- openldap-bugs - openldap.org

[Issue 9635] New: Delete back-ndb
by openldap-its＠openldap.org 26 Oct '21

26 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9635 Issue ID: 9635 Summary: Delete back-ndb Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- The back-ndb backend is deprecated and given Oracle's unwillingness to further defvelopment it is a dead project. Time to remove it. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 7080] post read control in back-config
by openldap-its＠openldap.org 26 Oct '21

26 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=7080 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6949] OpenLDAP Logging
by openldap-its＠openldap.org 26 Oct '21

26 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=6949 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9720] New: accesslog mincsn needs initialization
by openldap-its＠openldap.org 26 Oct '21

26 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9720 Issue ID: 9720 Summary: accesslog mincsn needs initialization Product: OpenLDAP Version: 2.5.8 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- As reported on the -technical list, if using slapcat/slapadd to migrate an accesslog db from 2.4 to 2.5, the mincsn attribute will not be initialized causing a segfault on startup. -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 9670] New: Roadmap has bogus items for 2.6/2.7
by openldap-its＠openldap.org 25 Oct '21

25 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9670 Issue ID: 9670 Summary: Roadmap has bogus items for 2.6/2.7 Product: website Version: unspecified Hardware: All URL: https://openldap.org/software/roadmap.html OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- - lloadd has supported "all" LDAP operation types since being merged in 2.5 - both ppolicy enhancements are bogus too - logging landed in 2.6 already -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9724] New: FreeBSD: fetch(3) should not require com_err library
by openldap-its＠openldap.org 25 Oct '21

25 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9724 Issue ID: 9724 Summary: FreeBSD: fetch(3) should not require com_err library Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: delphij(a)freebsd.org Target Milestone: --- This is reported at https://bugs.freebsd.org/259345 . fetch(3) support was added in 48d5465ab76af3739294584e25985b0cf368ad05 and com_err library was added as a dependency, at the time it was a dependency. However, shortly after that in 2000 (https://cgit.freebsd.org/src/commit/?id=ba101983d5c240f191e3f233907ebb4a6c7…), the dependency was removed, and beginning from FreeBSD 5.0 (released on January 14, 2003), the dependency was gone and do not exist in modern FreeBSD versions. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 8874] --with-fetch incorrectly links libcom_err
by openldap-its＠openldap.org 24 Oct '21

24 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=8874 Xin Li <delphij(a)freebsd.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |delphij(a)freebsd.org --- Comment #6 from Xin Li <delphij(a)freebsd.org> --- *** Issue 9724 has been marked as a duplicate of this issue. *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9722] New: UX defect in screen to specify new password
by openldap-its＠openldap.org 22 Oct '21

22 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9722 Issue ID: 9722 Summary: UX defect in screen to specify new password Product: OpenLDAP Version: unspecified Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: christos.hayward(a)gmail.com Target Milestone: --- On a Debian 10 Linode, I ran: "aptitude install slapd ldap-utils". The screen prompting for a password was written in a way that led me to believe I was being asked for a password previously set as an LDAP password. This reflects a UX defect. I suggest a wording that shows clearly that one is being asked to assign a new password to LDAP, not enter a pre-existing password already assigned to LDAP. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9721] New: How To Add Lazy Loading Image In WordPress? (2 Effective Ways To Follow In 2021)
by openldap-its＠openldap.org 19 Oct '21

19 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9721 Issue ID: 9721 Summary: How To Add Lazy Loading Image In WordPress? (2 Effective Ways To Follow In 2021) Product: JLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: JLDAP Assignee: bugs(a)openldap.org Reporter: marklevisebook(a)gmail.com Target Milestone: --- Mainly if you are into the e-commerce industry then lazy loading will help you in a number of ways. As it allows websites to load images only when users state to scroll the website. A well-optimized website always comes with lazy loading because it allows site owners to offer the best experience by improving WordPress website speed. That is the reason why most of the businesses today look to hire experienced WordPress website design for their business. Read More: https://www.sfwpexperts.com/how-to-add-lazy-loading-image-in-wordpress-2-ef… https://www.sfwpexperts.com/ -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8623] test022-ppolicy can fail due to timing dependency between lockout and expiration tests
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=8623 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9718 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9645] New: Documentation upgrading from 2.4 - two descriptions
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9645 Issue ID: 9645 Summary: Documentation upgrading from 2.4 - two descriptions Product: OpenLDAP Version: 2.5.4 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- Searching in Internet for “upgrade openldap 2.5” finds • https://www.openldap.org/devel/admin/appendix-upgrading.html, and • https://www.openldap.org/doc/admin25/appendix-upgrading.html The text at the former link is incomplete, compared to the latter link. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9711] New: olcTLSVerifyClient set incorrectly on conversion
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9711 Issue ID: 9711 Summary: olcTLSVerifyClient set incorrectly on conversion Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- When converting the following slapd.conf to cn=config via slaptest, the olcTLSVerifyClient parameter is set to "demand" instead of "never". The slapd.conf man page clearly states that "never" is supposed to be the default. This causes startTLS operations to fail from the client. slapd.conf: include /opt/symas/etc/openldap/schema/core.schema pidfile /var/symas/run/slapd.pid argsfile /var/symas/run/slapd.args loglevel stats TLSCACertificateFile /opt/symas/ssl/CA/certs/testsuiteCA.crt TLSCertificateFile /opt/symas/ssl/certs/ub18.crt TLSCertificateKeyFile /opt/symas/ssl/private/ub18.key modulepath /opt/symas/lib/openldap moduleload back_mdb.la database config rootpw secret database mdb maxsize 1073741824 suffix "dc=my-domain,dc=com" rootdn "cn=Manager,dc=my-domain,dc=com" rootpw secret directory /var/symas/openldap-data index objectClass eq database monitor With the above slapd.conf, the following ldapsearch command succeeds: /opt/symas/bin/ldapsearch -x -ZZ -H ldap://ub18.quanah.org/^ However, after converting it to cn=config: slaptest -f slapd.conf -F /opt/symas/etc/openldap/slapd.d olcTLSVerifyClient has an incorrect value of "demand" instead of "never": cn=config.ldif:olcTLSVerifyClient: demand -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9679] New: On mariadb 10.5 the sql for creating the main definitions fails with errno: 150 "Foreign key constraint is incorrectly formed
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9679 Issue ID: 9679 Summary: On mariadb 10.5 the sql for creating the main definitions fails with errno: 150 "Foreign key constraint is incorrectly formed Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: lukav(a)lukav.com Target Milestone: --- Created attachment 841 --> https://bugs.openldap.org/attachment.cgi?id=841&action=edit Attached patch that fixes the issue When you try to execute servers/slapd/back-sql/rdbms_depend/mysql/backsql_create.sql in mariadb 10.5 you get an error: Fix Can't create table `ldap`.`ldap_entry_objclasses` (errno: 150 "Foreign key constraint is incorrectly formed") That is because entry_id column is not declared unsigned as the ldap_entries(id) column. This patch fixed the definition. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9678] New: slapadd prints “olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix” and then crashes
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9678 Issue ID: 9678 Summary: slapadd prints “olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix” and then crashes Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- Created attachment 840 --> https://bugs.openldap.org/attachment.cgi?id=840&action=edit Valgrind output Calling ``` slapadd -n0 -F/home/d/ldap/conf <<ABC dn: cn=config objectClass: olcGlobal cn: config olcAuthzRegexp: uid=([^@,]+)@example.org,cn=[^,]*,cn=auth uid=$1,cn=users,dc=example,dc=org dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend dn: olcDatabase=config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcRootDN: uid=yyy,cn=users,dc=example,dc=org olcRootPW: zzz ABC ``` prints PROXIED attributeDescription "DC" inserted. olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=12): Segmentation fault (core dumped) The output of valgrind, when it runs the above command, is attached. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9671] New: pwdPolicySubentry: no user modification allowed
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9671 Issue ID: 9671 Summary: pwdPolicySubentry: no user modification allowed Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- Without using Relax Rules control it is not possible to set attribute pwdPolicySubentry anymore. This was possible with 2.4.x. # ldapadd -Q -f aehost.ldif adding new entry "host=foobar42.example.com,cn=test-hosts-1,cn=test,ou=ae-dir" ldap_add: Constraint violation (19) additional info: pwdPolicySubentry: no user modification allowed This is a really serious regression for existing admin processes. -- You are receiving this mail because: You are on the CC list for the issue.

1 14

[Issue 9664] New: Hiding namingContexts in the root DSE, when these are not in small letters
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9664 Issue ID: 9664 Summary: Hiding namingContexts in the root DSE, when these are not in small letters Product: OpenLDAP Version: 2.5.6 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- Below are the ACL for the frontend database. They are supposed to hide the cn=krbconfig from the namingContexts on the root DSE. dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend #olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none olcAccess: to dn.base="" attrs=namingContexts val="cn=krbcontainer" by * none olcAccess: to dn.exact="" by * read dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcDbMaxSize: 10485760 olcSuffix: cn=krbcontainer olcRootDN: uid=zzz,cn=krbcontainer olcRootPW: zzz olcDbDirectory: ldap/uuu olcDbIndex: objectClass eq olcAccess: to dn.sub="cn=krbContainer" by * read It does work! However, if change the case in (container ⇒ Container): olcSuffix: cn=krbContainer no matter how I set olcAccess in the frontend database, $ ldapsearch -xb "" -s base namingContexts always prints dn: namingContexts: cn=krbContainer In particular olcAccess: to dn.base="" attrs=namingContexts val/distinguishedNameMatch="cn=krbcontainer" by * none does not hide it. • It shall be possible to find olcSuffix from the DSE/namingContexts, even if the suffix is mixCased. Since the case is known at the time, when the rules are written, OpenLDAP shall offer an option for exact match, without converting data to lowercase. (as shown by sladp -d -1 ) -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 9659] New: slapd fails to compile with LDAP_PF_LOCAL_SENDMSG: redefinition of 'peerbv'
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9659 Issue ID: 9659 Summary: slapd fails to compile with LDAP_PF_LOCAL_SENDMSG: redefinition of 'peerbv' Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ryan(a)openldap.org Target Milestone: --- Thanks for fixing issue 9658. The same test environment (Debian GNU/Hurd 11.0) now fails to compile slapd (RE25 and master): cc -g -O2 -I../../include -I. -I./slapi -I. -I../../include -c -o daemon.o daemon.c daemon.c: In function 'slap_listener': daemon.c:2113:16: error: redefinition of 'peerbv' 2113 | struct berval peerbv = BER_BVNULL; | ^~~~~~ daemon.c:2110:16: note: previous definition of 'peerbv' was here 2110 | struct berval peerbv = BER_BVC(peername); | ^~~~~~ <builtin>: recipe for target 'daemon.o' failed make[2]: *** [daemon.o] Error 1 The relevant code in daemon.c: char peername[LDAP_IPADDRLEN]; struct berval peerbv = BER_BVC(peername); #ifdef LDAP_PF_LOCAL_SENDMSG char peerbuf[8]; struct berval peerbv = BER_BVNULL; #endif When LDAP_PF_LOCAL_SENDMSG is defined, the variable 'peerbv' is declared twice. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9696] New: OpenSSL implementation of LDAP_OPT_X_TLS_PEERCERT leaks memory
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9696 Issue ID: 9696 Summary: OpenSSL implementation of LDAP_OPT_X_TLS_PEERCERT leaks memory Product: OpenLDAP Version: 2.4.57 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: cheimes(a)redhat.com Target Milestone: --- The OpenSSL implementation of ldap_get_option() LDAP_OPT_X_TLS_PEERCERT leaks memory. The internal function tlso_session_peercert() uses SSL_get_peer_certificate() to access the server certificate. SSL_get_peer_certificate() increases the reference counter of the peer cert by one. The code is missing a X509_free() call to decref the internal reference counter by one. I also recommend that you check the return value of SSL_get_peer_certificate() for NULL. There are cases when a TLS session does not have access to a peer certificate, e.g. session resumption. Valgrind log: ==586962== 16,044 (1,056 direct, 14,988 indirect) bytes in 3 blocks are definitely lost in loss record 6,355 of 6,374 ==586962== at 0x484086F: malloc (vg_replace_malloc.c:380) ==586962== by 0x16981A4D: CRYPTO_zalloc (mem.c:230) ==586962== by 0x168CC823: asn1_item_embed_new (tasn_new.c:122) ==586962== by 0x168CE12A: asn1_item_embed_d2i (tasn_dec.c:325) ==586962== by 0x168CE341: ASN1_item_ex_d2i (tasn_dec.c:124) ==586962== by 0x168CE3CE: ASN1_item_d2i (tasn_dec.c:114) ==586962== by 0x1744B7CC: tls_process_server_certificate (statem_clnt.c:1853) -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9668] New: undefined behavior for isdigit in tls2.c
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9668 Issue ID: 9668 Summary: undefined behavior for isdigit in tls2.c Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: roland.illig(a)gmx.de Target Milestone: --- tls2.c says: > isdigit( *c ) This invokes undefined behavior if someone manages to pass a non-ASCII character. Depending on the platform, the process may crash or wrongly classify the host name as either numeric or non-numeric. While here, I noticed that both sni and c have type 'char *', but they should rather be 'const char *'. Was there a specific reason to suggest to the reader the host name would be modifiable? -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9706] New: monitoringslapd.sdf: typo Backends
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9706 Issue ID: 9706 Summary: monitoringslapd.sdf: typo Backends Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- doc/guide/admin/monitoringslapd.sdf contains: H3: Backends The {{EX:cn=Backends,cn=Monitor}} object, itself, provides a list of available backends. The list of available backends all builtin backends, as well as backends loaded by modules. For example: … The second sentence has no verb. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9699] New: doc/admin25/loadbalancer.html: typo “between a a set of running slapd instances”
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9699 Issue ID: 9699 Summary: doc/admin25/loadbalancer.html: typo “between a a set of running slapd instances” Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9693] New: Section 9.6 html formatting issue
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9693 Issue ID: 9693 Summary: Section 9.6 html formatting issue Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: mnormann(a)symas.com Target Milestone: --- Section 9.6 of documentation is missing a closing anchor tag and closing title tag (Glued/Subordinate database configurations) -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9689] New: Redundancy in the description of syncprov-nopresent
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9689 Issue ID: 9689 Summary: Redundancy in the description of syncprov-nopresent Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- https://www.openldap.org/devel/admin/replication.html#Set%20up%20the%20prov… says: “““ The nonpresent option **should only be configured if the overlay is being placed on top of a log database**, such as when used with delta-syncrepl. The nonpresent option is configured by the syncprov-nopresent <TRUE|FALSE> directive. This value **should only be set TRUE for a syncprov instance on top of a log database** (such as one managed by the accesslog overlay). The default is FALSE. ””” I think, the circumstances when the option shall be used, are repeated twice. One of the repetitions can be shortened. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9688] New: Is EQ index on entryCSN mandatory for replication?
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9688 Issue ID: 9688 Summary: Is EQ index on entryCSN mandatory for replication? Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- https://www.openldap.org/devel/admin/replication.html says about the EQ index on entryCSN: “On databases which support inequality indexing, setting an eq index on the entryCSN attribute and configuring contextCSN checkpoints will greatly speed up this scanning step.” → The index is recommended, but not mandatory, and not always possible. man 5 slapo-syncprov / https://www.openldap.org/software/man.cgi?query=slapo-syncprov&apropos=0&se… says “On databases that support inequality indexing, it is mandatory to set an eq index on the entryCSN attribute when using this overlay.” Between both documents there is a discrepancy, whether the EQ index is mandatory or not. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9687] New: olcTLSECName is not required in order to use ECDHE-based cipher suites in OpenSSL
by openldap-its＠openldap.org 11 Oct '21

11 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9687 Issue ID: 9687 Summary: olcTLSECName is not required in order to use ECDHE-based cipher suites in OpenSSL Product: OpenLDAP Version: 2.5.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- SLAPD-CONFIG(5) says that olcTLSECName is used to set the names of the Elliptic Curves. It does not say, that the option is required, nor does it say what happens, when the option is not set. https://www.openldap.org/doc/admin25/tls.html#TLS%20Configuration says for TLSECName: This is required in order to use ECDHE-based cipher suites in OpenSSL. I do not set TLSECName and call ./testssl.sh ldap.aegee.org:636 which prints: Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- TLSv1 (server order) xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLSv1.1 (server order) xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLSv1.2 (server order) xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLSv1.3 (server order) x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448 This means, that when olcTLSECName is not set, OpenSSL defaults are used, and ECDHE-based cipher suites are still offered. testssl.sh can be obtianed from https://github.com/drwetter/testssl.sh . -- You are receiving this mail because: You are on the CC list for the issue.

1 8

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs