openldap-devel September 2018

openldap-devel@openldap.org

1 participants
5 discussions

asserts and manadatory build instructions (was ITS#8240)
by Michael Ströder 04 Nov '21

04 Nov '21

hyc(a)symas.com wrote in ITS#8240: > Our patch response was too hasty. There is no OpenLDAP bug here, the real > issue is production binaries being built with asserts enabled instead of > compiling with -DNDEBUG. That's an issue for packagers and distros to resolve. > Closing this ITS, not an OpenLDAP bug. Maybe I missed something. But this is the first time I've heard about -DNDEBUG being mandatory when compiling binary packages for production use. Does it have other effects? And what are general rules for assert statements in OpenLDAP code? In my own (Python) code assert statements are supposed to be only triggered if something goes wrong *internally* (type issues etc.). If somebody manages to trigger an assert statement with invalid input from "outside" I always consider this to be a serious bug revealing insufficient error handling even though e.g. web2ldap just logs the exception but won't crash. YMMV, but please clarify. I also wonder whether there are more mandatory rules for building packages and where I can find them. Please don't get me wrong: My inquiry is in good faith to avoid unnecessary ITS based on misunderstanding. Ciao, Michael.

1 1

NanoLog for efficient logging?
by Howard Chu 16 Sep '18

16 Sep '18

I haven't read the code or paper yet, but after a quick skim, this sounds like they're doing what we want in a logging subsystem. https://twitter.com/copyconstruct/status/1041048701723009024 Anyone care to investigate? -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 1

Fifth OpenLDAP Developer Day – Call for Registration!
by Howard Chu 13 Sep '18

13 Sep '18

Together with the University of Tübingen and Symas, DAASI International invites all stakeholders to meet in Tübingen and celebrate 20 years of OpenLDAP! The 5th OpenLDAP Developer Day is a great opportunity to come together as a community and exchange ideas with developers of OpenLDAP software, directory researchers and other OpenLDAP community members interested in discussing ongoing and future development efforts. Are you a stakeholder interested to join us for the 5th OpenLDAP Developer Day? Then please register by contacting us at odd-silverjubilee(a)daasi.de before September 28th. You are invited to listen to interesting speakers and to take part in fruitful discussions. Also, if you would like to present your own topic to the community, there are still some of the limited speaker slots of 15 to 45 minutes available. Just email us at odd-silverjubilee(a)daasi.de as soon as possible, but no later than the extended deadline of September 21st. The full Call for Content is available here. The OpenLDAP Developer Day will take place at the Computing Center of the University of Tübingen (Wächterstraße 76, 72074 Tübingen). Information on how to find the location of the OpenLDAP Developer Day is available here https://daasi.de/en/company/journey-and-stay/. We are looking forward to celebrate the OpenLDAP Silver Jubilee with you! If you have any questions, please do not hesitate to contact us at odd-silverjubilee(a)daasi.de. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

TLS 1.3 and 0-RTT
by Michael Ströder 06 Sep '18

06 Sep '18

HI! Are there any plans to support TLS 1.3? The 0-RTT feature could be a significant performance gain in case LDAP applications open a new TLS connection each time they check a password with a bind request. Ciao, Michael.

2 1

Re: Regarding the feature to introduce new LDAP option to set source bind IP address
by Howard Chu 06 Sep '18

06 Sep '18

Singam, Sudhir (Nokia - IN/Bangalore) wrote: > Hi Howard, > > Any comments ?? > > Hi, > > Can we go ahead and implement this ?? > > *Regards,* > *Sudhir Singam* > > *DELIVERING BEST-IN-CLASS PLATFORM is our vision* > > > _____________________________________________ > *From:* Singam, Sudhir (Nokia - IN/Bangalore) > *Sent:* Wednesday, August 08, 2018 8:48 AM > *To:* _openldap-devel(a)openldap.org_ <mailto:openldap-devel@openldap.org> > *Cc:* Sharma, Ramakant 2. (Nokia - IN/Bangalore) <_ramakant.2.sharma(a)nokia.com_ <mailto:ramakant.2.sharma@nokia.com>> > *Subject:* Regarding the feature to introduce new LDAP option to set source bind IP address > > > Hi, > > NOKIA has taken up this small feature for contribution. Previously patch was submitted via ITS#8847 but got rejected to take different approach. > Now I have raised ITS#8893. We want to conclude on the approach before taking for implementation. Please kindly let us know if following approach is OK and if > any comments. > > *Requirement:* > > User shall be able to set multiple IPv4/IPv6 socket bind addresses, to be able to route the LDAP traffic via desired network interface. Based on the target IP > address type, first matching and valid source IP address will be picked for explicit binding*//**at client side*. Not sure I understand the value of a list of multiple addresses here. > > *Work items:* > > > 1. *LDAP option to set the IPv4/IPv6 socket bind addresses.* > > /Format: space separated list of IP addresses/ > > New configuration option LDAP_OPT_SOCKET_BIND_ADDRESSES (0x5013) will be introduced (in ldap.h) to be used via ldap_set_option. > > For example, > > char* p = 10.24.56.34 2001:0db8:85a3:0000:0000:8a2e:0370:7334; > ldap_set_option(NULL, LDAP_OPT_SOCKET_BIND_ADDRESSES, p); > > Bind addresses can also be provided in ldap.conf file via the option SOCKET_BIND_ADDRESSES, for example, > > SOCKET_BIND_ADDRESSES 10.24.56.45 10.24.56.46 2001:0db8:85a3:0000:0000:8a2e:0370:7334 > > Note : > Option set to ldap handle will override the global option. > Setting the option multiple times will override the previous values but does not append. > > > 2. *Parsing & validations* > > > Space separated IP addresses will be parsed & validated. IPv4 and IPv6 addresses are stored separately for easy of access during connection. > Basic syntax validation will be done for IPv4 or IPv6 addresses, if any error, setting of the option will fail and LDAP client will use the default IP address. > > ldapoptions structure in ldap-int.h will be modified to add new members > "char *ldo_local_IPV4_addresses" -> to hold client local IPv4 bind addresses > "char *ldo_local_IPV6_addresses" -> to hold client local IPv6 bind addresses Seems like these should be char* arrays, especially since we already have str2charray(). > Any new function /ldap_options_parseBindAddress/ () will be introduced in options.c to parse, validate and store the IP addresses to respective variables. This > function will be similar to ldap_url_parseHosts. > > Memory for ldo_local_IPV4_addresses & ldo_local_IPV6_addresses is dynamically allocated in the form of array for easy access. If any validation failure, no new > memory will be allocated and existing values will be retained. > > > 3. *Using Bind IP addresses during connection* > > > File:os-ip.c > Function: ldap_connect_to_host > - After the connection socket is created (ldap_int_socket) and before it is connected (ldap_pvt_connect). > Check if the target address family type, > *I*f it is AF_INET, IPv4 bind address list will be used. > - If the list is empty and LDAP option was set successfully earlier (IPv6 was set), binding will fail and error is returned. > - If the list is not empty and not able to bind to any of the provided IPv4 addresses, connection will fail> - If the list is empty and LDAP option setting failed earlier (during syntax validation), LDAP client will continue to use the kernel provided IPv4 address. > If it is AF_INET6, IPv6 bind address list will be used. > - If the list is empty and LDAP option was set successfully earlier (IPv4 was set), binding will fail and error is returned. > - If the list is not empty and not able to bind to any of the provided IPv6 addresses, connection will fail. > - If the list is empty and LDAP option setting failed earlier (during syntax validation), LDAP client will continue to use the kernel provided IPv6 address. What specific LDAP API error code will be returned in each instance? > > > > > *Regards,* > *Sudhir Singam* > > *DELIVERING BEST-IN-CLASS PLATFORM is our vision* > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-devel September 2018