event loop. This situation only arose because of a long-standing bug in 3rd party code that was double-closing an fd. https://github.com/heimdal/heimdal/issues/431 . In normal situations, none of this can ever occur. Regardless, tracking this here and committing the debug code we used to track it down, in case we ever need it again in the future.

1 0

Re: (ITS#9107) new feature
by quanah＠symas.com 28 Oct '19

28 Oct '19

--On Monday, October 28, 2019 2:33 AM +0000 ydgdsnn(a)163.com wrote: > Full_Name: Nannan Song I would ask in the future that you not spam the bug system with 8 copies of the same report. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#9100) Issue with domainScope controlValue implementation
by hyc＠symas.com 28 Oct '19

28 Oct '19

Philip Brusten wrote: >=20 > On 25/10/2019 18:41, Howard Chu wrote: >> philip.brusten(a)kuleuven.be wrote: >>> That fix was based on (old?) documentation of MS from >>> https://msdn.microsoft.com/en-us/library/aa366979%28v=3Dvs.85%29.aspx >>> The is no current version of this document. >> The above URL redirects me to https://docs.microsoft.com/en-us/previou= s-versions/windows/desktop/ldap/ldap-server-domain-scope-oid >> >> Our implementation conforms to the above spec. > Correct, but the URL path contains "previous-versions", hence I was loo= king for the current version, which does not exist. >> This is the correct response to a malformed message according to RFC45= 11. >=20 > Could you please quote the RFC4511 on this?=C2=A0 This is not 100% clea= r to me... This is simply the definition of the protocolError result code. RFC 4511 = Appendix A, section A.2. >>> We observed that the controlValue is than missing via Wireshark. So w= e see a >>> difference on the line for empty octet strings, but should it matter? >> Yes, in ASN.1 "empty value" and "absent value" are not the same thing.= E.g., you can >> store zero-length strings as attribute values. Those values are "prese= nt" even though >> they are empty. >=20 > IMHO Microsoft and OpenLDAP are doing the same thing on a protocol leve= l. You are both setting the controlValue to a struct {0,NULL}. >=20 > However with Microsoft, this is still translated to the network level, = whereas with OpenLDAP this controlValue is omitted. >=20 > The "value" of the "controlValue" struct is however still NULL. So it's= not clear to me why it's translated to empty, not null. (is there an som= ewhere an > assumption that translates zero-length octet string to non null values?= ) See the ASN.1 specification of controls, RFC 4511 section 4.1.11. The val= ue must be absent if there is no value information that is associated with a control of its= type. >> MS is playing fast and loose with their specifications and implementat= ion. This is >> at the very least a doc bug in their control specification, if it's no= t just a bug >> in their client libraries. You should at least open a bug report with = them so that >> it's on the record somewhere (even if they ultimately ignore it). >> >> We can alter our parser to relax this check, I guess. Along with a com= ment explaining >> that this is done for compatibility with MS's broken clients. This is = not the first >> time we've run into MS spec and implementation disagreeing with each o= ther... >=20 > We will submit the issue to MS. But in the case of this domainScope con= trol, it should not matter if the value is empty or missing, only the con= trolType is > relevant. Could Postel's law be applied in this case? As I already said, we can relax this check. But considering that Microsoft are the authors of both the spec and their= implementation of this control, and the two don't agree, and this is not the only instance = of such occurrences (the pagedResults control also comes to mind) you have to wonder - are th= ey just too stupid and incompetent to implement their own spec, or have they broken things i= ntentionally, to prevent their clients from working with non-Microsoft servers... --=20 -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#9100) Issue with domainScope controlValue implementation
by philip.brusten＠kuleuven.be 28 Oct '19

28 Oct '19

On 25/10/2019 18:41, Howard Chu wrote: > philip.brusten(a)kuleuven.be wrote: >> That fix was based on (old?) documentation of MS from >> https://msdn.microsoft.com/en-us/library/aa366979%28v=vs.85%29.aspx >> The is no current version of this document. > The above URL redirects me to https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/lda… > > Our implementation conforms to the above spec. Correct, but the URL path contains "previous-versions", hence I was looking for the current version, which does not exist. > This is the correct response to a malformed message according to RFC4511. Could you please quote the RFC4511 on this? This is not 100% clear to me... >> The LDAP Extended Control spec of MS states [2]: >>> If the controlValue field contains data that is not in conformance with the >>> specification of the control, including the case where the controlValue field contains data and the specification of the control states that the controlValue field is omitted, then if the control is marked critical the server returns the error unavailableCriticalExtension / ERROR_INVALID_PARAMETER. If the controlValue field is incorrect but the control is not marked critical, the server ignores the control. > MS seems to be inventing their own protocol here since RFC4511 contains no such language. >> So the server should only return an error when the control is marked critical. >> Otherwise it should *ignore* the control. >> >> Is it possible to relax the validation of the LDAP control at [3]? Since there >> is no value associated with this control, it should not matter if the >> controlValue is missing or an empty octet string {0,NULL}... >> >> The ldapsearch code sets the controlValue to [4]: >>> c[i].ldctl_value.bv_val = NULL; >>> c[i].ldctl_value.bv_len = 0; >> We observed that the controlValue is than missing via Wireshark. So we see a >> difference on the line for empty octet strings, but should it matter? > Yes, in ASN.1 "empty value" and "absent value" are not the same thing. E.g., you can > store zero-length strings as attribute values. Those values are "present" even though > they are empty. IMHO Microsoft and OpenLDAP are doing the same thing on a protocol level. You are both setting the controlValue to a struct {0,NULL}. However with Microsoft, this is still translated to the network level, whereas with OpenLDAP this controlValue is omitted. The "value" of the "controlValue" struct is however still NULL. So it's not clear to me why it's translated to empty, not null. (is there an somewhere an assumption that translates zero-length octet string to non null values?) > MS is playing fast and loose with their specifications and implementation. This is > at the very least a doc bug in their control specification, if it's not just a bug > in their client libraries. You should at least open a bug report with them so that > it's on the record somewhere (even if they ultimately ignore it). > > We can alter our parser to relax this check, I guess. Along with a comment explaining > that this is done for compatibility with MS's broken clients. This is not the first > time we've run into MS spec and implementation disagreeing with each other... We will submit the issue to MS. But in the case of this domainScope control, it should not matter if the value is empty or missing, only the controlType is relevant. Could Postel's law be applied in this case? Regards, Philip

1 0

ITS#9106 published: SECURITY: new feature
by openldap-its＠OpenLDAP.org 28 Oct '19

28 Oct '19

Private ITS#9106 is now publicly readable URL: http://www.OpenLDAP.org/its/?findid=9106

1 0

ITS#9105 published: SECURITY: new feature
by openldap-its＠OpenLDAP.org 28 Oct '19

28 Oct '19

Private ITS#9105 is now publicly readable URL: http://www.OpenLDAP.org/its/?findid=9105

1 0

ITS#9104 published: SECURITY: new feature
by openldap-its＠OpenLDAP.org 28 Oct '19

28 Oct '19

Private ITS#9104 is now publicly readable URL: http://www.OpenLDAP.org/its/?findid=9104

1 0

ITS#9103 published: SECURITY: new feature
by openldap-its＠OpenLDAP.org 28 Oct '19

28 Oct '19

Private ITS#9103 is now publicly readable URL: http://www.OpenLDAP.org/its/?findid=9103

1 0

Re: (ITS#9107) new feature
by hyc＠symas.com 28 Oct '19

28 Oct '19

ydgdsnn(a)163.com wrote: > Full_Name: Nannan Song > Version: 2.4.44 > OS: SUSE > URL: > Submission from: (NULL) (221.226.97.96) > > > When LDAP is used to manage user and user group information, openldap only > supports the configuration of the plain text password of the read-only user in > the '/etc/ldap.conf/'. The password of the read-only user only supports plain > text storage. so there is a security issue that the authentication credential > file is readable to all users. > Now we hope ldap can support the feature that using the encrypted text to save > password for read only user. We saw this the first time, no need to resubmit it 10 times. Supposing you could put an encrypted password into ldap.conf - where would you put the key for decrypting the password, so that the software can use it? When LDAP is *correctly* used to manage user and group information, the credentials used to contact the LDAP server belong to a low-privilege account, so that theft of those credentials is of minimal harm. And they are used by a single authentication daemon (like nslcd in the nss-pam-ldapd package) and as such never appear in any world-readable files. Closing this ITS and all the other copies of it. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#9111) new feature:using the encrypted text to save password for read only user
by ydgdsnn＠163.com 28 Oct '19

28 Oct '19

Full_Name: Nannan Song Version: 2.4.44 OS: SUSE URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (221.226.97.96) When LDAP is used to manage user and user group information, openldap only supports the configuration of the plain text password of the read-only user in the '/etc/ldap.conf/'. The password of the read-only user only supports plain text storage. so there is a security issue that the authentication credential file is readable to all users. Now we hope ldap can support the feature that using the encrypted text to save password for read only user.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs