openldap-bugs

openldap-bugs@openldap.org

1 participants
21002 discussions

(ITS#8774) [PATCH] EVP_MD_CTX_create and EVP_MD_CTX_destroy have been replaced by EVP_MD_CTX_new and EVP_MD_CTX_free in openssl v1.1 and above.
by minfrin＠sharp.fm 16 Nov '17

16 Nov '17

Full_Name: Graham Leggett Version: git master OS: CentOS7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:470:18b1:1:c920:9f6:b546:7826) The addition of 8e34ed8c on the 7th of November broke the build for openssl < 1.1, as the patch used the newer versions of these functions. The following patch adds the associated autoconf stuff to fix this: >From e111db878300d60acdc295eec08e008a831f9895 Mon Sep 17 00:00:00 2001 From: Graham Leggett <minfrin(a)sharp.fm> Date: Sat, 23 Sep 2017 02:10:36 +0000 Subject: [PATCH] EVP_MD_CTX_create and EVP_MD_CTX_destroy have been replaced by EVP_MD_CTX_new and EVP_MD_CTX_free in openssl v1.1 and above. --- configure.in | 5 +++++ libraries/libldap/tls_o.c | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/configure.in b/configure.in index 46e5e8c..b3da5f1 100644 --- a/configure.in +++ b/configure.in @@ -1223,6 +1223,11 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then TLS_LIBS="-lssl -lcrypto" fi + save_LIBS="$LIBS" + LIBS="$LIBS $TLS_LIBS" + AC_CHECK_FUNCS(EVP_MD_CTX_create EVP_MD_CTX_destroy) + LIBS="$save_LIBS" + OL_SSL_COMPAT if test $ol_cv_ssl_crl_compat = yes ; then AC_DEFINE(HAVE_OPENSSL_CRL, 1, diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c index d3b6ceb..14dffbd 100644 --- a/libraries/libldap/tls_o.c +++ b/libraries/libldap/tls_o.c @@ -867,7 +867,11 @@ tlso_session_pinning( LDAP *ld, tls_session *sess, char *hashalg, struct berval goto done; } +#ifdef HAVE_EVP_MD_CTX_CREATE + mdctx = EVP_MD_CTX_create(); +#else mdctx = EVP_MD_CTX_new(); +#endif if ( !mdctx ) { rc = -1; goto done; @@ -877,7 +881,11 @@ tlso_session_pinning( LDAP *ld, tls_session *sess, char *hashalg, struct berval EVP_DigestUpdate( mdctx, key.bv_val, key.bv_len ); EVP_DigestFinal_ex( mdctx, (unsigned char *)keyhash.bv_val, &len ); keyhash.bv_len = len; +#ifdef HAVE_EVP_MD_CTX_DESTROY + EVP_MD_CTX_destroy( mdctx ); +#else EVP_MD_CTX_free( mdctx ); +#endif } else { keyhash = key; } -- 1.8.3.1

1 0

(ITS#8773) slapo-deref: man page and test suite needed
by quanah＠openldap.org 16 Nov '17

16 Nov '17

Full_Name: Quanah Gibson-Mount Version: 2.4.45 OS: N/A URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) The slapo-deref overlay is missing a man page and a corresponding test in the test suite. These should be added to the project.

1 0

(ITS#8772) Build fail: thr_posix.c:329:16: error: only weak aliases are supported on darwin
by minfrin＠sharp.fm 15 Nov '17

15 Nov '17

Full_Name: Graham Leggett Version: git master OS: MacOS Sierra URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (5.56.169.82) Hi all, I am seeing a build failure when trying to build openldap master on MacOS Sierra: cc -g -O2 -I../../include -I../../include -DLDAP_R_COMPILE -I./../libldap -DLDAP_LIBRARY -c thr_posix.c -fno-common -DPIC -o .libs/thr_posix.o thr_posix.c:329:16: error: only weak aliases are supported on darwin LDAP_GCCATTR((alias("ldap_pvt_thread_mutex_destroy"))); ^ thr_posix.c:331:16: error: only weak aliases are supported on darwin LDAP_GCCATTR((alias("ldap_pvt_thread_mutex_lock"))); ^ thr_posix.c:333:16: error: only weak aliases are supported on darwin LDAP_GCCATTR((alias("ldap_pvt_thread_mutex_trylock"))); ^ thr_posix.c:335:16: error: only weak aliases are supported on darwin LDAP_GCCATTR((alias("ldap_pvt_thread_mutex_unlock"))); ^ 4 errors generated. make[2]: *** [thr_posix.lo] Error 1 make[1]: *** [all-common] Error 1 make: *** [all-common] Error 1 Regards, Graham --

1 0

Re: (ITS#8767) Binddn issue with a comma in the DN
by clement.oudot＠savoirfairelinux.com 12 Nov '17

12 Nov '17

Le 02/11/2017 =C3=A0 07:26, clement.oudot(a)savoirfairelinux.com a =C3=A9cr= it : > Le 31/10/2017 =3DC3=3DA0 17:39, michael(a)stroeder.com a =3DC3=3DA9crit : >> The ITS is only for reporting bugs. >> This is not a bug. It's a usage question. >> >> You should post such questions to openldap-technical mailing list afte= r >> subscribing to it: >> >> https://www.openldap.org/lists/mm/listinfo/openldap-technical >> >> A short hint about escaping, e.g. a comma in DN string representation: >> >> https://tools.ietf.org/html/rfc4514#section-2.4 >> >> Note that depending on your client config system more escaping might b= e >> needed because of the config syntax. > > > > Hello Michael, > > it seems to be a bug, as if I escape the comma in slapd.conf, I still=3D= 20 > have the error. > > =3D3D=3D3D slapd.conf =3D3D=3D3D > idassert-bind bindmethod=3D3D"simple" binddn=3D3D"cn=3D3DLastname\,=3D2= 0 > Firstname,ou=3D3Dusers,dc=3D3Dexample,dc=3D3Dcom" credentials=3D3D"secr= et" mode=3D3D=3D > "legacy"=3D20 > flags=3D3D"non-prescriptive" > > =3D3D=3D3D slaptest -f slapd.conf =3D3D=3D3D > 59faba5e invalid bind config value binddn=3D3Dcn=3D3DLastname,=3D20 > Firstname,ou=3D3Dusers,dc=3D3Dexample,dc=3D3Dcom > 59faba5e slapd.conf: line 31: "idassert-bind <args>": unable to parse=3D= 20 > field "binddn=3D3Dcn=3D3DLastname, Firstname,ou=3D3Dusers,dc=3D3Dexampl= e,dc=3D3Dcom=3D > ". > slaptest: bad configuration file! > > > Seems the escaping is not taken into account. Hello, can someone confirm this is not a bug? In this case; how should we=20 escape the value? I tried several things, without success. Cl=C3=A9ment.

1 0

(ITS#8771) slapd.backends(5) needs updating
by quanah＠openldap.org 08 Nov '17

08 Nov '17

Full_Name: Quanah Gibson-Mount Version: 2.4.45 OS: N/A URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) The man page for slapd.backends(5) says that back-hdb is the "recommended primary backend". This needs to be updated to note that back-mdb is the "recommended primary backend" and the text for the bdb & hdb backends updated along the same lines.

1 0

Re: (ITS#8461) Unable to import LDIF from back-hdb DB to back-mdb db
by quanah＠symas.com 08 Nov '17

08 Nov '17

--On Friday, July 08, 2016 5:33 PM +0000 quanah(a)openldap.org wrote: > In moving off of back-hdb, encountered a scenario where importing the = LDIF > exported via slapcat failed when loading into back-mdb via slapadd. > There is nothing technically wrong with the entry. Will provide the > problematic entry elsewhere, as it contains PII. To note, the problematic entry has an RDN value > 512 characters.=20 Anonymizing the problem DN, we have: dn=3D"zimbraSignatureName=3Dxxxxx xxxxxxxxxxxxx xxxxxx xx xxxx x xxxx! = ..xxxxxx=20 xx xxxxxxxx xxx'x xxxx xxxxx xxxxx xxxxxx=E2=80=A6 & xxxx xx x xxxxx xx xx = xxxx=20 xxxx xxxxx!?! =E2=80=A6x xxxx xxxxx xx xxxxxxxxxx xxxxxxxxx xxxxxxxxx = xxxxxxx:=20 xxxxxx & xxxxxxxx & xxxxxx xxxxx x xxxxxx xx xxx xxxxxx=20 xxxxxxx.,uid=3Dxxxxxxxxxxxx,ou=3Dpeople,dc=3Dxxxx,dc=3Dxx" = (line=3D89392876):=20 txn_aborted! MDB_BAD_VALSIZE: Too big key/data, key is empty, or wrong=20 DUPFIXED size (-30781) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8753) Public key pinning support in libldap
by ondra＠mistotebe.net 07 Nov '17

07 Nov '17

On Tue, Oct 10, 2017 at 10:43:42AM +0000, ondra(a)openldap.org wrote: > URL: https://github.com/mistotebe/openldap/tree/its8753 > > A new libldap option LDAP_OPT_X_TLS_PEERKEY_HASH that accepts a string > 'hashname/base64_hash_of_public_key'. If a TLS session is already present on the > main connection, it is also checked immediately. > > It introduces a dependency on liblutil by depending on the symbol > lutil_b64_pton. Somehow, this breaks the build for the ldap* tools, not sure why > or how to fix that yet. A new version is now at the same place (see above), it moves the ldif.c in-place base64 decoding into a separate function and reuses that. Other changes: - pin hash algorithm separator changes to ':' - pin can now be set from the environment - can now better deal with connection freeing and/or changes to the global ldap options -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

Re: (ITS#8770) dsaschema seg faults
by michael＠stroeder.com 06 Nov '17

06 Nov '17

Canned config available: https://stroeder.com/temp/openldap-testbed-its8770.tar.gz Seg faults with 2.4.45 and current RE24 branch: $ cd openldap-testbed-its8770 $ ./start-slapd.sh [..] 5a009864 slapd.conf: line 19 (moduleload back_mdb) 5a009864 loaded module back_mdb 5a009864 mdb_back_initialize: initialize MDB backend 5a009864 mdb_back_initialize: LMDB 0.9.21: (June 1, 2017) 5a009864 module back_mdb: null module registered 5a009864 slapd.conf: line 22 (moduleload dsaschema.so schema/oath-ldap-dsa.schema) 5a009864 loaded module dsaschema.so ./start-slapd.sh: line 11: 29304 Segmentation fault (core dumped) ${OPENLDAP_PREFIX}/lib64/slapd -d config,stats,stats2,acl,args,trace,sync -h "ldap://0.0.0.0:2071 ldapi://slapd1-socket" -n slapd-its8770 -f slapd.conf

1 0

(ITS#8770) dsaschema seg faults
by michael＠stroeder.com 06 Nov '17

06 Nov '17

Full_Name: Version: RE24 OS: URL: Submission from: (NULL) (213.240.182.108) This leads to a seg fault: moduleload dsaschema.so /home/michael/Proj/oath-ldap/oath-ldap-dsa.schema More information to come...

1 0

(ITS#8769) Docs: Fix oid search extension syntax
by lukas.juhrich＠agdsn.de 03 Nov '17

03 Nov '17

Full_Name: Lukas Juhrich Version: 2.4.45 OS: Arch Linux, Debian Stretch URL: http://agdsn.me/~lukasjuhrich/openldap/ Submission from: (NULL) (141.76.119.134) This is a small syntax fix to adapt the documentation to how the code actually parses `-E <oid>` options. Quicklink to the code responsible for parsing: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=clients/to… I was not sure whether patches should also follow the naming convention, so I provided the same patch using two different names, the original one and the one adhering to the naming convention.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs