openldap-bugs

openldap-bugs@openldap.org

1 participants
21003 discussions

Re: (ITS#7359) [PATCH] MozNSS: prefer unlocked slot when getting private key
by jvcelak＠redhat.com 22 Aug '12

22 Aug '12

On Tuesday 21 of August 2012 13:38:41, Howard Chu wrote: > The quality of this code seems to be getting progressively worse. It seems > I've been accepting the last several patches without giving feedback though. So thank you for feedback on this patch. > 1) the recent patches do not adhere to the existing whitespace conventions. > Please fix this. Sorry for that. Looks like you already committed the patch. I will send you a patch fixing just the whitespaces in my recent changes. > 2) the code in this patch is unnecessarily clumsy: It's a matter of opinion. In general, I rather see less levels of indentation. That's why I used this construct. But right, you are the maintainer. This code is too short to say that it is more readable and the code produced by the compiler will be the same. Jan

1 0

RE: (ITS#7357) Pass-through radius auth. with RFC2865
by jet＠transniaga.co.th 21 Aug '12

21 Aug '12

Howard Chu wrote: > > jet(a)transniaga.co.th wrote: > > Full_Name: Jetasik Anantakunupakorn > > Version: 2.4.32 > > OS: FreeBSD 9.0-RELEASE amd64 > > URL: > > http://www.openldap.org/lists/openldap-technical/201208/msg00172.html > > Submission from: (NULL) (58.11.65.20) > > > > > > Pass-through radius authentication in contrib's passwd > > module(radius.c) does not include either a NAS-IP or a NAS-Identifier, > > according to radius RFC 2865 one of these attributes is mandatory in the > access request. > > > > The thing is that the previous version of Radius RFC standard(RFC > > 2138) specified that the access request "SHOULD" contain either a > > NAS-IP or a NAS-Identifier but the current version use "MUST" instead. > > > A patch for this is now in git master, please test. > Awesome!Thanks a lot. Properly tested with no error. -- JET JETASIK

1 0

Re: (ITS#7358) Patch to fix Visual Studio build broken by 2.4.32
by hyc＠symas.com 21 Aug '12

21 Aug '12

mbooth(a)apache.org wrote: > Full_Name: Mat Booth > Version: 2.4.32 > OS: Windows XP > URL: http://people.apache.org/~mbooth/0001-Fix-build-error-syntax-error-missing-… > Submission from: (NULL) (77.86.30.139) > > > The provided patch fixes a build problem for Visual Studio 2005 that was > introduced with OpenLDAP 2.4.32. Thanks for the report. A different fix is now in git master. > * libraries/libldap/init.c > Use C89-style variable declarations because Visual C does not support C99-style > declarations. Avoids a "syntax error : missing ; before type" compile-time error > with Microsoft compilers. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7359) [PATCH] MozNSS: prefer unlocked slot when getting private key
by hyc＠symas.com 21 Aug '12

21 Aug '12

jvcelak(a)redhat.com wrote: > Full_Name: Jan Vcelak > Version: git master > OS: Linux > URL: ftp://ftp.openldap.org/incoming/jvcelak-20120820-nss-prefer-unlocked-slot-p… > Submission from: (NULL) (94.113.220.43) > > > With last MozNSS patches for OpenLDAP, the library explicitly opens the > certificate database when retrieving the certificates, even if the database is > already opened. (Requried for safe certificate lookup from a nickname.) This > might also require a re-authentication to a slot, which holds the private key. > > Some application might expect that the slot with private key is already unlocked > before passing the control to libldap. This got broken with the recent changes. The quality of this code seems to be getting progressively worse. It seems I've been accepting the last several patches without giving feedback though. 1) the recent patches do not adhere to the existing whitespace conventions. Please fix this. 2) the code in this patch is unnecessarily clumsy: +static SECKEYPrivateKey * +tlsm_find_unlocked_key(tlsm_ctx *ctx, void *pin_arg) +{ + SECKEYPrivateKey *result = NULL; + + PK11SlotList *slots = PK11_GetAllSlotsForCert(ctx->tc_certificate, NULL); + if (!slots) { + PRErrorCode errcode = PR_GetError(); + Debug(LDAP_DEBUG_ANY, + "TLS: cannot get all slots for certificate '%s' (error %d: %s)", + tlsm_ctx_subject_name(ctx), errcode, + PR_ErrorToString(errcode, PR_LANGUAGE_I_DEFAULT)); + return result; + } + + PK11SlotListElement *le; + for (le = slots->head; le && !result; le = le->next) { + PK11SlotInfo *slot = le->slot; + if (!PK11_IsLoggedIn(slot, NULL)) + continue; + + result = PK11_FindKeyByDERCert(slot, ctx->tc_certificate, pin_arg); + } + + PK11_FreeSlotList(slots); + return result; +} This should just be: + for (le = slots->head; le; le = le->next) { + PK11SlotInfo *slot = le->slot; + if (PK11_IsLoggedIn(slot, NULL)) { + result = PK11_FindKeyByDERCert(slot, ctx->tc_certificate, pin_arg); + break; + } + } > I'm attaching a patch which fixes it. If the certificate (and corresponding key) > is held in multiple slots, libldap will take the key from an already > authenticated slot. > > > The attached file is derived from OpenLDAP Software. All of the modifications to > OpenLDAP Software represented in the following patch(es) were developed by Red > Hat. Red Hat has not assigned rights and/or interest in this work to any party. > I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under > the following terms. > > Red Hat hereby place the following modifications to OpenLDAP Software (and only > these modifications) into the public domain. Hence, these modifications may be > freely used and/or redistributed for any purpose with or without attribution > and/or other notice. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7357) Pass-through radius auth. with RFC2865
by hyc＠symas.com 21 Aug '12

21 Aug '12

jet(a)transniaga.co.th wrote: > Full_Name: Jetasik Anantakunupakorn > Version: 2.4.32 > OS: FreeBSD 9.0-RELEASE amd64 > URL: http://www.openldap.org/lists/openldap-technical/201208/msg00172.html > Submission from: (NULL) (58.11.65.20) > > > Pass-through radius authentication in contrib's passwd module(radius.c) does not > include either a NAS-IP or a NAS-Identifier, according to radius RFC 2865 one of > these attributes is mandatory in the access request. > > The thing is that the previous version of Radius RFC standard(RFC 2138) > specified that the access request "SHOULD" contain either a NAS-IP or a > NAS-Identifier but the current version use "MUST" instead. > A patch for this is now in git master, please test. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7352) openldap not supporting CAMELLIA ciphers
by hyc＠symas.com 21 Aug '12

21 Aug '12

goodgoingswati(a)gmail.com wrote: > Full_Name: Swati > Version: 2.4.32 > OS: RHEL5 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (115.113.153.34) > > > openldap is not supporting CAMELLIA based ciphers(both RSA and DSA based) > I have configured SSL LDAP(LDAPS) and on checking SSL connection with LDAPS > server with CAMELLIA based cipher leads to failure in handshake: Sounds like something is wrong with your config. openssl s_client -connect localhost:9011 -showcerts -cipher CAMELLIA256-SHA -state -CAfile ~/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:unknown state SSL_connect:SSLv3 read server hello A depth=1 C = US, ST = California, L = Los Angeles, O = Symas Corp., CN = Symas Keymaster verify return:1 depth=0 C = US, ST = California, L = Los Angeles, O = Symas Corp., OU = R&D, CN = violino.symas.net verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read server session ticket A SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=US/ST=California/L=Los Angeles/O=Symas Corp./OU=R&D/CN=violino.symas.net i:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster -----BEGIN CERTIFICATE----- MIIDeDCCAuGgAwIBAgIBBDANBgkqhkiG9w0BAQQFADBoMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2VsZXMxFDASBgNV BAoTC1N5bWFzIENvcnAuMRgwFgYDVQQDEw9TeW1hcyBLZXltYXN0ZXIwHhcNMTAw NTA4MTMxMTQwWhcNMTUwNTA3MTMxMTQwWjB4MQswCQYDVQQGEwJVUzETMBEGA1UE CBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2VsZXMxFDASBgNVBAoTC1N5 bWFzIENvcnAuMQwwCgYDVQQLFANSJkQxGjAYBgNVBAMTEXZpb2xpbm8uc3ltYXMu bmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+UzX69iQfiHqFsfmbft8r bbJ1B0khAMIyzbvAq+0TTXBl1z3vh/0zewfa2eXx75A+4j85VhJbmunKQtpGNZoU j78qmlZyyadr1JDV/IP1VdkvimAY/ms/AIN7VXKbo/dMvvE2/Wlz1k6uyARHKRO0 HuDSXR+/y8wxmbssonIaoQIDAQABo4IBIDCCARwwCQYDVR0TBAIwADARBglghkgB hvhCAQEEBAMCBkAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl cnRpZmljYXRlMB0GA1UdDgQWBBRiK30dAs2UKMa0nqGuZ/ZOvHy/SzCBmgYDVR0j BIGSMIGPgBR8WtuSd1849yXVcEj7z1a5fdXhAKFspGowaDELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAcTC0xvcyBBbmdlbGVzMRQwEgYD VQQKEwtTeW1hcyBDb3JwLjEYMBYGA1UEAxMPU3ltYXMgS2V5bWFzdGVyggkAlRwa GgnLxpUwEgYDVR0RBAswCYIHdmlvbGlubzANBgkqhkiG9w0BAQQFAAOBgQBsQgtW fd3sjH3kou2QVI0YVh13mUdgLcFvyfI615cvhomttIfrHny2WYb9ktp7yBjsSni5 x6J0s0Xi0NnBgdfh0LNamQL06UXzEPhBwf90n+LyUq+F+9jbHSkQWlAfg+vaBWCs NpPOOvgFPpKkzMouLrc4hVDm9yvPnCh1jV5CKQ== -----END CERTIFICATE----- 1 s:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster i:/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster -----BEGIN CERTIFICATE----- MIIDHDCCAoWgAwIBAgIJAJUcGhoJy8aVMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtMb3MgQW5nZWxl czEUMBIGA1UEChMLU3ltYXMgQ29ycC4xGDAWBgNVBAMTD1N5bWFzIEtleW1hc3Rl cjAeFw0xMDAyMjMwMTE0MTVaFw0yMDAyMjEwMTE0MTVaMGgxCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtMb3MgQW5nZWxlczEUMBIG A1UEChMLU3ltYXMgQ29ycC4xGDAWBgNVBAMTD1N5bWFzIEtleW1hc3RlcjCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtdAxWHaiQVRn4ulkvQ/kWdeQRTlmDp0I 6ROd8UTdZWgG8pdaaSjic3oRrzXGu3yci7oCTeJj//wL6QuAiP3RAd34nvAF3G+J 4fp4AUCYhT7kM1jdGe94omQZeEjVwgr33ugvUYEbVU/fPIn/T3bnmKLifrNcPF30 UimTPNCoTvMCAwEAAaOBzTCByjAdBgNVHQ4EFgQUfFrbkndfOPcl1XBI+89WuX3V 4QAwgZoGA1UdIwSBkjCBj4AUfFrbkndfOPcl1XBI+89WuX3V4QChbKRqMGgxCzAJ BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtMb3MgQW5n ZWxlczEUMBIGA1UEChMLU3ltYXMgQ29ycC4xGDAWBgNVBAMTD1N5bWFzIEtleW1h c3RlcoIJAJUcGhoJy8aVMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA MtI45poCh3L8xk0g56WGxroIPMGPZvrHDo1XIj6ALxlhpSLIcTDPFbidJ0tD9aL3 7aNlCZQ7DeJx18BhIUUgSYZj/Sfb0oXZw9Vj59c1AA7UFGnvyjKuJx4G8sIYTFFx rYXCmXraOoB9x0+DcD/7I9ed5Ogid/tZklF9ORPjUgs= -----END CERTIFICATE----- --- Server certificate subject=/C=US/ST=California/L=Los Angeles/O=Symas Corp./OU=R&D/CN=violino.symas.net issuer=/C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster --- Acceptable client certificate CA names /C=US/ST=California/L=Los Angeles/O=Symas Corp./CN=Symas Keymaster --- SSL handshake has read 2166 bytes and written 290 bytes --- New, TLSv1/SSLv3, Cipher is CAMELLIA256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: zlib compression Expansion: zlib compression SSL-Session: Protocol : TLSv1.1 Cipher : CAMELLIA256-SHA Session-ID: 430EAC39338B25DF6D1CC63928DB20830BA5A034F13EAF3BE3BED715015D33C1 Session-ID-ctx: Master-Key: F38B9781E21339675D80CDC3561B4ED906A15F5A6F5A9D1A9CCFFF9E16B912D270E2E1F44135FA6CA15D5A24DB720F67 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - f0 95 1a 3f 67 bf cd 43-d7 dc 70 ce a3 19 5a 4e ...?g..C..p...ZN 0010 - c7 2b 4e cc d5 48 df a9-7f d1 a7 b5 53 e0 35 28 .+N..H......S.5( 0020 - fa 7f 9c 70 37 b7 65 01-b6 27 bf 88 d6 dc 8a 36 ...p7.e..'.....6 0030 - 95 a8 2f fb 22 a6 26 3e-07 d3 9b 94 88 b7 99 de ../.".&>........ 0040 - 78 9b ee cb 52 51 5a 50-0a 53 a2 b8 05 f6 63 de x...RQZP.S....c. 0050 - c4 8e e1 2e 03 1c 5d a5-6a e2 6d 05 8e 62 aa 21 ......].j.m..b.! 0060 - f8 0e d0 5e 9f d4 89 3e-85 db b9 8f ed 04 9e 39 ...^...>.......9 0070 - a1 3e b1 44 a2 c3 48 5c-f8 d2 ff 5f 45 ad a0 d6 .>.D..H\..._E... 0080 - d7 c3 3b 4a bd 6e c6 09-9d 08 74 d9 1c c5 6b 1b ..;J.n....t...k. 0090 - b1 f3 eb dc 26 ac 10 31-66 d3 fb bb 6b 9e 4b 8d ....&..1f...k.K. 00a0 - df ef 17 69 97 7b 56 0d-a7 32 bf 6c c6 49 fa b5 ...i.{V..2.l.I.. Compression: 1 (zlib compression) Start Time: 1345578708 Timeout : 300 (sec) Verify return code: 0 (ok) --- > > openssl s_client -connect localhost:636 -showcerts -cipher > DHE-DSS-CAMELLIA256-SHA -state -CAfile /path_to_cert -cert /path_to_client_cert > -key /path_to_client_key > CONNECTED(00000003) > SSL_connect:before/connect initialization > SSL_connect:SSLv2/v3 write client hello A > SSL3 alert read:fatal:handshake failure > SSL_connect:error in SSLv2/v3 read server hello A > 47726707455072:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert > handshake failure:s23_clnt.c:741: > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 7 bytes and written 102 bytes > --- > New, (NONE), Cipher is (NONE) > Secure Renegotiation IS NOT supported > Compression: NONE > Expansion: NONE > > Handshake is failing with all camellia ciphers. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7340) Regression in slapo-constraint
by michael＠stroeder.com 21 Aug '12

21 Aug '12

This is a cryptographically signed message in MIME format. --------------ms050203080706090204030402 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Jan Synacek wrote: > Ok, here is an attempt to fix this: >=20 > ftp://ftp.openldap.org/incoming/jsynacek-20120821-slapo-constraint-set-= fix.patch >=20 > Done on top of the latest OPENLDAP_REL_ENG_2_4 (7da024d80). Michael, ca= n you > please give it a quick try? Short test seems to be ok. Ciao, Michael. --------------ms050203080706090204030402 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIILHzCC BT8wggQnoAMCAQICDwCmSwABAAIAivjZQ8SBvzANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQG EwJERTEcMBoGA1UEChMTVEMgVHJ1c3RDZW50ZXIgR21iSDElMCMGA1UECxMcVEMgVHJ1c3RD ZW50ZXIgQ2xhc3MgMSBMMSBDQTEoMCYGA1UEAxMfVEMgVHJ1c3RDZW50ZXIgQ2xhc3MgMSBM MSBDQSBJWDAeFw0xMjA2MDYxOTAyMTZaFw0xMzA2MDcxOTAyMTZaMCgxCzAJBgNVBAYTAkRF MRkwFwYDVQQDDBBNaWNoYWVsIFN0csO2ZGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAxXZGav40rnGNLxEggBW94MILWHlfC8a23Jew5U1gPlfRTXOjjzmoaZ1uCyGdgF6M VvuO9T1aTQNGH+OdeGe3P7Tfc/NsLJFJ2wtd8blvhmodUgse2eypiWjNOd4gZuhalBhgsQ0K b5D6/1foghII4E264iZlJ7AJ+UYcO+GxvFWT0YMTbLckgDkZk7c3qwTozdhYvXarvqx+8Ou/ kuxpQQhac/ebzxpu0N+RHSf2KIUS0g0tEGnPtGv6iL+9QNHc4JKo9Y9KKVw3tQy+Re+FQLxB 1fPE5F+qxuD3AUENpOwkMsqWLM94ohtx3CFqLpxfUPrnKFLAHOhHEbByYGvFPwIDAQABo4IC EDCCAgwwgaUGCCsGAQUFBwEBBIGYMIGVMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3LnRydXN0 Y2VudGVyLmRlL2NlcnRzZXJ2aWNlcy9jYWNlcnRzL3RjX2NsYXNzMV9MMV9DQV9JWC5jcnQw QAYIKwYBBQUHMAGGNGh0dHA6Ly9vY3NwLml4LnRjY2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1 c3RjZW50ZXIuZGUwHwYDVR0jBBgwFoAU6bgoHUbP/M34TpvF7ktg69g7P9EwDAYDVR0TAQH/ BAIwADBKBgNVHSAEQzBBMD8GCSqCFAAsAQEBATAyMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3 LnRydXN0Y2VudGVyLmRlL2d1aWRlbGluZXMwDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQWBBS2 KAWfTfgJ/JQ63qLGwTXYLnI+LzBiBgNVHR8EWzBZMFegVaBThlFodHRwOi8vY3JsLml4LnRj Y2xhc3MxLnRjdW5pdmVyc2FsLWkudHJ1c3RjZW50ZXIuZGUvY3JsL3YyL3RjX0NsYXNzMV9M MV9DQV9JWC5jcmwwMwYDVR0lBCwwKgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDBwYK KwYBBAGCNxQCAjAfBgNVHREEGDAWgRRtaWNoYWVsQHN0cm9lZGVyLmNvbTANBgkqhkiG9w0B AQUFAAOCAQEAQ3bvVUpEq+cQrLpcogyt5BJNk/WvUvOHqhzyj28M9pg9hcDl1+MYl5qqj6tR GSTLPQZyf287pcmbMwbcTGZO/gbW9v7RYcut6RauWdwKMCUmKC3J4fVfDq9ZETA2WOV68ef4 B3Gzdhghsbp3Rhp5dDmrCVKAHlafm6ZwJrEQ9P76fxnQZzRLgeKpZep5ePH5YHUB3+YaOQvJ FG0bOXvfHhRiRG7/HW2G+yDgjHSxDz8AFzMWL/RFePqZ4pn6T/SM/qU6WEpW39MWyJNoH/Kx QDYK8gGYuesn1ciMCTnjrvZQj0fonGTO4SfWekJRkuGrJ7dYSZRjYbDcWBBkdFLWzzCCBdgw ggTAoAMCAQICDgboAAEAAkqWLSQM/sXJMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNVBAYTAkRF MRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSQwIgYDVQQLExtUQyBUcnVzdENlbnRl ciBVbml2ZXJzYWwgQ0ExJjAkBgNVBAMTHVRDIFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQSBJ MB4XDTA5MTEwMzE0MDgxOVoXDTI1MTIzMTIxNTk1OVowfDELMAkGA1UEBhMCREUxHDAaBgNV BAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxJTAjBgNVBAsTHFRDIFRydXN0Q2VudGVyIENsYXNz IDEgTDEgQ0ExKDAmBgNVBAMTH1RDIFRydXN0Q2VudGVyIENsYXNzIDEgTDEgQ0EgSVgwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75pBuz2Lp6QuqthDVR+V8XSsncZpozVVt 5KLv5P7yemMRwleKyH3PjmYfZUVL64Biab1GjovFblqVGCrep/EfdRonq20yU+P7TVhiLP8Z 5cegDZotIYhZhM0d8cPIij6w5d4IJM/8QCy6QSOUu4ASiTVItoYE4AFPjLqpmPwcie0fiqHH hpgmHnJla/7PZdkMZEsaCfVDEWBmJuMzVprJPT40anjG5VBLyM2I5DlsUCaeQCy2O3w3sqf1 3dyzUcv03IICuNc63towXA31Qt0TaVNU6YAmQjMepdfMbspmCZ+G8D2+xophEPPR/1vkstst smUMqX0XrLonTUJczglPAgMBAAGjggJZMIICVTCBmgYIKwYBBQUHAQEEgY0wgYowUgYIKwYB BQUHMAKGRmh0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvY2VydHNlcnZpY2VzL2NhY2VydHMv dGNfdW5pdmVyc2FsX3Jvb3RfSS5jcnQwNAYIKwYBBQUHMAGGKGh0dHA6Ly9vY3NwLnRjdW5p dmVyc2FsLUkudHJ1c3RjZW50ZXIuZGUwHwYDVR0jBBgwFoAUkqR1LKSevoFE63n8isWVpesQ dXMwEgYDVR0TAQH/BAgwBgEB/wIBADBSBgNVHSAESzBJMAYGBFUdIAAwPwYJKoIUACwBAQEB MDIwMAYIKwYBBQUHAgEWJGh0dHA6Ly93d3cudHJ1c3RjZW50ZXIuZGUvZ3VpZGVsaW5lczAO BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFOm4KB1Gz/zN+E6bxe5LYOvYOz/RMIH9BgNVHR8E gfUwgfIwge+ggeyggemGRmh0dHA6Ly9jcmwudGN1bml2ZXJzYWwtSS50cnVzdGNlbnRlci5k ZS9jcmwvdjIvdGNfdW5pdmVyc2FsX3Jvb3RfSS5jcmyGgZ5sZGFwOi8vd3d3LnRydXN0Y2Vu dGVyLmRlL0NOPVRDJTIwVHJ1c3RDZW50ZXIlMjBVbml2ZXJzYWwlMjBDQSUyMEksTz1UQyUy MFRydXN0Q2VudGVyJTIwR21iSCxPVT1yb290Y2VydHMsREM9dHJ1c3RjZW50ZXIsREM9ZGU/ Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlPzANBgkqhkiG9w0BAQUFAAOCAQEAOcjE m+6+mO5Icm+N53G2DpCM07LBFSGoRpBoX0oE8TrJaIQh2KXmBHVdn9LU8kt3QzLclctgvwJV 0KwcsMUUl5tlCsMPpR3s2Ek5lbWpvvr0HqtW56blAQiINV9nBd1EJFASIkRjefGbV2nOq9Yz UU+N8HA7jq1ROhd/NZZraGhjthwKyfjfHV7PKxGlY+3M0MbTIG+q/GhIfm0euDpFqhKG88e9 ALXr/uoSn3MzeOcoOWjTpW3adtFO4VWVgKbgG7jNrFbvRVlHmFLbOm4msjE5aXWxLiTwpJ2X iF4zKca1vAdAOgw9us90jEtOeiH6GzjNxEMvb7TfeO6Zkuc6HDGCA84wggPKAgEBMIGPMHwx CzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYDVQQLExxU QyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENlbnRlciBD bGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wCQYFKw4DAhoFAKCCAhMwGAYJKoZI hvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTIwODIxMTcwNTUxWjAjBgkq hkiG9w0BCQQxFgQUHxRibOORi2JQfrRj8jVM8z2SgfgwbAYJKoZIhvcNAQkPMV8wXTALBglg hkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggq hkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBoAYJKwYBBAGCNxAEMYGSMIGP MHwxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYDVQQL ExxUQyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENlbnRl ciBDbGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wgaIGCyqGSIb3DQEJEAILMYGS oIGPMHwxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSUwIwYD VQQLExxUQyBUcnVzdENlbnRlciBDbGFzcyAxIEwxIENBMSgwJgYDVQQDEx9UQyBUcnVzdENl bnRlciBDbGFzcyAxIEwxIENBIElYAg8ApksAAQACAIr42UPEgb8wDQYJKoZIhvcNAQEBBQAE ggEAbpYRbeLQ716KJyZwzpTpKDTHu28mIhhMMfGXNeHF7o0u5jsi5MrX1sp8MbaoA0r7pCQ5 k+G+irXT8fwCJ419Ydz2lxLJxgLaEmMsCMKElGfnk/gTwrKDq5FD+2rXJZ+Rw8fGyE6qxMnC a3exTDwIu6kWyP0sWrLkY0hnhC+ZoHz/H6WycJHh6DOdaBOJM2CJxlbMbsdV62t3l6aLaHcv k9Ij3Dg6/Eq7Vpzo+W27ByZx5yHGMnwZPA8ZiB+MDqziJAY4i6E7n3eoIQ8e5+gPP8LEvqYN MG4jJG3om4/rtmzaH0Qhn82D/YLTa1SWXQ15Jt/2yqw6WGHkvzEdjmV//AAAAAAAAA== --------------ms050203080706090204030402--

1 0

Re: (ITS#7340) Regression in slapo-constraint
by jsynacek＠redhat.com 21 Aug '12

21 Aug '12

On 08/21/2012 09:51 AM, michael(a)stroeder.com wrote: > It seems the following set-based constraints falsely fail even with valid > modifications: > > ---------------------------- snip ---------------------------- > # cn value has to be concatenated givenName SP sn > constraint_attribute cn,sn,givenName set > "(this/givenName + [ ] + this/sn) & this/cn" > > restrict="ldap:///ou=People,dc=infraldap,dc=onlinebrief,dc=de??sub?(objectClass=dpagE2Person)" > > # homeDirectory value has to be concatenated "/home/" uid > constraint_attribute uid,homeDirectory set > "([/home/] + this/uid) & this/homeDirectory" > > restrict="ldap:///ou=People,dc=infraldap,dc=onlinebrief,dc=de??sub?(objectClass=posixAccount)" > ---------------------------- snip ---------------------------- > > When I disable both valid modifications work. > > Ciao, Michael. > > Ok, here is an attempt to fix this: ftp://ftp.openldap.org/incoming/jsynacek-20120821-slapo-constraint-set-fix.… Done on top of the latest OPENLDAP_REL_ENG_2_4 (7da024d80). Michael, can you please give it a quick try? I will update the testsuit as well. -- Jan Synacek Software Engineer, BaseOS team Brno, Red Hat

1 0

(ITS#7361) alock is broken on Windows
by hyc＠OpenLDAP.org 21 Aug '12

21 Aug '12

Full_Name: Howard Chu Version: 2.4.32 OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (76.94.188.8) Submitted by: hyc alock assumes (wrongly) that it can always read from a locked region. That's true for POSIX advisory locks, but Windows locks are mandatory. I.e., attempting to read from a region with a write lock returns EACCES. Because alock doesn't detect this situation correctly, it will end up waiting forever to acquire a lock on a region that's already locked. (E.g., if slapd is already running and slapcat is started, slapcat will hang trying to get the region lock.) A fix is coming shortly.

1 0

Re: (ITS#7340) Regression in slapo-constraint
by michael＠stroeder.com 21 Aug '12

21 Aug '12

It seems the following set-based constraints falsely fail even with valid modifications: ---------------------------- snip ---------------------------- # cn value has to be concatenated givenName SP sn constraint_attribute cn,sn,givenName set "(this/givenName + [ ] + this/sn) & this/cn" restrict="ldap:///ou=People,dc=infraldap,dc=onlinebrief,dc=de??sub?(objectClass=dpagE2Person)" # homeDirectory value has to be concatenated "/home/" uid constraint_attribute uid,homeDirectory set "([/home/] + this/uid) & this/homeDirectory" restrict="ldap:///ou=People,dc=infraldap,dc=onlinebrief,dc=de??sub?(objectClass=posixAccount)" ---------------------------- snip ---------------------------- When I disable both valid modifications work. Ciao, Michael.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs