- openldap-bugs - openldap.org

[Issue 8753] Public key pinning support in libldap
by openldap-its＠openldap.org 19 Feb '22

19 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=8753 --- Comment #9 from Michael Ströder <michael(a)stroeder.com> --- (In reply to Michael Ströder from comment #8) > What are valid values or is the format of the <hashalg> field? It seems crypto(7) should be referenced by ldap_set_option(3) in case of OpenSSL? https://www.openssl.org/docs/manmaster/man7/crypto.html -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8753] Public key pinning support in libldap
by openldap-its＠openldap.org 19 Feb '22

19 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=8753 --- Comment #8 from Michael Ströder <michael(a)stroeder.com> --- What are valid values or is the format of the <hashalg> field? -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9502] New: Implement TCP_USER_TIMEOUT in meta and asyncmeta
by openldap-its＠openldap.org 19 Feb '22

19 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=9502 Issue ID: 9502 Summary: Implement TCP_USER_TIMEOUT in meta and asyncmeta Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: nivanova(a)symas.com Target Milestone: --- Implement TCP_USER_TIMEOUT as an option to libldap and as a configuration option in back-meta and back-asyncmeta -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Bug 9189] New: Add GSSAPI channel-bindings support
by openldap-its＠openldap.org 19 Feb '22

19 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=9189 Bug ID: 9189 Summary: Add GSSAPI channel-bindings support Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: iboukris(a)gmail.com Target Milestone: --- Recently MS has announce they plan to enforce channel-bindings for LDAP over TLS (ADV190023). To support it on client side, we need to pass "tls-endpoint" bindings (RFC 5929) to the SASL plugin, and make use of that in GSSAPI. See also: https://github.com/cyrusimap/cyrus-sasl/pull/601 -- You are receiving this mail because: You are on the CC list for the bug.

1 13

[Issue 8753] Public key pinning support in libldap
by openldap-its＠openldap.org 19 Feb '22

19 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=8753 --- Comment #7 from Quanah Gibson-Mount <quanah(a)openldap.org> --- RE25: • 680affe6 by Ondřej Kuzník at 2022-02-18T23:20:09+00:00 ITS#8753 Document LDAP_OPT_X_TLS_PEERKEY_HASH -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8753] Public key pinning support in libldap
by openldap-its＠openldap.org 19 Feb '22

19 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=8753 --- Comment #6 from Quanah Gibson-Mount <quanah(a)openldap.org> --- RE26: • 394f6ad5 by Ondřej Kuzník at 2022-02-18T23:18:31+00:00 ITS#8753 Document LDAP_OPT_X_TLS_PEERKEY_HASH -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8753] Public key pinning support in libldap
by openldap-its＠openldap.org 19 Feb '22

19 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=8753 --- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> --- head: • a2a2ebba by Ondřej Kuzník at 2022-02-14T20:32:29+00:00 ITS#8753 Document LDAP_OPT_X_TLS_PEERKEY_HASH -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9797] New: userPrincipalName doesn't work with OpenLDAP
by openldap-its＠openldap.org 06 Feb '22

06 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=9797 Issue ID: 9797 Summary: userPrincipalName doesn't work with OpenLDAP Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: akshay.polji(a)gmail.com Target Milestone: --- Recently I was trying to perform a POC that included the Hashicorp vault. I tried to configure Hashicorp Vault LDAP login using OpenLDAP. However, I failed to do so as the Hashicorp vault was trying to query the OpenLDAP with filter="(?userPrincipalName=test1(a)example.com)" I got the query o/p as conn=1146 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= onn=1146 fd=12 closed (connection lost) Even though the ldapsearch worked for the same user. The problem seems to be the fact that OpenLDAP doesn't support "userPrincipalName" as the attribute. Wanted to understand if 'userPrincipalName' could be added? -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9000] memberOf value is lost when group DN is modified with only case change
by openldap-its＠openldap.org 04 Feb '22

04 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=9000 --- Comment #8 from Quanah Gibson-Mount <quanah(a)openldap.org> --- (In reply to sebastien.chaumat from comment #7) > This bug is still present in 2.4.49 (ubuntu). The OpenLDAP 2.4 series is historic and out of support. The memberof overlay is deprecated in OpenLDAP 2.5 and later and the dynlist overlay should be used to provide memberOf support. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9000] memberOf value is lost when group DN is modified with only case change
by openldap-its＠openldap.org 04 Feb '22

04 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=9000 --- Comment #7 from sebastien.chaumat(a)qspin.be --- This bug is still present in 2.4.49 (ubuntu). -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8375] paged results control results in full db search?
by openldap-its＠openldap.org 31 Jan '22

31 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=8375 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.6.2 |2.7.0 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8255] slapd-sock: response parsing in str2result() is broken
by openldap-its＠openldap.org 31 Jan '22

31 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=8255 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bugs(a)openldap.org |ondra(a)mistotebe.net -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9792] New: During replication, slapd tries to modify hasSubordinates (and fails)
by openldap-its＠openldap.org 31 Jan '22

31 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=9792 Issue ID: 9792 Summary: During replication, slapd tries to modify hasSubordinates (and fails) Product: OpenLDAP Version: 2.5.9 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: christophe(a)armaghast.eu Target Milestone: --- During relication, this strange error occurs: Jan 25 14:46:42 annu slapd[471040]: conn=1001 op=2796 MOD attr=userPassword pwdChangedTime pwdHistory entryCSN modifiersName modifyTimestamp hasSubordinates Jan 25 14:46:42 annu slapd[471040]: conn=1001 op=2796 RESULT tag=103 err=16 qtime=0.000030 etime=0.000462 text=modify/delete: hasSubordinates: no such attribute Why does slapd try to modify this (virtual) attribute ? -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9350] New: Expand test suite for null base
by openldap-its＠openldap.org 31 Jan '22

31 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=9350 Issue ID: 9350 Summary: Expand test suite for null base Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- Currently we have no tests that use the empty suffix (null base). This is an entirely valid configuration setup, and there are unique challenges and bugs that crop up with this usage. We need to ensure we're covering this use case, particularly with syncrepl and delta-syncrepl configurations. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 8255] slapd-sock: response parsing in str2result() is broken
by openldap-its＠openldap.org 31 Jan '22

31 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=8255 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |IN_PROGRESS Ever confirmed|0 |1 --- Comment #10 from Ondřej Kuzník <ondra(a)mistotebe.net> --- https://git.openldap.org/openldap/openldap/-/merge_requests/487 for the clarification. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8255] slapd-sock: response parsing in str2result() is broken
by openldap-its＠openldap.org 31 Jan '22

31 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=8255 --- Comment #9 from Ondřej Kuzník <ondra(a)mistotebe.net> --- (In reply to Ondřej Kuzník from comment #8) > and probably need to stop referencing the slapd-shell manpage too. Ah, we already did that, forgot I was reading the installed, not the local manpage. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8255] slapd-sock: response parsing in str2result() is broken
by openldap-its＠openldap.org 31 Jan '22

31 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=8255 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Component|backends |documentation --- Comment #8 from Ondřej Kuzník <ondra(a)mistotebe.net> --- (In reply to Howard Chu from comment #7) > (In reply to Ondřej Kuzník from comment #6) >> str2result() doesn't expect "msgid:" to be passed in the response, even >> though that's part of the protocol as documented. > > Incorrect. The docs clearly show msgid: is not part of the response message. True, I misread the manpage because there is little structure in there to support quick reference. I think we should put the "sockresp result" string in the relevant paragraph and probably need to stop referencing the slapd-shell manpage too. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8255] slapd-sock: response parsing in str2result() is broken
by openldap-its＠openldap.org 28 Jan '22

28 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=8255 --- Comment #7 from Howard Chu <hyc(a)openldap.org> --- (In reply to Ondřej Kuzník from comment #6) > str2result() doesn't expect "msgid:" to be passed in the response, even > though that's part of the protocol as documented. Incorrect. The docs clearly show msgid: is not part of the response message. >>>> The commands - except unbind - should output: RESULT code: <integer> matched: <matched DN> info: <text> where only RESULT is mandatory, and then close the socket. <<<< The msgid: is only included in messages from back-sock to the external program. There is no bug in back-sock or in its documentation. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8255] slapd-sock: response parsing in str2result() is broken
by openldap-its＠openldap.org 28 Jan '22

28 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=8255 --- Comment #6 from Ondřej Kuzník <ondra(a)mistotebe.net> --- str2result() doesn't expect "msgid:" to be passed in the response, even though that's part of the protocol as documented. Now that back-sock is its only user, it should just be added. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9793] New: Question regarding password dictionary rules for when a user changes their password.
by openldap-its＠openldap.org 27 Jan '22

27 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=9793 Issue ID: 9793 Summary: Question regarding password dictionary rules for when a user changes their password. Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: alan_andrea(a)yahoo.com Target Milestone: --- I have a question regarding password rules that are enforced when a user changes their password. We have a need to implement a dictionary rule whereby words and phrases in a dictionary are not allowed in a users password. I am not able to see currently where such functionality exists in OpenLDAP and am wondering if there are any extensions to OPenLDAP that were developed to support this or if it would be required to write code to support this feature. If you can please give me some guidelines here, that would be really great ! -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9742] New: syncprov-nopresent is harmful
by openldap-its＠openldap.org 27 Jan '22

27 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=9742 Issue ID: 9742 Summary: syncprov-nopresent is harmful Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- If setting up a new delta-MPR environment such that: - server A has been slapadd-ed the seed data - accesslog is set to "logops all" There is a sequence of events where servers are started and replicate from each other before they get a chance to talk to A, they will each generate a CSN and replicate it. Once they start talking to A, it will see that it has a CSN (its own) that none of them have sent and "syncprov-nopresent" makes it just go ahead where the only sane outcome is to send SYNC_REFRESH_REQUIRED. Am I missing a usecase for this or should it just have been this way all along? -- You are receiving this mail because: You are on the CC list for the issue.

1 13

[Issue 9750] New: global vs. frontend config in slapd.conf - misleading warning message
by openldap-its＠openldap.org 20 Jan '22

20 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=9750 Issue ID: 9750 Summary: global vs. frontend config in slapd.conf - misleading warning message Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- Since the fix for ITS#9575 there is this misleading message even when invoking slapcat: /opt/openldap-ms/etc/openldap/slapd.conf: line 126: setting password scheme in the global entry is deprecated. The server may refuse to start if it is provided by a loadable module, please move it to the frontend database instead There is currently no way to rearrange something in slapd.conf to make this confusing message go away. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9738] New: entry_schema_check: Assertion `a->a_vals[0].bv_val != NULL' failed.
by openldap-its＠openldap.org 20 Jan '22

20 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=9738 Issue ID: 9738 Summary: entry_schema_check: Assertion `a->a_vals[0].bv_val != NULL' failed. Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- slapd 2.6.0 exits when an LDAP client sends an add operation with invalid data: 2021-11-04T22:07:36.790594+01:00 itn-dir-1 slapd[32415]: 61844b98.2ef8df5c 0x7fe42d9a6700 Entry (mail=michael(a)stroeder.com,ou=ext,ou=metadir,o=itn): object class 'itnmetaPerson' requires attribute 'displayName' 2021-11-04T22:07:36.790694+01:00 itn-dir-1 slapd[32415]: slapd: schema_check.c:89: entry_schema_check: Assertion `a->a_vals[0].bv_val != NULL' failed. -- You are receiving this mail because: You are on the CC list for the issue.

1 13

[Issue 9730] New: logfile-rotate directive fails in 2.6.0
by openldap-its＠openldap.org 20 Jan '22

20 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=9730 Issue ID: 9730 Summary: logfile-rotate directive fails in 2.6.0 Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: david.coutadeur(a)gmail.com Target Milestone: --- Hello, When setting the logfile-rotate, I get: 617bc9ae.1b73de17 0x7f44f87c9740 /usr/local/openldap/etc/openldap/slapd.conf: line 12 (logfile-rotate 10 100 24) 617bc9ae.1b759154 0x7f44f87c9740 /usr/local/openldap/etc/openldap/slapd.conf: line 12: <logfile-rotate> handler exited with 16384! My configuration file is below. I am using the 2.6.0 release. The strange part is that the same configuration converted into cn=config seems to work well. # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap/etc/openldap/schema/dyngroup.schema logfile-rotate 10 100 24 logfile /var/log/slapd-ltb/slapd.log logLevel 256 sasl-host ldap.my-domain.com pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args # Load dynamic backend modules: # moduleload back_ldap.la modulepath /usr/local/openldap/libexec/openldap moduleload argon2.la moduleload back_mdb.la moduleload dynlist.la moduleload memberof.la moduleload ppolicy.la moduleload syncprov.la moduleload unique.la access to dn.base="" by * read access to dn.base="cn=subschema" by * read ####################################################################### # config database definitions ####################################################################### database config rootdn cn=config rootpw secret access to attrs="userPassword" by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth =wdx by * auth access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage ####################################################################### # MDB database definitions ####################################################################### database mdb maxsize 4294967296 suffix dc=my-domain,dc=com rootdn cn=Manager,dc=my-domain,dc=com rootpw secret directory /usr/local/openldap/var/openldap-data index objectClass eq index cn eq,sub index uid pres,eq index givenName pres,eq,sub index l pres,eq index employeeType pres,eq index mail pres,eq,sub index sn pres,eq,sub limits group="cn=admin,ou=groups,dc=my-domain,dc=com" size=unlimited time=unlimited access to attrs="userPassword" by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth =wdx by group.exact="cn=admin,ou=groups,dc=my-domain,dc=com" =wdx by self =wdx by * auth access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by group.exact="cn=admin,ou=groups,dc=my-domain,dc=com" write by users read -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9725] New: attribute olcLastBindPrecision redefined in slapo-lastbind
by openldap-its＠openldap.org 20 Jan '22

20 Jan '22

https://bugs.openldap.org/show_bug.cgi?id=9725 Issue ID: 9725 Summary: attribute olcLastBindPrecision redefined in slapo-lastbind Product: OpenLDAP Version: 2.6.0 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- An attribute type description for 'olcLastBindPrecision' is present in servers/slapd/bconfig.c and contrib/slapd-modules/lastbind/lastbind.c. Thus the migration of deployments using slapo-lastbind is not as smooth as it should be. With release 2.6.0 one is forced to disable slapo-lastbind. Removing the attribute type description for 'olcLastBindPrecision' from contrib/slapd-modules/lastbind/lastbind.c should work. -- You are receiving this mail because: You are on the CC list for the issue.

1 10

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs