openldap-devel December 2018

openldap-devel@openldap.org

3 participants
5 discussions

asserts and manadatory build instructions (was ITS#8240)

by Michael Ströder

hyc(a)symas.com wrote in ITS#8240: > Our patch response was too hasty. There is no OpenLDAP bug here, the real > issue is production binaries being built with asserts enabled instead of > compiling with -DNDEBUG. That's an issue for packagers and distros to resolve. > Closing this ITS, not an OpenLDAP bug. Maybe I missed something. But this is the first time I've heard about -DNDEBUG being mandatory when compiling binary packages for production use. Does it have other effects? And what are general rules for assert statements in OpenLDAP code? In my own (Python) code assert statements are supposed to be only triggered if something goes wrong *internally* (type issues etc.). If somebody manages to trigger an assert statement with invalid input from "outside" I always consider this to be a serious bug revealing insufficient error handling even though e.g. web2ldap just logs the exception but won't crash. YMMV, but please clarify. I also wonder whether there are more mandatory rules for building packages and where I can find them. Please don't get me wrong: My inquiry is in good faith to avoid unnecessary ITS based on misunderstanding. Ciao, Michael.

10 months, 4 weeks

1
1
0 / 0

OpenLDAP stand at FOSDEM

by Michael Ströder

HI! As discussed yesterday we could run a stand at FOSDEM which takes place 2 & 3 February 2019 at Brussels. The CfP for various kinds of contributions: https://fosdem.org/2019/news/ Application form for a stand: https://submission.fosdem.org/stands.php I'd be willing to spend some time at an OpenLDAP booth. @Howard: Would you like to apply for it? I'm not sure whether somebody requested a IAM devroom again. Will try to monitor that. Ciao, Michael.

3 years, 8 months

5
14
0 / 0

ITS#8286 round 2

by Quanah Gibson-Mount

Here's where I've ended up with for ITS#8286. Only 2 real remaining questions if this looks good (olcTLSCertificateKey and olcTLSVerifyClient). Commit is currently <https://github.com/quanah/openldap-scratch/commit/efef34db2f36e00a44c3f2d...> ---------------- servers/slapd/bconfig.c ----------------------- olcConfigFile -- Changed to case exact match olcConfigDir -- Changed to case exact match olcArgsFile -- Changed to case exact match olcLogFile -- case exact match olcModulePath -- case exact match olcPasswordCryptSaltFormat -- case ignore match olcPidFile -- case exact match olcPluginLogFile -- case exact match olcRootPw -- octetStringMatch olcSaslAuxprops -- case ignore match olcSaslHost -- case ignore match olcSaslRealm -- case exact match olcSaslSecProps -- case exact match olcSizeLimit -- case exact match olcSubordinate -- case exact match olcTCPBuffer -- case exact match olcTimeLimit -- case exact match olcTLSCACertificateFile -- case exact match olcTLSCACertificatePath -- case exact match olcTLSCertificateFile -- case exact match olcTLSCertificateKey -- ??? (Private SYNTAX OID) Shouldn't the SYNTAX be 1.3.6.1.4.1.1466.115.121.1.8? And use certificateExactMatch? olcTLSCertificateKeyFile -- case exact match olcTLSCipherSuite -- case exact match olcTLSCRLCheck -- case exact match olcTLSCRLFile -- case exact match olcTLSRandFile -- case exact match olcTLSVerifyClient -- case exact match (Shouldn't this be an enum, like olcMemberOfDangling ?) olcTLSDHParamFile -- case exact match olcTLSECName -- case exact match olcTLSProtocolMin -- case exact match ---------------- BACKENDS ----------------------- --- back-asyncmeta olcDbURI -- case exact match olcDbStartTLS -- case exact match olcDbACLPasswd -- DELETE olcDbIDAssertBind -- case ignore match olcDbTFSupport -- case ignore match olcDbTimeout -- case ignore match olcDbIdleTimeout -- case ignore match olcDbNetworkTimeout -- case ignore match olcDbCancel -- case ignore match olcDbQuarantine -- case ignore match olcDbDefaultTarget -- case ignore match olcDbDnCacheTtl -- case ignore match olcDbBindTimeout -- integer match olcDbOnErr -- case ignore match olcDbNretries -- case ignore match olcDbClientPr -- case ignore match olcDbKeepalive -- case ignore match --- back-bdb/hdb olcDbCheckpoint -- case ignore match olcDbCryptFile -- case exact match olcDbCryptKey -- case exact match olcDbConfig -- IA5 case ignore match olcDbLockDetect -- case ignore match olcDbMode -- case ignore match --- back-ldap olcDbURI -- case exact match olcDbStartTLS -- case exact match olcDbACLPasswd -- DELETE olcDbACLBind -- case ignore match olcDbIDAssertPasswd -- DELETE olcDbIDAssertBind -- case ignore match olcDbIDAssertMode -- DELETE olcDbTFSupport -- case ignore match olcDbTimeout -- case ignore match olcDbIdleTimeout -- case ignore match olcDbConnTtl -- case ignore match olcDbNetworkTimeout -- case ignore match olcDbCancel -- case ignore match olcDbQuarantine -- case ignore match olcDbOnErr -- case ignore match olcDbKeepalive -- case ignore match --- back-mdb olcDbDirectory -- Changed to case exact match olcDbCheckpoint -- case ignore match olcDbMode -- case ignore match --- back-meta olcDbURI -- case exact match olcDbStartTLS -- case exact match olcDbACLPasswd -- DELETE olcDbIDAssertBind -- case ignore match olcDbTFSupport -- case ignore match olcDbTimeout -- case ignore match olcDbIdleTimeout -- case ignore match olcDbConnTtl -- case ignore match olcDbNetworkTimeout -- case ignore match olcDbCancel -- case ignore match olcDbQuarantine -- case ignore match olcDbDefaultTarget -- case ignore match olcDbDnCacheTtl -- case ignore match olcDbBindTimeout -- integer match olcDbOnErr -- case ignore match olcDbNretries -- case ignore match olcDbClientPr -- case ignore match olcDbKeepalive -- case ignore match --- back-sql olcDbHost -- case exact match olcDbName -- case exact match olcDbUser -- case exact match olcDbPass -- case exact match olcSqlConcatPattern -- case exact match olcSqlSubtreeCond -- case exact match olcSqlChildrenCond -- case exact match olcSqlDnMatchCond-- case exact match olcSqlOcQuery -- case exact match olcSqlAtQuery -- case exact match olcSqlInsEntryStmt -- case exact match olcSqlUpperFunc -- case exact match olcSqlStrcastFunc -- case exact match olcSqlDelEntryStmt -- case exact match olcSqlRenEntryStmt -- case exact match olcSqlDelObjclassesStmt -- case exact match olcSqlBaseObject -- case exact match olcSqlLayer -- case exact match olcSqlFetchAttrs -- case ignore match olcSqlAliasingKeyword -- case exact match olcSqlAliasingQuote -- case ignore match olcSqlIdQuery -- case exact match ---------------- OVERLAYS ----------------------- --- accesslog.c logpurge -- case ignore match logold -- case exact match --- auditlog.c olcAuditLogFile -- case exact match --- autoca.c olcACAuserClass -- case ignore match olcACAserverClass -- case ignore match --- dds.c olcDDSmaxTtl -- case ignore match olcDDSminTtl -- case ignore match olcDDSdefaultTtl -- case ignore match olcDDSinterval -- case ignore match olcDDStolerance -- case ignore match --- dyngroup.c olcDGAttrPair -- case ignore match --- memberof.c olcMemberOfDangling -- case ignore match olcMemberOfGroupOC -- case ignore match olcMemberOfMemberAD -- case ignore match olcMemberOfMemberOfAD -- case ignore match olcMemberOfDanglingError -- case ignore match --- pcache.c olcProxyCache -- case ignore match olcPcachePosition -- case ignore match olcPcacheMaxQueries -- case ignore match --- rwm.c olcRwmTFSupport -- case ignore match --- syncprov.c olcSpCheckpoint -- case ignore match --- translucent.c olcTranslucentLocal -- case ignore match olcTranslucentRemote -- case ignore match ---------------- CONTRIB ----------------------- --- adremap.c olcADremapDowncase -- case ignore match olcADremapDNmap -- case ignore match --- autogroup.c olcAGmemberOfAd -- case ignore match --- smbk5pwd.c olcSmbK5PwdEnable -- case ignore match --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 years, 9 months

2
5
0 / 0

Re: openldap.git branch master updated. 9cc97ea9e1c9ee2ee9f7d427ef9b950e890c219f

by Howard Chu

openldap-commit2devel(a)OpenLDAP.org wrote: > A ref change was pushed to the OpenLDAP (openldap.git) repository. > It will be available in the public mirror shortly. > > The branch, master has been updated > via 9cc97ea9e1c9ee2ee9f7d427ef9b950e890c219f (commit) > from 2731ff0c23ae29414d12658f31d9d3bde6b5c374 (commit) > > Those revisions listed above that are new to this repository have > not appeared on any other notification email; so we list those > revisions in full, below. > > - Log ----------------------------------------------------------------- > commit 9cc97ea9e1c9ee2ee9f7d427ef9b950e890c219f > Author: Howard Chu <hyc(a)openldap.org> > Date: Thu Dec 13 06:29:32 2018 -0800 > > MS AD DirSync support > > Requires "attribute_option range=" in config. Correction: "attributeoptions range=" > No test script provided yet, since testing requires an actual AD server. Here's a sample config, assuming the AD server's baseDN is "dc=ldapsync,dc=local" It's based on the consumer config from test017. include ./schema/core.schema include ./schema/cosine.schema include ./schema/inetorgperson.schema include ./schema/nis.schema include ./schema/msuser.schema attributeoptions range= database mdb suffix "dc=ldapsync,dc=local" rootdn "cn=Replica,dc=ldapsync,dc=local" rootpw secret directory ./testrun/db.2.a index objectClass eq index cn,sn,uid pres,eq,sub index entryUUID,entryCSN eq syncrepl rid=1 provider=ldap://ldapsync/ binddn="cn=Administrator,cn=users,dc=ldapsync,dc=local" bindmethod=simple credentials=MSAD-secret searchbase="dc=ldapsync,dc=local" filter="(|(objectClass=user)(objectclass=group))" schemachecking=off scope=sub type=dirSync interval=00:00:00:03 updateref ldap://ldapsync/ database monitor > > ----------------------------------------------------------------------- > > Summary of changes: > servers/slapd/schema/msuser.ldif | 4299 ++++++++++++++++++++++++++++++++++++ > servers/slapd/schema/msuser.schema | 4295 +++++++++++++++++++++++++++++++++++ > servers/slapd/syncrepl.c | 610 ++++- > 3 files changed, 9140 insertions(+), 64 deletions(-) > create mode 100644 servers/slapd/schema/msuser.ldif > create mode 100644 servers/slapd/schema/msuser.schema -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

3 years, 9 months

1
0
0 / 0

CVE-2017-17740 aka ITS#8759

by Michael Ströder

HI! This ITS was answered with won't fix / send patches: https://www.openldap.org/its/index.cgi?findid=8759 But in the mean-time somebody assigned a CVE number to it: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740 The SUSE folks added a patch: https://build.opensuse.org/package/view_file/network:ldap/openldap2/0017-... Could anybody review this and comment whether it makes sense at all? If the patch is correct would it make sense to release it with 2.4.47? Ciao, Michael.

3 years, 9 months

2
1
0 / 0

← Newer
1
Older →

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-devel December 2018