openldap-bugs

openldap-bugs@openldap.org

1 participants
20985 discussions

[Issue 9741] New: Meaningless out-of-bound read in ldif-filter.c
by openldap-its＠openldap.org 09 Nov '21

09 Nov '21

https://bugs.openldap.org/show_bug.cgi?id=9741 Issue ID: 9741 Summary: Meaningless out-of-bound read in ldif-filter.c Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: matthias.st.pierre(a)ncp-e.com Target Milestone: --- I just stumbled over the following compiler warning in ldif-filter.c (see [1]): 14:10:41 ldif-filter.c:209:16: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int] 14:10:41 sep = "\r\n" + 2 - line_len; /* sep = copy(line) */ 14:10:41 ~~~~~~~^~~ 14:10:41 ldif-filter.c:209:16: note: use array indexing to silence this warning 14:10:41 sep = "\r\n" + 2 - line_len; /* sep = copy(line) */ 14:10:41 ^ 14:10:41 & [ ] While the expression is valid pointer arithmetic, it does not make sense to me, because it calculates some (possibly negative) offset to the literal string "\r\n" in memory, not the address of the beginning of some line, as the comment `sep = copy(line)` suggests. (Originally added in commit [2]). [1] https://git.openldap.org/openldap/openldap/-/blob/master/tests/progs/ldif-f… [2] https://git.openldap.org/openldap/openldap/-/commit/725743abdb -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9734] New: database ldap does not use SSL client certs as configured
by openldap-its＠openldap.org 03 Nov '21

03 Nov '21

https://bugs.openldap.org/show_bug.cgi?id=9734 Issue ID: 9734 Summary: database ldap does not use SSL client certs as configured Product: OpenLDAP Version: unspecified Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: daniel(a)ylitalo.io Target Milestone: --- Created attachment 849 --> https://bugs.openldap.org/attachment.cgi?id=849&action=edit Generated config I'm trying to setup openldap to proxy against our account on ldap.google.com with backend ldap but it does not seem like slapd uses the client cert and key eventhough it's configured. I'm receiving response "result: 50 Insufficient access" from local proxy/google and the only way you can get that response is by not providing the client cert and key. I'm attaching the config used and the slapd.conf used to generate this config, as you can see the olcDbStartTLS options are there in the ldif file but seems not to be used. (I've replaced our suffix with example.com) The debug log entry is; Nov 02 10:26:20 dev.example.com slapd[864482]:conn=1012 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=daniel.ylitalo)" Nov 02 10:26:20 dev.example.com slapd[864482]: ==> limits_get: conn=1012 op=1 self="[anonymous]" this="dc=example,dc=com" Nov 02 10:26:20 dev.example.com slapd[864482]: =>ldap_back_getconn: conn 0x7fb6101044b0 fetched refcnt=1. Nov 02 10:26:20 dev.example.com slapd[864482]: => ldap_back_munge_filter "(uid=daniel.ylitalo)" Nov 02 10:26:20 dev.example.com slapd[864482]: <= ldap_back_munge_filter "(uid=daniel.ylitalo)" (0) Nov 02 10:26:20 dev.example.com slapd[864482]: conn=1012 op=1 ldap_back_retry: retrying URI="ldaps://ldap.google.com:636" DN="" Nov 02 10:26:20 dev.example.com slapd[864482]: => ldap_back_munge_filter "(uid=daniel.ylitalo)" Nov 02 10:26:20 dev.example.com slapd[864482]: <= ldap_back_munge_filter "(uid=daniel.ylitalo)" (0) Nov 02 10:26:20 dev.example.com slapd[864482]: send_ldap_result: conn=1012 op=1 p=3 Nov 02 10:26:20 dev.example.com slapd[864482]: send_ldap_result: err=50 matched="" text="" Nov 02 10:26:20 dev.example.com slapd[864482]: send_ldap_response: msgid=2 tag=101 err=50 Nov 02 10:26:20 dev.example.com slapd[864482]: conn=1012 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text= While using ldapsearch against same endpoint works just fine with the certs; LDAPTLS_CERT=/etc/ldap/google.crt LDAPTLS_KEY=/etc/ldap/google.key ldapsearch -H ldaps://ldap.google.com -b dc=example,dc=com '(uid=daniel.ylitalo)' -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9732] New: OpenLDAP TLS ciphersuite and groups limit issue
by openldap-its＠openldap.org 29 Oct '21

29 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9732 Issue ID: 9732 Summary: OpenLDAP TLS ciphersuite and groups limit issue Product: OpenLDAP Version: 2.4.54 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: narayananballem(a)gmail.com Target Milestone: --- Hi Team, Hope you can help with this issue. I am trying to disable SSLV3 on OpenLDAP servers we are using OpenLDAP as a proxy with upstream Active directory servers. we are using CA certs on this openssl we would like to disable SSLV3 I added the below entry slapd.conf but when I tried to start slapd it's failing to start TLSCipherSuite HIGH:MEDIUM:!SSLv2:!SSLV3 errors as below slapd[19899]: main: TLS init def ctx failed: -1 slapd[19899]: slapd stopped. slapd[19899]: connections_destroy: nothing to destroy. debug logs restart as below TLS: could not set cipher list HIGH:MEDIUM:!SSLv2:!SSLV3. 617c64c1 main: TLS init def ctx failed: -1 617c64c1 slapd stopped. Also, did anybody notice this issue? I am facing the issue with a group display we have several users in group while looking for groups in getent group we are seeing a few groups not sure if there is any limit on group filed in Database -- You are receiving this mail because: You are on the CC list for the issue.

1 2

[Issue 9002] Add option to slapcat to honor rtxnsize setting
by openldap-its＠openldap.org 28 Oct '21

28 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9002 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=8226 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 8226] long searches are bad for back-mdb
by openldap-its＠openldap.org 28 Oct '21

28 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=8226 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9002 -- You are receiving this mail because: You are on the CC list for the issue.

1 0

[Issue 9715] New: Consolidate code for loglevel/logfile for better shared usage between slapd and lloadd
by openldap-its＠openldap.org 26 Oct '21

26 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9715 Issue ID: 9715 Summary: Consolidate code for loglevel/logfile for better shared usage between slapd and lloadd Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- In a future release, consolidate logging code, loglevel bits to be better shared between slapd and stand-alone lloadd. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

[Issue 9723] New: C_EOF not reset in mdb_cursor_get with MDB_FIRST_DUP
by openldap-its＠openldap.org 26 Oct '21

26 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9723 Issue ID: 9723 Summary: C_EOF not reset in mdb_cursor_get with MDB_FIRST_DUP Product: LMDB Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: stephan.j.bircher(a)gmail.com Target Milestone: --- I'm on the master branch of lmdb. Steps to reproduce // search for an non-existent key rc = mdb_cursor_get(cursor, &key, &val, MDB_SET_RANGE); if (rc == MDB_NOTFOUND) { // C_EOF is not set on the cursor flags // go to the last. // C_EOF remains set which is ok mdb_cursor_get(mdbCursor, &key, &val, MDB_LAST); // go to the first dup of the last // C_EOF remains set which is NOT OK mdb_cursor_get(mdbCursor, &key, &val, MDB_FIRST_DUP); // return MDB_NOTFOUND in any case whether there are duplicates or not // because C_EOF was not cleared mdb_cursor_get(mdbCursor, &key, &val, MDB_NEXT_NODUP); } Possible fix: case MDB_FIRST_DUP: mfunc = mdb_cursor_first; mmove: if (data == NULL || !(mc->mc_flags & C_INITIALIZED)) { rc = EINVAL; break; } if (mc->mc_xcursor == NULL) { rc = MDB_INCOMPATIBLE; break; } if (mc->mc_ki[mc->mc_top] >= NUMKEYS(mc->mc_pg[mc->mc_top])) { mc->mc_ki[mc->mc_top] = NUMKEYS(mc->mc_pg[mc->mc_top]); rc = MDB_NOTFOUND; break; } { MDB_node *leaf = NODEPTR(mc->mc_pg[mc->mc_top], mc->mc_ki[mc->mc_top]); if (!F_ISSET(leaf->mn_flags, F_DUPDATA)) { MDB_GET_KEY(leaf, key); rc = mdb_node_read(mc, leaf, data); break; } } if (!(mc->mc_xcursor->mx_cursor.mc_flags & C_INITIALIZED)) { rc = EINVAL; break; } rc = mfunc(&mc->mc_xcursor->mx_cursor, data, NULL); // FIX: clear C_EOF if (rc == MDB_SUCCESS && mc->mc_flags & C_EOF && mfunc == mdb_cursor_first) { mc->mc_flags ^= C_EOF; } break; -- You are receiving this mail because: You are on the CC list for the issue.

1 10

[Issue 9492] New: Add local logging capa
by openldap-its＠openldap.org 26 Oct '21

26 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9492 Issue ID: 9492 Summary: Add local logging capa Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: mhardin(a)symas.com Target Milestone: --- Enhancement request: Add capability to slapd to log to a local file with log rotation features. Log format should not change from syslog-generated log style. -- You are receiving this mail because: You are on the CC list for the issue.

1 9

[Issue 9641] New: accesslog when logging failed operations interferes with deltasync
by openldap-its＠openldap.org 26 Oct '21

26 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=9641 Issue ID: 9641 Summary: accesslog when logging failed operations interferes with deltasync Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: replication Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Take delta-MPR setup and accesslog configured with logsuccess off. We encounter a conflicting write (one that fails to apply in the DB) and fall back to plain syncrepl. Since we are configured to log that write, syncprov sees it (it is a failure, so doesn't match filter, which should contain reqResult=0) and sends a LDAP_SYNC_NEW_COOKIE with that CSN to our delta-consumers. While we apply this write locally in the fallback session, the consumers will skip what they see as a duplicate and lose the change. My understanding is that for failed operations, we should ignore the CSN we received with the operation and instead set up a new one (with our own sid). -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 7215] Configuration Bug of index_substr_if_{max, min}len
by openldap-its＠openldap.org 26 Oct '21

26 Oct '21

https://bugs.openldap.org/show_bug.cgi?id=7215 Quanah Gibson-Mount <quanah(a)openldap.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|TEST |FIXED Status|RESOLVED |VERIFIED -- You are receiving this mail because: You are on the CC list for the issue.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs