- openldap-bugs - openldap.org

[Issue 9888] New: When using cn=config replication, schema updates can corrupt the index database(s)
by openldap-its＠openldap.org 19 Oct '23

19 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=9888 Issue ID: 9888 Summary: When using cn=config replication, schema updates can corrupt the index database(s) Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- Today I pushed a schema update out to the config node that holds schema that is replicated to the providers and consumers. Post schema update, 2/11 servers crashed in the mdb online indexing function. I fixed this by slapcat the db and slapadd the db. This is important because it was later revealed that on the 9/11 servers that did not crash or have their database reloaded, ldapsearch would return the wrong attribute names for some attribute:value pairs in the database, which caused mayhem in downstream systems and caused replication issues between the nodes. The 2 nodes that were reloaded immediately after the schema change had the only "good" copies of the database left. To give an example, say an entry was something like: dn: uid=joe,ou=people,dc=example,dc=com uid: joe sn: smith cn: joe smith givenName: joe After the change, the broken servers could return something like: dn: uid=joe,ou=people,dc=example,dc=com uid: joe posixGroup: smith cn: joe smith givenName joe It's not clear how deeply this bug ran in the database. It for sure affected 2 attributes used by the person objectClass. Both of the "replacement" attributes were not valid attributes for the person objectClasses in use. Maybe related to the changes in ITS#9858? -- You are receiving this mail because: You are on the CC list for the issue.

1 19

[Issue 7649] Feature request: numSubordinates attribute
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7649 --- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> --- https://datatracker.ietf.org/doc/html/draft-boreham-numsubordinates-01 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7441] cn=config filters ignore {number}
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7441 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |ondra(a)mistotebe.net -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7422] olcExtraAttrs doesn't work with ACIs
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7422 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7422] olcExtraAttrs doesn't work with ACIs
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7422 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.7.0 |--- Status|UNCONFIRMED |RESOLVED Resolution|--- |SUSPENDED --- Comment #3 from Quanah Gibson-Mount <quanah(a)openldap.org> --- patches still welcome -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7420] Possible to bypass overlay unique and constraint
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7420 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |hyc(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7392] ACL a_dn.a_self is skipped in case of "acl_mask: to all values ..."
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7392 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |hyc(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7347] Exclusive bit masks for: ACL_WADD, ACL_WDEL, and ACL_WRITE
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7347 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |hyc(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7345] New Feature : Add Connection Information in Access Log Entries
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7345 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7345] New Feature : Add Connection Information in Access Log Entries
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7345 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|has_patch, IPR_OK | Target Milestone|2.7.0 |--- Resolution|--- |WONTFIX Status|UNCONFIRMED |RESOLVED --- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Better to consume this information from the operational logs at stat level -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7249] slapd segfault with memberof overlay on frontend db
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7249 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7249] slapd segfault with memberof overlay on frontend db
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7249 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |WONTFIX Target Milestone|2.7.0 |--- Status|IN_PROGRESS |RESOLVED --- Comment #17 from Quanah Gibson-Mount <quanah(a)openldap.org> --- memberof is deprecated, any remaining issues will not be fixed. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7091] Limit ppolicy_forward_updates
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7091 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7091] Limit ppolicy_forward_updates
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7091 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |WONTFIX Target Milestone|2.7.0 |--- Status|UNCONFIRMED |RESOLVED --- Comment #2 from Quanah Gibson-Mount <quanah(a)openldap.org> --- This would result in broken policies -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7047] slapd crash on bad indexed translucent
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7047 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |quanah(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7046] OpenLDAP logs nothing at info priority, excessive at debug priority
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7046 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7046] OpenLDAP logs nothing at info priority, excessive at debug priority
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7046 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |WONTFIX Status|UNCONFIRMED |RESOLVED Target Milestone|2.7.0 |--- --- Comment #2 from Quanah Gibson-Mount <quanah(a)openldap.org> --- better solution is to use local logging introduced with openldap 2.6 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7008] paged results against ldap-proxy errors with 'cookie is invalid'
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7008 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|SUSPENDED |WONTFIX --- Comment #17 from Quanah Gibson-Mount <quanah(a)openldap.org> --- See alternative solutions in comment #11 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7008] paged results against ldap-proxy errors with 'cookie is invalid'
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=7008 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7008] paged results against ldap-proxy errors with 'cookie is invalid'
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

1 0

[Issue 10112] New: We are working with the client that comes with openldap and cannot connect to TLS/SSL ldaps
by openldap-its＠openldap.org 12 Oct '23

12 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=10112 Issue ID: 10112 Summary: We are working with the client that comes with openldap and cannot connect to TLS/SSL ldaps Product: OpenLDAP Version: 2.6.6 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: 228844797(a)qq.com Target Milestone: --- Created attachment 985 --> https://bugs.openldap.org/attachment.cgi?id=985&action=edit slapd config Hello developers, Can you help me see how to solve this problem We are working with the client that comes with openldap and cannot connect to TLS/SSL ldaps,But I was able to access it using ldap:389 The server configuration information is as follows: Linux System version：Ubuntu 22.04.3 LTS OpenLDAP version：2.6.6 openssl version：OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) The slapd.ldif certificate is configured as follows: olcTLSCACertificateFile: /usr/local/openldap-2.6.6/cert/demoCA/newcerts/cacert.pem olcTLSCertificateFile: /usr/local/openldap-2.6.6/cert/demoCA/newcerts/slapd01-server.pem olcTLSCertificateKeyFile: /usr/local/openldap-2.6.6/cert/demoCA/private/slapd01-server-key.pem The server startup information is as follows: slapd -4 -F /usr/local/openldap-2.6.6/etc/openldap/slapd.d -h ldap:/// ldaps:/// ldapi:/// Configure the ldap.conf certificate on the client as follows: TLS_CACERT /usr/local/openldap-2.6.6/cert/demoCA/newcerts/ ####################################################################################################### Server local test failed: ldapwhoami -H ldaps://slapd.zxactions.com -d 1 The failure information is as follows: root@openldap-1:/usr/local/openldap-2.6.6/etc/openldap# ldapwhoami -H ldaps://slapd.zxactions.com -d 1 ldap_url_parse_ext(ldaps://slapd.zxactions.com) ldap_create ldap_url_parse_ext(ldaps://slapd.zxactions.com:636/??base) ldap_pvt_sasl_getmech ldap_search put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP slapd.zxactions.com:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.174.128:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLS trace: SSL_connect:before SSL initialization TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace: SSL3 alert read:fatal:handshake failure TLS trace: SSL_connect:error in error TLS: can't connect: error:0A000410:SSL routines::sslv3 alert handshake failure. ldap_err2string ldap_sasl_interactive_bind: Can't contact LDAP server (-1) additional info: error:0A000410:SSL routines::sslv3 alert handshake failure ####################################################################################################### Failed to use the openssl tool: openssl s_client -connect slapd.zxactions.com:636 -debug The failure information is as follows: root@openldap-1:/usr/local/openldap-2.6.6/etc/openldap# openssl s_client -connect slapd.zxactions.com:636 -debug CONNECTED(00000003) write to 0x556ccbdb5c40 [0x556ccbdc5b30] (321 bytes => 321 (0x141)) 0000 - 16 03 01 01 3c 01 00 01-38 03 03 1a eb eb eb ad ....<...8....... 0010 - 52 f0 12 36 b2 cd ad 9c-6f c9 de 67 54 13 e3 47 R..6....o..gT..G 0020 - 23 ac 44 5c d9 51 2f d4-a5 0b cf 20 e6 f9 c1 6c #.D\.Q/.... ...l 0030 - e5 ce 18 9c ea f1 d6 67-a2 1f 71 3c 78 d4 c6 fb .......g..q<x... 0040 - 25 23 98 bd 38 90 1f 8c-13 94 b1 00 00 3e 13 02 %#..8........>.. 0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa .....,.0........ 0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27 .+./...$.(.k.#.' 0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d .g.....9.....3.. 0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 b1 ...=.<.5./...... 0090 - 00 00 00 18 00 16 00 00-13 73 6c 61 70 64 2e 7a .........slapd.z 00a0 - 78 61 63 74 69 6f 6e 73-2e 63 6f 6d 00 0b 00 04 xactions.com.... 00b0 - 03 00 01 02 00 0a 00 16-00 14 00 1d 00 17 00 1e ................ 00c0 - 00 19 00 18 01 00 01 01-01 02 01 03 01 04 00 23 ...............# 00d0 - 00 00 00 16 00 00 00 17-00 00 00 0d 00 2a 00 28 .............*.( 00e0 - 04 03 05 03 06 03 08 07-08 08 08 09 08 0a 08 0b ................ 00f0 - 08 04 08 05 08 06 04 01-05 01 06 01 03 03 03 01 ................ 0100 - 03 02 04 02 05 02 06 02-00 2b 00 05 04 03 04 03 .........+...... 0110 - 03 00 2d 00 02 01 01 00-33 00 26 00 24 00 1d 00 ..-.....3.&.$... 0120 - 20 92 75 81 9c 09 28 95-68 b4 eb b1 9e 2c d5 9b .u...(.h....,.. 0130 - e3 99 13 36 68 87 b5 72-4d d6 3e 60 0f 47 50 db ...6h..rM.>`.GP. 0140 - 15 . read from 0x556ccbdb5c40 [0x556ccbdbc913] (5 bytes => 5 (0x5)) 0000 - 15 03 03 00 02 ..... read from 0x556ccbdb5c40 [0x556ccbdbc918] (2 bytes => 2 (0x2)) 0000 - 02 28 .( 800B77514E7F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 321 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- read from 0x556ccbdb5c40 [0x556ccbd0d650] (8192 bytes => 0) -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 6912] support for case sensitive SASL usernames
by openldap-its＠openldap.org 09 Oct '23

09 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=6912 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6912] support for case sensitive SASL usernames
by openldap-its＠openldap.org 09 Oct '23

09 Oct '23

1 0

[Issue 6871] Feature Request: slapo-lastbind authTimeStamp attribute replicated in MMR deploy
by openldap-its＠openldap.org 09 Oct '23

09 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=6871 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6871] Feature Request: slapo-lastbind authTimeStamp attribute replicated in MMR deploy
by openldap-its＠openldap.org 09 Oct '23

09 Oct '23

https://bugs.openldap.org/show_bug.cgi?id=6871 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |DUPLICATE Status|UNCONFIRMED |RESOLVED --- Comment #2 from Quanah Gibson-Mount <quanah(a)openldap.org> --- This is already built into OpenLDAP 2.6 with the pwdLastSuccess attribute which supports chaining and replicates a consistent value to all nodes. *** This issue has been marked as a duplicate of issue 9863 *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs