asserts and mandatory build instructions (was ITS#8240)
by Michael Ströder
hyc(a)symas.com wrote in ITS#8240:
> Our patch response was too hasty. There is no OpenLDAP bug here, the real
> issue is production binaries being built with asserts enabled instead of
> compiling with -DNDEBUG. That's an issue for packagers and distros to resolve.
> Closing this ITS, not an OpenLDAP bug.
Maybe I missed something. But this is the first time I've heard about -DNDEBUG
being mandatory when compiling binary packages for production use. Does it
have other effects?
And what are general rules for assert statements in OpenLDAP code?
In my own (Python) code assert statements are supposed to be only triggered if
something goes wrong *internally* (type issues etc.). If somebody manages to
trigger an assert statement with invalid input from "outside" I always
consider this to be a serious bug revealing insufficient error handling even
though e.g. web2ldap just logs the exception but won't crash. YMMV, but please
clarify.
I also wonder whether there are more mandatory rules for building packages and
where I can find them.
Please don't get me wrong: My inquiry is in good faith to avoid unnecessary
ITS based on misunderstanding.
Ciao, Michael.
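As an added illustration of the distinction Michael draws, written for this archive page and not code from OpenLDAP or from either poster: untrusted wire data gets explicit error returns, assert() guards only the code's own invariants, and asserts_enabled() shows what -DNDEBUG does to a build. The hypothetical BER length decoder, its function names and its return codes are assumptions, not libldap's.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
enum { DEC_OK = 0, DEC_ERR = -1 };   /* hypothetical codes, not libldap's */
/* Reports whether assert() is compiled in.  A production build made
 * with -DNDEBUG returns 0: every assert() in the binary is a no-op. */
int asserts_enabled(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* Decode a BER definite-form length (X.690 8.1.3) from untrusted bytes.
 * Every malformed case is an ordinary error return: data from the wire
 * must never reach an assert() as its first line of defence. */
int ber_decode_length(const uint8_t *buf, size_t len, size_t *out, size_t *used)
{
    if (buf == NULL || out == NULL || used == NULL || len == 0)
        return DEC_ERR;
    uint8_t first = buf[0];
    if (first < 0x80) {                      /* short form: one byte */
        *out = first; *used = 1;
        return DEC_OK;
    }
    size_t n = first & 0x7f;                 /* long form: n length bytes follow */
    if (n == 0 || n > sizeof(size_t) || n >= len)
        return DEC_ERR;                      /* indefinite, oversized or truncated */
    size_t v = 0;
    for (size_t i = 1; i <= n; i++)          /* n <= sizeof(size_t): cannot overflow */
        v = (v << 8) | buf[i];
    *out = v; *used = 1 + n;
    return DEC_OK;
}

/* Skip one TLV element.  Wire-derived conditions are checked and reported;
 * only the consistency of our own arithmetic is left to assert(). */
int ber_skip_element(const uint8_t *buf, size_t len, size_t *next)
{
    size_t l, used;
    if (len < 2 || ber_decode_length(buf + 1, len - 1, &l, &used) != DEC_OK)
        return DEC_ERR;                      /* missing tag or length: error, no crash */
    if (l > len - 1 - used)
        return DEC_ERR;                      /* claimed length exceeds the buffer */
    *next = 1 + used + l;
    assert(*next <= len);                    /* internal invariant, not an input check */
    return DEC_OK;
}
```

Built with -DNDEBUG the final assert() disappears and the function still behaves correctly, because nothing reachable from input depends on it; built without it, the assert can only fire on a bug in this code, never on a hostile packet.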
Fifth OpenLDAP Developer Day – Call for Registration!
by Howard Chu
Together with the University of Tübingen and Symas, DAASI International invites all stakeholders to meet in Tübingen and celebrate 20 years of OpenLDAP!
The 5th OpenLDAP Developer Day is a great opportunity to come together as a community and exchange ideas with developers of OpenLDAP software, directory
researchers and other OpenLDAP community members interested in discussing ongoing and future development efforts. Are you a stakeholder interested in joining us
for the 5th OpenLDAP Developer Day? Then please register by contacting us at odd-silverjubilee(a)daasi.de before September 28th. You are invited to listen to
interesting speakers and to take part in fruitful discussions.
Also, if you would like to present your own topic to the community, there are still some of the limited speaker slots of 15 to 45 minutes available. Just email
us at odd-silverjubilee(a)daasi.de as soon as possible, but no later than the extended deadline of September 21st. The full Call for Content is available here.
The OpenLDAP Developer Day will take place at the Computing Center of the University of Tübingen (Wächterstraße 76, 72074 Tübingen). Information on how to find
the location of the OpenLDAP Developer Day is available here https://daasi.de/en/company/journey-and-stay/.
We are looking forward to celebrating the OpenLDAP Silver Jubilee with you! If you have any questions, please do not hesitate to contact us at
odd-silverjubilee(a)daasi.de.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
TLS 1.3 and 0-RTT
by Michael Ströder
Hi!
Are there any plans to support TLS 1.3?
The 0-RTT feature could be a significant performance gain in case LDAP
applications open a new TLS connection each time they check a password
with a bind request.
Ciao, Michael.
Re: Regarding the feature to introduce new LDAP option to set source bind IP address
by Howard Chu
Singam, Sudhir (Nokia - IN/Bangalore) wrote:
> Hi Howard,
>
> Any comments ??
>
> Hi,
>
> Can we go ahead and implement this ??
>
> *Regards,*
> *Sudhir Singam*
>
> *DELIVERING BEST-IN-CLASS PLATFORM is our vision*
>
>
> _____________________________________________
> *From:* Singam, Sudhir (Nokia - IN/Bangalore)
> *Sent:* Wednesday, August 08, 2018 8:48 AM
> *To:* openldap-devel(a)openldap.org
> *Cc:* Sharma, Ramakant 2. (Nokia - IN/Bangalore) <ramakant.2.sharma(a)nokia.com>
> *Subject:* Regarding the feature to introduce new LDAP option to set source bind IP address
>
>
> Hi,
>
> NOKIA has taken up this small feature for contribution. Previously a patch was submitted via ITS#8847 but was rejected in favour of a different approach.
> Now I have raised ITS#8893. We want to agree on the approach before starting the implementation. Please let us know if the following approach is OK and
> whether you have any comments.
>
> *Requirement:*
>
> User shall be able to set multiple IPv4/IPv6 socket bind addresses, to be able to route the LDAP traffic via the desired network interface. Based on the target IP
> address type, the first matching and valid source IP address will be picked for explicit binding at the client side.
Not sure I understand the value of a list of multiple addresses here.
>
> *Work items:*
>
>
> 1. *LDAP option to set the IPv4/IPv6 socket bind addresses.*
>
> /Format: space separated list of IP addresses/
>
> New configuration option LDAP_OPT_SOCKET_BIND_ADDRESSES (0x5013) will be introduced (in ldap.h) to be used via ldap_set_option.
>
> For example,
>
> char *p = "10.24.56.34 2001:0db8:85a3:0000:0000:8a2e:0370:7334";
> ldap_set_option(NULL, LDAP_OPT_SOCKET_BIND_ADDRESSES, p);
>
> Bind addresses can also be provided in ldap.conf file via the option SOCKET_BIND_ADDRESSES, for example,
>
> SOCKET_BIND_ADDRESSES 10.24.56.45 10.24.56.46 2001:0db8:85a3:0000:0000:8a2e:0370:7334
>
> Note:
> An option set on an LDAP handle will override the global option.
> Setting the option multiple times will override the previous values; it does not append.
>
>
> 2. *Parsing & validations*
>
>
> Space-separated IP addresses will be parsed and validated. IPv4 and IPv6 addresses are stored separately for ease of access during connection.
> Basic syntax validation will be done for IPv4 or IPv6 addresses; on any error, setting the option will fail and the LDAP client will use the default IP address.
>
> ldapoptions structure in ldap-int.h will be modified to add new members
> "char *ldo_local_IPV4_addresses" -> to hold client local IPv4 bind addresses
> "char *ldo_local_IPV6_addresses" -> to hold client local IPv6 bind addresses
Seems like these should be char* arrays, especially since we already have str2charray().
> A new function ldap_options_parseBindAddress() will be introduced in options.c to parse, validate and store the IP addresses in the respective variables. This
> function will be similar to ldap_url_parseHosts.
>
> Memory for ldo_local_IPV4_addresses and ldo_local_IPV6_addresses is dynamically allocated as an array for easy access. On any validation failure, no new
> memory will be allocated and the existing values will be retained.
>
>
> 3. *Using Bind IP addresses during connection*
>
>
> File: os-ip.c
> Function: ldap_connect_to_host
> - After the connection socket is created (ldap_int_socket) and before it is connected (ldap_pvt_connect).
> Check the target address family:
> If it is AF_INET, the IPv4 bind address list will be used.
> - If the list is empty and the LDAP option was set successfully earlier (IPv6 was set), binding will fail and an error is returned.
> - If the list is not empty and it is not possible to bind to any of the provided IPv4 addresses, the connection will fail.
> - If the list is empty and LDAP option setting failed earlier (during syntax validation), the LDAP client will continue to use the kernel-provided IPv4 address.
> If it is AF_INET6, the IPv6 bind address list will be used.
> - If the list is empty and the LDAP option was set successfully earlier (IPv4 was set), binding will fail and an error is returned.
> - If the list is not empty and it is not possible to bind to any of the provided IPv6 addresses, the connection will fail.
> - If the list is empty and LDAP option setting failed earlier (during syntax validation), the LDAP client will continue to use the kernel-provided IPv6 address.
What specific LDAP API error code will be returned in each instance?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
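An added sketch, not Nokia's patch or libldap code, of the parse-and-select logic the proposal and Howard's reply describe: a space-separated list validated entry by entry with inet_pton(), kept as separate IPv4 and IPv6 char* arrays, rejected as a whole on any bad entry (existing values retained), replaced rather than appended on a second set, and consulted by address family before connecting. The struct, the MAX_BIND_ADDRS limit and the function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() and strtok_r() */
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_BIND_ADDRS 8
/* Hypothetical holder for the parsed option: IPv4 and IPv6 entries kept
 * apart, as the proposal wants, but as char* arrays as Howard suggests. */
struct bind_addrs { char *v4[MAX_BIND_ADDRS]; int n4; char *v6[MAX_BIND_ADDRS]; int n6; };
void bind_addrs_free(struct bind_addrs *b)
{
    for (int i = 0; i < b->n4; i++) free(b->v4[i]);
    for (int i = 0; i < b->n6; i++) free(b->v6[i]);
    memset(b, 0, sizeof *b);
}

/* Parse a space-separated list, validating every entry with inet_pton().
 * Any invalid (or surplus) entry rejects the whole list and returns -1,
 * leaving *out untouched; on success *out is replaced, never appended to. */
int parse_bind_addresses(const char *spec, struct bind_addrs *out)
{
    struct bind_addrs tmp = {{0}};
    char *copy = strdup(spec), *save = NULL;
    if (copy == NULL) return -1;
    for (char *tok = strtok_r(copy, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        unsigned char raw[16];               /* large enough for an IPv6 address */
        if (inet_pton(AF_INET, tok, raw) == 1 && tmp.n4 < MAX_BIND_ADDRS)
            tmp.v4[tmp.n4++] = strdup(tok);
        else if (inet_pton(AF_INET6, tok, raw) == 1 && tmp.n6 < MAX_BIND_ADDRS)
            tmp.v6[tmp.n6++] = strdup(tok);
        else {                               /* bad syntax or too many: reject all */
            bind_addrs_free(&tmp); free(copy);
            return -1;
        }
    }
    free(copy);
    bind_addrs_free(out);                    /* replace previous values, do not append */
    *out = tmp;
    return 0;
}

/* Pick the source address for a target family: the first configured entry,
 * or NULL when none is configured for that family (the proposal's error case). */
const char *pick_bind_address(const struct bind_addrs *b, int family)
{
    if (family == AF_INET)  return b->n4 ? b->v4[0] : NULL;
    if (family == AF_INET6) return b->n6 ? b->v6[0] : NULL;
    return NULL;
}
```

The NULL return is where Howard's question about error codes bites: a caller that configured only IPv6 sources and then connects to an IPv4 target needs a distinct, documented LDAP error rather than a silent fallback to the kernel-chosen address.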