openldap-devel December 2018

openldap-devel@openldap.org

3 participants
4 discussions

by Michael Ströder

HI! As discussed yesterday we could run a stand at FOSDEM which takes place 2 & 3 February 2019 at Brussels. The CfP for various kinds of contributions: https://fosdem.org/2019/news/ Application form for a stand: https://submission.fosdem.org/stands.php I'd be willing to spend some time at an OpenLDAP booth. @Howard: Would you like to apply for it? I'm not sure whether somebody requested a IAM devroom again. Will try to monitor that. Ciao, Michael.

2 years, 6 months

5
14
0 / 0

ITS#8286 round 2

by Quanah Gibson-Mount

Here's where I've ended up with for ITS#8286. Only 2 real remaining questions if this looks good (olcTLSCertificateKey and olcTLSVerifyClient). Commit is currently <https://github.com/quanah/openldap-scratch/commit/efef34db2f36e00a44c3f2d...> ---------------- servers/slapd/bconfig.c ----------------------- olcConfigFile -- Changed to case exact match olcConfigDir -- Changed to case exact match olcArgsFile -- Changed to case exact match olcLogFile -- case exact match olcModulePath -- case exact match olcPasswordCryptSaltFormat -- case ignore match olcPidFile -- case exact match olcPluginLogFile -- case exact match olcRootPw -- octetStringMatch olcSaslAuxprops -- case ignore match olcSaslHost -- case ignore match olcSaslRealm -- case exact match olcSaslSecProps -- case exact match olcSizeLimit -- case exact match olcSubordinate -- case exact match olcTCPBuffer -- case exact match olcTimeLimit -- case exact match olcTLSCACertificateFile -- case exact match olcTLSCACertificatePath -- case exact match olcTLSCertificateFile -- case exact match olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch? olcTLSCertificateKeyFile -- case exact match olcTLSCipherSuite -- case exact match olcTLSCRLCheck -- case exact match olcTLSCRLFile -- case exact match olcTLSRandFile -- case exact match olcTLSVerifyClient -- case exact match (Shouldn't this be an enum, like olcMemberOfDangling ?) olcTLSDHParamFile -- case exact match olcTLSECName -- case exact match olcTLSProtocolMin -- case exact match ---------------- BACKENDS ----------------------- --- back-asyncmeta olcDbURI -- case exact match olcDbStartTLS -- case exact match olcDbACLPasswd -- DELETE olcDbIDAssertBind -- case ignore match olcDbTFSupport -- case ignore match olcDbTimeout -- case ignore match olcDbIdleTimeout -- case ignore match olcDbNetworkTimeout -- case ignore match olcDbCancel -- case ignore match olcDbQuarantine -- case ignore match olcDbDefaultTarget -- case ignore match olcDbDnCacheTtl -- case ignore match olcDbBindTimeout -- integer match olcDbOnErr -- case ignore match olcDbNretries -- case ignore match olcDbClientPr -- case ignore match olcDbKeepalive -- case ignore match --- back-bdb/hdb olcDbCheckpoint -- case ignore match olcDbCryptFile -- case exact match olcDbCryptKey -- case exact match olcDbConfig -- IA5 case ignore match olcDbLockDetect -- case ignore match olcDbMode -- case ignore match --- back-ldap olcDbURI -- case exact match olcDbStartTLS -- case exact match olcDbACLPasswd -- DELETE olcDbACLBind -- case ignore match olcDbIDAssertPasswd -- DELETE olcDbIDAssertBind -- case ignore match olcDbIDAssertMode -- DELETE olcDbTFSupport -- case ignore match olcDbTimeout -- case ignore match olcDbIdleTimeout -- case ignore match olcDbConnTtl -- case ignore match olcDbNetworkTimeout -- case ignore match olcDbCancel -- case ignore match olcDbQuarantine -- case ignore match olcDbOnErr -- case ignore match olcDbKeepalive -- case ignore match --- back-mdb olcDbDirectory -- Changed to case exact match olcDbCheckpoint -- case ignore match olcDbMode -- case ignore match --- back-meta olcDbURI -- case exact match olcDbStartTLS -- case exact match olcDbACLPasswd -- DELETE olcDbIDAssertBind -- case ignore match olcDbTFSupport -- case ignore match olcDbTimeout -- case ignore match olcDbIdleTimeout -- case ignore match olcDbConnTtl -- case ignore match olcDbNetworkTimeout -- case ignore match olcDbCancel -- case ignore match olcDbQuarantine -- case ignore match olcDbDefaultTarget -- case ignore match olcDbDnCacheTtl -- case ignore match olcDbBindTimeout -- integer match olcDbOnErr -- case ignore match olcDbNretries -- case ignore match olcDbClientPr -- case ignore match olcDbKeepalive -- case ignore match --- back-sql olcDbHost -- case exact match olcDbName -- case exact match olcDbUser -- case exact match olcDbPass -- case exact match olcSqlConcatPattern -- case exact match olcSqlSubtreeCond -- case exact match olcSqlChildrenCond -- case exact match olcSqlDnMatchCond-- case exact match olcSqlOcQuery -- case exact match olcSqlAtQuery -- case exact match olcSqlInsEntryStmt -- case exact match olcSqlUpperFunc -- case exact match olcSqlStrcastFunc -- case exact match olcSqlDelEntryStmt -- case exact match olcSqlRenEntryStmt -- case exact match olcSqlDelObjclassesStmt -- case exact match olcSqlBaseObject -- case exact match olcSqlLayer -- case exact match olcSqlFetchAttrs -- case ignore match olcSqlAliasingKeyword -- case exact match olcSqlAliasingQuote -- case ignore match olcSqlIdQuery -- case exact match ---------------- OVERLAYS ----------------------- --- accesslog.c logpurge -- case ignore match logold -- case exact match --- auditlog.c olcAuditLogFile -- case exact match --- autoca.c olcACAuserClass -- case ignore match olcACAserverClass -- case ignore match --- dds.c olcDDSmaxTtl -- case ignore match olcDDSminTtl -- case ignore match olcDDSdefaultTtl -- case ignore match olcDDSinterval -- case ignore match olcDDStolerance -- case ignore match --- dyngroup.c olcDGAttrPair -- case ignore match --- memberof.c olcMemberOfDangling -- case ignore match olcMemberOfGroupOC -- case ignore match olcMemberOfMemberAD -- case ignore match olcMemberOfMemberOfAD -- case ignore match olcMemberOfDanglingError -- case ignore match --- pcache.c olcProxyCache -- case ignore match olcPcachePosition -- case ignore match olcPcacheMaxQueries -- case ignore match --- rwm.c olcRwmTFSupport -- case ignore match --- syncprov.c olcSpCheckpoint -- case ignore match --- translucent.c olcTranslucentLocal -- case ignore match olcTranslucentRemote -- case ignore match ---------------- CONTRIB ----------------------- --- adremap.c olcADremapDowncase -- case ignore match olcADremapDNmap -- case ignore match --- autogroup.c olcAGmemberOfAd -- case ignore match --- smbk5pwd.c olcSmbK5PwdEnable -- case ignore match --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 years, 7 months

2
5
0 / 0

Re: openldap.git branch master updated. 9cc97ea9e1c9ee2ee9f7d427ef9b950e890c219f

by Howard Chu

openldap-commit2devel(a)OpenLDAP.org wrote: > A ref change was pushed to the OpenLDAP (openldap.git) repository. > It will be available in the public mirror shortly. > > The branch, master has been updated > via 9cc97ea9e1c9ee2ee9f7d427ef9b950e890c219f (commit) > from 2731ff0c23ae29414d12658f31d9d3bde6b5c374 (commit) > > Those revisions listed above that are new to this repository have > not appeared on any other notification email; so we list those > revisions in full, below. > > - Log ----------------------------------------------------------------- > commit 9cc97ea9e1c9ee2ee9f7d427ef9b950e890c219f > Author: Howard Chu <hyc(a)openldap.org> > Date: Thu Dec 13 06:29:32 2018 -0800 > > MS AD DirSync support > > Requires "attribute_option range=" in config. Correction: "attributeoptions range=" > No test script provided yet, since testing requires an actual AD server. Here's a sample config, assuming the AD server's baseDN is "dc=ldapsync,dc=local" It's based on the consumer config from test017. include ./schema/core.schema include ./schema/cosine.schema include ./schema/inetorgperson.schema include ./schema/nis.schema include ./schema/msuser.schema attributeoptions range= database mdb suffix "dc=ldapsync,dc=local" rootdn "cn=Replica,dc=ldapsync,dc=local" rootpw secret directory ./testrun/db.2.a index objectClass eq index cn,sn,uid pres,eq,sub index entryUUID,entryCSN eq syncrepl rid=1 provider=ldap://ldapsync/ binddn="cn=Administrator,cn=users,dc=ldapsync,dc=local" bindmethod=simple credentials=MSAD-secret searchbase="dc=ldapsync,dc=local" filter="(|(objectClass=user)(objectclass=group))" schemachecking=off scope=sub type=dirSync interval=00:00:00:03 updateref ldap://ldapsync/ database monitor > > ----------------------------------------------------------------------- > > Summary of changes: > servers/slapd/schema/msuser.ldif | 4299 ++++++++++++++++++++++++++++++++++++ > servers/slapd/schema/msuser.schema | 4295 +++++++++++++++++++++++++++++++++++ > servers/slapd/syncrepl.c | 610 ++++- > 3 files changed, 9140 insertions(+), 64 deletions(-) > create mode 100644 servers/slapd/schema/msuser.ldif > create mode 100644 servers/slapd/schema/msuser.schema -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 years, 7 months

1
0
0 / 0

CVE-2017-17740 aka ITS#8759

by Michael Ströder

HI! This ITS was answered with won't fix / send patches: https://www.openldap.org/its/index.cgi?findid=8759 But in the mean-time somebody assigned a CVE number to it: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740 The SUSE folks added a patch: https://build.opensuse.org/package/view_file/network:ldap/openldap2/0017-... Could anybody review this and comment whether it makes sense at all? If the patch is correct would it make sense to release it with 2.4.47? Ciao, Michael.

2 years, 7 months

2
1
0 / 0

← Newer
1
Older →

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-devel December 2018