June 2017 - openldap-devel

asserts and manadatory build instructions (was ITS#8240)

by Michael Ströder

hyc(a)symas.com wrote in ITS#8240: > Our patch response was too hasty. There is no OpenLDAP bug here, the real > issue is production binaries being built with asserts enabled instead of > compiling with -DNDEBUG. That's an issue for packagers and distros to resolve. > Closing this ITS, not an OpenLDAP bug. Maybe I missed something. But this is the first time I've heard about -DNDEBUG being mandatory when compiling binary packages for production use. Does it have other effects? And what are general rules for assert statements in OpenLDAP code? In my own (Python) code assert statements are supposed to be only triggered if something goes wrong *internally* (type issues etc.). If somebody manages to trigger an assert statement with invalid input from "outside" I always consider this to be a serious bug revealing insufficient error handling even though e.g. web2ldap just logs the exception but won't crash. YMMV, but please clarify. I also wonder whether there are more mandatory rules for building packages and where I can find them. Please don't get me wrong: My inquiry is in good faith to avoid unnecessary ITS based on misunderstanding. Ciao, Michael.

2 years

1
1
0 / 0

RE: ITS#8654 - Option for LDAP client to bind to a local address

by Quanah Gibson-Mount

Hi Daniel, I would suggest sending in a patch against master to the -devel list for review. For final inclusion if it is approved, see: <http://www.openldap.org/devel/contributing.html> Regards, Quanah --On Monday, June 12, 2017 8:34 PM +0000 Daniel Le <daniel.le(a)exfo.com> wrote: > I've got a chance to write (and test) the code to add API support for > socket binding addresses. > > Should I send the code diff to this openldap-devel email list for review? > How to submit a patch request? > > Daniel > > -----Original Message----- > From: Daniel Le > Sent: Tuesday, May 16, 2017 6:02 PM > To: 'openldap-devel(a)openldap.org' <openldap-devel(a)openldap.org> > Subject: ITS#8654 - Option for LDAP client to bind to a local address > > Hello, > > In reference to the enhancement request ITS#865, please comment on the > following to add support for binding a local IP address to client socket. > This is just an outline of changes for one local address. I am not sure > whether a list of local addresses is necessary. If it is, then a new > function, similarly to ldap_url_parsehosts, may be written to parse the > list of local addresses and store them into a linked list. In my use > case, only one IPv4 or IPv6 local address is used for binding. > > - Modify ldap.h and ldap_set_option to handle the new option > LDAP_OPT_LOCAL_ADDRESS. Should it be named LDAP_OPT_CLIENT_ADDRESS, > LDAP_OPT_SOCKET_BIND_ADDRESS...? > > - Modify struct ldapoptions in ldap-int.h to add element "char > *ldo_local_address" to hold client local address when > ldap_set_option(LDAP_OPT_LOCAL_ADDRESS...) is executed. This can char > pointer can point to an IPv4 address or IPv6 address. > > - ldap_connect_to_host() in os-ip.c > After the connection socket is created (ldap_int_socket) and before it > is connected (ldap_pvt_connect), extract the local IP address. If local > address family (AF_INET/ AF_INET6) matches the one of the host, bind > socket to the local address. > > Regards, > Daniel > > -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 3 months

3
3
0 / 0

Re: ITS#8573 code for review (command line TLS options)

by Quanah Gibson-Mount

--On Thursday, June 08, 2017 6:13 PM -0700 Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Thursday, June 08, 2017 5:53 PM -0700 Quanah Gibson-Mount > <quanah(a)symas.com> wrote: > >> Attached for review is code to add TLS command line options to the client >> tools. Included are documentation updates to the manual pages and a >> related test suite. > > Or here's a gzip'd version, since it appears to have gotten mangled. Alternatively, here's a link to the relevant branch in my github repo: <https://github.com/quanah/openldap-scratch/tree/its8573-tables> I've added a couple of new test cases, for validating TLS encryption of syncrepl, and expanded test067 to also confirm that reqcert=never works as expected. For those who might like to test the code against RE24, there is this branch as well: <https://github.com/quanah/openldap-scratch/tree/RE24-its8573-tables> --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 5 months

1
0
0 / 0

RE: ITS#8654 - Option for LDAP client to bind to a local address

by Quanah Gibson-Mount

--On Thursday, June 15, 2017 3:29 PM +0000 Daniel Le <daniel.le(a)exfo.com> wrote: > Could someone take a stab at reviewing this code change and/or let me > know questions you might have? The ldap_get_option, ldap_set_option and > socket binding functions were successfully validated using a test program > under Linux/Unix. > > Unfortunately, I don't have a set-up to test other operating systems, but > would be willing to further modidy ldap_connect_to_host in os-ip.c to > cover them if you can help verify it. Howard's been hoping someone would be able to review in addition to him. I gave it a lookover, but my C is quite rusty. I could test it out on Solaris, and possibly get it tested with windows. That's assuming you had it added as an option to the client utilities (ldapsearch, etc), similar to what I did with the TLS options I put out for review. Also, I would strongly advise creating your own git repository on somewhre like github, like I did with my openldap-scratch repo, where you can commit your changes and work on them, and then create a single diff containing the entire changeset. Example: <https://github.com/quanah/openldap-scratch/tree/its8573-tables> --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 5 months

1
0
0 / 0

ITS#8654 - Option for LDAP client to bind to a local address

by Daniel Le

Hello, In reference to the enhancement request ITS#865, please comment on the following to add support for binding a local IP address to client socket. This is just an outline of changes for one local address. I am not sure whether a list of local addresses is necessary. If it is, then a new function, similarly to ldap_url_parsehosts, may be written to parse the list of local addresses and store them into a linked list. In my use case, only one IPv4 or IPv6 local address is used for binding. - Modify ldap.h and ldap_set_option to handle the new option LDAP_OPT_LOCAL_ADDRESS. Should it be named LDAP_OPT_CLIENT_ADDRESS, LDAP_OPT_SOCKET_BIND_ADDRESS...? - Modify struct ldapoptions in ldap-int.h to add element "char *ldo_local_address" to hold client local address when ldap_set_option(LDAP_OPT_LOCAL_ADDRESS...) is executed. This can char pointer can point to an IPv4 address or IPv6 address. - ldap_connect_to_host() in os-ip.c After the connection socket is created (ldap_int_socket) and before it is connected (ldap_pvt_connect), extract the local IP address. If local address family (AF_INET/ AF_INET6) matches the one of the host, bind socket to the local address. Regards, Daniel

6 years, 5 months

1
1
0 / 0

Re: ITS#8573 code for review (command line TLS options)

by Quanah Gibson-Mount

--On Thursday, June 08, 2017 5:53 PM -0700 Quanah Gibson-Mount <quanah(a)symas.com> wrote: > Attached for review is code to add TLS command line options to the client > tools. Included are documentation updates to the manual pages and a > related test suite. Or here's a gzip'd version, since it appears to have gotten mangled. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 5 months

1
0
0 / 0

ITS#8573 code for review (command line TLS options)

by Quanah Gibson-Mount

Attached for review is code to add TLS command line options to the client tools. Included are documentation updates to the manual pages and a related test suite. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 5 months

1
0
0 / 0

Re: Fwd: LMDB and text encoding

by Howard Chu

Timur Kristóf wrote: > Hi Everyone, > > I've just came accross this old thread and am wondering, is this still an issue? No, it was resolved long ago. > Does LMDB have a way to use non-ASCII path names with mdb_env_open in a > cross-platform way? > > If not, would you guys accept patches to LMDB with this regard? There's no issue on POSIX filesystems, and on Windows we already convert pathnames from UTF-8 to UTF-16. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

6 years, 5 months

1
0
0 / 0

Fwd: LMDB and text encoding

by Timur Kristóf

> I just had a look at how BDB handled this. As you can see they used a > TO_TSTRING macro to convert incoming pathnames from UTF8 to UTF16. > > https://gitorious.org/berkeleydb/berkeleydb/source/347d239a1e44ed4f773ae9... > > https://gitorious.org/berkeleydb/berkeleydb/source/347d239a1e44ed4f773ae9... > > (And a FROM_TSTRING for the reverse, as well.) (Mea culpa, I accidentally hit "reply" instead of "reply all". Sorry. Now reposting to the mailing list.) Since we only need to do this on Windows, we could use MultiByteToWideChar with CP_UTF8. (That's what TO_TSTRING does, too.) I do not think we would ever need to do any such conversion on UNIX. https://msdn.microsoft.com/en-us/library/windows/desktop/dd319072%28v=vs.... I'm not sure if we can just copy-paste BDB's code. Probably not, that would lead to licensing issues, wouldn't it?

6 years, 5 months

4
16
0 / 0

Re: Status of ldap_init_fd and LDAP_PROTO_EXT?

by Howard Chu

Volker Lendecke wrote: > Hi! > > What's the status of those two? They are mentioned in the manpages of > for example Debian Jessie and FreeBSD 11 (maybe from ports?), but the > manpage explicitly says you have to #include <ldap_pvt.h>, which is > not shipped. > > What's the reason of them being in ldap_pvt.h? Are they supposed to > change in the future? The function is now more than 10 years old, > without too much change in that decade. Generally, <ldap.h> was only supposed to export the "official" LDAP API and anything that was specific to OpenLDAP's implementation was stashed in <ldap_pvt.h> as non-standard features. I suppose the distinction is somewhat meaningless these days since the last LDAP API RFC was only valid for LDAPv2 and a version for LDAPv3 was never approved. At this point, OpenLDAP's API is the de facto standard. As clumsy as it may be... > > Not being able to fully asynchronously connect to a server was my main > reason to start my own little ldap library a few years ago, so I think > this can be useful code :-) Talk to your distro folks about shipping the files then. The Project's policy is that we do source releases exclusively, and everything contained in a source release is intended for end-users to read and use. That is, again, the point of open source. It would also help if end-users read the scripts in the test suite and used them as examples of how to setup various configurations. > > Thanks, Volker > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

6 years, 5 months

3
3
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-devel June 2017