openldap-bugs

openldap-bugs@openldap.org

1 participants
20891 discussions

[Issue 10171] New: Incompatible pointer type assignments
by openldap-its＠openldap.org 21 May '24

21 May '24

https://bugs.openldap.org/show_bug.cgi?id=10171 Issue ID: 10171 Summary: Incompatible pointer type assignments Product: OpenLDAP Version: 2.6.6 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: sgallagh(a)redhat.com Target Milestone: --- When building with -Werror=incompatible-pointer-types, numerous implicit casts are made from (void**) types. For example: ``` make[3]: Entering directory '/builddir/build/BUILD/openldap-2.6.6/openldap-2.6.6/servers/slapd/back-asyncmeta' /bin/sh ../../../libtool --tag=disable-static --mode=compile gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -Wl,--as-needed -DLDAP_CONNECTIONLESS -I../../../include -I../../../include -I.. -I./.. -DSLAPD_IMPORT -c conn.c libtool: compile: gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -Wl,--as-needed -DLDAP_CONNECTIONLESS -I../../../include -I../../../include -I.. -I./.. -DSLAPD_IMPORT -c conn.c -fPIC -DPIC -o .libs/conn.o make[3]: Leaving directory '/builddir/build/BUILD/openldap-2.6.6/openldap-2.6.6/servers/slapd/back-asyncmeta' make[3]: Entering directory '/builddir/build/BUILD/openldap-2.6.6/openldap-2.6.6/servers/slapd/overlays' /bin/sh ../../../libtool --tag=disable-static --mode=compile gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -Wl,--as-needed -DLDAP_CONNECTIONLESS -I../../../include -I../../../include -I.. -I./.. -DSLAPD_IMPORT -c constraint.c libtool: compile: gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -Wl,--as-needed -DLDAP_CONNECTIONLESS -I../../../include -I../../../include -I.. -I./.. -DSLAPD_IMPORT -c constraint.c -fPIC -DPIC -o .libs/constraint.o make[3]: Leaving directory '/builddir/build/BUILD/openldap-2.6.6/openldap-2.6.6/servers/slapd/overlays' constraint.c:90:38: warning: missing braces around initializer [-Wmissing-braces] 90 | static ConfigTable constraintcfg[] = { | ^ constraint.c:90:38: warning: missing braces around initializer [-Wmissing-braces] constraint.c:90:38: warning: missing braces around initializer [-Wmissing-braces] constraint.c: In function ‘constraint_cf_gen’: constraint.c:327:40: warning: unused variable ‘size’ [-Wunused-variable] 327 | size_t size; | ^~~~ constraint.c:335:40: warning: unused variable ‘count’ [-Wunused-variable] 335 | size_t count; | ^~~~~ constraint.c:560:43: error: assignment to ‘constraint **’ from incompatible pointer type ‘void **’ [-Wincompatible-pointer-types] 560 | for ( app = &on->on_bi.bi_private; *app; app = &(*app)->ap_next ) | ^ constraint.c: In function ‘constraint_check_count_violation’: constraint.c:891:19: warning: unused variable ‘b’ [-Wunused-variable] 891 | BerVarray b = NULL; | ^ constraint.c: In function ‘constraint_update’: constraint.c:1016:26: warning: unused variable ‘ce’ [-Wunused-variable] 1016 | unsigned ce = 0; | ^~ ``` Most of these can be resolved with a simple explicit cast. I have submitted a patch to do so at https://git.openldap.org/openldap/openldap/-/merge_requests/683 -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10208] New: build test failure: test076-authid-rewrite (2.6.8 (RE26)
by openldap-its＠openldap.org 21 May '24

21 May '24

https://bugs.openldap.org/show_bug.cgi?id=10208 Issue ID: 10208 Summary: build test failure: test076-authid-rewrite (2.6.8 (RE26) Product: OpenLDAP Version: unspecified Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: brett(a)gladserv.com Target Milestone: --- Testing RE26 on Gentoo Linux. Test 076 fails with "generic failure: internal error: failed to init cipher 'rc4'" >>>>> 00:07:19 Starting test076-authid-rewrite for mdb... running defines.sh Starting slapd on TCP/IP port 9011... /home/bacs/src/openldap-OPENLDAP_REL_ENG_2_6/tests Using ldapsearch to check that slapd is running... Checking whether DIGEST-MD5 is supported... Adding schema and database... Using ldapadd to populate the database... Adding olcAuthzRegexp rule for static mapping... Testing ldapwhoami as Manager... ldap_sasl_interactive_bind: Local error (-2) additional info: SASL(-1): generic failure: internal error: failed to init cipher 'rc4' ldapwhoami failed (254)! >>>>> 00:07:20 Failed test076-authid-rewrite for mdb after 1 seconds (exit 254) make[2]: *** [Makefile:320: mdb-yes] Error 254 make[2]: Leaving directory '/home/bacs/src/openldap-OPENLDAP_REL_ENG_2_6/tests' make[1]: *** [Makefile:287: test] Error 2 make[1]: Leaving directory '/home/bacs/src/openldap-OPENLDAP_REL_ENG_2_6/tests' make: *** [Makefile:298: test] Error 2 -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10209] New: OpenBSD Build failure (2.6.8 (RE26)
by openldap-its＠openldap.org 21 May '24

21 May '24

https://bugs.openldap.org/show_bug.cgi?id=10209 Issue ID: 10209 Summary: OpenBSD Build failure (2.6.8 (RE26) Product: OpenLDAP Version: unspecified Hardware: All OS: Other Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: brett(a)gladserv.com Target Milestone: --- Build failure on OpenBSD 7.2. NB: OpenBSD uses LibreSSL, not OpenSSL, and I have no idea if that's supported, but configure should at least pick that up I think. libtool: compile: cc -g -O2 -I../../include -I../../include -DLDAP_LIBRARY -c tls_o.c -fPIC -DPIC -o .libs/tls_o.o tls_o.c:228:19: error: use of undeclared identifier 'OPENSSL_INIT_NO_ATEXIT' OPENSSL_init_ssl(OPENSSL_INIT_NO_ATEXIT, NULL); ^ 1 error generated. *** Error 1 in libraries/libldap (Makefile:432 'tls_o.lo') *** Error 2 in libraries (Makefile:317 'all-common': @for i in liblutil liblber liblunicode libldap librewrite ; do echo " Entering ...) *** Error 2 in /home/bacs/openldap-OPENLDAP_REL_ENG_2_6 (Makefile:325 'all-common': @for i in include libraries clients servers tests doc ; ...) -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10166] New: 2.6.7: not redy for gcc 14.x
by openldap-its＠openldap.org 21 May '24

21 May '24

https://bugs.openldap.org/show_bug.cgi?id=10166 Issue ID: 10166 Summary: 2.6.7: not redy for gcc 14.x Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: kloczko.tomasz(a)gmail.com Target Milestone: --- Looks like last version build fails with latest gcc 14.x which is now used in fedora rawhide. cd slapi && make -k all make[3]: Entering directory '/home/tkloczko/rpmbuild/BUILD/openldap-2.6.7/servers/slapd/slapi' /bin/sh ../../../libtool --mode=compile /usr/bin/gcc -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -O2 -g -grecord-gcc-switches -pipe -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fdata-sections -ffunction-sections -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -flto=auto -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -Wall -Werror=format-security -DLDAP_CONNECTIONLESS -I../../../include -I.. -I. -I../../../include -I./.. -I. -DSLAPI_LIBRARY -c plugin.c libtool: compile: /usr/bin/gcc -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -O2 -g -grecord-gcc-switches -pipe -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fdata-sections -ffunction-sections -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -flto=auto -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -Wall -Werror=format-security -DLDAP_CONNECTIONLESS -I../../../include -I.. -I. -I../../../include -I./.. -I. -DSLAPI_LIBRARY -c plugin.c -fPIC -DPIC -o .libs/plugin.o plugin.c: In function 'slapi_int_read_config': plugin.c:697:69: error: passing argument 3 of 'plugin_pblock_new' from incompatible pointer type [-Wincompatible-pointer-types] 697 | pPlugin = plugin_pblock_new( iType, numPluginArgc, c->argv ); | ~^~~~~~ | | | char ** plugin.c:71:21: note: expected 'ConfigArgs *' {aka 'struct config_args_s *'} but argument is of type 'char **' 71 | ConfigArgs *c ) | ~~~~~~~~~~~~^ make[3]: *** [Makefile:387: plugin.lo] Error 1 -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 10214] New: Reduce library dependencies
by openldap-its＠openldap.org 21 May '24

21 May '24

https://bugs.openldap.org/show_bug.cgi?id=10214 Issue ID: 10214 Summary: Reduce library dependencies Product: OpenLDAP Version: unspecified Hardware: All OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs(a)openldap.org Reporter: hamano(a)osstech.co.jp Target Milestone: --- Currently, slapd links libsystemd to notify service state to systemd. However, libsystemd link several unnecessary libraries, which increases security risks. The systemd documentation provides a method to send state notifications to systemd using a simple protocol without the need to link against libsystemd. https://www.freedesktop.org/software/systemd/man/devel/sd_notify.html I propose removing libsystemd and its depended libraries, similar to the approach taken by OpenSSH. Applying this fix reduced the following ten dependencies in the RHEL 8 environment. - libsystemd.so.0 - libblkid.so.1 - libcap.so.2 - libgcc_s.so.1 - libgcrypt.so.20 - libgpg-error.so.0 - liblz4.so.1 - liblzma.so.5 - libmount.so.1 - librt.so.1 -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10179] New: back-asyncmeta(5) man page incorrectly mentions "rewrite"
by openldap-its＠openldap.org 21 May '24

21 May '24

https://bugs.openldap.org/show_bug.cgi?id=10179 Issue ID: 10179 Summary: back-asyncmeta(5) man page incorrectly mentions "rewrite" Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: nivanova(a)symas.com Target Milestone: --- Man page for back-asyncmeta mentions the rewrite options, yet asyncmeta does not support the rewrite engine at the moment. -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 10164] New: back-meta hangs when used with dynlist overlay
by openldap-its＠openldap.org 21 May '24

21 May '24

https://bugs.openldap.org/show_bug.cgi?id=10164 Issue ID: 10164 Summary: back-meta hangs when used with dynlist overlay Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: backends Assignee: bugs(a)openldap.org Reporter: nivanova(a)symas.com Target Milestone: --- When back-meta is configured with the dynlist overlay, on a search request that triggers dynlist, it will hang. This happens because of a bug in back-meta that is only revealed when an overlay issues an internal operation while processing a result or an entry, as dynlist does, as apposed to issuing it when the client op is first received ( on the way "down" to the backend). The issue is reproduced by configuring dynlist over a back-meta database, and sending a subtree search request with the database suffix as dn. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 10216] New: Channel binding enforced on AD with AD cert using EDCSA-SHA384 fails
by openldap-its＠openldap.org 21 May '24

21 May '24

https://bugs.openldap.org/show_bug.cgi?id=10216 Issue ID: 10216 Summary: Channel binding enforced on AD with AD cert using EDCSA-SHA384 fails Product: OpenLDAP Version: 2.6.7 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: simon.pichugin(a)gmail.com Target Milestone: --- Secure LDAP connections to the target Windows server 2019 DC began failing after the Windows Server DC certificate was updated to an Elliptic Curve Public Key (384 bits) with the sha384ECDSA signature algorithm and sha384 signature hash algorithm specified. The connections were previously successful when the Windows server DC certificate specified an RSA Public Key certificate with signature algorithm sha256RSA and signature hash algorithm sha256 specified. Once the Windows server domain controller certificate is upgraded to the ECC public key, subsequent secure ldap connection attempts fail. If channel binding is turned off on the Windows AD target server, secure ldap connections will succeed using starttls. If Windows server domain controller certificate is upgraded to ECC public key and ldap channel binding is enforced, subsequent secure ldap connection attempts fail with this error message: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: 80090346: LdapErr: DSID-0C09070F, comment: AcceptSecurityContext error, data 80090346, v4563 Expected results: Kerberos SASL should work with STARTTLS even when AD certificate is ECC and SASL_CBINDING is set to "tls-endpoint" Actual results: Kerberos SASL only works with STARTTLS even when AD certificate is RSA and SASL_CBINDING is set to "tls-endpoint"; it fails when AD certificate is ECC Additional information: According to the OpenSSL maintainer, there might be a bug in the OpenLDAP code: it uses EVP_get_digestbynid() to find a digest algorithm based on the signature algorithm, but there might be no such mapping in EC compared to the RSA case. OpenLDAP needs to use OBJ_find_sigid_algs() to find the right algorithm. Possibly, this is the failing code: https://git.openldap.org/openldap/openldap/-/blob/master/libraries/libldap/… Instead of X509_get_signature_nid() OpenLDAP code probably should call something like OBJ_find_sigid_algs(X509_get_signature_nid(cert), &md_nid, &pk_nid). The former only supports mapping for a few known signature algorithms, but everything did work, most likely due to a fallback to sha256 in case the digest wasn't really found. Judging by https://github.com/openssl/openssl/issues/14278 and https://github.com/openssl/openssl/issues/14467, a better API is coming but not currently available (and as it was in the state for a few years, it probably won't be coming soon) -- You are receiving this mail because: You are on the CC list for the issue.

1 8

[Issue 10212] New: read-only tools may use wrong meta page
by openldap-its＠openldap.org 14 May '24

14 May '24

https://bugs.openldap.org/show_bug.cgi?id=10212 Issue ID: 10212 Summary: read-only tools may use wrong meta page Product: LMDB Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: liblmdb Assignee: bugs(a)openldap.org Reporter: hyc(a)openldap.org Target Milestone: --- On a quiescent database that's only used for read-only txns, the txnid won't be initialized so it remains set to zero. Then only meta page zero will get used, even if page one is newer. Thus all information retrieved will be stale by one txn. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9921] New: Tautology in clients/tools/common.c:print_vlv()
by openldap-its＠openldap.org 08 May '24

08 May '24

https://bugs.openldap.org/show_bug.cgi?id=9921 Issue ID: 9921 Summary: Tautology in clients/tools/common.c:print_vlv() Product: OpenLDAP Version: 2.6.3 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: client tools Assignee: bugs(a)openldap.org Reporter: dpa-openldap(a)aegee.org Target Milestone: --- https://git.openldap.org/openldap/openldap/-/blob/master/clients/tools/comm… contains: tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE, ldif ? "vlvResult" : "vlvResult", buf, rc ); The second parameter is always vlvResult, irrespective of the value of ldif. -- You are receiving this mail because: You are on the CC list for the issue.

1 7

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs