--On Friday, June 22, 2018 9:01 PM +0000 alexandr.nedvedicky(a)oracle.com
wrote:
> Full_Name: Alexandr Nedvedicky
> Version: 2.46
> OS: Solaris 11.3
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (141.143.193.76)
>
>
> Disclaimer: I understand I'm asking for change, which might be disruptive
> for many OpenLDAP users.
Hi,
This has already been covered extensively in
<http://www.openldap.org/its/index.cgi/?findid=5812>. If you prefer to
have it turned off for all clients on a system, you can use your global
ldap.conf file to do so. The project will not be changing long-standing
behavior. But I appreciate your time in filing the ITS.
Warm regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Full_Name: Alexandr Nedvedicky
Version: 2.46
OS: Solaris 11.3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.143.193.76)
Disclaimer: I understand I'm asking for change, which might be disruptive for
many OpenLDAP users.
The issue popped up as a fallout of the transition from Mozilla LDAP to OpenLDAP.
Mozilla LDAP does not canonicalize the hostname using DNS by default, while
OpenLDAP does the exact opposite. Using DNS to canonicalize hosts to a domain
name opens a potential attack vector via DNS spoofing.
For example, the Samba client opts out of name canonicalization; the snippet
comes from lib/libsmbns/common/smbns_ads.c:
/*
 * smb_ads_open
 *
 * Open an LDAP connection to a discovered AD server for the specified domain.
 * Specify our capability to support LDAP_VERSION3 when binding to the AD
 * server. On success, returns an AD handle. Otherwise, returns NULL.
 *
 * By default, 'encrypt_ldap' property is set to B_TRUE. For debugging
 * purposes, it can be set to B_FALSE to disable LDAP encryption.
 *
 * Pre-condition:
 * A Kerberos TGT ticket must be found in ccache in order to acquire a LDAP
 * service ticket.
 *
 * Parameters:
 * domain - fully-qualified domain name
 */
static smb_ads_handle_t *
smb_ads_open(char *domain)
{
....
		(void) ldap_unbind(ld);
		return (NULL);
	}

	(void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
	/* do not canonicalize the SASL host name through DNS */
	(void) ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);

	ah->ld = ld;
	ah->domain = strdup(domain);

	if (ah->domain == NULL) {
		smb_ads_close(ah);
		smb_ads_free_host(ads_host);
		return (NULL);
	}
I can't tell how other projects handle, or prefer to handle, the NOCANON
option. Solaris is considering tightening the knob and saying 'yes to NOCANON'
in order to suppress hostname canonicalization.
As I've said, I fully understand if you decide not to change the current
default, as the change might hurt many users. I just want to share the
experience we got when switching from Mozilla LDAP to OpenLDAP.
Full_Name: Francesco Turco
Version: 2.4.45
OS: Gentoo Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:b07:2eb:c9ed:21c:c0ff:fead:3d70)
My GNU/Linux distribution is Gentoo Linux. When installing
net-nds/openldap-2.4.45 the Portage package manager reports the following
warning:
* QA Notice: Package triggers severe warnings which indicate that it
* may exhibit random runtime failures.
* /var/tmp/portage/net-nds/openldap-2.4.45/work/openldap-2.4.45/libraries/libldap/open.c:251:7:
warning: implicit declaration of function ‘ldap_is_ldapc_url’; did you mean
‘ldap_is_ldapi_url’? [-Wimplicit-function-declaration]
* /var/tmp/portage/net-nds/openldap-2.4.45/work/openldap-2.4.45/libraries/libldap_r/thr_posix.c:93:9:
warning: implicit declaration of function ‘pthread_setconcurrency’; did you mean
‘pthread_setcanceltype’? [-Wimplicit-function-declaration]
* /var/tmp/portage/net-nds/openldap-2.4.45/work/openldap-2.4.45/libraries/libldap_r/thr_posix.c:107:9:
warning: implicit declaration of function ‘pthread_getconcurrency’; did you mean
‘ldap_pvt_thread_get_concurrency’? [-Wimplicit-function-declaration]
* open.c:251:7: warning: implicit declaration of function ‘ldap_is_ldapc_url’;
did you mean ‘ldap_is_ldapi_url’? [-Wimplicit-function-declaration]
* /var/tmp/portage/net-nds/openldap-2.4.45/work/openldap-2.4.45/servers/slapd/back-ldap/bind.c:722:2:
warning: implicit declaration of function ‘slap_client_keepalive’; did you mean
‘slap_client_connect’? [-Wimplicit-function-declaration]
* /var/tmp/portage/net-nds/openldap-2.4.45/work/openldap-2.4.45/servers/slapd/back-meta/conn.c:424:2:
warning: implicit declaration of function ‘slap_client_keepalive’; did you mean
‘slap_client_connect’? [-Wimplicit-function-declaration]
* cloak.c:246:4: warning: implicit declaration of function ‘attr_clean’; did
you mean ‘entry_clean’? [-Wimplicit-function-declaration]
* Please do not file a Gentoo bug and instead report the above QA
* issues directly to the upstream developers of this software.
* Homepage: http://www.OpenLDAP.org/
Other tests might need to use the ldaps urls added with ITS#8573, the
patch at https://github.com/mistotebe/openldap/tree/its8573-tables
makes them available to scripts and $CONFFILTER users.
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
On Wed, Nov 15, 2017 at 04:59:57PM +0000, minfrin(a)sharp.fm wrote:
> Hi all,
>
> I am seeing a build failure when trying to build openldap master on MacOS
> Sierra:
Hi Graham,
a proposed patch series is available here:
https://github.com/mistotebe/openldap/tree/its8772
Does it fix the build issues for you?
Thanks,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
Hi,
On Fri, 22 Jun 2018, Ondřej Kuzník wrote:
> On Sun, Mar 23, 2014 at 09:32:22AM +0000, ck(a)cksoft.de wrote:
>> Hi,
>>
>> I can confirm that openldap-2.4.39 still has an issue with this.
>>
>> When connecting via TLS I tried to modify olcTLSVerifyClient from never
>> to try with the following LDIF:
>>
>> dn: cn=config
>> changetype: modify
>> replace: olcTLSVerifyClient
>> olcTLSVerifyClient: try
>>
>> this caused slapd to hang indefinitely.
>>
>> I was able to successfully modify above when connecting without TLS.
>>
>> I need to complete my current task but will set up a small proof of
>> concept later on in my lab.
>
> Hi Christian,
> have you been able to set up a test configuration that reproduces it
> with latest OpenLDAP? A cursory test here doesn't seem to do anything of
> the sort.
This is 4 years old and I had totally forgotten about it.
But I just happen to have a development cluster running with both the affected 2.4.39 and new 2.4.46 nodes.
I will try to test over the weekend and will give you feedback.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
On Sun, Mar 23, 2014 at 09:32:22AM +0000, ck(a)cksoft.de wrote:
> Hi,
>
> I can confirm that openldap-2.4.39 still has an issue with this.
>
> When connecting via TLS I tried to modify olcTLSVerifyClient from never
> to try with the following LDIF:
>
> dn: cn=config
> changetype: modify
> replace: olcTLSVerifyClient
> olcTLSVerifyClient: try
>
> this caused slapd to hang indefinitely.
>
> I was able to successfully modify above when connecting without TLS.
>
> I need to complete my current task but will set up a small proof of
> concept later on in my lab.
Hi Christian,
have you been able to set up a test configuration that reproduces it
with latest OpenLDAP? A cursory test here doesn't seem to do anything of
the sort.
Thanks,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
Full_Name: Quanah Gibson-Mount
Version: 2.4.46
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)
Certain search filters are not processed efficiently in the back-{bhm}db code
base.
An example is:
"(|(&(subscriberid=1)(objectClass=XYZ))(&(subscriberid=2)(objectClass=XYZ)))"
In this situation, the contiguous list of possibilities for the objectClass
result gets turned into a range, causing each entry to be examined as a match.
This significantly increases CPU load and causes a delay in returning the
result. Re-arranging the search in the following manner bypasses this issue:
"(&(objectClass=XYZ)(|(subscriberid=1)(subscriberid=2)))"
General timing with back-mdb:
.477 seconds for the expensive search
.020 seconds for the optimized search
For back-bdb, the timing was:
.665 seconds for the expensive search
.020 seconds for the optimized search
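The rewrite described in this report, hoisting the objectClass conjunct that every OR branch shares above the OR, as an added Python example that is not part of the ITS report or of OpenLDAP itself. The parser covers only the RFC 4515 subset the report's filter uses (AND, OR, NOT and simple attr=value items) and assumes values are already RFC 4515 escaped, so no unescaped ')' appears inside a value.

```python
# Added example, not from the ITS text: a small parser for RFC 4515-style
# filters plus a rewrite that factors a conjunct shared by every branch of
# an OR out of that OR, so the shared term (here objectClass=XYZ) is
# evaluated once rather than once per branch.  Values assumed escaped.

def parse(s, i=0):
    """Parse one filter component starting at s[i]; return (tree, next_i)."""
    assert s[i] == "(", "filter component must start with '('"
    i += 1
    if s[i] in "&|":                      # (&...) or (|...): list of children
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":                       # (!(...)): single child
        kid, i = parse(s, i + 1)
        return ("!", [kid]), i + 1
    j = s.index(")", i)                   # simple item such as attr=value
    return ("=", s[i:j]), j + 1

def unparse(t):
    op, body = t
    if op == "=":
        return "(" + body + ")"
    return "(" + op + "".join(unparse(k) for k in body) + ")"

def factor(t):
    """Recursively pull conjuncts common to every AND branch out of an OR."""
    op, body = t
    if op == "=":
        return t
    kids = [factor(k) for k in body]
    if op == "|" and len(kids) > 1 and all(k[0] == "&" for k in kids):
        common = [c for c in kids[0][1] if all(c in k[1] for k in kids[1:])]
        if common:
            rest = []
            for k in kids:
                left = [c for c in k[1] if c not in common]
                if not left:              # branch == common: the OR is implied
                    return ("&", common)
                rest.append(left[0] if len(left) == 1 else ("&", left))
            return ("&", common + [("|", rest)])
    return (op, kids)

def optimize(filter_str):
    tree, end = parse(filter_str)
    assert end == len(filter_str), "trailing text after filter"
    return unparse(factor(tree))
```

Running optimize() on the report's expensive filter yields exactly the rearranged form the report measured at .020 seconds.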
Full_Name: anil kumar appanna
Version: 2.4
OS: RHEL
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (143.112.32.4)
I configured multi-master replication. The configuration went well without any
errors, but the data is not replicated from one server to the other. When I
looked at the log file, I saw the errors below:
slap_client_connect: URI=ldap://***.com DN="cn=config" ldap_sasl_bind_s failed
(-1)
do_syncrepl: rid=001 rc -1 retrying
slap_client_connect: URI=ldap://***.com DN="cn=ldapadm,dc=****,dc=com"
ldap_sasl_bind_s failed (-1)
I would appreciate any quick help.
I am very new to OpenLDAP.