openldap-devel

openldap-devel@openldap.org

1416 discussions

Re: Revisiting the SHA1 default password hash
by Howard Chu 24 Feb '17

24 Feb '17

Michael Ströder wrote: > Quanah Gibson-Mount wrote: >> I think it would be wise to update OpenLDAP to a different default for userPassword. > > Yes! > >> We currently have the Contrib SHA2 module, > > SHA-2 hashes with one round are also way too fast to be a good password hash algorithm. > >> It may be time to move the SHA2 module into core, > > Yes, but there should be something stronger. > > How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core? Yeah at this point we can probably bypass SHA2 and just go straight to SHA3. There's a lot of crypto software out there already using it. pbkdf2 is still using SHA2. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Revisiting the SHA1 default password hash
by Quanah Gibson-Mount 24 Feb '17

24 Feb '17

The general weakness of SHA has been understood for some time, although progress advances on finding collisions (Such as <https://security.googleblog.com/2017/02/announcing-first-sha1-collision.htm…>). I think it would be wise to update OpenLDAP to a different default for userPassword. We currently have the Contrib SHA2 module, and there's a nice bcrypt(*) module on Github (I asked the author if they would be willing to contribute it, but they seem to have gone silent). It may be time to move the SHA2 module into core, but there has been some discussion of the limitations of the current SHA2 module in the past that would likely need addressing. What do other folks think? * <https://github.com/wclarie/openldap-bcrypt/issues/1> --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

ITS8529 -- Inclusion in RE24?
by Quanah Gibson-Mount 22 Feb '17

22 Feb '17

The patch for ITS8529 has been pushed to OpenLDAP master. Generally I'd push something like this to RE24 as well, except for the fact that it results in a behavior change vs prior releases (at least if OpenLDAP is linked to OpenSSL). On the plus side, the patch reveals potential misconfigurations that were previously not noted. On the minus side, it could affect someone's existing deployment. (Although that deployment would clearly be in error). I personally think it would be best to apply it to RE24, particularly given that it has security implications. I know Michael Stroeder already noted he would like to see it in RE24 as well. Does anyone have some good concrete reasons why it should not go into RE24? Thanks, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: test061 broken in HEAD for back-mdb
by Quanah Gibson-Mount 03 Feb '17

03 Feb '17

--On Friday, February 03, 2017 8:19 PM +0100 Dieter Klünter <dieter(a)dkluenter.de> wrote: > git branch -v > * OPENLDAP_REL_ENG_2_4 ab6f04c Fix comparison error > OPENLDAP_REL_ENG_2_5 0f7064d Merge remote-tracking branch > 'origin/master' into OPENLDAP_REL_ENG_2_5 > master c01bbc7 Tweak examples to use back-mdb > > anything else? 64 bit vs 32 bit? I've just done another 500 runs of test061 for RE24 with a fresh checkout, and it passed every time. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: test061 broken in HEAD for back-mdb
by Quanah Gibson-Mount 03 Feb '17

03 Feb '17

--On Friday, February 03, 2017 1:53 PM +0100 Dieter Klünter <dieter(a)dkluenter.de> wrote: > Am Wed, 01 Feb 2017 13:14:56 -0800 > schrieb Quanah Gibson-Mount <quanah(a)symas.com>: > >> For some reason, test061 routinely fails for back-mdb in HEAD. I've >> not had luck reproducing the issue with other backends or in RE24. >> >> To eliminate it being a replication delay, I increased the for loop >> to give 55 seconds time (1 through 10 seconds) chance to replicate. >> Most of the time the test fails in fewer than 50 iterations (most >> often fewer than 20), however one time it took as long as 85 >> iterations before failing. > [...] > > I now have intensively tested this issue and found occurrences in all > branches. Just some examples: > > ERROR: Entry 21 not replicated to ldap://localhost:9012/! (32)! > Error found after 1 of 1 iterations > Failed after 15 of 50 iterations > [dieter@pink tests (OPENLDAP_REL_ENG_2_4=)]$ > > ERROR: Entry 21 not replicated to ldap://localhost:9012/! (32)! > Error found after 1 of 1 iterations > Failed after 6 of 50 iterations > [dieter@pink tests (OPENLDAP_REL_ENG_2_5=)]$ > > I did about 100 test runs looping 50 times. In average every 7th > testrun failed. Interesting... I've had > 1000 passes and 0 failures in RE24. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

test061 broken in HEAD for back-mdb
by Quanah Gibson-Mount 03 Feb '17

03 Feb '17

For some reason, test061 routinely fails for back-mdb in HEAD. I've not had luck reproducing the issue with other backends or in RE24. To eliminate it being a replication delay, I increased the for loop to give 55 seconds time (1 through 10 seconds) chance to replicate. Most of the time the test fails in fewer than 50 iterations (most often fewer than 20), however one time it took as long as 85 iterations before failing. Interestingly, when the test fails, it is *always* entries 21 through 31 that are missing on slapd instance 2. From slapd.2.log, we can see the failure here: build@u12build:~/git/symas-packages/thirdparty/openldap/build/UBUNTU12_64/symas-openldap/tests/testrun$ grep syncrepl_message_to_entry slapd.2.log 5892455c syncrepl_message_to_entry: rid=001 DN: dc=example,dc=com, UUID: fe7b6d3e-7d08-1036-8b97-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=1,dc=example,dc=com, UUID: ff6f85e0-7d08-1036-8b98-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=2,dc=example,dc=com, UUID: ff8879a6-7d08-1036-8b99-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=3,dc=example,dc=com, UUID: ff993e26-7d08-1036-8b9a-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=4,dc=example,dc=com, UUID: ffa7a51a-7d08-1036-8b9b-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=5,dc=example,dc=com, UUID: ffb09206-7d08-1036-8b9c-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=6,dc=example,dc=com, UUID: ffc4c78a-7d08-1036-8b9d-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=7,dc=example,dc=com, UUID: ffd25c24-7d08-1036-8b9e-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=8,dc=example,dc=com, UUID: ffe0a4c8-7d08-1036-8b9f-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=9,dc=example,dc=com, UUID: fff34344-7d08-1036-8ba0-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=10,dc=example,dc=com, UUID: 00025b9a-7d09-1036-8ba1-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=11,dc=example,dc=com, UUID: 00142762-7d09-1036-8ba2-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=12,dc=example,dc=com, UUID: 00202eea-7d09-1036-8ba3-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=13,dc=example,dc=com, UUID: 00368172-7d09-1036-8ba4-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=14,dc=example,dc=com, UUID: 004e2fb6-7d09-1036-8ba5-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=15,dc=example,dc=com, UUID: 00641fce-7d09-1036-8ba6-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=16,dc=example,dc=com, UUID: 007a8b56-7d09-1036-8ba7-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=17,dc=example,dc=com, UUID: 00b48a5e-7d09-1036-8ba8-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=18,dc=example,dc=com, UUID: 00ccd636-7d09-1036-8ba9-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=19,dc=example,dc=com, UUID: 00df9186-7d09-1036-8baa-c1adc227e9e3 58924560 syncrepl_message_to_entry: rid=001 DN: ou=20,dc=example,dc=com, UUID: 00f0aef8-7d09-1036-8bab-c1adc227e9e3 58924564 syncrepl_message_to_entry: rid=001 DN: ou=10,dc=example,dc=com, UUID: 00025b9a-7d09-1036-8ba1-c1adc227e9e3 58924564 syncrepl_message_to_entry: rid=001 DN: ou=9,dc=example,dc=com, UUID: fff34344-7d08-1036-8ba0-c1adc227e9e3 58924564 syncrepl_message_to_entry: rid=001 DN: ou=8,dc=example,dc=com, UUID: ffe0a4c8-7d08-1036-8b9f-c1adc227e9e3 58924564 syncrepl_message_to_entry: rid=001 DN: ou=7,dc=example,dc=com, UUID: ffd25c24-7d08-1036-8b9e-c1adc227e9e3 58924564 syncrepl_message_to_entry: rid=001 DN: ou=6,dc=example,dc=com, UUID: ffc4c78a-7d08-1036-8b9d-c1adc227e9e3 58924564 syncrepl_message_to_entry: rid=001 DN: ou=5,dc=example,dc=com, UUID: ffb09206-7d08-1036-8b9c-c1adc227e9e3 58924564 syncrepl_message_to_entry: rid=001 DN: ou=4,dc=example,dc=com, UUID: ffa7a51a-7d08-1036-8b9b-c1adc227e9e3 58924564 syncrepl_message_to_entry: rid=001 DN: ou=3,dc=example,dc=com, UUID: ff993e26-7d08-1036-8b9a-c1adc227e9e3 58924564 syncrepl_message_to_entry: rid=001 DN: ou=2,dc=example,dc=com, UUID: ff8879a6-7d08-1036-8b99-c1adc227e9e3 58924565 syncrepl_message_to_entry: rid=001 DN: ou=1,dc=example,dc=com, UUID: ff6f85e0-7d08-1036-8b98-c1adc227e9e3 58924565 syncrepl_message_to_entry: rid=001 DN: ou=32,dc=example,dc=com, UUID: 032a0142-7d09-1036-8bb7-c1adc227e9e3 58924565 syncrepl_message_to_entry: rid=001 DN: ou=33,dc=example,dc=com, UUID: 0341a072-7d09-1036-8bb8-c1adc227e9e3 58924565 syncrepl_message_to_entry: rid=001 DN: ou=34,dc=example,dc=com, UUID: 03578cb6-7d09-1036-8bb9-c1adc227e9e3 58924565 syncrepl_message_to_entry: rid=001 DN: ou=35,dc=example,dc=com, UUID: 037302f2-7d09-1036-8bba-c1adc227e9e3 58924566 syncrepl_message_to_entry: rid=001 DN: ou=36,dc=example,dc=com, UUID: 03a60a58-7d09-1036-8bbb-c1adc227e9e3 58924566 syncrepl_message_to_entry: rid=001 DN: ou=37,dc=example,dc=com, UUID: 03c72558-7d09-1036-8bbc-c1adc227e9e3 58924566 syncrepl_message_to_entry: rid=001 DN: ou=38,dc=example,dc=com, UUID: 03e5f7b2-7d09-1036-8bbd-c1adc227e9e3 58924566 syncrepl_message_to_entry: rid=001 DN: ou=39,dc=example,dc=com, UUID: 040613e4-7d09-1036-8bbe-c1adc227e9e3 58924566 syncrepl_message_to_entry: rid=001 DN: ou=40,dc=example,dc=com, UUID: 0422b8d2-7d09-1036-8bbf-c1adc227e9e3 58924567 syncrepl_message_to_entry: rid=001 DN: ou=11,dc=example,dc=com, UUID: 00142762-7d09-1036-8ba2-c1adc227e9e3 58924567 syncrepl_message_to_entry: rid=001 DN: ou=12,dc=example,dc=com, UUID: 00202eea-7d09-1036-8ba3-c1adc227e9e3 58924567 syncrepl_message_to_entry: rid=001 DN: ou=13,dc=example,dc=com, UUID: 00368172-7d09-1036-8ba4-c1adc227e9e3 58924567 syncrepl_message_to_entry: rid=001 DN: ou=14,dc=example,dc=com, UUID: 004e2fb6-7d09-1036-8ba5-c1adc227e9e3 58924567 syncrepl_message_to_entry: rid=001 DN: ou=15,dc=example,dc=com, UUID: 00641fce-7d09-1036-8ba6-c1adc227e9e3 58924568 syncrepl_message_to_entry: rid=001 DN: ou=16,dc=example,dc=com, UUID: 007a8b56-7d09-1036-8ba7-c1adc227e9e3 58924568 syncrepl_message_to_entry: rid=001 DN: ou=17,dc=example,dc=com, UUID: 00b48a5e-7d09-1036-8ba8-c1adc227e9e3 58924568 syncrepl_message_to_entry: rid=001 DN: ou=18,dc=example,dc=com, UUID: 00ccd636-7d09-1036-8ba9-c1adc227e9e3 58924568 syncrepl_message_to_entry: rid=001 DN: ou=19,dc=example,dc=com, UUID: 00df9186-7d09-1036-8baa-c1adc227e9e3 58924568 syncrepl_message_to_entry: rid=001 DN: ou=20,dc=example,dc=com, UUID: 00f0aef8-7d09-1036-8bab-c1adc227e9e3 We can compare to a run where things were successful for slapd instance 2: build@u12build:~/git/symas-packages/thirdparty/openldap/build/UBUNTU12_64/symas-openldap/tests/testrun$ grep syncrepl_message_to_entry slapd.2.log 58924f17 syncrepl_message_to_entry: rid=001 DN: dc=example,dc=com, UUID: cb75b236-7d0e-1036-941d-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=1,dc=example,dc=com, UUID: cc5cfbb4-7d0e-1036-941e-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=2,dc=example,dc=com, UUID: cc70aa1a-7d0e-1036-941f-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=3,dc=example,dc=com, UUID: cc82f968-7d0e-1036-9420-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=4,dc=example,dc=com, UUID: cc9a1e90-7d0e-1036-9421-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=5,dc=example,dc=com, UUID: ccaf8384-7d0e-1036-9422-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=6,dc=example,dc=com, UUID: ccc7e14a-7d0e-1036-9423-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=7,dc=example,dc=com, UUID: ccdd19e8-7d0e-1036-9424-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=8,dc=example,dc=com, UUID: ccf30aa0-7d0e-1036-9425-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=9,dc=example,dc=com, UUID: cd0e4644-7d0e-1036-9426-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=10,dc=example,dc=com, UUID: cd1f0bc8-7d0e-1036-9427-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=11,dc=example,dc=com, UUID: cd301fee-7d0e-1036-9428-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=12,dc=example,dc=com, UUID: cd3fcde0-7d0e-1036-9429-eb3c99065fa9 58924f1a syncrepl_message_to_entry: rid=001 DN: ou=13,dc=example,dc=com, UUID: cd56e2b4-7d0e-1036-942a-eb3c99065fa9 58924f1b syncrepl_message_to_entry: rid=001 DN: ou=14,dc=example,dc=com, UUID: cd74d800-7d0e-1036-942b-eb3c99065fa9 58924f1b syncrepl_message_to_entry: rid=001 DN: ou=15,dc=example,dc=com, UUID: cd8d9e08-7d0e-1036-942c-eb3c99065fa9 58924f1b syncrepl_message_to_entry: rid=001 DN: ou=16,dc=example,dc=com, UUID: cdb00876-7d0e-1036-942d-eb3c99065fa9 58924f1b syncrepl_message_to_entry: rid=001 DN: ou=17,dc=example,dc=com, UUID: cdd2c776-7d0e-1036-942e-eb3c99065fa9 58924f1b syncrepl_message_to_entry: rid=001 DN: ou=18,dc=example,dc=com, UUID: cdf1b672-7d0e-1036-942f-eb3c99065fa9 58924f1c syncrepl_message_to_entry: rid=001 DN: ou=19,dc=example,dc=com, UUID: ce03233a-7d0e-1036-9430-eb3c99065fa9 58924f1c syncrepl_message_to_entry: rid=001 DN: ou=20,dc=example,dc=com, UUID: ce1650cc-7d0e-1036-9431-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=21,dc=example,dc=com, UUID: ce78b3ac-7d0e-1036-9432-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=22,dc=example,dc=com, UUID: ce88a49c-7d0e-1036-9433-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=23,dc=example,dc=com, UUID: ce95f8b8-7d0e-1036-9434-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=24,dc=example,dc=com, UUID: cea6e98e-7d0e-1036-9435-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=25,dc=example,dc=com, UUID: ceb97806-7d0e-1036-9436-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=26,dc=example,dc=com, UUID: cec86c44-7d0e-1036-9437-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=27,dc=example,dc=com, UUID: ced887be-7d0e-1036-9438-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=28,dc=example,dc=com, UUID: cee6a574-7d0e-1036-9439-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=29,dc=example,dc=com, UUID: ceef6434-7d0e-1036-943a-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=30,dc=example,dc=com, UUID: ceff70c2-7d0e-1036-943b-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=31,dc=example,dc=com, UUID: cfc37ada-7d0e-1036-943c-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=32,dc=example,dc=com, UUID: cfd1761c-7d0e-1036-943d-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=33,dc=example,dc=com, UUID: cff7f01c-7d0e-1036-943e-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=34,dc=example,dc=com, UUID: d00e5a78-7d0e-1036-943f-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=35,dc=example,dc=com, UUID: d022182e-7d0e-1036-9440-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=36,dc=example,dc=com, UUID: d032b4fe-7d0e-1036-9441-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=37,dc=example,dc=com, UUID: d0496654-7d0e-1036-9442-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=38,dc=example,dc=com, UUID: d05f15a8-7d0e-1036-9443-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=39,dc=example,dc=com, UUID: d07003fe-7d0e-1036-9444-eb3c99065fa9 58924f21 syncrepl_message_to_entry: rid=001 DN: ou=40,dc=example,dc=com, UUID: d0809476-7d0e-1036-9445-eb3c99065fa9 58924f22 syncrepl_message_to_entry: rid=001 DN: ou=15,dc=example,dc=com, UUID: cd8d9e08-7d0e-1036-942c-eb3c99065fa9 58924f23 syncrepl_message_to_entry: rid=001 DN: ou=16,dc=example,dc=com, UUID: cdb00876-7d0e-1036-942d-eb3c99065fa9 58924f23 syncrepl_message_to_entry: rid=001 DN: ou=17,dc=example,dc=com, UUID: cdd2c776-7d0e-1036-942e-eb3c99065fa9 58924f23 syncrepl_message_to_entry: rid=001 DN: ou=18,dc=example,dc=com, UUID: cdf1b672-7d0e-1036-942f-eb3c99065fa9 58924f23 syncrepl_message_to_entry: rid=001 DN: ou=19,dc=example,dc=com, UUID: ce03233a-7d0e-1036-9430-eb3c99065fa9 58924f23 syncrepl_message_to_entry: rid=001 DN: ou=20,dc=example,dc=com, UUID: ce1650cc-7d0e-1036-9431-eb3c99065fa9 58924f27 syncrepl_message_to_entry: rid=001 DN: ou=36,dc=example,dc=com, UUID: d032b4fe-7d0e-1036-9441-eb3c99065fa9 58924f27 syncrepl_message_to_entry: rid=001 DN: ou=37,dc=example,dc=com, UUID: d0496654-7d0e-1036-9442-eb3c99065fa9 58924f27 syncrepl_message_to_entry: rid=001 DN: ou=38,dc=example,dc=com, UUID: d05f15a8-7d0e-1036-9443-eb3c99065fa9 58924f27 syncrepl_message_to_entry: rid=001 DN: ou=39,dc=example,dc=com, UUID: d07003fe-7d0e-1036-9444-eb3c99065fa9 58924f27 syncrepl_message_to_entry: rid=001 DN: ou=40,dc=example,dc=com, UUID: d0809476-7d0e-1036-9445-eb3c99065fa9 --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: Patch adding command line TLS support to the ldap utilities
by Quanah Gibson-Mount 31 Jan '17

31 Jan '17

--On Tuesday, January 31, 2017 5:07 PM +0100 Michael Ströder <michael(a)stroeder.com> wrote: > Hmm, up to now I thought setting LDAP_TLS_CACERT and friends overrides > whatever is set in ldap.conf or .ldaprc. Variables do override, however, I have no clue as to *what* things may be set somewhere. If I were to unset LDAPNOINIT, any test is subject to anything I don't specifically override that the user, system admin, etc, may have set. > And I also thought LDAPNOINIT disables all defaults from config files. It disables everything (config files, environment variables, etc). Thus the following files and variables are read, in order: variable $LDAPNOINIT, and if that is not set: system file /usr/local/etc/openldap/ldap.conf, user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, system file $LDAPCONF, user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC, variables $LDAP<uppercase option name>. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Patch adding command line TLS support to the ldap utilities
by Quanah Gibson-Mount 31 Jan '17

31 Jan '17

--On Tuesday, January 31, 2017 4:24 PM +0100 Michael Ströder <michael(a)stroeder.com> wrote: > Quanah Gibson-Mount wrote: >> In working on creating a TLS testsuite for OpenLDAP, a glaring omission >> in the abilities of the command line tools quickly became apparent. >> Specifically, the inability to set any TLS related options. > > Just out of curiosity: > Wasn't using the env vars not enough in the test suite's shell scripts? No. I have no way of knowing what option(s)/conf files may exist in the environment of the user building OpenLDAP. We set LDAPNOINIT in the test suite to avoid this problem for the non-TLS portion, but there's no ability to do anything TLS related at that point w/o such a patch. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Patch adding command line TLS support to the ldap utilities
by Quanah Gibson-Mount 31 Jan '17

31 Jan '17

In working on creating a TLS testsuite for OpenLDAP, a glaring omission in the abilities of the command line tools quickly became apparent. Specifically, the inability to set any TLS related options. I've written up a patch to allow setting various options via "-o", and tested it in my environment, where it is behaving as desired. Specifically, any option passed in via -o /overrides/ any LDAP* environment variable, any ~/.ldaprc, any system ldap.conf, etc. It also allows the ldap* utilities to work with TLS when LDAPNOINIT is set in the utility environment. Attached is the patch for general review. There are likely more options that would be useful to add, but this gives a basic framework for what I need initially in the TLS test suite. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

RE24 testing call #1 (2.4.44) LMDB RE0.9 testing call #1 (0.9.20)
by Quanah Gibson-Mount 21 Jan '17

21 Jan '17

For this testing call, we particularly need folks to test OpenLDAP with startTLS/LDAPS when compiled against OpenSSL (both pre 1.1 series and with the 1.1 series). There is currenly nothing in the test suite that covers encrypted connections (Although it's on my todo list). To build against OpenSSL 1.1 may also require cyrus-sasl HEAD out of the cyrus-sasl GIT repository, depending on your build options as the current cyrus-sasl release does not support the OpenSSL 1.1 series. It can be found at <https://github.com/cyrusimap/cyrus-sasl>. If you build with GSSAPI and use Heimdal, you will also need the Heimdal 7.1.0 or later release (as that is where OpenSSL 1.1 support was added). It can be obtained from <http://h5l.org/>. Also new with this release is the ability to run "make its" in the tests/ directory. This will run a specific set of tests around past bugs to ensure there are no regressions. While I've tested this with modular openldap builds, it has not been tested with the modules and backends built into slapd, so there could be some issues in that scenario. OpenLDAP 2.4.45 Engineering Added slapd support for OpenSSL 1.1.0 series (ITS#8353, ITS#8533) Fixed libldap handling of Diffie-Hellman parameters (ITS#7506) Fixed libldap GnuTLS use after free (ITS#8385) Fixed slapd sasl SEGV rebind in same session (ITS#8568) Fixed slapd syncrepl filter handling (ITS#8413) Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS#8432) Fixed slapd callback struct so older modules without writewait should function. Custom modules may need to be updated for sc_writewait callback (ITS#8435) Fixed slapd-mdb so it passes ITS6794 regression test (ITS#6794) Fixed slapd-meta uninitialized diagnostic message (ITS#8442) Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS#8423) Fixed slapo-relay to correctly initialize sc_writewait (ITS#8428) Build Environment Added test065 for proxyauthz (ITS#8571) Fix test008 to be portable (ITS#8414) Fix its4336 regression test (ITS#8534) Fix its4337 regression test (ITS#8535) Fix regression tests to execute on all backends (ITS#8539) Contrib Added slapo-autogroup(5) man page (ITS#8569) Added passwd missing conversion scripts for apr1 (ITS#6826) Fixed contrib modules where the writewait callback was not correctly initialized (ITS#8435) Fixed smbk5pwd to build with newer OpenSSL releases (ITS#8525) Documentation admin24 fixed tls_cipher_suite bindconf option (ITS#8099) admin24 fixed typo cn=config to be slapd.d (ITS#8449) Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS#8538) Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS#8565) Fixed various minor grammar issues in the man pages (ITS#8544) LMDB 0.9.20 Release Engineering Fix mdb_load with escaped plaintext (ITS#8558) Fix mdb_cursor_last / mdb_put interaction (ITS#8557) LMDB 0.9.19 Release (2016/12/28) Fix mdb_env_cwalk cursor init (ITS#8424) Fix robust mutexes on Solaris 10/11 (ITS#8339) Tweak Win32 error message buffer Fix MDB_GET_BOTH on non-dup record (ITS#8393) Optimize mdb_drop Fix xcursors after mdb_cursor_del (ITS#8406) Fix MDB_NEXT_DUP after mdb_cursor_del (ITS#8412) Fix mdb_cursor_put resetting C_EOF (ITS#8489) Fix mdb_env_copyfd2 to return EPIPE on SIGPIPE (ITS#8504) Fix mdb_env_copy with empty DB (ITS#8209) Fix behaviors with fork (ITS#8505) Fix mdb_dbi_open with mainDB cursors (ITS#8542) Fix robust mutexes on kFreeBSD (ITS#8554) Fix utf8_to_utf16 error checks (ITS#7992) Fix F_NOCACHE on MacOS, error is non-fatal (ITS#7682) Build Make shared lib suffix overridable (ITS#8481) Documentation Cleanup doxygen nits Note reserved vs actual mem/disk usage --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 2

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-devel