- openldap-bugs - openldap.org

[Issue 9820] New: v2.5 and 2.6 closed (idletimeout) during ldapsearch (work fine with v2.4)
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9820 Issue ID: 9820 Summary: v2.5 and 2.6 closed (idletimeout) during ldapsearch (work fine with v2.4) Product: OpenLDAP Version: 2.6.1 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: jlbs.gregoire(a)gmail.com Target Milestone: --- Hello, Please excuse me for my bad English. Is there a bug with openldap 2.5 and 2.6 ? When I launch a ldapsearch on the whole directory, the connection is abruptly cut during the search (same problem with syncrepl). All work fine with openldap 2.4.48 and 2.4.59. Tested on Debian 10 buster and openssl 1.1.1n (also tested with openssl 1.1.1d and 1.1.1k). The directory contains over one million entries. OpenLDAP 2.6.1 compiled with the following options ./configure --prefix=/opt/openldap-2.6.1 --disable-ipv6 --enable-debug --enable-syslog --enable-slapd --enable-cleartext --enable-crypt --enable-wrappers --enable-backends=no --enable-mdb --enable-overlays --with-tls /opt/openldap-2.6.1/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w 'password' ... # numResponses: 50146 # numEntries: 50146 ldap_result: Can't contact LDAP server (-1) Apr 8 21:28:37 debian slapd[20880]: @(#) $OpenLDAP: slapd 2.6.1 (Apr 8 2022 20:34:26) $#012#011root@debian:/opt/src/openldap-2.6.1/servers/slapd Apr 8 21:28:37 debian slapd[20881]: slapd starting Apr 8 21:29:12 debian slapd[20881]: conn=1000 fd=11 ACCEPT from PATH=/opt/openldap-2.6.1/var/run/ldapi (PATH=/opt/openldap-2.6.1/var/run/ldapi) Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" method=128 Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" mech=SIMPLE bind_ssf=0 ssf=71 Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000041 text= Apr 8 21:29:12 debian slapd[20881]: conn=1000 op=1 SRCH base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)" Apr 8 21:29:57 debian slapd[20881]: conn=1000 fd=11 closed (idletimeout) OpenLDAP 2.5.11 compiled with the following options ./configure --prefix=/opt/openldap-2.5.11 --disable-ipv6 --enable-debug --enable-syslog --enable-slapd --enable-cleartext --enable-crypt --enable-wrappers --enable-backends=no --enable-mdb --enable-overlays --with-tls /opt/openldap-2.5.11/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w 'password' ... # numResponses: 44638 # numEntries: 44638 ldap_result: Can't contact LDAP server (-1) Apr 8 21:44:18 debian slapd[21063]: @(#) $OpenLDAP: slapd 2.5.11 (Apr 8 2022 20:55:50) $#012#011root@debian:/opt/src/openldap-2.5.11/servers/slapd Apr 8 21:44:18 debian slapd[21064]: slapd starting Apr 8 21:44:45 debian slapd[21064]: conn=1000 fd=11 ACCEPT from PATH=/opt/openldap-2.5.11/var/run/ldapi (PATH=/opt/openldap-2.5.11/var/run/ldapi) Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" method=128 Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" mech=SIMPLE bind_ssf=0 ssf=71 Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000006 etime=0.000045 text= Apr 8 21:44:45 debian slapd[21064]: conn=1000 op=1 SRCH base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)" Apr 8 21:45:30 debian slapd[21064]: conn=1000 fd=11 closed (idletimeout) OpenLDAP 2.4.59 compiled with the following options ./configure --prefix=/opt/openldap-2.4.59 --disable-ipv6 --enable-debug --enable-syslog --enable-slapd --enable-cleartext --enable-crypt --enable-wrappers --enable-backends=no --enable-mdb --enable-overlays --with-tls /opt/openldap-2.4.59/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w 'password' Apr 8 21:53:22 debian slapd[17963]: @(#) $OpenLDAP: slapd 2.4.59 (Apr 8 2022 21:51:41) $#012#011root@debian:/opt/src/openldap-2.4.59/servers/slapd Apr 8 21:53:22 debian slapd[17964]: slapd starting Apr 8 21:53:54 debian slapd[17964]: conn=1000 fd=11 ACCEPT from PATH=/opt/openldap-2.4.59/var/run/ldapi (PATH=/opt/openldap-2.4.59/var/run/ldapi) Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" method=128 Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" mech=SIMPLE ssf=0 Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=0 RESULT tag=97 err=0 text= Apr 8 21:53:54 debian slapd[17964]: conn=1000 op=1 SRCH base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)" Apr 8 22:06:02 debian slapd[17964]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1021397 text= Apr 8 22:06:02 debian slapd[17964]: conn=1000 op=2 UNBIND Apr 8 22:06:02 debian slapd[17964]: conn=1000 fd=11 closed OpenLDAP 2.4.48 compiled with the following options ./configure --prefix=/opt/openldap-2.4.48 --disable-ipv6 --enable-debug --enable-syslog --enable-slapd --enable-cleartext --enable-crypt --enable-wrappers --enable-backends=no --enable-mdb --enable-overlays --with-tls /opt/openldap-2.4.48/bin/ldapsearch -x -D cn=manager,dc=societe,dc=com -w 'password' Apr 8 21:30:44 debian slapd[20942]: @(#) $OpenLDAP: slapd 2.4.48 (Apr 8 2022 20:58:01) $#012#011root@debian:/opt/src/openldap-2.4.48/servers/slapd Apr 8 21:30:44 debian slapd[20943]: slapd starting Apr 8 21:31:05 debian slapd[20943]: conn=1000 fd=11 ACCEPT from PATH=/opt/openldap-2.4.48/var/run/ldapi (PATH=/opt/openldap-2.4.48/var/run/ldapi) Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" method=128 Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=0 BIND dn="cn=manager,dc=societe,dc=com" mech=SIMPLE ssf=0 Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=0 RESULT tag=97 err=0 text= Apr 8 21:31:05 debian slapd[20943]: conn=1000 op=1 SRCH base="dc=societe,dc=com" scope=2 deref=0 filter="(objectClass=*)" Apr 8 21:43:15 debian slapd[20943]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1021397 text= Apr 8 21:43:15 debian slapd[20943]: conn=1000 op=2 UNBIND Apr 8 21:43:15 debian slapd[20943]: conn=1000 fd=11 closed Content of slapd.conf : pidfile /opt/openldap/var/run/slapd.pid argsfile /opt/openldap/var/run/slapd.args tool-threads 2 require ldapv3 authc disallow bind_anon loglevel stats modulepath /opt/openldap/libexec/openldap moduleload back_mdb moduleload syncprov include /opt/openldap/etc/openldap/schema/core.schema include /opt/openldap/etc/openldap/schema/cosine.schema include /opt/openldap/etc/openldap/schema/inetorgperson.schema include /opt/openldap/etc/openldap/schema/dyngroup_cgi.schema include /opt/openldap/etc/openldap/schema/qmail_cgi.schema defaultsearchbase "dc=societe,dc=com" backend mdb database mdb directory "/ldap/base-ldap" suffix "dc=societe,dc=com" rootdn "cn=manager,dc=societe,dc=com" rootpw password maxsize 12884901888 mode 600 checkpoint 10240 2 dbnosync lastmod on include /opt/openldap/etc/openldap/acl.conf idletimeout 120 reverse-lookup off sizelimit 100 timelimit unlimited include /opt/openldap/etc/openldap/index.conf index_substr_if_minlen 2 index_substr_if_maxlen 4 index_substr_any_len 4 index_substr_any_step 2 When I set loglevel -1 it works correctly (but generates a very huge log file). It's very strange. If you need any further information, feel free to contact me. Jean-Loup Gregoire -- You are receiving this mail because: You are on the CC list for the issue.

1 12

[Issue 9815] Serious SQL injection vulnerability in back-sql
by openldap-its＠openldap.org 04 May '22

04 May '22

https://bugs.openldap.org/show_bug.cgi?id=9815 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Group|OpenLDAP-devs | Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9837] New: Don't throw exceptions when requesting empty integer fields
by openldap-its＠openldap.org 02 May '22

02 May '22

https://bugs.openldap.org/show_bug.cgi?id=9837 Issue ID: 9837 Summary: Don't throw exceptions when requesting empty integer fields Product: JLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: JDBC Assignee: bugs(a)openldap.org Reporter: fredrik(a)roubert.name Target Milestone: --- LibreOffice Base expects to be able to call LdapResultSet.getLong() on an empty Types.INTEGER field without any exception being thrown and the exception that Long.parseLong() throws when passed an empty string will terminate the query with an error message. While I don't know if the JDBC standard says anything about how this is supposed to be handled, it seems reasonable (and harmless) for JDBC-LDAP to accomodate the existing behaviour such a popular open source software package as LibreOffice Base. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9836] New: Support for TLS is needed
by openldap-its＠openldap.org 02 May '22

02 May '22

https://bugs.openldap.org/show_bug.cgi?id=9836 Issue ID: 9836 Summary: Support for TLS is needed Product: JLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: JDBC Assignee: bugs(a)openldap.org Reporter: fredrik(a)roubert.name Target Milestone: --- Using TLS is becoming increasingly more common and the LDAP library has support for this since a long time already, the JDBC connection string just needs to support a new property to allow this to be configured. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9835] New: LDAP aliases ought to always be dereferenced
by openldap-its＠openldap.org 02 May '22

02 May '22

https://bugs.openldap.org/show_bug.cgi?id=9835 Issue ID: 9835 Summary: LDAP aliases ought to always be dereferenced Product: JLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: JDBC Assignee: bugs(a)openldap.org Reporter: fredrik(a)roubert.name Target Milestone: --- No software connecting to an LDAP database through JDBC can be expected to know anything at all about LDAP, so no such software can be expected to be able to do anything useful with an LDAP alias entry. LDAP aliases must therefore always be dereferenced in the JDBC driver. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 3872] Issue with norwegian UTF-8 characters JDBC Bridge
by openldap-its＠openldap.org 02 May '22

02 May '22

https://bugs.openldap.org/show_bug.cgi?id=3872 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 3872] Issue with norwegian UTF-8 characters JDBC Bridge
by openldap-its＠openldap.org 02 May '22

02 May '22

https://bugs.openldap.org/show_bug.cgi?id=3872 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|UNCONFIRMED |RESOLVED --- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> --- • 245495e9 by Fredrik Roubert at 2022-05-01T15:12:42+02:00 ITS#3872 Always decode valid UTF-8 data, never Base64 encode it. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 3872] Issue with norwegian UTF-8 characters JDBC Bridge
by openldap-its＠openldap.org 01 May '22

01 May '22

https://bugs.openldap.org/show_bug.cgi?id=3872 --- Comment #4 from Fredrik Roubert <fredrik(a)roubert.name> --- This seems to be a simple mistake for which there is a simple fix: https://git.openldap.org/openldap/jdbcldap/-/merge_requests/1 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9834] New: Can not find admin user after setup openldap on debian
by openldap-its＠openldap.org 29 Apr '22

29 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9834 Issue ID: 9834 Summary: Can not find admin user after setup openldap on debian Product: OpenLDAP Version: 2.4.57 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: sparktour(a)outlook.com Target Milestone: --- Created attachment 897 --> https://bugs.openldap.org/attachment.cgi?id=897&action=edit the screenshot of phpldapadmin dashboard (doesn't have any entry under base) After install the openldap (slapd) from Debian package repository (using the version 2.4.57+dfsg-3~bpo10+1, database created by the dpkg configuration script provide by apt), the admin user (cn=admin,dc=example,dc=com) in could not be found either when performing ldapsearch or viewing the structure of the organisation in phpldapadmin / Apache directory studio. result of ldapsearch: ------------ root@ldap:~# ldapsearch -x -b "dc=example,dc=com" # extended LDIF # # LDAPv3 # base <dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # example.com dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: example.com dc: exmaple # search result search: 2 result: 0 Success ------------ However, using ldapwhoami (ldapwhoami -vvv -h ldap.example.com -D cn=admin,dc=example,dc=com -x -w password) can return a successful result. result of ldapwhoami: ------------ ldap_initialize( ldap://localhost ) dn:cn=admin,dc=example,dc=com Result: Success (0) ------------ A similar issue can be found here: https://github.com/osixia/docker-openldap/issues/555 on Github. According to the user in Github, this issue is first occurred in openldap 2.4.57 (https://github.com/osixia/docker-openldap/releases/tag/v1.5.0) -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 28 Apr '22

28 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8882 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|needs_review | -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 28 Apr '22

28 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8882 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|--- |2.5.13 --- Comment #14 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Ship in contrib for 2.5.13+ -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 27 Apr '22

27 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8882 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |needs_review -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 27 Apr '22

27 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8882 --- Comment #13 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Tamim provided me the source code previously referenced, now attached to the ticket. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8882] Null Attribute Value Overlay
by openldap-its＠openldap.org 27 Apr '22

27 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8882 --- Comment #12 from Quanah Gibson-Mount <quanah(a)openldap.org> --- Created attachment 896 --> https://bugs.openldap.org/attachment.cgi?id=896&action=edit source code for empty-directory-string overlay -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9833] New: Backup Restore issue
by openldap-its＠openldap.org 27 Apr '22

27 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9833 Issue ID: 9833 Summary: Backup Restore issue Product: OpenLDAP Version: 2.4.40 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: akshay.jain(a)shopclues.com Target Milestone: --- I Have restored backup from running ldap. data is restored but i am not able to login using directory manager account. This is hampering my production. Can anyone help in this. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9828] New: ldap_count_values_len broken
by openldap-its＠openldap.org 26 Apr '22

26 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9828 Issue ID: 9828 Summary: ldap_count_values_len broken Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Pointer confusion means ldap_count_values_len does not work as intended. Because there are no known users in the openldap project (except slapd-search), this has existed since its inception in UMich code. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9620] New: back-monitor: search can access a persistent entry freed in the meantime
by openldap-its＠openldap.org 25 Apr '22

25 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9620 Issue ID: 9620 Summary: back-monitor: search can access a persistent entry freed in the meantime Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- With ITS#9600 there is now code that adds and removes "persistent" monitor entries outside a server pause. A concurrent cn=monitor search lists all children first and sends them later - monitor is happy to free some of them in the meantime. It seems to me that the monitor cache should be protected by a rw mutex instead, which would be held for reading while a search is happening. -- You are receiving this mail because: You are on the CC list for the issue.

1 11

[Issue 9826] New: Openldap process stopped due to the 'segmentation fault'
by openldap-its＠openldap.org 21 Apr '22

21 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9826 Issue ID: 9826 Summary: Openldap process stopped due to the 'segmentation fault' Product: OpenLDAP Version: 2.4.59 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: rekha.shivsan(a)gmail.com Target Milestone: --- Created attachment 892 --> https://bugs.openldap.org/attachment.cgi?id=892&action=edit kernel logs with segmentation fault error Openldap process stopped due to the 'segmentation fault'. We have openldap process running as a service. /var/log/kern.log Mar 6 11:15:01 ip-x-x-x-x kernel: show_signal_msg: 48 callbacks suppressed Mar 6 11:15:01 ip-x-x-x-x kernel: slapd[8778]: segfault at 8 ip 00000000004afcc6 sp 00007fae42ffd400 error 4 in slapd[400000+130000] /var/log/daemon.log Mar 6 11:15:01 ip-x-x-x-xopenldap: 622497b5 connection_read(13): input error=-2 id=19912, closing. Mar 6 11:15:01 ip-x-x-x-xopenldap: 622497b5 connection_closing: readying conn=19912 sd=13 for close Mar 6 11:15:01 ip-x-x-x-xsystemd: openldap.service: main process exited, code=killed, status=11/SEGV Mar 6 11:15:01 ip-x-x-x-xsystemd: Unit openldap.service entered failed state. Mar 6 11:15:01 ip-x-x-x-xsystemd: openldap.service failed. If we restart the service, it runs fine for few days and again segmentation fault is seen in kernel logs and the service gets stopped. Please help us to resolve this issue. Thanks Rekha. -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9822] New: The hyperlink "JLDAP resources" needs to be updated
by openldap-its＠openldap.org 12 Apr '22

12 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9822 Issue ID: 9822 Summary: The hyperlink "JLDAP resources" needs to be updated Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: fredrik(a)roubert.name Target Milestone: --- On this page: https://www.openldap.org/jldap/ The hyperlink "JLDAP resources" used to go to this web page: https://web.archive.org/web/20060707012200/http://developer.novell.com/wiki… But that web page is nowadays to be found here instead: https://www.microfocus.com/documentation/edirectory-developer-documentation… -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9784] New: Adding our OpenLDAP support services
by openldap-its＠openldap.org 12 Apr '22

12 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9784 Issue ID: 9784 Summary: Adding our OpenLDAP support services Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: contact(a)linuxstans.com Target Milestone: --- Hi, We offer OpenLDAP support and we'd really appreciate it if you can add our details to your support page https://www.openldap.org/support/ Here are the details: <a href="https://linuxstans.com/support/">Linux Stans</a> - USA Provides installation, configuration, maintenance, and 24/7 support services for OpenLDAP. Let me know if you need more info. Thanks! -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9819] New: Bump version of ldapc++
by openldap-its＠openldap.org 11 Apr '22

11 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9819 Issue ID: 9819 Summary: Bump version of ldapc++ Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: contrib Assignee: bugs(a)openldap.org Reporter: jengelh(a)inai.de Target Milestone: --- In the *SUSE family of Linux distributions, we have had a standalone ldapcpp package, the code of which was authored by R. Haferkamp; the package is marked 0.3.1 inside and out and uses SONAME=libldapcpp.so.1. This ldapcpp package is being phased out in favor of building the software from the copy in openldap/contrib/ldapc++, which I find is also by Haferkamp. However, it is marked as 0.0.0 and uses SONAME=libldapcpp.so.0. ---- » abidiff /usr/lib64/libldapcpp.so.1 .libs/libldapcpp.so.0 ELF SONAME changed Functions changes summary: 0 Removed, 4 Changed, 2 Added (30 filtered out) functions Variables changes summary: 0 Removed, 0 Changed, 0 Added variable Function symbols changes summary: 0 Removed, 9 Added function symbols not referenced by debug info Variable symbols changes summary: 0 Removed, 1 Added variable symbol not referenced by debug info SONAME changed from 'libldapcpp.so.1' to 'libldapcpp.so.0' 2 Added functions: [A] 'method virtual LDAPMsg::~LDAPMsg(int)' {_ZN7LDAPMsgD0Ev} note that this adds a new entry to the vtable of class LDAPMsg [A] 'method virtual LDAPMsg::~LDAPMsg(int)' {_ZN7LDAPMsgD2Ev, aliases _ZN7LDAPMsgD1Ev} note that this adds a new entry to the vtable of class LDAPMsg 4 functions with some indirect sub-type change: [C] 'method void LDAPAsynConnection::unbind()' at LDAPAsynConnection.cpp:270:1 has some indirect sub-type changes: parameter 1 of type 'int' was added [C] 'method LDAPAttrType::LDAPAttrType()' at LDAPAttrType.cpp:11:1 has some indirect sub-type changes: parameter 1 of type 'int' was added [C] 'method LDAPAttributeList::LDAPAttributeList()' at LDAPAttributeList.cpp:24:1 has some indirect sub-type changes: parameter 1 of type 'int' was added [C] 'method LDAPSchema::LDAPSchema()' at LDAPSchema.cpp:18:1 has some indirect sub-type changes: parameter 1 of type 'int' was added 9 Added function symbols not referenced by debug info: [A] _ZN12LDAPAttrTypeC1ERKS_ [A] _ZN12LDAPAttrTypeC2ERKS_, aliases _ZN12LDAPAttrTypeC1ERKS_ [A] _ZN13LDAPExceptionC1ERKS_, aliases _ZN13LDAPExceptionC2ERKS_ [A] _ZN13LDAPExceptionC2ERKS_ [A] _ZN16LDAPUrlExceptionD1Ev [A] _ZN16LDAPUrlExceptionD2Ev, aliases _ZN16LDAPUrlExceptionD1Ev [A] _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED0Ev [A] _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED1Ev, aliases _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev [A] _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev 1 Added variable symbol not referenced by debug info: [A] _ZTV7LDAPMsg ---- This leads me to believe that contrib/ldapc++ is actually the newer one despite the inferior versioning. To avoid confusion going forward, I propose to bump the version (in the `version.var` file) to at least 0.3.1, and the SONAME should be changed to libldapcpp.so.2 (now), so that future maintainers won't accidentally reuse libldapcpp.so.1. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 8143] SegV in ~LDAPCtrl()
by openldap-its＠openldap.org 11 Apr '22

11 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=8143 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=7806 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7806] memory leak in contrib/ldapc++/LDAPAsynConnection.cpp
by openldap-its＠openldap.org 11 Apr '22

11 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=7806 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=8143 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9821] New: slapo-homedir.5 is installed despite --disable-homedir
by openldap-its＠openldap.org 10 Apr '22

10 Apr '22

https://bugs.openldap.org/show_bug.cgi?id=9821 Issue ID: 9821 Summary: slapo-homedir.5 is installed despite --disable-homedir Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- Even with ./configure --disable-homedir the man page file slapo-homedir.5 is installed. Worth to fix this for 2.6.2? -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9812] New: Registered SLAPI plugin functions are not called
by openldap-its＠openldap.org 28 Mar '22

28 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9812 Issue ID: 9812 Summary: Registered SLAPI plugin functions are not called Product: OpenLDAP Version: 2.6.1 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: guru(a)unixarea.de Target Milestone: --- We're running since ages with an OpenLDAP server 2.4.40 a plugin which publishes changes (add, modify, delete) in LDAP to an Identity Server (IDM). We compile on SuSE Linux from source. The configure options for 2.6.1 are: ./configure --enable-aci=yes --enable-dynacl --enable-spasswd=yes --enable-crypt=yes --enable-debug=yes --enable-shared=yes --enable-modules=yes --enable-slapi --enable-slapd=yes --with-tls --prefix=/opt/openldap-2.6.1 Our SLAPI plugin, written in C works fine for 2.4.40 and stopped working for 2.6.1. It is configured in slapd.conf as plugin postoperation /opt/openldap-2.6.1/lib64/idm.so idm_init "IDM Plugin" 10.23.33.52 3001 The function idm_init() registers static C functions the supposed way: int idm_init(Slapi_PBlock * pb) { int rc = LDAP_SUCCESS; log("idm-plugin:","now in idm_init()\n"); // first call, create new list and register the functions ... rc |= slapi_pblock_set( /* Plug-in API version */ pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_CURRENT_VERSION); rc |= slapi_pblock_set( /* Plug-in description */ pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &desc); rc |= slapi_pblock_set( /* Modify function */ pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *) modify_user); ... // read arguments and add list entry rc |= read_arguments(pb); log("idm-plugin", "idm_init() return rc:%d\n", rc); return rc; } The begin of the function for modify_user() looks like this: static int modify_user(Slapi_PBlock * pb) { Slapi_Entry *entry; log("idm-plugin:", "now in modify_user\n"); if (slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &entry) != LDAP_SUCCESS) { log("IDM-Connector Plugin", "entry modified, but couldn't get entry"); return -1; } ... But the function gets never called from slapd on changes in LDAP. The log shows only the registering: 03/16/22 10:52:26 idm-plugin:: now in idm_init() 03/16/22 10:52:26 IDM-Connector Plugin: idm_init: Initializing plugin 03/16/22 10:52:26 idm-plugin:: now in read_arguments() 03/16/22 10:52:26 IDM Plugin: added idm connector: ip=10.23.33.52, port=3001 03/16/22 10:52:26 idm-plugin: idm_init() returns rc:0 03/16/22 10:52:26 plugin_pblock_new: Registered plugin OCLC-IDM-Connector-Notifier 1.0 [OCLC.org] (Notify the OCLC IDM-Connector of changes) As I said, with OpenLDAP 2.4.40 this works fine. It does not work anymore with 2.6.1. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 6461] back-sql quote characters in query
by openldap-its＠openldap.org 28 Mar '22

28 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=6461 --- Comment #10 from Howard Chu <hyc(a)openldap.org> --- Escaping with a backslash appears to be non-portable. All the major SQL implementations escape a single quote by doubling it, as done in the patch for ITS#9815. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6461] back-sql quote characters in query
by openldap-its＠openldap.org 28 Mar '22

28 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=6461 Ryan Tandy <ryan(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9815 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7978] OpenLDAP 2.4 fails to build with LibreSSL
by openldap-its＠openldap.org 27 Mar '22

27 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7978 ismael(a)iodev.co.uk changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ismael(a)iodev.co.uk --- Comment #13 from ismael(a)iodev.co.uk --- Created attachment 889 --> https://bugs.openldap.org/attachment.cgi?id=889&action=edit Fix building against LibreSSL OpenLDAP 2.6.1 works fine against LibreSSL 3.4+. The only problem is the configure script checks for a symbol LibreSSL doesn't implement yet. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7832] Proposing ppolicy extended module for OpenLDAP
by openldap-its＠openldap.org 22 Mar '22

22 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7832 --- Comment #25 from Quanah Gibson-Mount <quanah(a)openldap.org> --- (In reply to David Coutadeur from comment #24) > Hello, > I have just opened a new MR: > https://git.openldap.org/openldap/openldap/-/merge_requests/509 to upgrade > ppm to 2.1 release: > > Changes: > - Reject password if it contains tokens from an attribute of the LDAP entry > https://github.com/ltb-project/ppm/issues/17 You should file a new issue for this, rather than commenting in this issue. Thanks -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7832] Proposing ppolicy extended module for OpenLDAP
by openldap-its＠openldap.org 22 Mar '22

22 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7832 --- Comment #24 from David Coutadeur <david.coutadeur(a)gmail.com> --- Hello, I have just opened a new MR: https://git.openldap.org/openldap/openldap/-/merge_requests/509 to upgrade ppm to 2.1 release: Changes: - Reject password if it contains tokens from an attribute of the LDAP entry https://github.com/ltb-project/ppm/issues/17 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7089] ppolicy adds PWDFAILURETIME to organizationalUnit
by openldap-its＠openldap.org 22 Mar '22

22 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7089 Ondřej Kuzník <ondra(a)mistotebe.net> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9813 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9810] New: slapacl peername
by openldap-its＠openldap.org 18 Mar '22

18 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9810 Issue ID: 9810 Summary: slapacl peername Product: OpenLDAP Version: 2.4.59 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ratness(a)gmail.com Target Milestone: --- Found in 2.4.59 on a $WORK system, replicated in 2.6.1: [root@centos-s-1vcpu-1gb-ams3-01 ~]# rpm -qf /opt/symas/sbin/slapacl symas-openldap-servers-2.6.1-2.el7.x86_64 This is a box where I don't even have slapd running, but that's okay because my point is visible without it: [root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F /etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername.ip=127.0.0.1 entry/read usage: slapacl [-v] [-d debuglevel] [-f configfile] [-F configdir] [-o <name>[=<value>]] [-U authcID | -D authcDN] [-X authzID | -o authzDN=<DN>] -b DN [-u] [attr[/access][:value]] [...] When I ask for `-o peername.ip=127.0.0.1` the `slapacl` command bails out with usage, indicating a parse failure. If I then run `slapacl` with `-o peername=ip=127.0.0.1`, I get: [root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F /etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername=ip=127.0.0.1 entry/read invalid config directory /etc/openldap/slapd.d, error 2 slapacl: bad configuration directory! (which I would expect here since I have no server running) Demo on 2.4.59 at work: $ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D uid=replicator,ou=logins,dc=example -b 'mail=me(a)example.com,o=com,dc=mozilla' -o peername=ip=127.0.0.1 entry/read authcDN: "uid=replicator,ou=logins,dc=example" read access to entry: ALLOWED $ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D uid=replicator,ou=logins,dc=example -b 'mail=me(a)example.com,o=com,dc=mozilla' -o peername=ip=127.0.0.2 entry/read authcDN: "uid=replicator,ou=logins,dc=example" read access to entry: DENIED slapacl(8) mentions peername, but also aims us at slapd.access(5), which lists peername[.<peernamesytle>]. It's possible I'm dense and this isn't a bug, but minimally the equalsign repetition is really awkward to my eye. I'd suggest at least an example in slapacl(8) so it's easier to figure out. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9807] New: Cannot enable {ARGON2} passwd scheme support
by openldap-its＠openldap.org 13 Mar '22

13 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9807 Issue ID: 9807 Summary: Cannot enable {ARGON2} passwd scheme support Product: OpenLDAP Version: unspecified Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: gregory.widmer(a)gwidmer.fr Target Milestone: --- Created attachment 881 --> https://bugs.openldap.org/attachment.cgi?id=881&action=edit Trace of every executed command. I want to build OpenLDAP with argon2 support. Unfortunately, it doesn't work and I don't understand why. It seems to be a build issue. Here is how to reproduce the issue : I'm using a fresh install of Debian 11. The following packages were installed for this : - libargon2-dev - libltdl-dev - git - build-essential I am using the master branch of the git repository : https://git.openldap.org/openldap/openldap/-/commit/e8813b12b6188d5ba5f174f… I'm using root, and the repo is under /root/openldap. My objective is to : - Run slapd with {ARGON2} support - Set {ARGON2} as password-hash - Use slappasswd to create a password for LDAP admin in slapd.conf I ran the following commands : - apt install libltdl-dev libargon2-dev git build-essential -y - ./configure --with-argon2=libargon2 --enable-modules --enable-argon2=yes - make depend - make - make check - make install I then created a systemd service for slapd, reloaded daemons with systemctl then started the service. I got the following error : @(#) $OpenLDAP: slapd 2.X (Mar 12 2022 15:31:06) $ root@ldap:/root/openldap/servers/slapd /usr/local/etc/openldap/slapd.conf: line 65: <password-hash> scheme not available ({ARGON2}) /usr/local/etc/openldap/slapd.conf: line 65: <password-hash> no valid hashes found slapd stopped. connections_destroy: nothing to destroy. I don't understand how to build openldap with argon2. I did not find anything. You will find a global trace file for every command used with the program. -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9805] New: member attributes managed by autogroup are lost when user attributes are adjusted
by openldap-its＠openldap.org 10 Mar '22

10 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9805 Issue ID: 9805 Summary: member attributes managed by autogroup are lost when user attributes are adjusted Product: OpenLDAP Version: 2.4.59 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: contrib Assignee: bugs(a)openldap.org Reporter: michael.bobzin(a)baloise.ch Target Milestone: --- Hello OpenLDAP Team, we use nested groups in our OpenLDAP directory. User X is a member of group A. Group A is a member of group B. User X is therefore also a member of group B. To be able to find out all groups of user X with only one LDAP query we use the dynlist overlay together with the autogroup overlay. Group B is a dynamic group whose member attributes are set with autogroup, to allow a search for members. ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch" "(member=cn=userx,ou=users,dc=basler,dc=ch)" dn Result: cn=groupA,ou=groups,dc=basler,dc=ch cn=groupB,ou=groups,dc=basler,dc=ch ----- Gruppe A ---------------------------------------------------------- dn: cn=groupA,ou=groups,dc=basler,dc=ch cn: groupA objectClass: top objectClass: groupOfNames member:cn=userX,ou=users,dc=basler,dc=ch ----- Gruppe B ---------------------------------------------------------- dn: cn=groupB,ou=groups,dc=basler,dc=ch cn: groupB objectClass: top objectClass: groupOfURLs memberURL: ldap:///ou=groups,dc=basler,dc=ch?member?one?(cn=groupA) # managed by autogroup member:cn=userX,ou=users,dc=basler,dc=ch ----------------------------------------------------------------------- This works until any attribute in the userX object is changed. The member attribute for userX created dynamically by autogroup is then deleted from groupB although userX is still a member of groupA and is therefore matched with the search in the memberURL attribute of groupB matched. The expected behaviour would be that the member attribute in groupB remains unchanged. ----------- configuration -------------------------- OpenLDAP 2.4.59 from https://www.ltb-project.org/download.html --------------- slapd.conf ------------------------- ... moduleload dynlist moduleload autogroup.so ... include /usr/local/openldap/etc/openldap/local-schema/dyngroup.schema ... overlay dynlist dynlist-attrset groupOfURLs memberURL overlay autogroup autogroup-attrset groupOfURLs memberURL member -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9497] New: back-ldif: test022-ppolicy failure
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9497 Issue ID: 9497 Summary: back-ldif: test022-ppolicy failure Product: OpenLDAP Version: 2.5 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: hamano(a)osstech.co.jp Target Milestone: --- The test022-ppolicy with back-ldif fail for two issue. 1. too short pwdMaxAge ~~~ $ ./run -b ldif test022-ppolicy (snip) Testing password expiration Waiting seconds for password to expire... sleep: missing operand Try 'sleep --help' for more information. Password expiration test failed ~~~ The script tries test for lockout and then a test for password expiration. It will fail if the password has expired(pwdMaxAge: 30) by the time it starts the password expiration test. This is a timing issue and not directly caused by back-ldif. However, the issue is reproduced only with back-ldif in my environment. This test passed in my environment by extending pwdMaxAge by 5 seconds, but there may be a better way. 2. duplicate ldap control response ~~~ Reconfiguring policy to remove grace logins... Clearing forced reset... expr: syntax error: unexpected argument '15' Testing password expiration Waiting seconds for password to expire... sleep: missing operand Try 'sleep --help' for more information. ~~~ This is back-ldif issue. back-ldif responds duplicate ldap control response. -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 5840] mdb online indexing and shutdown
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=5840 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 5840] mdb online indexing and shutdown
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=5840 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |RESOLVED Resolution|--- |DUPLICATE --- Comment #12 from Howard Chu <hyc(a)openldap.org> --- (In reply to Ondřej Kuzník from comment #11) > Is this resolved with ITS#8958? Yes *** This issue has been marked as a duplicate of issue 8958 *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8958] 2nd cn=config update blocks slapd while adding subordinate index
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=8958 Howard Chu <hyc(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ralf(a)openldap.org --- Comment #42 from Howard Chu <hyc(a)openldap.org> --- *** Issue 5840 has been marked as a duplicate of this issue. *** -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 5840] mdb online indexing and shutdown
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=5840 --- Comment #11 from Ondřej Kuzník <ondra(a)mistotebe.net> --- Is this resolved with ITS#8958? -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9798] New: Clearing pending ops on Bind
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9798 Issue ID: 9798 Summary: Clearing pending ops on Bind Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Some context first. The only universal way of reset an arbitrary (SASL) bind in progress, at least in my reading of RFC4511 is to send an anonymous bind op, so that's what the load balancer does when needed (the client goes away, etc.). Incidentally, this is also what the balancer chooses to do when the pending bind needs to be "abandoned" when the backend doesn't respond within a configured timeout. That's skating the edge of what RFC4511 allows, probably just past it. The issue: When slapd receives a bind and another operation X (lloadd sends the above mentioned "reset" bind) before that first bind starts processing, X gets added into conn->c_ops_pending and does c_n_pending_ops++. Bind then eventually invokes connection_abandon which forgets to zero out c_n_pending_ops and the connection remains unusable forever. On the surface that's trivial to fix and a fix is coming. On the other hand, operation X in the pending list is actually discarded too, so that kind of defeats the idea of trying to "abandon" the original bind and completely reset the connection state. Question is, do we want to retain the last bind in the pending list or does the balancer have to destroy the connection unconditionally when a bind times out? -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 8524] cn=config + ditContentRule
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=8524 --- Comment #3 from Ondřej Kuzník <ondra(a)mistotebe.net> --- Just like with attribute and objectclass definitions, these are stored under cn=schema,cn=config as the file that defined them or directly in cn=config if defined in slapd.conf directly (as you're doing here). Maybe keep them in a file that you also include. Don't know if we should document this behaviour or change it in some way. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 7441] cn=config filters ignore {number}
by openldap-its＠openldap.org 07 Mar '22

07 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=7441 --- Comment #2 from Ondřej Kuzník <ondra(a)mistotebe.net> --- The inconsistency part comes from bconfig not implementing be_compare. Instead, it relies on the frontend implementation, so while search goes through test_filter->...->ordered_value_match and other backends use slap_compare_entry which triggers the same, frontend's compare gets the actual values through backend_attribute and then calls value_find_ex, which doesn't care about SLAP_AT_ORDERED. Afterwards, allowing attr={index} assertions to match attr={index}value and attr={index}value to match itself only should be possible by adapting ordered_value_match (and value_find_ex or whatever we end up calling from the frontend). -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9748] New: Deleted values of pwdFailureTime seem to reappear
by openldap-its＠openldap.org 03 Mar '22

03 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9748 Issue ID: 9748 Summary: Deleted values of pwdFailureTime seem to reappear Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Created attachment 854 --> https://bugs.openldap.org/attachment.cgi?id=854&action=edit accesslog for uid=dm01-R2H2-956,ou=People,dc=example,dc=com Somehow, ppolicy seems to be able to reference values of pwdFailureTime that had been deleted before the actual bind even started. In the attached accesslog, trace, deletion of everything (including "20211115154510.478330Z") is recorded from reqSession: 3, then a bind comes in and the same value is explicitly removed again. -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Issue 9800] New: ACL with set.expand in <who> clause does not work with deref control
by openldap-its＠openldap.org 03 Mar '22

03 Mar '22

https://bugs.openldap.org/show_bug.cgi?id=9800 Issue ID: 9800 Summary: ACL with set.expand in <who> clause does not work with deref control Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: michael(a)stroeder.com Target Milestone: --- This ACL returns correct values with a normal search requesting the attribute sudoUser: access to dn.subtree="ou=ae-dir" attrs=sudoUser val.regex="^%(.+)$" by set.expand="(user/-1 | user/aeSrvGroup)/aeLoginGroups & [ldap:///ou=ae-dir?entryDN?sub?(&(objectClass=aeGroup)(aeStatus=0)(cn=${v1}))]/entryDN" read by * none But it does not work with a search like this using deref control: ldapsearch -Q -E deref=aeVisibleSudoers:cn,sudoUser '(objectClass=aeSrvGroup)' For completeness see docs and schema for aeSrvGroup: https://www.ae-dir.com/docs.html#schema-oc-aeSrvGroup https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/master/fi… -- You are receiving this mail because: You are on the CC list for the issue.

1 1

[Issue 7335] Create process for updating man pages to handle both cn=config and slapd.conf configurations
by openldap-its＠openldap.org 28 Feb '22

28 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=7335 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.6.2 |2.7.0 Assignee|hyc(a)openldap.org |bugs(a)openldap.org -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 6097] MMR problems with deletes
by openldap-its＠openldap.org 28 Feb '22

28 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=6097 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.6.2 |2.7.0 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8255] slapd-sock: response parsing in str2result() is broken
by openldap-its＠openldap.org 28 Feb '22

28 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=8255 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|IN_PROGRESS |RESOLVED --- Comment #12 from Quanah Gibson-Mount <quanah(a)openldap.org> --- RE26: • 59605f9f by Ondřej Kuzník at 2022-02-28T17:36:11+00:00 ITS#8255 Clarify "sockresps result" behaviour -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8255] slapd-sock: response parsing in str2result() is broken
by openldap-its＠openldap.org 28 Feb '22

28 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=8255 --- Comment #11 from Quanah Gibson-Mount <quanah(a)openldap.org> --- head: 73e882c8 by Ondřej Kuzník at 2022-02-24T15:32:36+00:00 ITS#8255 Clarify "sockresps result" behaviour -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8753] Public key pinning support in libldap
by openldap-its＠openldap.org 21 Feb '22

21 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=8753 --- Comment #14 from Ondřej Kuzník <ondra(a)mistotebe.net> --- On Mon, Feb 21, 2022 at 10:46:12AM +0000, openldap-its(a)openldap.org wrote: > => The correct values for hashalgo should be described in the man-page. Since this depends entirely on the crypto library at runtime, not sure how we could do any better than saying "it depends", which is what I did in that linked commit, now at https://git.openldap.org/openldap/openldap/-/merge_requests/499 Can you suggest an alternate wording you think explains it better? Thanks, -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8753] Public key pinning support in libldap
by openldap-its＠openldap.org 21 Feb '22

21 Feb '22

https://bugs.openldap.org/show_bug.cgi?id=8753 --- Comment #13 from Michael Ströder <michael(a)stroeder.com> --- On 2/21/22 11:40, openldap-its(a)openldap.org wrote: > See the (commented) lines in the test: > https://code.stroeder.com/pymod/python-ldap0/src/branch/main/tests/test_lda… Ok, I've looked into the tests for TLS_PEERKEY_HASHALG to make it work. => The correct values for hashalgo should be described in the man-page. -- You are receiving this mail because: You are on the CC list for the issue.

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs