openldap-bugs

openldap-bugs@openldap.org

1 participants
21001 discussions

Re: (ITS#7746) adding weird cert crashes slapd
by hyc＠symas.com 14 Nov '13

14 Nov '13

michael(a)stroeder.com wrote: > Yes, this cert is weird. And I also consider empty subject-DN as invalid. > But you never know what people want to add. That's essentially declaring "I am anonymous" - who the heck uses a cert to do that? And who would trust a self-signed cert for an anonymous CA? > > Thanks for fixing the crash. > > Will test git master this evening. > > Ciao, Michael. > > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7746) adding weird cert crashes slapd
by michael＠stroeder.com 14 Nov '13

14 Nov '13

Yes, this cert is weird. And I also consider empty subject-DN as invalid. But you never know what people want to add. Thanks for fixing the crash. Will test git master this evening. Ciao, Michael.

1 0

Re: (ITS#7746) adding weird cert crashes slapd
by hyc＠symas.com 14 Nov '13

14 Nov '13

michael(a)stroeder.com wrote: > Full_Name: > Version: 2.4.37 > OS: Debian Squeeze > URL: > Submission from: (NULL) (212.227.35.93) > > > Adding the following weird test cert to attribute 'userCertificate' of an > existing entry crashed slapd. I will provide more details later if needed. > > -----BEGIN CERTIFICATE----- > MIIBfjCCASSgAwIBAgIBATAKBggqhkjOPQQDAjAAMB4XDTEzMTExNDA4NTgzNloX > DTEzMTIxNDA4NTgzNlowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCaMbYk9 > kWfPT3gEKoIlQD6FPT+ea3PeB91l4c6reksafBuzWqG6tjZ9JhGf/AZNQEPhuaBg > KvppUO+AVpZXls6jgY4wgYswCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcD > AQYIKwYBBQUHAwIwHQYDVR0OBBYEFFh0Ssh8tqESHytVtEPHU1IoTSmbMCgGA1Ud > IwQhMB+AFFh0Ssh8tqESHytVtEPHU1IoTSmboQSkAjAAggEBMBYGA1UdEQQPMA2C > C2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICZVDrN0xlLkOv8odyXQASYy > Vy68ynjW3vZQndia3gQSAiEAvOn2JZEJmlfwPr3EglREs8CnXeqYfREqYfIfVufC > 0zM= > -----END CERTIFICATE----- > > This cert has a 0-length issuerDN. Didn't think that was allowed, but anyway, fixed now in master. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7747) smbk5pwd with translucent overlay
by jdescamps＠capensis.fr 14 Nov '13

14 Nov '13

Full_Name: descamps jérémy Version: 2.4.28 OS: Linux Debian/RH URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (77.242.202.229) This is not an issue report but a enhancement idea for the smbk5pwd overlay. I'm having a translucent LDAP instance over a simple LDAP instance. This translucent instance performs the LDAP samba attributes and objectclasses on each entries. Thereby, I'm not able to use smbk5pwd overlay in order to change samba attributes when 'userPassword' attribute changed, cause 'userPassword' and 'sambaNTPassword' aren't on the same LDAP instance. It will be very useful to send a PasswordModify operation to a remote server in order to update samba attributes. Thank you team ! Regards,

1 0

(ITS#7746) adding weird cert crashes slapd
by michael＠stroeder.com 14 Nov '13

14 Nov '13

Full_Name: Version: 2.4.37 OS: Debian Squeeze URL: Submission from: (NULL) (212.227.35.93) Adding the following weird test cert to attribute 'userCertificate' of an existing entry crashed slapd. I will provide more details later if needed. -----BEGIN CERTIFICATE----- MIIBfjCCASSgAwIBAgIBATAKBggqhkjOPQQDAjAAMB4XDTEzMTExNDA4NTgzNloX DTEzMTIxNDA4NTgzNlowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCaMbYk9 kWfPT3gEKoIlQD6FPT+ea3PeB91l4c6reksafBuzWqG6tjZ9JhGf/AZNQEPhuaBg KvppUO+AVpZXls6jgY4wgYswCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcD AQYIKwYBBQUHAwIwHQYDVR0OBBYEFFh0Ssh8tqESHytVtEPHU1IoTSmbMCgGA1Ud IwQhMB+AFFh0Ssh8tqESHytVtEPHU1IoTSmboQSkAjAAggEBMBYGA1UdEQQPMA2C C2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCICZVDrN0xlLkOv8odyXQASYy Vy68ynjW3vZQndia3gQSAiEAvOn2JZEJmlfwPr3EglREs8CnXeqYfREqYfIfVufC 0zM= -----END CERTIFICATE-----

1 0

Re: (ITS#7745) olcAuthzRegexp lowers cases substitution variables
by whm＠stanford.edu 13 Nov '13

13 Nov '13

--On Wednesday, November 13, 2013 11:07:55 PM +0100 Pierangelo Masarati <pierangelo.masarati(a)polimi.it> wrote: > On 11/13/2013 07:11 PM, whm(a)stanford.edu wrote: >> Full_Name: Bill MacAllister >> Version: 2.4.35 >> OS: Debian 7 >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (67.180.239.194) >> >> >> We have noticed a problem with authentication for some Kerberos >> principals. The olcAuthzRegexp processing seems to be lower casing >> the input when forming substition variables. Since Kerberos >> principals are case sensitive this causes authentications to fail. >> >> We have the following olcAuthzRegexp entries in our directory. >> >> % ldapsearch -b cn=config -LLL -Q "olcAuthzRegexp=*" olcAuthzRegexp >> dn: cn=config >> olcAuthzRegexp: {0}"uid=(.*)(a)win.stanford.edu,cn=stanford.edu,cn=gssapi,cn=aut >> h" "ldap:///cn=service-win,cn=Applications,dc=stanford,dc=edu??sub?krb5Princi >> palName=$1(a)WIN.STANFORD.EDU" >> olcAuthzRegexp: {1}"uid=(.*)/cgi,cn=stanford.edu,cn=gssapi,cn=auth" "ldap:///c >> n=cgi,cn=applications,dc=stanford,dc=edu??sub?krb5PrincipalName=$1/cgi@stanfo >> rd.edu" >> olcAuthzRegexp: {2}"uid=host/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap:/// >> cn=Host,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=host/$1@sta >> nford.edu" >> olcAuthzRegexp: {3}"uid=service/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap: >> ///cn=Service,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=servi >> ce/$1(a)stanford.edu" >> olcAuthzRegexp: {4}"uid=smtp/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap:/// >> cn=smtp,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=smtp/$1@sta >> nford.edu" >> olcAuthzRegexp: {5}"uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap: >> ///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webau >> th/$1(a)stanford.edu" >> olcAuthzRegexp: {6}"uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap:///uid=$ >> 1,cn=Accounts,dc=stanford,dc=edu??sub?suSeasStatus=active" >> >> We have the following entries in the directory holding Kerberos >> principals. >> >> % ldapsearch -Q -LLL -b cn=service-win,cn=Applications,dc=stanford,dc=edu >> "krb5PrincipalName=*" krb5PrincipalName >> dn: cn=adharvservice,cn=service-win,cn=applications,dc=stanford,dc=edu >> krb5PrincipalName: adharvservice(a)WIN.STANFORD.EDU >> >> dn: cn=EmailGroupMgr.svc,cn=service-win,cn=applications,dc=stanford,dc=edu >> krb5PrincipalName: EmailGroupMgr.svc(a)WIN.STANFORD.EDU >> >> Searches using adharvservice(a)WIN.STANFORD.EDU work as expected, but searches >> using EmailGroupMgr.svc(a)WIN.STANFORD.EDU fail. Here is what we see in >> the log for a EmailGroupMgr.svc(a)WIN.STANFORD.EDU search: >> >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 fd=572 ACCEPT from >> IP=171.64.18.139:3902 (IP=0.0.0.0:389) >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=0 SRCH base="" scope=0 >> deref=0 filter="(objectClass=*)" >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=0 SRCH >> attr=subschemaSubentry dsServiceName namingContexts defaultNamingContext >> schemaNamingContext configurationNamingContext rootDomainNamingContext >> supportedControl supportedLDAPVersion supportedLDAPPolicies >> supportedSASLMechanisms dnsHostName ldapServiceName serverName >> supportedCapabilities >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=0 SEARCH RESULT tag=101 >> err=0 nentries=1 text= >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=1 BIND dn="" method=163 >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=1 RESULT tag=97 err=14 >> text=SASL(0): successful result: mech EXTERNAL is too weak >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=2 BIND dn="" method=163 >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=2 RESULT tag=97 err=14 >> text=SASL(0): successful result: mech EXTERNAL is too weak >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 BIND dn="" method=163 >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 BIND >> authcid="EmailGroupMgr.svc(a)WIN.STANFORD.EDU" >> authzid="EmailGroupMgr.svc(a)WIN.STANFORD.EDU" >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 BIND >> dn="uid=emailgroupmgr.svc(a)win.stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth" >> mech=GSSAPI sasl_ssf=56 ssf=56 >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 RESULT tag=97 err=0 >> text= >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=4 SRCH >> base="cn=accounts,dc=stanford,dc=edu" scope=2 deref=0 filter="(uid=whm)" >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=4 SRCH attr=uid >> suSeasLocal >> Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=4 SEARCH RESULT tag=101 >> err=0 nentries=0 text= >> Nov 12 14:37:43 directory1 slapd[8804]: conn=2649928 op=5 UNBIND >> Nov 12 14:37:43 directory1 slapd[8804]: conn=2649928 fd=572 closed >> >> Note that the authcid is EmailGroupMgr.svc(a)WIN.STANFORD.EDU, but it >> gets mapped into: >> >> uid=emailgroupmgr.svc(a)win.stanford.edu,cn=stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth > > This is because the construction of such DN makes use of "uid", whose matching rule is case insensitive. > > As a workaround (assuming this is acceptable for you), you could probably modify your olcAuthzRegexp rules to force case-insensitive lookup of krb5PrincipalName, something like > > olcAuthzRegexp: {0}"uid=(.*)(a)win.stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth" "ldap:///cn=service-win,cn=Applications,dc=stanford,dc=edu??sub?(krb5PrincipalName:caseIgnoreIA5Match:=$1@WIN.STANFORD.EDU)" > > or something like that. Much more elegant work around than I had in mind. Thanks. Bill -- Bill MacAllister Infrastructure Delivery Group, Stanford University

1 0

Re: (ITS#7745) olcAuthzRegexp lowers cases substitution variables
by pierangelo.masarati＠polimi.it 13 Nov '13

13 Nov '13

On 11/13/2013 07:11 PM, whm(a)stanford.edu wrote: > Full_Name: Bill MacAllister > Version: 2.4.35 > OS: Debian 7 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (67.180.239.194) > > > We have noticed a problem with authentication for some Kerberos > principals. The olcAuthzRegexp processing seems to be lower casing > the input when forming substition variables. Since Kerberos > principals are case sensitive this causes authentications to fail. > > We have the following olcAuthzRegexp entries in our directory. > > % ldapsearch -b cn=config -LLL -Q "olcAuthzRegexp=*" olcAuthzRegexp > dn: cn=config > olcAuthzRegexp: {0}"uid=(.*)(a)win.stanford.edu,cn=stanford.edu,cn=gssapi,cn=aut > h" "ldap:///cn=service-win,cn=Applications,dc=stanford,dc=edu??sub?krb5Princi > palName=$1(a)WIN.STANFORD.EDU" > olcAuthzRegexp: {1}"uid=(.*)/cgi,cn=stanford.edu,cn=gssapi,cn=auth" "ldap:///c > n=cgi,cn=applications,dc=stanford,dc=edu??sub?krb5PrincipalName=$1/cgi@stanfo > rd.edu" > olcAuthzRegexp: {2}"uid=host/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap:/// > cn=Host,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=host/$1@sta > nford.edu" > olcAuthzRegexp: {3}"uid=service/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap: > ///cn=Service,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=servi > ce/$1(a)stanford.edu" > olcAuthzRegexp: {4}"uid=smtp/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap:/// > cn=smtp,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=smtp/$1@sta > nford.edu" > olcAuthzRegexp: {5}"uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap: > ///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webau > th/$1(a)stanford.edu" > olcAuthzRegexp: {6}"uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap:///uid=$ > 1,cn=Accounts,dc=stanford,dc=edu??sub?suSeasStatus=active" > > We have the following entries in the directory holding Kerberos > principals. > > % ldapsearch -Q -LLL -b cn=service-win,cn=Applications,dc=stanford,dc=edu > "krb5PrincipalName=*" krb5PrincipalName > dn: cn=adharvservice,cn=service-win,cn=applications,dc=stanford,dc=edu > krb5PrincipalName: adharvservice(a)WIN.STANFORD.EDU > > dn: cn=EmailGroupMgr.svc,cn=service-win,cn=applications,dc=stanford,dc=edu > krb5PrincipalName: EmailGroupMgr.svc(a)WIN.STANFORD.EDU > > Searches using adharvservice(a)WIN.STANFORD.EDU work as expected, but searches > using EmailGroupMgr.svc(a)WIN.STANFORD.EDU fail. Here is what we see in > the log for a EmailGroupMgr.svc(a)WIN.STANFORD.EDU search: > > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 fd=572 ACCEPT from > IP=171.64.18.139:3902 (IP=0.0.0.0:389) > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=0 SRCH base="" scope=0 > deref=0 filter="(objectClass=*)" > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=0 SRCH > attr=subschemaSubentry dsServiceName namingContexts defaultNamingContext > schemaNamingContext configurationNamingContext rootDomainNamingContext > supportedControl supportedLDAPVersion supportedLDAPPolicies > supportedSASLMechanisms dnsHostName ldapServiceName serverName > supportedCapabilities > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=0 SEARCH RESULT tag=101 > err=0 nentries=1 text= > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=1 BIND dn="" method=163 > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=1 RESULT tag=97 err=14 > text=SASL(0): successful result: mech EXTERNAL is too weak > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=2 BIND dn="" method=163 > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=2 RESULT tag=97 err=14 > text=SASL(0): successful result: mech EXTERNAL is too weak > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 BIND dn="" method=163 > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 BIND > authcid="EmailGroupMgr.svc(a)WIN.STANFORD.EDU" > authzid="EmailGroupMgr.svc(a)WIN.STANFORD.EDU" > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 BIND > dn="uid=emailgroupmgr.svc(a)win.stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth" > mech=GSSAPI sasl_ssf=56 ssf=56 > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 RESULT tag=97 err=0 > text= > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=4 SRCH > base="cn=accounts,dc=stanford,dc=edu" scope=2 deref=0 filter="(uid=whm)" > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=4 SRCH attr=uid > suSeasLocal > Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=4 SEARCH RESULT tag=101 > err=0 nentries=0 text= > Nov 12 14:37:43 directory1 slapd[8804]: conn=2649928 op=5 UNBIND > Nov 12 14:37:43 directory1 slapd[8804]: conn=2649928 fd=572 closed > > Note that the authcid is EmailGroupMgr.svc(a)WIN.STANFORD.EDU, but it > gets mapped into: > > uid=emailgroupmgr.svc(a)win.stanford.edu,cn=stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth This is because the construction of such DN makes use of "uid", whose matching rule is case insensitive. As a workaround (assuming this is acceptable for you), you could probably modify your olcAuthzRegexp rules to force case-insensitive lookup of krb5PrincipalName, something like olcAuthzRegexp: {0}"uid=(.*)(a)win.stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth" "ldap:///cn=service-win,cn=Applications,dc=stanford,dc=edu??sub?(krb5PrincipalName:caseIgnoreIA5Match:=$1@WIN.STANFORD.EDU)" or something like that. p. > > I guessed that the substitution in the olcAuthzRegex is the problem > and that the principal is being converted to lower case. > > Our attribute definition for krb5PrincipalName is: > > olcAttributeTypes: {0}( 1.3.6.1.4.1.5322.10.1.1 > NAME 'krb5PrincipalName' > DESC 'The unparsed Kerberos principal name' > EQUALITY caseExactIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VALUE ) > > But, if I change the krb5PrincipalName in the directory to be all > lower case as follows: > > % ldapsearch -Q -LLL -b cn=service-win,cn=Applications,dc=stanford,dc=edu > krb5PrincipalName=* krb5PrincipalName > dn: cn=adharvservice,cn=service-win,cn=applications,dc=stanford,dc=edu > krb5PrincipalName: adharvservice(a)WIN.STANFORD.EDU > > dn: cn=EmailGroupMgr.svc,cn=service-win,cn=applications,dc=stanford,dc=edu > krb5PrincipalName: emailgroupmgr.svc(a)WIN.STANFORD.EDU > > Then the authentication succeeds: > > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 fd=46 ACCEPT from > IP=171.64.18.139:5897 (IP=0.0.0.0:389) > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=0 SRCH base="" scope=0 > deref=0 filter="(objectClass=*)" > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=0 SRCH > attr=subschemaSubentry dsServiceName namingContexts defaultNamingContext > schemaNamingContext configurationNamingContext rootDomainNamingContext > supportedControl supportedLDAPVersion supportedLDAPPolicies > supportedSASLMechanisms dnsHostName ldapServiceName serverName > supportedCapabilities > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=0 SEARCH RESULT tag=101 > err=0 nentries=1 text= > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=1 BIND dn="" > method=163 > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=1 RESULT tag=97 err=14 > text=SASL(0): successful result: mech EXTERNAL is too weak > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=2 BIND dn="" > method=163 > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=2 RESULT tag=97 err=14 > text=SASL(0): successful result: mech EXTERNAL is too weak > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=3 BIND dn="" > method=163 > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=3 BIND > authcid="EmailGroupMgr.svc(a)WIN.STANFORD.EDU" > authzid="EmailGroupMgr.svc(a)WIN.STANFORD.EDU" > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=3 BIND > dn="cn=emailgroupmgr.svc,cn=service-win,cn=applications,dc=stanford,dc=edu" > mech=GSSAPI sasl_ssf=56 ssf=56 > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=3 RESULT tag=97 err=0 > text= > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=4 SRCH > base="cn=accounts,dc=stanford,dc=edu" scope=2 deref=0 filter="(uid=whm)" > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=4 SRCH attr=uid > suSeasLocal > Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=4 SEARCH RESULT tag=101 > err=0 nentries=1 text= > Nov 13 08:15:16 directory2 slapd[31590]: conn=3197185 op=5 UNBIND > Nov 13 08:15:16 directory2 slapd[31590]: conn=3197185 fd=46 closed > > > > -- Pierangelo Masarati Associate Professor Dipartimento di Scienze e Tecnologie Aerospaziali Politecnico di Milano

1 0

(ITS#7745) olcAuthzRegexp lowers cases substitution variables
by whm＠stanford.edu 13 Nov '13

13 Nov '13

Full_Name: Bill MacAllister Version: 2.4.35 OS: Debian 7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (67.180.239.194) We have noticed a problem with authentication for some Kerberos principals. The olcAuthzRegexp processing seems to be lower casing the input when forming substition variables. Since Kerberos principals are case sensitive this causes authentications to fail. We have the following olcAuthzRegexp entries in our directory. % ldapsearch -b cn=config -LLL -Q "olcAuthzRegexp=*" olcAuthzRegexp dn: cn=config olcAuthzRegexp: {0}"uid=(.*)(a)win.stanford.edu,cn=stanford.edu,cn=gssapi,cn=aut h" "ldap:///cn=service-win,cn=Applications,dc=stanford,dc=edu??sub?krb5Princi palName=$1(a)WIN.STANFORD.EDU" olcAuthzRegexp: {1}"uid=(.*)/cgi,cn=stanford.edu,cn=gssapi,cn=auth" "ldap:///c n=cgi,cn=applications,dc=stanford,dc=edu??sub?krb5PrincipalName=$1/cgi@stanfo rd.edu" olcAuthzRegexp: {2}"uid=host/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap:/// cn=Host,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=host/$1@sta nford.edu" olcAuthzRegexp: {3}"uid=service/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap: ///cn=Service,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=servi ce/$1(a)stanford.edu" olcAuthzRegexp: {4}"uid=smtp/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap:/// cn=smtp,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=smtp/$1@sta nford.edu" olcAuthzRegexp: {5}"uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap: ///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webau th/$1(a)stanford.edu" olcAuthzRegexp: {6}"uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth" "ldap:///uid=$ 1,cn=Accounts,dc=stanford,dc=edu??sub?suSeasStatus=active" We have the following entries in the directory holding Kerberos principals. % ldapsearch -Q -LLL -b cn=service-win,cn=Applications,dc=stanford,dc=edu "krb5PrincipalName=*" krb5PrincipalName dn: cn=adharvservice,cn=service-win,cn=applications,dc=stanford,dc=edu krb5PrincipalName: adharvservice(a)WIN.STANFORD.EDU dn: cn=EmailGroupMgr.svc,cn=service-win,cn=applications,dc=stanford,dc=edu krb5PrincipalName: EmailGroupMgr.svc(a)WIN.STANFORD.EDU Searches using adharvservice(a)WIN.STANFORD.EDU work as expected, but searches using EmailGroupMgr.svc(a)WIN.STANFORD.EDU fail. Here is what we see in the log for a EmailGroupMgr.svc(a)WIN.STANFORD.EDU search: Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 fd=572 ACCEPT from IP=171.64.18.139:3902 (IP=0.0.0.0:389) Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=0 SRCH attr=subschemaSubentry dsServiceName namingContexts defaultNamingContext schemaNamingContext configurationNamingContext rootDomainNamingContext supportedControl supportedLDAPVersion supportedLDAPPolicies supportedSASLMechanisms dnsHostName ldapServiceName serverName supportedCapabilities Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=1 BIND dn="" method=163 Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: mech EXTERNAL is too weak Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=2 BIND dn="" method=163 Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=2 RESULT tag=97 err=14 text=SASL(0): successful result: mech EXTERNAL is too weak Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 BIND dn="" method=163 Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 BIND authcid="EmailGroupMgr.svc(a)WIN.STANFORD.EDU" authzid="EmailGroupMgr.svc(a)WIN.STANFORD.EDU" Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 BIND dn="uid=emailgroupmgr.svc(a)win.stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56 Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=3 RESULT tag=97 err=0 text= Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=4 SRCH base="cn=accounts,dc=stanford,dc=edu" scope=2 deref=0 filter="(uid=whm)" Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=4 SRCH attr=uid suSeasLocal Nov 12 14:36:04 directory1 slapd[8804]: conn=2649928 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text= Nov 12 14:37:43 directory1 slapd[8804]: conn=2649928 op=5 UNBIND Nov 12 14:37:43 directory1 slapd[8804]: conn=2649928 fd=572 closed Note that the authcid is EmailGroupMgr.svc(a)WIN.STANFORD.EDU, but it gets mapped into: uid=emailgroupmgr.svc(a)win.stanford.edu,cn=stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth I guessed that the substitution in the olcAuthzRegex is the problem and that the principal is being converted to lower case. Our attribute definition for krb5PrincipalName is: olcAttributeTypes: {0}( 1.3.6.1.4.1.5322.10.1.1 NAME 'krb5PrincipalName' DESC 'The unparsed Kerberos principal name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) But, if I change the krb5PrincipalName in the directory to be all lower case as follows: % ldapsearch -Q -LLL -b cn=service-win,cn=Applications,dc=stanford,dc=edu krb5PrincipalName=* krb5PrincipalName dn: cn=adharvservice,cn=service-win,cn=applications,dc=stanford,dc=edu krb5PrincipalName: adharvservice(a)WIN.STANFORD.EDU dn: cn=EmailGroupMgr.svc,cn=service-win,cn=applications,dc=stanford,dc=edu krb5PrincipalName: emailgroupmgr.svc(a)WIN.STANFORD.EDU Then the authentication succeeds: Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 fd=46 ACCEPT from IP=171.64.18.139:5897 (IP=0.0.0.0:389) Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=0 SRCH attr=subschemaSubentry dsServiceName namingContexts defaultNamingContext schemaNamingContext configurationNamingContext rootDomainNamingContext supportedControl supportedLDAPVersion supportedLDAPPolicies supportedSASLMechanisms dnsHostName ldapServiceName serverName supportedCapabilities Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=1 BIND dn="" method=163 Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: mech EXTERNAL is too weak Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=2 BIND dn="" method=163 Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=2 RESULT tag=97 err=14 text=SASL(0): successful result: mech EXTERNAL is too weak Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=3 BIND dn="" method=163 Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=3 BIND authcid="EmailGroupMgr.svc(a)WIN.STANFORD.EDU" authzid="EmailGroupMgr.svc(a)WIN.STANFORD.EDU" Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=3 BIND dn="cn=emailgroupmgr.svc,cn=service-win,cn=applications,dc=stanford,dc=edu" mech=GSSAPI sasl_ssf=56 ssf=56 Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=3 RESULT tag=97 err=0 text= Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=4 SRCH base="cn=accounts,dc=stanford,dc=edu" scope=2 deref=0 filter="(uid=whm)" Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=4 SRCH attr=uid suSeasLocal Nov 13 08:13:38 directory2 slapd[31590]: conn=3197185 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text= Nov 13 08:15:16 directory2 slapd[31590]: conn=3197185 op=5 UNBIND Nov 13 08:15:16 directory2 slapd[31590]: conn=3197185 fd=46 closed

1 0

(ITS#7744) [Patch] TLS_REQCERT section in ldap.conf is confusing
by jsynacek＠redhat.com 13 Nov '13

13 Nov '13

Full_Name: Jan Synacek Version: master OS: Linux - Fedora 19 URL: http://jsynacek.fedorapeople.org/openldap/jsynacek-20131113-0001-Fix-client… Submission from: (NULL) (209.132.186.34) Quoting ldap.conf(5): TLS_REQCERT <level> ... try The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated. There is currently no way how to "provide no server certificate" and successfully connect via a client (e.g. ldapsearch). For additional discussion, see http://www.openldap.org/lists/openldap-technical/201311/msg00099.html.

1 0

Re: (ITS#7723) slapd crashes on multi core machines if a search request is *immediately* followed by an unbind
by jsynacek＠redhat.com 13 Nov '13

13 Nov '13

On 11/04/2013 03:11 PM, hyc(a)symas.com wrote: > jsynacek(a)redhat.com wrote: >> On 10/15/2013 01:10 PM, michael.vishchers(a)7p-group.com wrote: >>> It is not the client loop that is multithreading but the ldap server. >>> >>> And it is not a misuse of the API but a problem that may be raised by day t= >>> o day network problems. >>> >>> I've boiled down the problem to a few simple configurations that work (or b= >>> etter, fail ;-) with both 2.4.23 and 2.4.36. A tgz file containing a setup = >>> with start script and testclient is attached. It should be sufficient to re= >>> produce the fault. >>> >>> The problem occurs only if we use session variable substitution in the rwm = >>> overlay, and only if a search is *immediately* (e.g. caused by network loss= >>> and client timeout) followed by an unbind. >>> >> >> I modified the reproducer a bit (the start script) and find out a few things. >> You can find the reproducer I'm using at [1]. >> >> Valgrind's helgrind shows some lock problems in the rwm overlay and also in >> back-ldap and connection.c. After correcting those the issue seems to be gone. >> >> You can find helgrind logs at [2] (before the fix) and [3] (after). >> >> Also, ElectricFence reveals some problems [4], which I didn't fix yet. >> >> A fix attempt can be found at [5]. I'm not sure if that is a correct fix, or it >> just masked the real issue. But I didn't to manage to reproduce the problem >> after applying it. > > I already explained the problem. The other issues you identified are not > relevant, and your patch is not correct. Reread Followup #4 of this ITS. > Another take on the fix: http://jsynacek.fedorapeople.org/openldap/its7723/0001-ITS-7723-fix-referen… -- Jan Synacek Software Engineer, Red Hat

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs