February 2011 - openldap-devel

by Volker Lendecke

Hi! Out of several rumors I've heard that OpenLDAP converted it source repo to git. Is that true? www.openldap.org still speaks about cvs. If you changed to git, is the repo publically available? Thanks, Volker

12 years, 8 months

5
12
0 / 0

back-ldap assertion failure, LDAP proxy to Windows AD

by Ted Cheng

We encountered a back-ldap assertion failure with the back-ldap as a proxy to a remote Active Directory on Windows 2003 R2. The assertion failure occurred when the slapd server was checking ACLs via the rwm overlay. Snippet of the stack trace: Thread 1 (Thread 32267): .... #2 0x0000003c354296e6 in __assert_fail () from /lib64/libc.so.6 #3 0x00002ac57daaf6c1 in ldap_back_dobind_int (lcp=0x42f70170, op=0x42f702f0, rs=0x42f700a0, sendok=LDAP_BACK_GETCONN, retries=0, dolock=1) at /home/build/sol-2.4.23.101221/sol24x/ldap24/servers/slapd/back-ldap/bind.c:1389 #4 0x00002ac57daafda0 in ldap_back_dobind (lcp=0x42f70170, op=0x42f702f0, rs=0x42f700a0, sendok=LDAP_BACK_DONTSEND) at /home/build/sol-2.4.23.101221/sol24x/ldap24/servers/slapd/back-ldap/bind.c:1572 #5 0x00002ac57daac7a7 in ldap_back_entry_get (op=0x42f702f0, ndn=0x42f701d0, oc=0x0, at=0x135ad370, rw=0, ent=0x42f70a58) Analysis of the assertion failure: The ldap_back_entry_get() function, back-ldap/search.c, is called for ACL entries, via rwm overlay. The function sets op->o_do_not_cache to 1 before calling into ldap_back_dobind(): /* Tell getconn this is a privileged op */ do_not_cache = op->o_do_not_cache; tag = op->o_tag; /* do not cache */ op->o_do_not_cache = 1; /* ldap_back_entry_get() is an entry lookup, so it does not need * to know what the entry is being looked up for */ op->o_tag = LDAP_REQ_SEARCH; rc = ldap_back_dobind( &lc, op, &rs, LDAP_BACK_DONTSEND ); The ldap_back_dobind() function calls ldap_back_dobind_int() for bind, back-ldap/bind.c. The following ldap_back_dobind_int() code is destined for assertion failure, if op->o_do_not_cache flag is set and there is no valid binddn and bindcred returned by ldap_back_getconn(). Setting an invalid LDAP URI for the remote AD Windows box is such a case. ldap_back_dobind_int(…) { ... if (sendok & LDAP_BACK_GETCONN) { … lc = ldap_back_getconn(op, rs, sendoff, &binddn, &bindcred); ... } … if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) { if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) { /* if we got here, it shouldn't return result */ rc = ldap_back_is_proxy_authz( op, rs, LDAP_BACK_DONTSEND, &binddn, &bindcred ); /* ldap_back_is_proxy_authz always returns 0 when op->o_do_not_cache is set, see below */ assert( rc == 1 );------> assertion failure } rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn, &bindcred ); … } } When the op->o_do_not_cache flag is set, the ldap_back_is_proxy_authz() function always returns 0. ldap_back_is_proxy_authz( ... ) { ... int dobind = 0; if ( op->o_conn == NULL || op->o_do_not_cache ) { goto done; } ... done:; return dobind; <--- always returns 0 } Ted C. Cheng Symas Corporation

12 years, 9 months

3
2
0 / 0

Re: commit: ldap/servers/slapd Makefile.in

by masarati＠aero.polimi.it

> Update of /repo/OpenLDAP/pkg/ldap/servers/slapd > > Modified Files: > Makefile.in 1.198 -> 1.199 > > Log Message: > ITS#3272 link against libslapi.la Seems to have broken build with --enable-slapi. p.

12 years, 9 months

2
5
0 / 0

back-config support in remaining backends

by masarati＠aero.polimi.it

In order to support back-config in back-meta, I think each target's configuration should be in a specific child of the database's entry, because target configuration is way too complex to be stored in a single attribute. I'm not sure how this can be easily accomplished in back-config. p.

12 years, 9 months

2
1
0 / 0

RE24 testing call #5 (OL 2.4.24)

by Quanah Gibson-Mount

This should hopefully be the last testing call for 2.4.24. Please let us know your results. Thanks! --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

12 years, 9 months

4
3
0 / 0

RE24 status

by Howard Chu

We've picked up one or two additional regression fixes. Aside from that, the RE24 tree is now closed. We'll do a final call for testing Friday and aim to release 2.4.24 next week. Unless we run into crashers or some other major issue, this should be it. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

12 years, 10 months

2
2
0 / 0

RE24 testing call #4 (OL 2.4.24)

by Quanah Gibson-Mount

Hey folks, A bunch more bug fixes and features in RE24. Please give it a whirl. Thanks! --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

12 years, 10 months

5
4
0 / 0

Re: commit: ldap/doc/man/man5 slapd-perl.5

by Hallvard B Furuseth

hyc(a)OpenLDAP.org writes: > Note perlModuleConfig, break in compatibility with older versions Why? This sounds like it will break existing back-perl installations slightly, but maybe not so thoroughly that the admin realizes why his back-perl now misbehaves. If we are going to redesign the interface, it might be better do do it more thorougly. E.g. might to let backend perl perl-load foo load foo.pm which defines backend foo, usable with 'database foo'. -- Hallvard

12 years, 10 months

2
2
0 / 0

Re: commit: ldap/servers/slapd bconfig.c

by Pierangelo Masarati

hyc(a)OpenLDAP.org wrote: > Update of /repo/OpenLDAP/pkg/ldap/servers/slapd > > Modified Files: > bconfig.c 1.424 -> 1.425 > > Log Message: > Dynamic config for back-shell I guess you'll now notice that only back-meta and back-sql are missing, won't you? :) p.

12 years, 10 months

2
2
0 / 0

Re: commit: ldap/servers/slapd/back-sock config.c

by Howard Chu

hyc(a)OpenLDAP.org wrote: > Update of /repo/OpenLDAP/pkg/ldap/servers/slapd/back-sock > > Modified Files: > config.c 1.11 -> 1.12 > > Log Message: > As an overlay, always return SLAP_CB_CONTINUE Alternatively, we can use the actual return code from the external program, and document that those programs should return SLAP_CB_CONTINUE if they don't want to override the normal flow of processing. Thoughts? We could write a similar wrapper for back-perl, but a few other loose ends need to be addressed there still. First, this business of arbitrary junk in slapd.conf being fed into the perl module - I suggest this be replaced by an actual "perlconfig" directive whose arguments are passed on. Then we can convert all of that to cn=config without any further mess. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

12 years, 10 months

2
3
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-devel February 2011