https://bugs.openldap.org/show_bug.cgi?id=9290
Issue ID: 9290
Summary: Trying to add new config to Ldap
Product: OpenLDAP
Version: 2.4.49
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: koshlendra.singh(a)punchh.com
Target Milestone: ---
While I am trying to add a new user config to the LDAP server, I am getting the following error:
ldap_add: Invalid syntax (21)
additional info: uidNumber: value #0 invalid per syntax
Please share your ideas on getting this resolved.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9265
Issue ID: 9265
Summary: modifying a schema beneath an overlay hits assert
Product: OpenLDAP
Version: 2.4.50
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ratness(a)gmail.com
Target Milestone: ---
I'm going to demo this on debian-unstable so it's on 2.4.50, but I've also been
able to achieve the following failure with CentOS7's package
(openldap-servers-2.4.44-21.el7_6.x86_64), so I don't think it's
packager-related. I apologize that I don't have a gdb run with this report,
but I've been having poor luck compiling it or getting a non-stripped binary.
Steps to reproduce:
* grab a vm/droplet/whatever of debian, convert source to unstable, apt update / apt full-upgrade
* apt-get install slapd ldap-utils
* reboot
* Add the ppolicy schema:
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
* Add the ppolicy module:
**
```
cat >/tmp/moduleadd <<EOF
dn: cn=module{0},cn=config
add: olcModuleLoad
olcModuleLoad: ppolicy
EOF
```
** /usr/bin/ldapmodify -cQY EXTERNAL -H ldapi:/// -f /tmp/moduleadd
* Add a super boring ppolicy overlay:
```
cat >/tmp/overlayadd <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
EOF
```
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/overlayadd
* Halt slapd, and then start it up in debug mode:
** service slapd stop
** /usr/sbin/slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d -d any
* now, the weird one. Run an attempted 'replace' ldif against the ppolicy
schema that would result in no net change to it.
```
cat >/tmp/trauma <<EOF
dn: cn={4}ppolicy,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-
replace: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST ( pwdAttribute ) MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
-
EOF
```
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/trauma
The client comes back with:
modifying entry "cn={4}ppolicy,cn=schema,cn=config"
ldap_result: Can't contact LDAP server (-1)
The server, however, has failed on an assertion. The tail of the debug stream
is:
5ec71e94 => access_allowed: add access granted by manage(=mwrscxd)
5ec71e94 slap_queue_csn: queueing 0x7facb8105700 20200522003636.287264Z#000000#000#000000
5ec71e94 oc_check_required entry (cn={4}ppolicy,cn=schema,cn=config), objectClass "olcSchemaConfig"
5ec71e94 oc_check_allowed type "objectClass"
5ec71e94 oc_check_allowed type "cn"
5ec71e94 oc_check_allowed type "structuralObjectClass"
5ec71e94 oc_check_allowed type "entryUUID"
5ec71e94 oc_check_allowed type "creatorsName"
5ec71e94 oc_check_allowed type "createTimestamp"
5ec71e94 oc_check_allowed type "olcAttributeTypes"
5ec71e94 oc_check_allowed type "olcObjectClasses"
5ec71e94 oc_check_allowed type "entryCSN"
5ec71e94 oc_check_allowed type "modifiersName"
5ec71e94 oc_check_allowed type "modifyTimestamp"
slapd: ../../../../servers/slapd/at.c:277: at_clean: Assertion `a->sat_syntax != NULL' failed.
Aborted
"Why do you have an overlay there?"
Beats me. It was like that when I got here, and since it's enforcing password
policies, I don't think I can change it.
"Why would you ever run such a silly modify!?"
I wouldn't. This stems from a Puppet module where any time it spots the
timestamp of /etc/path/to/ldap/schema/foo.schema is newer than the
'modifyTimestamp' of schema 'foo' in slapd, it kicks off a modify so slapd will
be timestamp-newer than what's on disk. It just happens that if you ever do
something as simple as `touch /etc/ldap/slapd.d/ppolicy.schema`, it triggers
this update process and crashes the server on the next Puppet run. And I bet
most people don't have an overlay and so this is probably a not-often-seen edge
case. But unfortunately I'm not a good C person so I don't see the issue well
enough to offer a PR.
Thanks for reading.
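Both reports above come down to what slapd is handed over the wire: in 9290 the Integer syntax (1.3.6.1.4.1.1466.115.121.1.27) of uidNumber rejects the value, and in 9265 a replace that carries no net change reaches at_clean. The script below is an added example written for this page, not OpenLDAP's code and not either reporter's. It parses LDIF the way RFC 2849 describes (continuation lines folded, leading spaces stripped, trailing ones kept), flags Integer values that slapd's validator would refuse, and compares a schema replace against the entry as it currently sits in cn=config so a config-management run can skip the modify when it would change nothing. Assumptions: the set of Integer attributes is limited to uidNumber and gidNumber from the nis schema; the LDIF records are constructed here; the reporter in 9290 never showed the offending value, so trailing whitespace and leading zeros are offered as typical causes, not the diagnosed one; and skipping the no-op modify only avoids the trigger described in 9265, it does not fix the assertion.

```python
import base64
import re

# Attribute types using the Integer syntax in the standard nis schema.
# Assumption: extend this set for any local Integer attributes.
INTEGER_ATTRS = {"uidnumber", "gidnumber"}
# RFC 4517 Integer: optional '-', no leading zeros; "0" is valid, "-0" and "007" are not.
INTEGER_RE = re.compile(r"^(0|-?[1-9][0-9]*)$")
# cn=config stores X-ORDERED values as "{n}( ... )"; the prefix is not part of the definition.
ORDER_PREFIX = re.compile(r"^\{\d+\}")


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_entry(text):
    """Parse one LDIF record (add or modify form) into {attr.lower(): [values]}.
    Leading FILL spaces are dropped as RFC 2849 says; trailing whitespace or a stray CR
    stays in the value, which is exactly what ldapadd would send to the server."""
    entry = {}
    for line in unfold(text):
        attr, sep, value = line.partition(":")
        if not sep:                      # "-" separators carry no value
            continue
        if value.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.lstrip(" ")
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def integer_syntax_problems(entry):
    """List (attr, value, reason) for values slapd would reject with 'invalid per syntax'."""
    problems = []
    for attr, values in entry.items():
        if attr not in INTEGER_ATTRS:
            continue
        for v in values:
            if v != v.strip():
                problems.append((attr, v, "leading/trailing whitespace or CR"))
            elif not INTEGER_RE.match(v):
                problems.append((attr, v, "not an RFC 4517 Integer"))
    return problems


def normalize_schema_value(v):
    """Strip the {n} prefix and collapse whitespace so differently folded copies compare equal."""
    return " ".join(ORDER_PREFIX.sub("", v).split())


def schema_modify_is_noop(desired, current, attrs=("olcAttributeTypes", "olcObjectClasses")):
    """True when replacing `attrs` on `current` with the values in `desired` changes nothing.
    Order is compared too, since these attributes are X-ORDERED in cn=config."""
    return all(
        [normalize_schema_value(v) for v in desired.get(a.lower(), [])]
        == [normalize_schema_value(v) for v in current.get(a.lower(), [])]
        for a in attrs
    )


def build_schema_modify(dn, desired, current, attrs=("olcAttributeTypes", "olcObjectClasses")):
    """Return the modify LDIF to send, or None when it would be a no-op and should be skipped."""
    if schema_modify_is_noop(desired, current, attrs):
        return None
    out = ["dn: " + dn, "changetype: modify"]
    for a in attrs:
        out.append("replace: " + a)
        out.extend(a + ": " + v for v in desired.get(a.lower(), []))
        out.append("-")
    return "\n".join(out) + "\n"


# Constructed sample records (not the reporters' files).
BAD_ADD = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "objectClass: posixAccount",
    "uidNumber: 1001 ",   # trailing space survives LDIF parsing
    "gidNumber: 0100",    # leading zero is not an RFC 4517 Integer
]) + "\n"
SCHEMA_DN = "cn={4}ppolicy,cn=schema,cn=config"
# As ldapsearch returns it from cn=config: {n} prefixes, lines folded at 78 columns.
CURRENT_SCHEMA = "\n".join([
    "dn: " + SCHEMA_DN,
    "olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY",
    "  objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
    "olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integ",
    " erMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "olcObjectClasses: {0}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY",
    "  MUST ( pwdAttribute ) MAY ( pwdMinAge ) )",
]) + "\n"
# What a config-management run wants to push: same definitions, no prefixes, folded elsewhere.
DESIRED_MODIFY = "\n".join([
    "dn: " + SCHEMA_DN,
    "changetype: modify",
    "replace: olcAttributeTypes",
    "olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute'",
    "  EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
    "olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch",
    "  ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "-",
    "replace: olcObjectClasses",
    "olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY",
    "  MUST ( pwdAttribute ) MAY ( pwdMinAge ) )",
    "-",
]) + "\n"

if __name__ == "__main__":
    for problem in integer_syntax_problems(parse_entry(BAD_ADD)):
        print("would be rejected:", problem)
    ldif = build_schema_modify(SCHEMA_DN, parse_entry(DESIRED_MODIFY), parse_entry(CURRENT_SCHEMA))
    print("schema modify to send:", "none, no net change" if ldif is None else ldif)
```

In practice `current` comes from `ldapsearch -QY EXTERNAL -H ldapi:/// -b cn=schema,cn=config '(cn=*ppolicy)'` fed through parse_entry, and the tool only calls ldapmodify when build_schema_modify returns something. Comparing the unprefixed, whitespace-normalized definitions in order is the right granularity: a change in value order is a real change to an X-ORDERED attribute, while a different fold point is not.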
https://bugs.openldap.org/show_bug.cgi?id=9043
--- Comment #2 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
• 31423439
by Ondřej Kuzník at 2020-07-08T12:54:08+01:00
ITS#9043 Make sure uuidstr is initialised on use
https://bugs.openldap.org/show_bug.cgi?id=7748
Ondřej Kuzník <ondra(a)mistotebe.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.openldap.org/show_bug.cgi?id=5973,
| |https://bugs.openldap.org/show_bug.cgi?id=6531,
| |https://bugs.openldap.org/show_bug.cgi?id=9282,
| |https://bugs.openldap.org/show_bug.cgi?id=5470
https://bugs.openldap.org/show_bug.cgi?id=5973
Ondřej Kuzník <ondra(a)mistotebe.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.openldap.org/show_bug.cgi?id=7748
https://bugs.openldap.org/show_bug.cgi?id=6531
Ondřej Kuzník <ondra(a)mistotebe.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.openldap.org/show_bug.cgi?id=7748
https://bugs.openldap.org/show_bug.cgi?id=5470
Ondřej Kuzník <ondra(a)mistotebe.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.openldap.org/show_bug.cgi?id=7748
https://bugs.openldap.org/show_bug.cgi?id=7748
--- Comment #5 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
There are a few issues that test058 triggers (not an exhaustive list):
- ITS#9282/5740 - which would have the server attempt to remove the sm1ou2
entry
- how subordinate databases seem to interact with syncprov
- at the very least this prevents sm1ou2 above from being removed, masking
that bug
- cookies seem to be leaking across the syncrepl connections in a strange way
and I suspect it's preventing some updates from being transmitted properly
https://bugs.openldap.org/show_bug.cgi?id=8701
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|OL_2_5_REQ |
Status|CONFIRMED |RESOLVED
Resolution|--- |TEST
--- Comment #5 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
Commits:
• 1129df53
by Ondřej Kuzník at 2020-07-07T16:43:35+01:00
ITS#8701 Expose account usability in libldap
• 63440f03
by Ondřej Kuzník at 2020-07-07T16:43:37+01:00
ITS#8701 Add account usability to ldapsearch
• bdc9dbc5
by Ondřej Kuzník at 2020-07-07T16:43:37+01:00
ITS#8701 Implement account usability in ppolicy
https://bugs.openldap.org/show_bug.cgi?id=8762
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|IN_PROGRESS |RESOLVED
Keywords|OL_2_5_REQ |
Resolution|--- |TEST
--- Comment #11 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
• 49504c16
by Ondřej Kuzník at 2020-07-03T20:42:14+00:00
Fix whitespace in ppolicy.c
• 3e0447f4
by Ondřej Kuzník at 2020-07-03T20:42:14+00:00
ITS#7089 Skip lockout checks/modifications if password attribute missing
• 3ec005a0
by Ondřej Kuzník at 2020-07-03T20:42:14+00:00
ITS#7788 Report if there is a policy that applies
• 0b6ac3fd
by Ondřej Kuzník at 2020-07-03T20:42:14+00:00
ITS#7788 Skip lockout processing if no policy applies
• a030aacc
by Ondřej Kuzník at 2020-07-03T20:42:14+00:00
ITS#7788 Allow pwdFailureTime tracking be disabled in policy
• 376d5d65
by Ondřej Kuzník at 2020-07-03T20:42:14+00:00
ITS#7084 ACL of 'manage' gives password administrator access
Password administrators can bypass safeModify, password quality checks
and trigger reset if policy instructs the server to.
• e05c09b9
by Ondřej Kuzník at 2020-07-03T20:42:14+00:00
ITS#8762 Clear pwdFailureTime on unlock
• 5bf16496
by Ondřej Kuzník at 2020-07-03T20:42:14+00:00
ITS#7084, ITS#7089, ITS#7788 Update test to account for new functionality