OpenLDAP git repo?
by Volker Lendecke
Hi!
Out of several rumors I've heard that OpenLDAP converted its
source repo to git. Is that true? www.openldap.org still
speaks about cvs. If you changed to git, is the repo
publicly available?
Thanks,
Volker
12 years, 2 months
back-ldap assertion failure, LDAP proxy to Windows AD
by Ted Cheng
We encountered a back-ldap assertion failure with the back-ldap as a proxy to a remote Active Directory on Windows 2003 R2. The assertion failure occurred when the slapd server was checking ACLs via the rwm overlay. Snippet of the stack trace:
Thread 1 (Thread 32267):
....
#2 0x0000003c354296e6 in __assert_fail () from /lib64/libc.so.6
#3 0x00002ac57daaf6c1 in ldap_back_dobind_int (lcp=0x42f70170, op=0x42f702f0,
rs=0x42f700a0, sendok=LDAP_BACK_GETCONN, retries=0, dolock=1)
at /home/build/sol-2.4.23.101221/sol24x/ldap24/servers/slapd/back-ldap/bind.c:1389
#4 0x00002ac57daafda0 in ldap_back_dobind (lcp=0x42f70170, op=0x42f702f0,
rs=0x42f700a0, sendok=LDAP_BACK_DONTSEND)
at /home/build/sol-2.4.23.101221/sol24x/ldap24/servers/slapd/back-ldap/bind.c:1572
#5 0x00002ac57daac7a7 in ldap_back_entry_get (op=0x42f702f0, ndn=0x42f701d0,
oc=0x0, at=0x135ad370, rw=0, ent=0x42f70a58)
Analysis of the assertion failure:
The ldap_back_entry_get() function, back-ldap/search.c, is called for ACL entries, via rwm overlay. The function sets op->o_do_not_cache to 1 before calling into ldap_back_dobind():
    /* Tell getconn this is a privileged op */
    do_not_cache = op->o_do_not_cache;
    tag = op->o_tag;
    /* do not cache */
    op->o_do_not_cache = 1;
    /* ldap_back_entry_get() is an entry lookup, so it does not need
     * to know what the entry is being looked up for */
    op->o_tag = LDAP_REQ_SEARCH;
    rc = ldap_back_dobind( &lc, op, &rs, LDAP_BACK_DONTSEND );
The ldap_back_dobind() function calls ldap_back_dobind_int() for bind, back-ldap/bind.c. The following ldap_back_dobind_int() code is destined for assertion failure, if op->o_do_not_cache flag is set and there is no valid binddn and bindcred returned by ldap_back_getconn(). Setting an invalid LDAP URI for the remote AD Windows box is such a case.
    ldap_back_dobind_int(…)
    {
        ...
        if (sendok & LDAP_BACK_GETCONN) {
            …
            lc = ldap_back_getconn(op, rs, sendok, &binddn, &bindcred);
            ...
        }
        …
        if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
            if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) {
                /* if we got here, it shouldn't return result */
                rc = ldap_back_is_proxy_authz( op, rs,
                    LDAP_BACK_DONTSEND, &binddn, &bindcred );
                /* ldap_back_is_proxy_authz always returns 0 when op->o_do_not_cache is set, see below */
                assert( rc == 1 );  /* <-- assertion failure */
            }
            rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok,
                &binddn, &bindcred );
            …
        }
    }
When the op->o_do_not_cache flag is set, the ldap_back_is_proxy_authz() function always returns 0.
    ldap_back_is_proxy_authz( ... )
    {
        ...
        int dobind = 0;
        if ( op->o_conn == NULL || op->o_do_not_cache ) {
            goto done;
        }
        ...
    done:;
        return dobind;  /* <-- always returns 0 */
    }
Ted C. Cheng
Symas Corporation
12 years, 3 months
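The failure path analysed in the post above, as an added example (not part of the original message and not OpenLDAP code): a stripped-down C model of the two quoted functions. The names `op_model`, `identity_configured`, `dobind_checked` and the `BIND_*` codes are hypothetical, and returning an error where the quoted code asserts is one defensive option assumed here, not the project's fix.

```c
#include <stdio.h>

/* Simplified stand-in for slapd's Operation; only the fields the post uses. */
struct op_model {
    const void *o_conn;         /* NULL: no client connection */
    int         o_do_not_cache; /* set to 1 by ldap_back_entry_get() */
};

enum { BIND_OK = 0, BIND_UNAVAILABLE = 1 };  /* hypothetical result codes */

/* Mirrors the early exit quoted from ldap_back_is_proxy_authz().
 * identity_configured is a hypothetical stand-in for the elided logic. */
static int is_proxy_authz_model(const struct op_model *op, int identity_configured)
{
    int dobind = 0;
    if (op->o_conn == NULL || op->o_do_not_cache) {
        goto done;              /* privileged lookup: dobind stays 0 */
    }
    dobind = identity_configured ? 1 : 0;
done:
    return dobind;
}

/* Models the idassert branch of ldap_back_dobind_int(). Where the quoted
 * code has assert( rc == 1 ), this variant reports failure to the caller. */
static int dobind_checked(const struct op_model *op, int creds_empty, int *would_assert)
{
    *would_assert = 0;
    if (creds_empty) {
        if (is_proxy_authz_model(op, 1) != 1) {
            *would_assert = 1;  /* the original assert would abort slapd here */
            return BIND_UNAVAILABLE;
        }
    }
    return BIND_OK;
}

int main(void)
{
    static const int conn = 0;                  /* constructed dummy connection */
    struct op_model acl_lookup = { &conn, 1 };  /* state after ldap_back_entry_get() */
    struct op_model normal_op  = { &conn, 0 };
    int hit, rc;
    rc = dobind_checked(&acl_lookup, 1, &hit);
    printf("ACL lookup: rc=%d assert_would_fire=%d\n", rc, hit);
    rc = dobind_checked(&normal_op, 1, &hit);
    printf("normal op:  rc=%d assert_would_fire=%d\n", rc, hit);
    return 0;
}
```
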
Re: commit: ldap/servers/slapd Makefile.in
by masarati@aero.polimi.it
> Update of /repo/OpenLDAP/pkg/ldap/servers/slapd
>
> Modified Files:
> Makefile.in 1.198 -> 1.199
>
> Log Message:
> ITS#3272 link against libslapi.la
Seems to have broken build with --enable-slapi.
p.
12 years, 3 months
back-config support in remaining backends
by masarati@aero.polimi.it
In order to support back-config in back-meta, I think each target's
configuration should be in a specific child of the database's entry,
because target configuration is way too complex to be stored in a single
attribute.
I'm not sure how this can be easily accomplished in back-config.
p.
12 years, 3 months
RE24 testing call #5 (OL 2.4.24)
by Quanah Gibson-Mount
This should hopefully be the last testing call for 2.4.24. Please let us
know your results. Thanks!
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
12 years, 3 months
RE24 testing call #4 (OL 2.4.24)
by Quanah Gibson-Mount
Hey folks,
A bunch more bug fixes and features in RE24. Please give it a whirl.
Thanks!
--Quanah
12 years, 4 months
Re: commit: ldap/doc/man/man5 slapd-perl.5
by Hallvard B Furuseth
hyc(a)OpenLDAP.org writes:
> Note perlModuleConfig, break in compatibility with older versions
Why? This sounds like it will break existing back-perl installations
slightly, but maybe not so thoroughly that the admin realizes why
his back-perl now misbehaves.
If we are going to redesign the interface, it might be better to
do it more thoroughly. E.g. might let
    backend perl
    perl-load foo
load foo.pm which defines backend foo, usable with 'database foo'.
--
Hallvard
12 years, 4 months
Re: commit: ldap/servers/slapd bconfig.c
by Pierangelo Masarati
hyc(a)OpenLDAP.org wrote:
> Update of /repo/OpenLDAP/pkg/ldap/servers/slapd
>
> Modified Files:
> bconfig.c 1.424 -> 1.425
>
> Log Message:
> Dynamic config for back-shell
I guess you'll now notice that only back-meta and back-sql are missing,
won't you? :)
p.
12 years, 4 months
Re: commit: ldap/servers/slapd/back-sock config.c
by Howard Chu
hyc(a)OpenLDAP.org wrote:
> Update of /repo/OpenLDAP/pkg/ldap/servers/slapd/back-sock
>
> Modified Files:
> config.c 1.11 -> 1.12
>
> Log Message:
> As an overlay, always return SLAP_CB_CONTINUE
Alternatively, we can use the actual return code from the external program,
and document that those programs should return SLAP_CB_CONTINUE if they don't
want to override the normal flow of processing. Thoughts?
We could write a similar wrapper for back-perl, but a few other loose ends
need to be addressed there still. First, this business of arbitrary junk in
slapd.conf being fed into the perl module - I suggest this be replaced by an
actual "perlconfig" directive whose arguments are passed on. Then we can
convert all of that to cn=config without any further mess.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12 years, 4 months