https://bugs.openldap.org/show_bug.cgi?id=9571
Issue ID: 9571
Summary: Add Behera Draft 8 compatibility flag to ppolicy overlay
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: mhardin@symas.com
Target Milestone: ---
The RFC for Behera Password Policy, Draft 10, changes modification semantics of certain policy attributes from those that were in effect in Draft 8. To preserve compatibility with applications that depend on the Draft 8 semantics, a compatibility flag needs to be added to the ppolicy configuration that restores the Draft 8 semantics.
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.6.0
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
Behera v8 already specifies these requirements e.g. in 4.2.6 [0], just that ppolicy never implemented them. Also an application can:
- have its identity set to "manage"/"write" accordingly so it is/not considered "password administrator" in the eyes of the draft
- write the relevant attributes (pwdReset, ...) in the same operation overriding the defaults
Requiring the application to use the relax control to change certain attributes is not reversible AFAIK, which is why this was not done in 2.4...
Should we need to change any of this, we need to have a wider look at what it is we are trying to accomplish and how we want to do it.
[0]. https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-08#s...
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|---                         |Normal
           Assignee|bugs@openldap.org           |ondra@mistotebe.net
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.openldap.org/show_bug.cgi?id=9211
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
Rather than draft 8 compatibility, it should be considered OpenLDAP 2.4 ppolicy compatibility.
--- Comment #3 from Ondřej Kuzník ondra@mistotebe.net ---
Again, to my knowledge, pretty much all of the behaviour can be carried over to 2.5 as is, in some instances with a config/ACL adjustment. Do you have an example where that is not the case?
--- Comment #4 from Matthew Hardin mhardin@symas.com ---
Enabling the Netscape password policy controls in the ppolicy10 module provides a suitable workaround for many applications. For cases where that is not an acceptable workaround, ACLs can be set up to permit attribute access techniques
This ITS can be suspended in case further needs arise to support client applications that depended on specific ppolicy8 behavior.
Matthew Hardin mhardin@symas.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |SUSPENDED
             Status|UNCONFIRMED                 |RESOLVED
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED
--- Comment #5 from Mehmet gelisin mehmetgelisin@aol.com ---
I've compiled with CFLAGS="-DNDEBUG" (also tried CPPFLAGS) but this did not help. slapd still crashes when hitting the assert.
Yes, portable.h #undefs it by default. OpenLDAP has always conflated logging, debug output and asserts behind LDAP_DEBUG. We've been saying for some time that we really ought to do something about that someday...
Yes, and that's more obviously a bug that we can fix.
Is it an easy fix? I think that in opposite to the OpenLDAP project most people out there consider this to be a really serious bug to be fixed really soon. For now with my own builds I apply the patch removing the assert statement. But I wonder how many assert statements are in the code which can be hit by invalid input leading to a crash.
Even ignoring that, demanding -NDEBUG is backwards in so many ways: Using C's features like <assert.h> is not the user's job, it's OpenLDAP's (i.e. configure and portable.hin). The person building OpenLDAP might not even be a C programmer who knows about the C language quirk that it has a feature that makes errors crash by default.
It is standard practice in C code. assert() and NDEBUG are part of the C standard. A person who doesn't know C has no business building the code. Certainly the libraries are of no use to them if they're not C programmers already.
This is a black-and-white-only statement which does not meet 90% of the cases out there.
A simple "./configure --prefix=/whatever" ought to be a reasonable way to build OpenLDAP, like with most other packages. There are installation instructions and they do not mention NDEBUG.
I strongly concur with Hallvard here.
Every use of assert is "assert(the code is correct)" - but that often depends on dynamic state, not just the statically written code.
Yes, dynamic state including invalid input. But IMO "assert(the code is correct)" should never be hit no matter how bad the input was. And it should definitely not crash the server (with system's resource limits being an unavoidable exception). Rephrasing: The meaning of the statement "the code is correct" should also include "invalid input is properly handled as error" - no matter what.
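Added example (not part of this thread and not OpenLDAP source): the two points argued in Comment #5, in C. It shows that a header which undefines NDEBUG before including <assert.h> keeps assert() active even in a -DNDEBUG build, and that client-controlled conditions are returned as errors while assert() is reserved for internal invariants. `copy_value`, its error codes and the header stand-in are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Simulate a build that passes -DNDEBUG on the compiler command line. */
#ifndef NDEBUG
#define NDEBUG
#endif

/* Assumption: stand-in for a project header that undefines NDEBUG before
 * <assert.h>, which is what the thread says portable.h does by default. */
#undef NDEBUG
#include <assert.h>

/* Returns 1 if assert() still evaluates its argument in this build. */
int asserts_active(void)
{
    int hit = 0;
    assert((hit = 1));  /* compiled out only if NDEBUG were still defined */
    return hit;
}

enum { VAL_OK = 0, VAL_ERR_INPUT = -1 };

/* Hypothetical request handler: copy a client-supplied value into buf.
 * Anything the client controls is checked and reported as an error;
 * assert() guards only conditions that the calling code itself controls. */
int copy_value(char *buf, size_t buflen, const char *val, size_t vallen)
{
    assert(buf != NULL && buflen > 0);      /* programmer error, not input */

    if (val == NULL || vallen == 0)         /* missing or empty value */
        return VAL_ERR_INPUT;
    if (vallen >= buflen)                   /* oversized value */
        return VAL_ERR_INPUT;
    if (memchr(val, '\0', vallen) != NULL)  /* embedded NUL byte */
        return VAL_ERR_INPUT;

    memcpy(buf, val, vallen);
    buf[vallen] = '\0';
    return VAL_OK;
}
```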