openldap-bugs

openldap-bugs@openldap.org

1 participants
20960 discussions

Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
by rmeggins＠redhat.com 14 Jul '10

14 Jul '10

Howard Chu wrote: > rmeggins(a)redhat.com wrote: >> Full_Name: Rich Megginson >> Version: 2.4.23 >> OS: Fedora >> URL: >> ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.p… >> >> Submission from: (NULL) (76.113.111.209) >> >> >> MozNSS doesn't like self-signed CA certs that are also used for >> TLS/SSL server certs (such as generated by openssl req -x509) >> CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that >> case >> so, see if the cert and issuer are the same cert, and allow the >> use of it (with a warning) > > If you checked to see if the issuer is already trusted, I guess the > patch is OK. > > But that aside, MozNSS's behavior sounds correct to me, and our > documentation says to use explicit CA certs, separate from the server > cert. Is it really a good idea to break this validation check? Probably not, but openssl seems to allow it. This provides parity with the openssl implementation. This issue came up when testing openldap with NSS support in Fedora. The Fedora package creates a self signed CA cert using openssl req -x509. This works with openldap+openssl, but fails with openldap+moznss. > > Also, where does this check occur in the main sequence of verification > - has the BasicConstraints, KeyUsage, and/or NetscapeCertType already > been checked successfully? Yes. This check occurs in the cert chain processing, which is done last. > >> This patch file is derived from OpenLDAP Software. All of the >> modifications to OpenLDAP Software represented in the following >> patch(es) were developed by Red Hat. Red Hat has not assigned rights >> and/or interest in this work to any party. I, Rich Megginson am >> authorized by Red Hat, my employer, to release this work under the >> following terms. >> >> Red Hat hereby place the following modifications to OpenLDAP Software >> (and only these modifications) into the public domain. Hence, these >> modifications may be freely used and/or redistributed for any purpose >> with or without attribution and/or other notice. >

1 0

Re: (ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
by hyc＠symas.com 14 Jul '10

14 Jul '10

rmeggins(a)redhat.com wrote: > Full_Name: Rich Megginson > Version: 2.4.23 > OS: Fedora > URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.p… > Submission from: (NULL) (76.113.111.209) > > > MozNSS doesn't like self-signed CA certs that are also used for > TLS/SSL server certs (such as generated by openssl req -x509) > CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case > so, see if the cert and issuer are the same cert, and allow the > use of it (with a warning) If you checked to see if the issuer is already trusted, I guess the patch is OK. But that aside, MozNSS's behavior sounds correct to me, and our documentation says to use explicit CA certs, separate from the server cert. Is it really a good idea to break this validation check? Also, where does this check occur in the main sequence of verification - has the BasicConstraints, KeyUsage, and/or NetscapeCertType already been checked successfully? > This patch file is derived from OpenLDAP Software. All of the > modifications to OpenLDAP Software represented in the following > patch(es) were developed by Red Hat. Red Hat has not assigned rights > and/or interest in this work to any party. I, Rich Megginson am > authorized by Red Hat, my employer, to release this work under the > following terms. > > Red Hat hereby place the following modifications to OpenLDAP Software > (and only these modifications) into the public domain. Hence, these > modifications may be freely used and/or redistributed for any purpose > with or without attribution and/or other notice. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#6589) Patch - Mozilla NSS - support use of self signed CA certs as server certs
by rmeggins＠redhat.com 14 Jul '10

14 Jul '10

Full_Name: Rich Megginson Version: 2.4.23 OS: Fedora URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-selfsignedcacert-20100714.p… Submission from: (NULL) (76.113.111.209) MozNSS doesn't like self-signed CA certs that are also used for TLS/SSL server certs (such as generated by openssl req -x509) CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case so, see if the cert and issuer are the same cert, and allow the use of it (with a warning) This patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat. Red Hat has not assigned rights and/or interest in this work to any party. I, Rich Megginson am authorized by Red Hat, my employer, to release this work under the following terms. Red Hat hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

1 0

Re: (ITS#6588) Change log not up to date on www.openldap.org
by Kurt＠OpenLDAP.org 13 Jul '10

13 Jul '10

On Jul 13, 2010, at 2:39 AM, jonathan(a)phillipoux.net wrote: > Full_Name: Jonathan Clarke > Version: 2.4.23 > OS:=20 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (84.14.151.50) >=20 >=20 > The page at http://www.openldap.org/software/release/changes.html only = lists > changes for the 2.4.22 release, although 2.4.23 is now released. Fixed. -- Kurt

1 0

(ITS#6588) Change log not up to date on www.openldap.org
by jonathan＠phillipoux.net 13 Jul '10

13 Jul '10

Full_Name: Jonathan Clarke Version: 2.4.23 OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (84.14.151.50) The page at http://www.openldap.org/software/release/changes.html only lists changes for the 2.4.22 release, although 2.4.23 is now released. This should be updated, I guess! In the mean time, changes can be consulted here: http://www.openldap.org/devel/cvsweb.cgi/~checkout~/Attic/CHANGES?rev=1.5.1…

1 0

Re: (ITS#6585) close is called from dap_unbind_s with fd = -1
by asifiqbal.desai＠gmail.com 12 Jul '10

12 Jul '10

Can somebody take a look at this issue. Note that the issue here is with close() being called from ldap_unbind_s with fd = (-1). Please read the first line in my original bug description email as: This is a consulation bug for clarification on close() being called from ldap_unbind_s with fd = -1.

1 0

Re: (ITS#6587) lconn_refcnt is not thread-safe
by hyc＠symas.com 10 Jul '10

10 Jul '10

test.007(a)seznam.cz wrote: > Full_Name: Test Seven > Version: 2.4.22 > OS: Windows > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (195.113.184.10) > > > lconn_refcnt is read and written without any sync mechanism, which may cause > subtle multi-threading issues. You're mistaken. ld->ld_res_mutex is owned in all cases where lc->lconn_refcnt is touched. > E.g. libldap/result.c -r1.172 > #ifdef LDAP_R_COMPILE > ldap_pvt_thread_mutex_unlock(&ld->ld_conn_mutex ); > #endif > rc = try_read1msg( ld, msgid, all, lc, result ); > lnext = lc->lconn_next; > /* Only take locks if we're really freeing */ > if ( lc->lconn_refcnt<= 1 ) { > #ifdef LDAP_R_COMPILE > ldap_pvt_thread_mutex_lock(&ld->ld_req_mutex ); > #endif > ldap_free_connection( ld, lc, 0, 1 ); > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#6587) lconn_refcnt is not thread-safe
by test.007＠seznam.cz 09 Jul '10

09 Jul '10

Full_Name: Test Seven Version: 2.4.22 OS: Windows URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (195.113.184.10) lconn_refcnt is read and written without any sync mechanism, which may cause subtle multi-threading issues. E.g. libldap/result.c -r1.172 #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_unlock( &ld->ld_conn_mutex ); #endif rc = try_read1msg( ld, msgid, all, lc, result ); lnext = lc->lconn_next; /* Only take locks if we're really freeing */ if ( lc->lconn_refcnt <= 1 ) { #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex ); #endif ldap_free_connection( ld, lc, 0, 1 );

1 0

(ITS#6586) PASSMOD operations are not getting chained correctly
by moenoel＠informatik.uni-bremen.de 01 Jul '10

01 Jul '10

Full_Name: Christian Manal Version: 2.4.21 OS: SunOS 5.10 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:638:708:30dd:221:85ff:fe3f:1775) I have noticed a problem regarding ExOp PASSMOD and chaining in my OpenLDAP environment. Maybe some of the other overlays are doing their part in this as well. Password changes started behaving weird at some point: When a slave runs for a few days and some user tries to change his password, the change is done in the local database only (no chaining done or referral returned), resulting in an inconsistent database between the slave and all the other servers. That way logging in to services which connect to the LDAP servers in a round-robin fashion sometimes works with the "new" password and sometimes with the old one. After I restart the slapd on the slaves, everything works again for a few days, before it goes bad again. Every other write gets chained just fine when a slave is in this condition. It's only the PASSMOD operations that are stuck. I have one master and four slaves running on Solaris 10. One of them SPARC, the others x86. Software Versions are: OpenLDAP 2.4.21 BDB 4.8.26 Cyrus SASL 2.1.23 Heimdal Kerberos 1.3.3 All the configs and the sourcecode of my self-made pwdCheckModule for ppolicy can be found here: http://www.informatik.uni-bremen.de/~moenoel/ldap/ As pointed out by Pierangelo Masarati, this may be the same issue as reported here: <http://www.openldap.org/lists/openldap-technical/201003/msg00019.html> Regards, Christian Manal

1 0

(ITS#6585) close is called from dap_unbind_s with fd = -1
by asifiqbal.desai＠gmail.com 01 Jul '10

01 Jul '10

Full_Name: Asif Iqbal Desai Version: 2.4.16 OS: Solaris 10 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (130.214.64.6) This is a consulation bug for clarification on close() being called from ldap_unbind_s with fd = 1. The application uses ldap client apis for user authentication. We recently upgraded to use OpenLDAP version 2.4.16 and are getting an unexpected AIO error issue when ldap user authentication is enabled. Investigating further revealed that from ldap_unbind_s ( close(-1) is getting called. However the close function of solaris libaio does a special handling when fd < 0 which causes AIO errors. The application needs solaris aio support and hence cannot link libc before libaio. Is there any specific reason for close being called with fd = -1 from ldap_unbind_s. This issue didnot exist with OpenLDAP 2.3.27. Following is the stacktrace: [1] _libaio_close(0xffffffffffffffff, 0x2, 0x1, 0xffffffff7f300200, 0x0, 0x0), at 0xffffffff7f406a64 [2] sb_stream_close(0x100151d80, 0x0, 0x0, 0xffffffff7f300200, 0x0, 0x0), at 0xffffffff7d21eafc [3] ber_int_sb_close(0x100151d00, 0x0, 0x0, 0xffffffff7f300200, 0x0, 0x0), at 0xffffffff7d21e160 [4] ber_sockbuf_free(0x100151d00, 0x1001497d0, 0x1, 0x1, 0xffffffff7dbad2ec, 0xd), at 0xffffffff7d21cebc [5] ldap_ld_free(0x100149520, 0x1, 0x0, 0x0, 0x100117020, 0xdc3), at 0xffffffff7d26a4bc [6] ldap_unbind_ext(0x100149520, 0x0, 0x0, 0x1001219e0, 0x1001219f8, 0x100121a00), at 0xffffffff7d26a048 [7] ldap_unbind_s(0x100149520, 0x1001471d0, 0x100149520, 0xfffffffffffffff2, 0x0, 0x100117728), at 0xffffffff7d26a55c ... ... Thanks in Advance, Asif Iqbal Desai

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs