asserts and mandatory build instructions (was ITS#8240)
by Michael Ströder
hyc(a)symas.com wrote in ITS#8240:
> Our patch response was too hasty. There is no OpenLDAP bug here, the real
> issue is production binaries being built with asserts enabled instead of
> compiling with -DNDEBUG. That's an issue for packagers and distros to resolve.
> Closing this ITS, not an OpenLDAP bug.
Maybe I missed something. But this is the first time I've heard about -DNDEBUG
being mandatory when compiling binary packages for production use. Does it
have other effects?
And what are general rules for assert statements in OpenLDAP code?
In my own (Python) code assert statements are supposed to be only triggered if
something goes wrong *internally* (type issues etc.). If somebody manages to
trigger an assert statement with invalid input from "outside" I always
consider this to be a serious bug revealing insufficient error handling even
though e.g. web2ldap just logs the exception but won't crash. YMMV, but please
clarify.
I also wonder whether there are more mandatory rules for building packages and
where I can find them.
Please don't get me wrong: My inquiry is in good faith to avoid unnecessary
ITS based on misunderstanding.
Ciao, Michael.
2 years
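An added example of the distinction discussed in this message (not part of the thread and not OpenLDAP code): `assert()` guards an internal invariant and compiles to nothing under `-DNDEBUG`, while input from outside is rejected with an error code in every build. The `parse_len` helper, its limits and the sample inputs are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

enum { MAX_LEN = 65535 };   /* hypothetical protocol limit */

/* Hypothetical helper: parse a decimal length field received from a peer.
 * Returns 0 on success, -1 on invalid input. */
static int parse_len(const char *s, size_t n, unsigned *out)
{
    /* Internal invariant: our own callers never pass NULL. A violation is a
     * programming error, so assert() fits; with -DNDEBUG this line vanishes. */
    assert(s != NULL && out != NULL);

    /* External input: these checks are ordinary code, so they still run
     * when asserts are compiled out. */
    if (n == 0 || n > 5)
        return -1;
    unsigned v = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9')
            return -1;
        v = v * 10 + (unsigned)(s[i] - '0');
    }
    if (v > MAX_LEN)
        return -1;
    *out = v;
    return 0;
}

/* Reports how this translation unit was built. */
static int asserts_enabled(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

int main(void)
{
    unsigned v = 0;
    printf("asserts enabled: %d\n", asserts_enabled());
    printf("\"1024\"  -> %d\n", parse_len("1024", 4, &v));   /* constructed input */
    printf("\"99999\" -> %d\n", parse_len("99999", 5, &v));  /* over MAX_LEN */
    return 0;
}
```

Building once with and once without `-DNDEBUG` gives the same return values for both inputs; only the invariant check differs.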
RE: ITS#8654 - Option for LDAP client to bind to a local address
by Quanah Gibson-Mount
Hi Daniel,
I would suggest sending in a patch against master to the -devel list for
review.
For final inclusion if it is approved, see:
<http://www.openldap.org/devel/contributing.html>
Regards,
Quanah
--On Monday, June 12, 2017 8:34 PM +0000 Daniel Le <daniel.le(a)exfo.com>
wrote:
> I've got a chance to write (and test) the code to add API support for
> socket binding addresses.
>
> Should I send the code diff to this openldap-devel email list for review?
> How to submit a patch request?
>
> Daniel
>
> -----Original Message-----
> From: Daniel Le
> Sent: Tuesday, May 16, 2017 6:02 PM
> To: 'openldap-devel(a)openldap.org' <openldap-devel(a)openldap.org>
> Subject: ITS#8654 - Option for LDAP client to bind to a local address
>
> Hello,
>
> In reference to the enhancement request ITS#865, please comment on the
> following to add support for binding a local IP address to client socket.
> This is just an outline of changes for one local address. I am not sure
> whether a list of local addresses is necessary. If it is, then a new
> function, similar to ldap_url_parsehosts, may be written to parse the
> list of local addresses and store them into a linked list. In my use
> case, only one IPv4 or IPv6 local address is used for binding.
>
> - Modify ldap.h and ldap_set_option to handle the new option
> LDAP_OPT_LOCAL_ADDRESS. Should it be named LDAP_OPT_CLIENT_ADDRESS,
> LDAP_OPT_SOCKET_BIND_ADDRESS...?
>
> - Modify struct ldapoptions in ldap-int.h to add element "char
> *ldo_local_address" to hold client local address when
> ldap_set_option(LDAP_OPT_LOCAL_ADDRESS...) is executed. This char
> pointer can point to an IPv4 address or IPv6 address.
>
> - ldap_connect_to_host() in os-ip.c
> After the connection socket is created (ldap_int_socket) and before it
> is connected (ldap_pvt_connect), extract the local IP address. If local
> address family (AF_INET/ AF_INET6) matches the one of the host, bind
> socket to the local address.
>
> Regards,
> Daniel
>
>
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 3 months
Re: ITS#8573 code for review (command line TLS options)
by Quanah Gibson-Mount
--On Thursday, June 08, 2017 6:13 PM -0700 Quanah Gibson-Mount
<quanah(a)symas.com> wrote:
> --On Thursday, June 08, 2017 5:53 PM -0700 Quanah Gibson-Mount
> <quanah(a)symas.com> wrote:
>
>> Attached for review is code to add TLS command line options to the client
>> tools. Included are documentation updates to the manual pages and a
>> related test suite.
>
> Or here's a gzip'd version, since it appears to have gotten mangled.
Alternatively, here's a link to the relevant branch in my github repo:
<https://github.com/quanah/openldap-scratch/tree/its8573-tables>
I've added a couple of new test cases, for validating TLS encryption of
syncrepl, and expanded test067 to also confirm that reqcert=never works as
expected.
For those who might like to test the code against RE24, there is this
branch as well:
<https://github.com/quanah/openldap-scratch/tree/RE24-its8573-tables>
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 5 months
RE: ITS#8654 - Option for LDAP client to bind to a local address
by Quanah Gibson-Mount
--On Thursday, June 15, 2017 3:29 PM +0000 Daniel Le <daniel.le(a)exfo.com>
wrote:
> Could someone take a stab at reviewing this code change and/or let me
> know questions you might have? The ldap_get_option, ldap_set_option and
> socket binding functions were successfully validated using a test program
> under Linux/Unix.
>
> Unfortunately, I don't have a set-up to test other operating systems, but
> would be willing to further modify ldap_connect_to_host in os-ip.c to
> cover them if you can help verify it.
Howard's been hoping someone would be able to review in addition to him. I
gave it a lookover, but my C is quite rusty. I could test it out on
Solaris, and possibly get it tested with windows. That's assuming you had
it added as an option to the client utilities (ldapsearch, etc), similar to
what I did with the TLS options I put out for review.
Also, I would strongly advise creating your own git repository on somewhere
like github, like I did with my openldap-scratch repo, where you can commit
your changes and work on them, and then create a single diff containing the
entire changeset.
Example:
<https://github.com/quanah/openldap-scratch/tree/its8573-tables>
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 5 months
ITS#8654 - Option for LDAP client to bind to a local address
by Daniel Le
Hello,
In reference to the enhancement request ITS#865, please comment on the following to add support for binding a local IP address to client socket. This is just an outline of changes for one local address. I am not sure whether a list of local addresses is necessary. If it is, then a new function, similar to ldap_url_parsehosts, may be written to parse the list of local addresses and store them into a linked list. In my use case, only one IPv4 or IPv6 local address is used for binding.
- Modify ldap.h and ldap_set_option to handle the new option LDAP_OPT_LOCAL_ADDRESS.
Should it be named LDAP_OPT_CLIENT_ADDRESS, LDAP_OPT_SOCKET_BIND_ADDRESS...?
- Modify struct ldapoptions in ldap-int.h to add element "char *ldo_local_address" to hold client local address when ldap_set_option(LDAP_OPT_LOCAL_ADDRESS...) is executed.
This char pointer can point to an IPv4 address or IPv6 address.
- ldap_connect_to_host() in os-ip.c
After the connection socket is created (ldap_int_socket) and before it is connected (ldap_pvt_connect), extract the local IP address.
If local address family (AF_INET/ AF_INET6) matches the one of the host, bind socket to the local address.
Regards,
Daniel
6 years, 5 months
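The third step of the outline above (bind the socket to the local address only when its family matches the host's, after socket creation and before connect), as an added example that is not Daniel's patch and not OpenLDAP code. The `bind_local_address` helper, its return codes and the sample addresses are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper. Binds fd (a socket created for host_family) to the
 * textual address `local`, port 0 (ephemeral), before connect() is called.
 * Returns 0 on success, -1 if `local` does not parse or its family differs
 * from host_family, -2 if bind() itself fails. */
static int bind_local_address(int fd, int host_family, const char *local)
{
    struct sockaddr_storage ss;
    struct in_addr v4;
    struct in6_addr v6;
    socklen_t len;

    memset(&ss, 0, sizeof(ss));
    if (inet_pton(AF_INET, local, &v4) == 1) {
        struct sockaddr_in *sa = (struct sockaddr_in *)&ss;
        sa->sin_family = AF_INET;
        sa->sin_addr = v4;
        len = sizeof(*sa);
    } else if (inet_pton(AF_INET6, local, &v6) == 1) {
        struct sockaddr_in6 *sa = (struct sockaddr_in6 *)&ss;
        sa->sin6_family = AF_INET6;
        sa->sin6_addr = v6;
        len = sizeof(*sa);
    } else {
        return -1;                      /* not an IPv4/IPv6 literal */
    }
    if (ss.ss_family != host_family)
        return -1;                      /* never bind across families */
    if (bind(fd, (struct sockaddr *)&ss, len) != 0)
        return -2;
    return 0;
}

int main(void)
{
    /* Constructed sample: the target host is IPv4, so only an IPv4 source binds. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    printf("127.0.0.1 -> %d\n", bind_local_address(fd, AF_INET, "127.0.0.1"));
    printf("::1       -> %d\n", bind_local_address(fd, AF_INET, "::1"));
    if (fd >= 0)
        close(fd);
    return 0;
}
```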
Re: ITS#8573 code for review (command line TLS options)
by Quanah Gibson-Mount
--On Thursday, June 08, 2017 5:53 PM -0700 Quanah Gibson-Mount
<quanah(a)symas.com> wrote:
> Attached for review is code to add TLS command line options to the client
> tools. Included are documentation updates to the manual pages and a
> related test suite.
Or here's a gzip'd version, since it appears to have gotten mangled.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 5 months
ITS#8573 code for review (command line TLS options)
by Quanah Gibson-Mount
Attached for review is code to add TLS command line options to the client
tools. Included are documentation updates to the manual pages and a
related test suite.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 5 months
Re: Fwd: LMDB and text encoding
by Howard Chu
Timur Kristóf wrote:
> Hi Everyone,
>
> I've just come across this old thread and am wondering, is this still an issue?
No, it was resolved long ago.
> Does LMDB have a way to use non-ASCII path names with mdb_env_open in a
> cross-platform way?
>
> If not, would you guys accept patches to LMDB with this regard?
There's no issue on POSIX filesystems, and on Windows we already convert
pathnames from UTF-8 to UTF-16.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 5 months
Re: Status of ldap_init_fd and LDAP_PROTO_EXT?
by Howard Chu
Volker Lendecke wrote:
> Hi!
>
> What's the status of those two? They are mentioned in the manpages of
> for example Debian Jessie and FreeBSD 11 (maybe from ports?), but the
> manpage explicitly says you have to #include <ldap_pvt.h>, which is
> not shipped.
>
> What's the reason of them being in ldap_pvt.h? Are they supposed to
> change in the future? The function is now more than 10 years old,
> without too much change in that decade.
Generally, <ldap.h> was only supposed to export the "official" LDAP API and
anything that was specific to OpenLDAP's implementation was stashed in
<ldap_pvt.h> as non-standard features. I suppose the distinction is somewhat
meaningless these days since the last LDAP API RFC was only valid for LDAPv2
and a version for LDAPv3 was never approved. At this point, OpenLDAP's API is
the de facto standard. As clumsy as it may be...
>
> Not being able to fully asynchronously connect to a server was my main
> reason to start my own little ldap library a few years ago, so I think
> this can be useful code :-)
Talk to your distro folks about shipping the files then. The Project's policy
is that we do source releases exclusively, and everything contained in a
source release is intended for end-users to read and use. That is, again, the
point of open source. It would also help if end-users read the scripts in the
test suite and used them as examples of how to setup various configurations.
>
> Thanks, Volker
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 5 months