https://bugs.openldap.org/show_bug.cgi?id=9668
Issue ID: 9668
Summary: undefined behavior for isdigit in tls2.c
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs(a)openldap.org
Reporter: roland.illig(a)gmx.de
Target Milestone: ---
tls2.c says:
> isdigit( *c )
This invokes undefined behavior if someone manages to pass a non-ASCII
character. Depending on the platform, the process may crash or wrongly classify
the host name as either numeric or non-numeric.
While here, I noticed that both sni and c have type 'char *', but they should
rather be 'const char *'. Was there a specific reason to suggest to the reader
the host name would be modifiable?
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9706
Issue ID: 9706
Summary: monitoringslapd.sdf: typo Backends
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: dpa-openldap(a)aegee.org
Target Milestone: ---
doc/guide/admin/monitoringslapd.sdf contains:
H3: Backends
The {{EX:cn=Backends,cn=Monitor}} object, itself, provides a list
of available backends. The list of available backends all builtin
backends, as well as backends loaded by modules. For example: …
The second sentence has no verb.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9699
Issue ID: 9699
Summary: doc/admin25/loadbalancer.html: typo “between a a set
of running slapd instances”
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: dpa-openldap(a)aegee.org
Target Milestone: ---
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9693
Issue ID: 9693
Summary: Section 9.6 html formatting issue
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: mnormann(a)symas.com
Target Milestone: ---
Section 9.6 of documentation is missing a closing anchor tag and closing title
tag (Glued/Subordinate database configurations)
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9689
Issue ID: 9689
Summary: Redundancy in the description of syncprov-nopresent
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: dpa-openldap(a)aegee.org
Target Milestone: ---
https://www.openldap.org/devel/admin/replication.html#Set%20up%20the%20prov…
says:
“““
The nonpresent option **should only be configured if the overlay is being
placed on top of a log database**, such as when used with delta-syncrepl.
The nonpresent option is configured by the
syncprov-nopresent <TRUE|FALSE>
directive. This value **should only be set TRUE for a syncprov instance on top
of a log database** (such as one managed by the accesslog overlay). The default
is FALSE.
”””
I think, the circumstances when the option shall be used, are repeated twice.
One of the repetitions can be shortened.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9688
Issue ID: 9688
Summary: Is EQ index on entryCSN mandatory for replication?
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: dpa-openldap(a)aegee.org
Target Milestone: ---
https://www.openldap.org/devel/admin/replication.html says about the EQ index
on entryCSN: “On databases which support inequality indexing, setting an eq
index on the entryCSN attribute and configuring contextCSN checkpoints will
greatly speed up this scanning step.” → The index is recommended, but not
mandatory, and not always possible.
man 5 slapo-syncprov /
https://www.openldap.org/software/man.cgi?query=slapo-syncprov&apropos=0&se…
says “On databases that support inequality indexing, it is mandatory to set an
eq index on the entryCSN attribute when using this overlay.”
Between both documents there is a discrepancy, whether the EQ index is
mandatory or not.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9687
Issue ID: 9687
Summary: olcTLSECName is not required in order to use
ECDHE-based cipher suites in OpenSSL
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: dpa-openldap(a)aegee.org
Target Milestone: ---
SLAPD-CONFIG(5) says that olcTLSECName is used to set the names of the Elliptic
Curves. It does not say, that the option is required, nor does it say what
happens, when the option is not set.
https://www.openldap.org/doc/admin25/tls.html#TLS%20Configuration says for
TLSECName: This is required in order to use ECDHE-based cipher suites in
OpenSSL.
I do not set TLSECName and call
./testssl.sh ldap.aegee.org:636
which prints:
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits
Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
TLSv1 (server order)
xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLSv1.1 (server order)
xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLSv1.2 (server order)
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLSv1.3 (server order)
x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256
TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256
TLS_CHACHA20_POLY1305_SHA256
x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128
TLS_AES_128_GCM_SHA256
Testing robust forward secrecy (FS) -- omitting Null
Authentication/Encryption, 3DES, RC4
Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448
This means, that when olcTLSECName is not set, OpenSSL defaults are used, and
ECDHE-based cipher suites are still offered.
testssl.sh can be obtianed from https://github.com/drwetter/testssl.sh .
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9674
Issue ID: 9674
Summary: Is olcMonitoring enabled by default for MDB?
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: dpa-openldap(a)aegee.org
Target Milestone: ---
The manual page doc/man/man5/slapd-config.5 misses a .TP before .B
olcMonitoring. In turn at
https://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sekt…
olcMonitoring appears in the description of olcMultiProvider .
The same man page says, that only MBD supports the olcMonitoring mechanims and
the default for olcMonitoring depends on the backend. The documentation for
mdb does not say, if olcMonitoring is by default enabled or disabled
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9669
Issue ID: 9669
Summary: Incorrect Heimdal download site in OpenLDAP
Administrator's Guide
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: dewayne.geraghty(a)heuristicsystems.com.au
Target Milestone: ---
In section 4.2.3 page 18 of latest OpenLDAP 2.5 Admin Guide has Heimdal
available from http://www.pdc.kth.se/heimdal/ which is a dead link.
The more correct location is
https://github.com/heimdal/heimdal
(Thank-you for your great software!)
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9646
Issue ID: 9646
Summary: slapd-meta: deprecations in 2.4: “try-propagate is
highly deprecated”
Product: OpenLDAP
Version: 2.5.4
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: dpa-openldap(a)aegee.org
Target Milestone: ---
The upgrade instructions from 2.4 at
https://www.openldap.org/doc/admin25/appendix-upgrading.html says
> B.4. ldap and meta backends
>
> Several deprecated configuration directives for slapd-ldap(5) and slapd-meta(5) have been removed. Configurations using those directive must be updated to use supported directives prior to upgrade. See the slapd-ldap(5) and slapd-meta(5) man pages from OpenLDAP 2.4 for a list of deprecated directives.
The slapd-meta(5) for 2.4 says at
https://www.openldap.org/software/man.cgi?query=slapd-meta&apropos=0&sektio…
, when I search for “deprecated”:
> tls {[try-]start|[try-]propagate}
> The try- prefix instructs the proxy to continue operations if the StartTLS operation failed; its use is highly deprecated.
...
> DEPRECATED STATEMENTS
> The following statements have been deprecated and should no longer be used.
> pseudorootdn <substitute DN in case of rootdn bind>
> Use idassert-bind instead.
>
> pseudorootpw <substitute password in case of rootdn bind>
> Use idassert-bind instead.
I object the wording “highly deprecated”. It should be “highly discouraged”.
With the current wording it is not very clear, whether the try- variants
disappeared in 2.5
--
You are receiving this mail because:
You are on the CC list for the issue.