openldap-bugs

openldap-bugs@openldap.org

1 participants
21065 discussions

Start a nNew thread

(ITS#8553) LMDB Windows UWP Patch
by temp＠zeropass-app.io 29 Jan '18

29 Jan '18

Hi, why is this not merged yet? Any particular reason?

1 0

Re: (ITS#8486) Syncprov sessionlog is inefficient, kills perf
by hyc＠symas.com 26 Jan '18

26 Jan '18

quanah(a)zimbra.com wrote: > --On Monday, August 29, 2016 9:16 PM +0000 quanah(a)openldap.org wrote: > >> Full_Name: Quanah Gibson-Mount >> Version: 2.4.44 >> OS: Linux 2.6 >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (75.111.52.177) > > In doing testing for ITS#8491, I encountered this problem in my lab. Any > time a single replica is parsing the session log, all other operations on > the server come to a complete halt. I.e., slapd does *nothing* other than > handle the sessionlog query. This seems like a fatal problem. A patch for this is available for testing in https://github.com/quanah/openldap-scratch/tree/its8486. It no longer keeps the sessionlog mutex locked for the entire time that it's playing the log. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8100) Empty accesslog causes issues with delta-syncrepl MMR configurations
by hyc＠symas.com 26 Jan '18

26 Jan '18

quanah(a)symas.com wrote: > --On Thursday, April 09, 2015 5:42 AM +0000 quanah(a)openldap.org wrote: > >> Full_Name: Quanah Gibson-Mount >> Version: 2.4.39 >> OS: Linux 2.6 >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (50.25.188.166) >> >> >> When one has an MMR setup using delta-syncrepl, and the masters get into a >> situation where one is out of sync, or adding a new MMR node to an >> existing cluster, things will be broken until the new/reloaded node has a >> write op that goes to the accesslog DB. In an existing cluster, where a >> node is being reloaded, it causes all nodes to go into an endless looping >> fallback sync until that write occurs. > > One possible fix for this, would be to refuse to delete the final entry in > the accesslog during the purge phase. That way, the accesslog would never > be empty. I'm not sure how difficult this would be to implement, code wise. A patch which skips deleting the final entry, and creates an initial dummy log entry if needed, is available in https://github.com/quanah/openldap-scratch/tree/its8100 for testing. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8791) OpenSSL 1.1.1 compat issue
by quanah＠symas.com 25 Jan '18

25 Jan '18

Hi Bradley, I believe it's waiting on a review from Howard. I also plan on throwing it into my scratch repo and testing when I get the time, but my primary focus at the moment is migrating the OpenLDAP project to new infrastructure and a new bug tracking system. ;) --Quanah --On Wednesday, January 24, 2018 10:23 PM +0000 bbaetz(a)google.com wrote: > --089e082f9ab494ea2405638d1cae > Content-Type: text/plain; charset="UTF-8" > > Is there anything else I need to do in order to get this committed? > > Bradley > > On Fri, 15 Dec 2017 at 12:08 Bradley Baetz <bbaetz(a)google.com> wrote: > >> Done in ftp://ftp.openldap.org/incoming/bradley-baetz-20171215.patch >> >> >> On Fri, 15 Dec 2017 at 04:36 Howard Chu <hyc(a)symas.com> wrote: >> >>> bbaetz(a)google.com wrote: >>> > Full_Name: Bradley Baetz >>> > Version: 2.4.45 >>> > OS: linux >>> > URL: ftp://ftp.openldap.org/incoming/bradley-baetz-20171214.patch >>> > Submission from: (NULL) (2401:fa00:9:11:7ac0:58b5:299c:bebb) >>> >>> Thanks for the patch. The initialization of the static tlso_bio_method >>> is racy. One-time initializations should be done in tlso_init, and the >>> allocated >>> memory should be freed in tlso_destroy. >>> >>> > >>> > ITS#8533 added support for the OpenSSL's hiding of the bio_method_st >>> struct. >>> > >>> > However, it did this by re-defining the now-private structure, using >>> the OpenSSL >>> > 1.0 version. That will fail when OpenSSL changes their structure, >>> > which >>> they >>> > have already done for v1.1.1 - see >>> > >>> https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=include/internal >>> /bio.h;hb=e1dd8fa00a1e06d27c8b024dac7657a8d8a9b451#l16 >>> > >>> > It also fails with BoringSSL, which has v1.0's OPENSSL_VERSION_NUMBER >>> define, >>> > but has not yet hidden the struct definition. >>> > >>> > The attached file is derived from OpenLDAP Software. All of the >>> modifications to >>> > OpenLDAP Software represented in the following patch(es) were >>> > developed >>> by >>> > Google, LLC. Google, LLC has not assigned rights and/or interest in >>> this work to >>> > any party. I, Bradley Baetz am authorized by Google, LLC, my employer, >>> to >>> > release this work under the following terms. >>> > >>> > The attached modifications to OpenLDAP Software are subject to the >>> following >>> > notice: >>> > Copyright 2017 Google, LLC. >>> > Redistribution and use in source and binary forms, with or without >>> modification, >>> > are permitted only as authorized by the OpenLDAP Public License. >>> > >>> > >>> >>> >>> -- >>> -- Howard Chu >>> CTO, Symas Corp. http://www.symas.com >>> Director, Highland Sun http://highlandsun.com/hyc/ >>> Chief Architect, OpenLDAP http://www.openldap.org/project/ >>> >> > > --089e082f9ab494ea2405638d1cae > Content-Type: text/html; charset="UTF-8" > Content-Transfer-Encoding: quoted-printable > > <div dir=3D"ltr">Is there anything else I need to do in order to get this > c= ommitted?<div><br></div><div>Bradley</div></div><br><div > class=3D"gmail_quo= te"><div dir=3D"ltr">On Fri, 15 Dec 2017 at 12:08 > Bradley Baetz <<a href= > =3D"mailto:bbaetz@google.com">bbaetz(a)google.com</a>> > wrote:<br></div><bl= ockquote class=3D"gmail_quote" style=3D"margin:0 0 0 > .8ex;border-left:1px #= ccc solid;padding-left:1ex"><div > dir=3D"ltr"><span style=3D"font-size:small= ">Done in=C2=A0</span><a > href=3D"ftp://ftp.openldap.org/incoming/bradley-ba= etz-20171215.patch" > style=3D"font-size:small" target=3D"_blank">ftp://ftp.o= > penldap.org/incoming/bradley-baetz-20171215.patch</a><br><br > class=3D"m_906= > 2438285945864329inbox-inbox-Apple-interchange-newline"></div><br><div > class= =3D"gmail_quote"><div dir=3D"ltr">On Fri, 15 Dec 2017 at 04:36 > Howard Chu &= lt;<a href=3D"mailto:hyc@symas.com" > target=3D"_blank">hyc(a)symas.com</a>>= wrote:<br></div><blockquote > class=3D"gmail_quote" style=3D"margin:0 0 0 .8= ex;border-left:1px #ccc > solid;padding-left:1ex"><a href=3D"mailto:bbaetz@go= ogle.com" > target=3D"_blank">bbaetz(a)google.com</a> wrote:<br> > > Full_Name: Bradley Baetz<br> > > Version: 2.4.45<br> > > OS: linux<br> > > URL: <a > href=3D"ftp://ftp.openldap.org/incoming/bradley-baetz-20171214= .patch" > rel=3D"noreferrer" target=3D"_blank">ftp://ftp.openldap.org/incomin= > g/bradley-baetz-20171214.patch</a><br> > > Submission from: (NULL) (2401:fa00:9:11:7ac0:58b5:299c:bebb)<br> > <br> > Thanks for the patch. The initialization of the static tlso_bio_method > is<b= r> > racy. One-time initializations should be done in tlso_init, and the > allocat= ed<br> > memory should be freed in tlso_destroy.<br> > <br> > ><br> > > ITS#8533 added support for the OpenSSL's hiding of the > bio_method_= st struct.<br> > ><br> > > However, it did this by re-defining the now-private structure, using > t= he OpenSSL<br> > > 1.0 version. That will fail when OpenSSL changes their structure, > whic= h they<br> > > have already done for v1.1.1 - see<br> > > <a > href=3D"https://git.openssl.org/gitweb/?p=3Dopenssl.git;a=3Dblob;f= > =3Dinclude/internal/bio.h;hb=3De1dd8fa00a1e06d27c8b024dac7657a8d8a9b451#l > 16= " rel=3D"noreferrer" > target=3D"_blank">https://git.openssl.org/gitweb/?p=3D= > openssl.git;a=3Dblob;f=3Dinclude/internal/bio.h;hb=3De1dd8fa00a1e06d27c8b > 02= 4dac7657a8d8a9b451#l16</a><br> > ><br> > > It also fails with BoringSSL, which has v1.0's > OPENSSL_VERSION_NUM= BER define,<br> > > but has not yet hidden the struct definition.<br> > ><br> > > The attached file is derived from OpenLDAP Software. All of the > modifi= cations to<br> > > OpenLDAP Software represented in the following patch(es) were > develope= d by<br> > > Google, LLC. Google, LLC has not assigned rights and/or interest in > th= is work to<br> > > any party. I, Bradley Baetz am authorized by Google, LLC, my > employer,= to<br> > > release this work under the following terms.<br> > ><br> > > The attached modifications to OpenLDAP Software are subject to the > fol= lowing<br> > > notice:<br> > > Copyright 2017 Google, LLC.<br> > > Redistribution and use in source and binary forms, with or without > mod= ification,<br> > > are permitted only as authorized by the OpenLDAP Public License.<br> > ><br> > ><br> > <br> > <br> > --<br> > =C2=A0 =C2=A0-- Howard Chu<br> > =C2=A0 =C2=A0CTO, Symas Corp.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a > hr= ef=3D"http://www.symas.com" rel=3D"noreferrer" > target=3D"_blank">http://www= .symas.com</a><br> > =C2=A0 =C2=A0Director, Highland Sun=C2=A0 =C2=A0 =C2=A0<a > href=3D"http://hi= ghlandsun.com/hyc/" rel=3D"noreferrer" > target=3D"_blank">http://highlandsun= .com/hyc/</a><br> > =C2=A0 =C2=A0Chief Architect, OpenLDAP=C2=A0 <a > href=3D"http://www.openldap= .org/project/" rel=3D"noreferrer" > target=3D"_blank">http://www.openldap.org= /project/</a><br> > </blockquote></div></blockquote></div> > > --089e082f9ab494ea2405638d1cae-- > > > -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8791) OpenSSL 1.1.1 compat issue
by bbaetz＠google.com 24 Jan '18

24 Jan '18

--089e082f9ab494ea2405638d1cae Content-Type: text/plain; charset="UTF-8" Is there anything else I need to do in order to get this committed? Bradley On Fri, 15 Dec 2017 at 12:08 Bradley Baetz <bbaetz(a)google.com> wrote: > Done in ftp://ftp.openldap.org/incoming/bradley-baetz-20171215.patch > > > On Fri, 15 Dec 2017 at 04:36 Howard Chu <hyc(a)symas.com> wrote: > >> bbaetz(a)google.com wrote: >> > Full_Name: Bradley Baetz >> > Version: 2.4.45 >> > OS: linux >> > URL: ftp://ftp.openldap.org/incoming/bradley-baetz-20171214.patch >> > Submission from: (NULL) (2401:fa00:9:11:7ac0:58b5:299c:bebb) >> >> Thanks for the patch. The initialization of the static tlso_bio_method is >> racy. One-time initializations should be done in tlso_init, and the >> allocated >> memory should be freed in tlso_destroy. >> >> > >> > ITS#8533 added support for the OpenSSL's hiding of the bio_method_st >> struct. >> > >> > However, it did this by re-defining the now-private structure, using >> the OpenSSL >> > 1.0 version. That will fail when OpenSSL changes their structure, which >> they >> > have already done for v1.1.1 - see >> > >> https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=include/internal/bio… >> > >> > It also fails with BoringSSL, which has v1.0's OPENSSL_VERSION_NUMBER >> define, >> > but has not yet hidden the struct definition. >> > >> > The attached file is derived from OpenLDAP Software. All of the >> modifications to >> > OpenLDAP Software represented in the following patch(es) were developed >> by >> > Google, LLC. Google, LLC has not assigned rights and/or interest in >> this work to >> > any party. I, Bradley Baetz am authorized by Google, LLC, my employer, >> to >> > release this work under the following terms. >> > >> > The attached modifications to OpenLDAP Software are subject to the >> following >> > notice: >> > Copyright 2017 Google, LLC. >> > Redistribution and use in source and binary forms, with or without >> modification, >> > are permitted only as authorized by the OpenLDAP Public License. >> > >> > >> >> >> -- >> -- Howard Chu >> CTO, Symas Corp. http://www.symas.com >> Director, Highland Sun http://highlandsun.com/hyc/ >> Chief Architect, OpenLDAP http://www.openldap.org/project/ >> > --089e082f9ab494ea2405638d1cae Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">Is there anything else I need to do in order to get this c= ommitted?<div><br></div><div>Bradley</div></div><br><div class=3D"gmail_quo= te"><div dir=3D"ltr">On Fri, 15 Dec 2017 at 12:08 Bradley Baetz <<a href= =3D"mailto:bbaetz@google.com">bbaetz(a)google.com</a>> wrote:<br></div><bl= ockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #= ccc solid;padding-left:1ex"><div dir=3D"ltr"><span style=3D"font-size:small= ">Done in=C2=A0</span><a href=3D"ftp://ftp.openldap.org/incoming/bradley-ba= etz-20171215.patch" style=3D"font-size:small" target=3D"_blank">ftp://ftp.o= penldap.org/incoming/bradley-baetz-20171215.patch</a><br><br class=3D"m_906= 2438285945864329inbox-inbox-Apple-interchange-newline"></div><br><div class= =3D"gmail_quote"><div dir=3D"ltr">On Fri, 15 Dec 2017 at 04:36 Howard Chu &= lt;<a href=3D"mailto:hyc@symas.com" target=3D"_blank">hyc(a)symas.com</a>>= wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8= ex;border-left:1px #ccc solid;padding-left:1ex"><a href=3D"mailto:bbaetz@go= ogle.com" target=3D"_blank">bbaetz(a)google.com</a> wrote:<br> > Full_Name: Bradley Baetz<br> > Version: 2.4.45<br> > OS: linux<br> > URL: <a href=3D"ftp://ftp.openldap.org/incoming/bradley-baetz-20171214= .patch" rel=3D"noreferrer" target=3D"_blank">ftp://ftp.openldap.org/incomin= g/bradley-baetz-20171214.patch</a><br> > Submission from: (NULL) (2401:fa00:9:11:7ac0:58b5:299c:bebb)<br> <br> Thanks for the patch. The initialization of the static tlso_bio_method is<b= r> racy. One-time initializations should be done in tlso_init, and the allocat= ed<br> memory should be freed in tlso_destroy.<br> <br> ><br> > ITS#8533 added support for the OpenSSL's hiding of the bio_method_= st struct.<br> ><br> > However, it did this by re-defining the now-private structure, using t= he OpenSSL<br> > 1.0 version. That will fail when OpenSSL changes their structure, whic= h they<br> > have already done for v1.1.1 - see<br> > <a href=3D"https://git.openssl.org/gitweb/?p=3Dopenssl.git;a=3Dblob;f= =3Dinclude/internal/bio.h;hb=3De1dd8fa00a1e06d27c8b024dac7657a8d8a9b451#l16= " rel=3D"noreferrer" target=3D"_blank">https://git.openssl.org/gitweb/?p=3D= openssl.git;a=3Dblob;f=3Dinclude/internal/bio.h;hb=3De1dd8fa00a1e06d27c8b02= 4dac7657a8d8a9b451#l16</a><br> ><br> > It also fails with BoringSSL, which has v1.0's OPENSSL_VERSION_NUM= BER define,<br> > but has not yet hidden the struct definition.<br> ><br> > The attached file is derived from OpenLDAP Software. All of the modifi= cations to<br> > OpenLDAP Software represented in the following patch(es) were develope= d by<br> > Google, LLC. Google, LLC has not assigned rights and/or interest in th= is work to<br> > any party. I, Bradley Baetz am authorized by Google, LLC, my employer,= to<br> > release this work under the following terms.<br> ><br> > The attached modifications to OpenLDAP Software are subject to the fol= lowing<br> > notice:<br> > Copyright 2017 Google, LLC.<br> > Redistribution and use in source and binary forms, with or without mod= ification,<br> > are permitted only as authorized by the OpenLDAP Public License.<br> ><br> ><br> <br> <br> --<br> =C2=A0 =C2=A0-- Howard Chu<br> =C2=A0 =C2=A0CTO, Symas Corp.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a hr= ef=3D"http://www.symas.com" rel=3D"noreferrer" target=3D"_blank">http://www= .symas.com</a><br> =C2=A0 =C2=A0Director, Highland Sun=C2=A0 =C2=A0 =C2=A0<a href=3D"http://hi= ghlandsun.com/hyc/" rel=3D"noreferrer" target=3D"_blank">http://highlandsun= .com/hyc/</a><br> =C2=A0 =C2=A0Chief Architect, OpenLDAP=C2=A0 <a href=3D"http://www.openldap= .org/project/" rel=3D"noreferrer" target=3D"_blank">http://www.openldap.org= /project/</a><br> </blockquote></div></blockquote></div> --089e082f9ab494ea2405638d1cae--

1 0

Re: (ITS#8799) slaptest fails to properly convert chain configuration
by ondra＠mistotebe.net 22 Jan '18

22 Jan '18

On Mon, Jan 22, 2018 at 09:59:21PM +0000, quanah(a)openldap.org wrote: > The process for converting a slapd configuration to cn=config making use of > slapo-chain at a global level is seriously broken. It's not as bad, just a little bit broken: > This can be trivially illustrated by using the slapd.conf generated by test032. > > After doing conversion, the resulting cn=config database has *two* ldap backends > defined: > > dn: olcDatabase={-1}frontend,cn=config > dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config > dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf This is the catchall database used to handle referrals that are not handled by any other database you configure by hand. It collects all the chain-* settings that appear before the first chain-uri. > dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf > > The first instance ({0}ldap,...) isn't even valid. If you remove the entire > chain configuration from this database, and then attempt to import it, you get > the following: Yeah that is a problem. > ldap_add: Object class violation (65) > > This is because the first instance ({0}) is *missing* the required olcDbURI > attribute. In addition, it generates completely bogus attribute values (See > ITS#8693) Maybe we just need to inherit objectclass: olcLdapDatabase somehow in olcChainOverlay and keep these settings in the overlay entry, or specify a bogus URI to be configured there. Whatever is most useable and still allows for seamless expansion. > The *second* generated LDAP backend database is what is correct. > > Here's the LDIF for the incorrect database: > > [...] > > Here's the LDIF for the *correct* database: > > [...] -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

(ITS#8799) slaptest fails to properly convert chain configuration
by quanah＠openldap.org 22 Jan '18

22 Jan '18

Full_Name: Quanah Gibson-Mount Version: 2.4.45 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) The process for converting a slapd configuration to cn=config making use of slapo-chain at a global level is seriously broken. This can be trivially illustrated by using the slapd.conf generated by test032. After doing conversion, the resulting cn=config database has *two* ldap backends defined: dn: olcDatabase={-1}frontend,cn=config dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=conf The first instance ({0}ldap,...) isn't even valid. If you remove the entire chain configuration from this database, and then attempt to import it, you get the following: ldapadd -H ldap:/// -D cn=config -w secret -f ./olcOverlay\=\{0\}chain.ldif adding new entry "olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config" ldapadd -H ldap:/// -D cn=config -w secret -f ./olcDatabase\=\{0\}ldap.ldif adding new entry "olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config" ldap_add: Object class violation (65) This is because the first instance ({0}) is *missing* the required olcDbURI attribute. In addition, it generates completely bogus attribute values (See ITS#8693) The *second* generated LDAP backend database is what is correct. Here's the LDIF for the incorrect database: dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {0}ldap olcDbStartTLS: none starttls=no olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 Here's the LDIF for the *correct* database: dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {1}ldap olcDbURI: "ldap://localhost:9012" olcDbStartTLS: none starttls=no olcDbIDAssertBind: mode=self flags=non-prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=manager,dc=exampl e,dc=com" credentials="secret" keepalive=0:0:0 olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 However, even in the case of the *correct* LDIF, the bogus olcDbStartTLS attribute is defined (Again, ITS#8693) This is the slapd.conf used to convert: include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/nis.schema pidfile /tmp/slapd.1.pid argsfile /tmp/slapd.1.args modulepath /usr/local/libexec/openldap moduleload back_mdb.la moduleload back_ldap.la moduleload back_monitor.la overlay chain chain-uri ldap://localhost:9012/ chain-idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=secret mode=self flags=non-prescriptive database mdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw secret directory /tmp/db.1.a index objectClass eq index cn,sn,uid pres,eq,sub database monitor

1 0

Re: (ITS#8798) slapd-tester tools improvements
by hyc＠symas.com 16 Jan '18

16 Jan '18

ondra(a)openldap.org wrote: > Full_Name: Ondrej Kuznik > Version: master > OS: > URL: https://github.com/mistotebe/openldap/tree/ITS8798 > Submission from: (NULL) (82.10.24.68) > > > The above branch unifies most of the configuration/set-up between the tester > programs and adds support for the following: > - retry support for binds > - debug level (-d option) > - SASL bind support > > slapd-tester and slapd-auth (a slamd helper) are left intact. > > Looks great. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#8798) slapd-tester tools improvements
by ondra＠openldap.org 16 Jan '18

16 Jan '18

Full_Name: Ondrej Kuznik Version: master OS: URL: https://github.com/mistotebe/openldap/tree/ITS8798 Submission from: (NULL) (82.10.24.68) The above branch unifies most of the configuration/set-up between the tester programs and adds support for the following: - retry support for binds - debug level (-d option) - SASL bind support slapd-tester and slapd-auth (a slamd helper) are left intact.

1 0

Re: (ITS#8797) improper use of gnutls causes segfault
by hyc＠symas.com 16 Jan '18

16 Jan '18

lukas(a)selfnet.de wrote: >> PAM should be using nss-pam-ldapd, not calling libldap directly. This >> is an architectural flaw in both GnuTLS and PAM, not an OpenLDAP bug. >> This ITS is invalid. > > It's called _lib_ldap after all, so are other projects linking against / > dlopen()ing libldap doing the wrong thing? PAM should not be polluting the application namespace with libraries that the application may itself be using. The same type of problems arise if e.g. the application uses Kerberos and PAM also uses Kerberos, and the application and PAM want to use different configurations. The only correct way for a PAM module to work is to never expose its underlying libraries to the calling application. This is not an OpenLDAP issue. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs