In working on creating a TLS test suite for OpenLDAP, a glaring omission in
the abilities of the command line tools quickly became apparent:
the inability to set any TLS-related options. I've written
up a patch to allow setting various options via "-o", and tested it in my
environment, where it is behaving as desired.
Specifically, any option passed in via -o /overrides/ any LDAP* environment
variable, any ~/.ldaprc, any system ldap.conf, etc. It also allows the
ldap* utilities to work with TLS when LDAPNOINIT is set in the utility
environment.
Attached is the patch for general review. There are likely more options
that would be useful to add, but this gives a basic framework for what I
need initially in the TLS test suite.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
For this testing call, we particularly need folks to test OpenLDAP with
startTLS/LDAPS when compiled against OpenSSL (both pre 1.1 series and with
the 1.1 series). There is currently nothing in the test suite that covers
encrypted connections (Although it's on my todo list). To build against
OpenSSL 1.1 may also require cyrus-sasl HEAD out of the cyrus-sasl GIT
repository, depending on your build options as the current cyrus-sasl
release does not support the OpenSSL 1.1 series. It can be found at
<https://github.com/cyrusimap/cyrus-sasl>. If you build with GSSAPI and
use Heimdal, you will also need the Heimdal 7.1.0 or later release (as that
is where OpenSSL 1.1 support was added). It can be obtained from
<http://h5l.org/>.
Also new with this release is the ability to run "make its" in the tests/
directory. This will run a specific set of tests around past bugs to
ensure there are no regressions. While I've tested this with modular
openldap builds, it has not been tested with the modules and backends built
into slapd, so there could be some issues in that scenario.
OpenLDAP 2.4.45 Engineering
Added slapd support for OpenSSL 1.1.0 series (ITS#8353, ITS#8533)
Fixed libldap handling of Diffie-Hellman parameters (ITS#7506)
Fixed libldap GnuTLS use after free (ITS#8385)
Fixed slapd sasl SEGV rebind in same session (ITS#8568)
Fixed slapd syncrepl filter handling (ITS#8413)
Fixed slapd syncrepl infinite looping mods with delta-sync MMR
(ITS#8432)
Fixed slapd callback struct so older modules without writewait
should function.
Custom modules may need to be updated for sc_writewait
callback (ITS#8435)
Fixed slapd-mdb so it passes ITS6794 regression test (ITS#6794)
Fixed slapd-meta uninitialized diagnostic message (ITS#8442)
Fixed slapo-accesslog to honor pauses during purge for cn=config
update (ITS#8423)
Fixed slapo-relay to correctly initialize sc_writewait (ITS#8428)
Build Environment
Added test065 for proxyauthz (ITS#8571)
Fix test008 to be portable (ITS#8414)
Fix its4336 regression test (ITS#8534)
Fix its4337 regression test (ITS#8535)
Fix regression tests to execute on all backends (ITS#8539)
Contrib
Added slapo-autogroup(5) man page (ITS#8569)
Added passwd missing conversion scripts for apr1 (ITS#6826)
Fixed contrib modules where the writewait callback was not
correctly initialized (ITS#8435)
Fixed smbk5pwd to build with newer OpenSSL releases
(ITS#8525)
Documentation
admin24 fixed tls_cipher_suite bindconf option (ITS#8099)
admin24 fixed typo cn=config to be slapd.d (ITS#8449)
Fixed slapd-config(5), slapd.conf(5) clarification on
interval keyword for refreshAndPersist (ITS#8538)
Fixed slapo-ppolicy(5) to clearly note rootdn requirement
(ITS#8565)
Fixed various minor grammar issues in the man pages
(ITS#8544)
LMDB 0.9.20 Release Engineering
Fix mdb_load with escaped plaintext (ITS#8558)
Fix mdb_cursor_last / mdb_put interaction (ITS#8557)
LMDB 0.9.19 Release (2016/12/28)
Fix mdb_env_cwalk cursor init (ITS#8424)
Fix robust mutexes on Solaris 10/11 (ITS#8339)
Tweak Win32 error message buffer
Fix MDB_GET_BOTH on non-dup record (ITS#8393)
Optimize mdb_drop
Fix xcursors after mdb_cursor_del (ITS#8406)
Fix MDB_NEXT_DUP after mdb_cursor_del (ITS#8412)
Fix mdb_cursor_put resetting C_EOF (ITS#8489)
Fix mdb_env_copyfd2 to return EPIPE on SIGPIPE (ITS#8504)
Fix mdb_env_copy with empty DB (ITS#8209)
Fix behaviors with fork (ITS#8505)
Fix mdb_dbi_open with mainDB cursors (ITS#8542)
Fix robust mutexes on kFreeBSD (ITS#8554)
Fix utf8_to_utf16 error checks (ITS#7992)
Fix F_NOCACHE on MacOS, error is non-fatal (ITS#7682)
Build
Make shared lib suffix overridable (ITS#8481)
Documentation
Cleanup doxygen nits
Note reserved vs actual mem/disk usage
--Quanah
--On Friday, January 20, 2017 6:51 PM +0100 Dieter Klünter
<dieter(a)dkluenter.de> wrote:
> $ make its
> Testing (available) ITS regressions
> make[1]: Entering directory '/home/dieter/build/openldap/tests'
> run configure with --enable-bdb to run BDB tests
> make[1]: Leaving directory '/home/dieter/build/openldap/tests'
> make[1]: Entering directory '/home/dieter/build/openldap/tests'
> run configure with --enable-hdb to run BDB tests
> make[1]: Leaving directory '/home/dieter/build/openldap/tests'
> make[1]: Entering directory '/home/dieter/build/openldap/tests'
> run configure with --enable-mdb to run BDB tests
> make[1]: Leaving directory '/home/dieter/build/openldap/tests'
Thanks, fixed. :)
--Quanah
Date: Thu, 19 Jan 2017 21:33:18 +0100
From: Dieter Klünter <dieter(a)dkluenter.de>
To: openldap-devel(a)openldap.org
Subject: Re: RE24 testing call #1 (2.4.44) LMDB RE0.9 testing call #1
(0.9.20)
On Wed, 18 Jan 2017 18:05:21 -0800,
Quanah Gibson-Mount <quanah(a)symas.com> wrote:
> For this testing call, we particularly need folks to test OpenLDAP
> with startTLS/LDAPS when compiled against OpenSSL (both pre 1.1
> series and with the 1.1 series). There is currently nothing in the
> test suite that covers encrypted connections (Although it's on my
> todo list). To build against OpenSSL 1.1 may also require cyrus-sasl
> HEAD out of the cyrus-sasl GIT repository, depending on your build
> options as the current cyrus-sasl release does not support the
> OpenSSL 1.1 series. It can be found at
> <https://github.com/cyrusimap/cyrus-sasl>. If you build with GSSAPI
> and use Heimdal, you will also need the Heimdal 7.1.0 or later
> release (as that is where OpenSSL 1.1 support was added). It can be
> obtained from <http://h5l.org/>.
>
> Also new with this release is the ability to run "make its" in the
> tests/ directory. This will run a specific set of tests around past
> bugs to ensure there are no regressions. While I've tested this with
> modular openldap builds, it has not been tested with the modules and
> backends built into slapd, so there could be some issues in that
> scenario.
my configure:
--enable-bdb=no \
--enable-hdb=no \
--enable-mdb=yes \
these are the issues:
$ make its
Testing (available) ITS regressions
make[1]: Entering directory '/home/dieter/build/openldap/tests'
run configure with --enable-bdb to run BDB tests
make[1]: Leaving directory '/home/dieter/build/openldap/tests'
make[1]: Entering directory '/home/dieter/build/openldap/tests'
run configure with --enable-hdb to run BDB tests
make[1]: Leaving directory '/home/dieter/build/openldap/tests'
make[1]: Entering directory '/home/dieter/build/openldap/tests'
run configure with --enable-mdb to run BDB tests
make[1]: Leaving directory '/home/dieter/build/openldap/tests'
-Dieter
--
Dieter Klünter | Systemberatung
https://sys4.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
--On Friday, October 21, 2016 8:24 PM +0300 Karatas Ozgur
<mueddib(a)openldap.org> wrote:
> This style a very primitive coding method, I know, sorry.
> I'm waiting for help on how to Git.
Hi Ozgur,
That is a tag for the "what" command. It will not be removed. See
<https://en.wikipedia.org/wiki/Source_Code_Control_System> for more
information.
Regards,
Quanah
Hello all,
How are you? We installed an OpenLDAP server a few days ago and forwarded the server logs to our logserver.
But we could not read the OpenLDAP log on the logserver.
The logserver records all logs to a database and sends them by e-mail.
Example:
Oct 21 10:54:23 ldapserver slapd[1595]: @(#) $OpenLDAP: slapd 2.4.44 (Oct 21 2016 10:49:33) $#012#011mueddib@ldapserver:/home/mueddib/openldap-2.4.44/servers/slapd
Oct 21 10:54:23 ldapserver slapd[1596]: mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Oct 21 10:54:23 ldapserver slapd[1596]: slapd starting
For example, unnecessary rows: "@(#)" and " $#012#011"
I fixed it but I couldn't commit to git :)
# git status
On branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
(use "git reset HEAD <file>..." to unstage)
modified: build/mkvers.bat
modified: build/mkversion
# git push origin master
fatal: remote error: access denied or repository not exported: /openldap.git
# git push origin origin
fatal: remote error: access denied or repository not exported: /openldap.git
I don't know why I don't have access to the OpenLDAP Git server (I would like your help).
Could you please fix the code below?
File: /build/mkvers.bat
from:
(echo "@(#) $" OPENLDAP_PACKAGE ": %3 " OPENLDAP_VERSION) >> %2
(echo " (" __DATE__ " " __TIME__ ") $\n") >> %2
(echo "\t%USERNAME%@%COMPUTERNAME% %CD:\=/%\n";) >> %2
to (please):
(echo OPENLDAP_PACKAGE ": %3 " OPENLDAP_VERSION) >> %2
(echo " (" __DATE__ " " __TIME__ ") \n") >> %2
(echo "%USERNAME%@%COMPUTERNAME% %CD:\=/%\n";) >> %2
File: /build/mkversion
from:
$static $const char $SYMBOL[] =
"@(#) \$$PACKAGE: $APPLICATION $VERSION (" __DATE__ " " __TIME__ ") \$\n"
"\t$WHOWHERE\n";
to (please):
$static $const char $SYMBOL[] =
"$PACKAGE: $APPLICATION $VERSION (" __DATE__ " " __TIME__ ") \n"
"$WHOWHERE\n";
This style a very primitive coding method, I know, sorry.
I'm waiting for help on how to Git.
Regards,
--
Ozgur Karatas
E: mueddib(a)openldap.org
T: https://twitter.com/openldaporg
F: http://facebook.com/openldap
D: https://hub.docker.com/r/openldap/
G: https://github.com/openldap/
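The slapd startup line quoted in this message, decoded: an added example in Python, not code from the thread or from OpenLDAP. It assumes the "#012" and "#011" sequences are rsyslog's octal escaping of the newline and tab in slapd's two-line version banner (the "@(#)" prefix is the marker that the SCCS what(1) utility searches for, as Quanah's reply explains), and emulates what(1)'s scan so a logserver can keep the banner and still parse the version out of it. The sample line and the stop-character set for what(1) are the only inputs; everything else is constructed here.

```python
"""Decode rsyslog control-character escapes and extract the SCCS
what(1) tag from a slapd startup banner as it arrives on a logserver.
Added example, not code from the thread or from OpenLDAP."""
import re

# Constructed sample: the slapd[1595] line from the thread, as a logserver
# receives it after rsyslog escaped the embedded newline and tab.
SAMPLE_LINE = (
    "Oct 21 10:54:23 ldapserver slapd[1595]: @(#) $OpenLDAP: slapd 2.4.44 "
    "(Oct 21 2016 10:49:33) $#012#011mueddib@ldapserver:"
    "/home/mueddib/openldap-2.4.44/servers/slapd"
)

_OCTAL_ESCAPE = re.compile(r"#([0-7]{3})")


def unescape_rsyslog(text):
    """Reverse rsyslog's '#ooo' escaping of control characters.

    Only codes below 0x20 are decoded, so a literal '#123' that really was
    part of the message is left untouched (assumption: rsyslog only escapes
    control characters this way)."""
    def _sub(m):
        code = int(m.group(1), 8)
        return chr(code) if code < 0x20 else m.group(0)
    return _OCTAL_ESCAPE.sub(_sub, text)


_WHAT_MARKER = b"@(#)"
_WHAT_STOP = b'">\n\\\x00'   # what(1) stops at ", >, newline, backslash or NUL


def what(data):
    """Emulate SCCS what(1): return the text after every '@(#)' marker in a
    byte string (a binary or a log message) up to the first stop character."""
    found = []
    pos = 0
    while True:
        pos = data.find(_WHAT_MARKER, pos)
        if pos < 0:
            return found
        pos += len(_WHAT_MARKER)
        end = pos
        while end < len(data) and data[end] not in _WHAT_STOP:
            end += 1
        found.append(data[pos:end].decode("latin-1").strip())
        pos = end


_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Layout of the what-tag slapd emits: "$OpenLDAP: <prog> <version> (<built>) $"
_BANNER = re.compile(
    r"\$OpenLDAP: (?P<prog>\S+) (?P<ver>\S+) \((?P<built>[^)]*)\) \$"
)


def parse_slapd_banner(line):
    """Parse one BSD-syslog line. Return the banner fields if the line
    carries slapd's version banner, otherwise None."""
    m = _SYSLOG.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line: %r" % line)
    msg = unescape_rsyslog(m["msg"])
    tags = what(msg.encode("utf-8"))
    if not tags:
        return None
    b = _BANNER.search(tags[0])
    if not b:
        return None
    # Second banner line (after the decoded newline): "\t<user>@<host>:<build dir>"
    rest = msg.split("\n", 1)
    return {
        "host": m["host"],
        "pid": int(m["pid"]),
        "what": tags[0],
        "program": b["prog"],
        "version": b["ver"],
        "built": b["built"],
        "built_by": rest[1].strip() if len(rest) > 1 else "",
    }


if __name__ == "__main__":
    print(parse_slapd_banner(SAMPLE_LINE))
```

Run stand-alone it prints the parsed banner for the sample line. The point for a logserver is that the "@(#)" and "#012#011" bytes are data, not noise: the first is the marker that lets `what slapd` report the build from the binary, the second is how the collector preserved a multi-line message, and both decode cleanly.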
I've prepared a patch for ITS8511, that deprecates
mirrormode/olcMirrorMode. I'd like to include it as part of the 2.5
release.
What it does is rename the configuration parameter to "multimaster" or
olcMultiMaster. This change makes the configuration reflect what is
actually being done when this mode is enabled (set to TRUE). Mirrormode
itself is a concept completely external to the OpenLDAP configuration
(i.e., it's based off of some sort of load balancing configuration), and
the current usage of the term mirrormode is misleading and leads to
significant confusion. While we can update the docs in various ways, I
believe the configuration term should accurately reflect what is
occurring when it is enabled. The current method simply leads to
unnecessary confusion and is misleading.
One potential issue is that it does change the cn=config schema. However,
we've done this before when deprecating keywords. pcache.c is an example
of where this has been done in the past.
I've validated that my change is 100% backwards compatible, so that
existing configurations continue to work.
Thoughts welcome.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Engineer
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> Howard Chu wrote:
>>>> Was just thinking we could do a quite simple backend for use with the accesslog
>>>> overlay and delta-syncrepl. It would write into flat files and do typical
>>>> logfile rotation on its own. The backing store would have a minimum of two files
>>>> - one for the suffix entry, one for the current chunk of logs. There would be a
>>>> configurable number of logfiles, with the oldest simply being deleted when it's
>>>> time to purge.
>>>
>>> Two things I'd consider helpful for long-time archiving/auditing:
>>>
>>> 1. filenames to allow of "merging" different log flat files into one big file
>>> store on a different slapd instance.
>>
>> Not sure what you mean by this. As sequential logs you could just cat them if
>> you want to combine files into one, what does the filename have to do with it?
>
> Sorry for unclear wording.
> I'd like to move archived files of all MMR replicas into another single
> filesystem directory and let a special auditing slapd with back-llog search in
> them without having to muck with file names.
Then you would have to merge them entry-by-entry to preserve chronological order.
>> If we just use datestamps for filenames YYYYMMDD it should be no problem for you
>> to cat them in proper order.
>
> There could be conflicting timestamps from different MMR replicas. Maybe
> appending the serverID could be a solution?
Just keep them all in their own separate filesystem directories.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
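The entry-by-entry merge Howard describes, as an added example in Python; it is not code from the thread, and no back-llog backend exists on this page. It assumes the archived chunks are LDIF in the form slapo-accesslog writes (reqStart as a GeneralizedTime with microseconds) and that the serverID of each chunk is known from the directory it was archived into, which is the tie-breaker Michael asked about. The two chunks are constructed and deliberately share one reqStart.

```python
"""k-way merge of per-replica accesslog chunks into one chronological
stream, with serverID as the tie-breaker across replicas.
Added example, not code from the thread or from OpenLDAP."""
import heapq

# Constructed sample: one chunk per MMR replica, keyed by that replica's
# serverID (assumed to be known from the archive directory). The same
# reqStart appears on both replicas on purpose.
CHUNKS = {
    1: """\
dn: reqStart=20170120185100.000001Z,cn=accesslog
objectClass: auditModify
reqStart: 20170120185100.000001Z
reqType: modify
reqDN: uid=alice,dc=example,dc=com

dn: reqStart=20170120185102.000000Z,cn=accesslog
objectClass: auditAdd
reqStart: 20170120185102.000000Z
reqType: add
reqDN: uid=carol,dc=example,dc=com
""",
    2: """\
dn: reqStart=20170120185100.000001Z,cn=accesslog
objectClass: auditModify
reqStart: 20170120185100.000001Z
reqType: modify
reqDN: uid=bob,dc=example,dc=com

dn: reqStart=20170120185101.500000Z,cn=accesslog
objectClass: auditDelete
reqStart: 20170120185101.500000Z
reqType: delete
reqDN: uid=dave,dc=example,dc=com
""",
}


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one
    'attr: value' per line, multi-valued attributes kept as lists.
    No '::' base64 or line-continuation handling; enough for log records."""
    entries, cur = [], {}
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def merge_chunks(chunks):
    """Merge {serverID: ldif_text} into one list ordered by (reqStart, serverID).

    reqStart is a fixed-width GeneralizedTime with microseconds, so string
    order is time order. Each chunk must already be in reqStart order (the
    overlay appends in that order); serverID breaks ties so the merge is
    deterministic when two replicas logged the same instant, and is kept on
    every record so its origin survives the merge."""
    streams = []
    for sid, text in chunks.items():
        entries = parse_ldif(text)
        starts = [e["reqStart"][0] for e in entries]
        if starts != sorted(starts):
            raise ValueError("chunk for serverID %d is not in reqStart order" % sid)
        # list, not generator: 'sid' must be bound now, not at iteration time
        streams.append([(start, sid, e) for start, e in zip(starts, entries)])
    merged = []
    for start, sid, entry in heapq.merge(*streams, key=lambda t: (t[0], t[1])):
        merged.append(dict(entry, serverID=[str(sid)]))
    return merged


if __name__ == "__main__":
    for e in merge_chunks(CHUNKS):
        print(e["reqStart"][0], e["serverID"][0], e["reqType"][0], e["reqDN"][0])
```

Two caveats a practitioner will hit: reqStart is taken from each replica's own clock, so cross-replica order is only as accurate as their clock synchronisation, and the serverID tie-break does nothing about skew; and since the same reqStart can legitimately occur on two replicas, the DNs collide once the files share a tree, which is why the origin has to be carried along (here as a serverID attribute, or in the file name or directory as the thread suggests).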
Michael Ströder wrote:
> Howard Chu wrote:
>> Was just thinking we could do a quite simple backend for use with the accesslog
>> overlay and delta-syncrepl. It would write into flat files and do typical
>> logfile rotation on its own. The backing store would have a minimum of two files
>> - one for the suffix entry, one for the current chunk of logs. There would be a
>> configurable number of logfiles, with the oldest simply being deleted when it's
>> time to purge.
>
> Two things I'd consider helpful for long-time archiving/auditing:
>
> 1. filenames to allow of "merging" different log flat files into one big file
> store on a different slapd instance.
Not sure what you mean by this. As sequential logs you could just cat them if
you want to combine files into one, what does the filename have to do with it?
If we just use datestamps for filenames YYYYMMDD it should be no problem for
you to cat them in proper order.
> 2. instead of deleting moving files to an archive directory.
Sounds fine as an option.
> I know it's a different use-case but quite handy.
>
> Ciao, Michael.
>
>
Was just thinking we could do a quite simple backend for use with the
accesslog overlay and delta-syncrepl. It would write into flat files and do
typical logfile rotation on its own. The backing store would have a minimum of
two files - one for the suffix entry, one for the current chunk of logs. There
would be a configurable number of logfiles, with the oldest simply being
deleted when it's time to purge. It would only support Add/Search in general,
and Modify on the suffix entry.
A rolling append-only format like this would allow much higher throughput for
accesslog recording. Using a binary entry format would of course also help.