For this testing call, we particularly need folks to test OpenLDAP with startTLS/LDAPS when compiled against OpenSSL (both the pre-1.1 series and the 1.1 series). There is currently nothing in the test suite that covers encrypted connections (although it's on my todo list). Building against OpenSSL 1.1 may also require cyrus-sasl HEAD from the cyrus-sasl GIT repository, depending on your build options, as the current cyrus-sasl release does not support the OpenSSL 1.1 series. It can be found at https://github.com/cyrusimap/cyrus-sasl. If you build with GSSAPI and use Heimdal, you will also need the Heimdal 7.1.0 or later release (as that is where OpenSSL 1.1 support was added). It can be obtained from http://h5l.org/.
Also new with this release is the ability to run "make its" in the tests/ directory. This will run a specific set of tests around past bugs to ensure there are no regressions. While I've tested this with modular openldap builds, it has not been tested with the modules and backends built into slapd, so there could be some issues in that scenario.
Generally, get the code for RE24:
Configure & build.
Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite.
Thanks!
OpenLDAP 2.4.45 Engineering
    Added slapd support for OpenSSL 1.1.0 series (ITS#8353, ITS#8533)
    Fixed libldap handling of Diffie-Hellman parameters (ITS#7506)
    Fixed libldap GnuTLS use after free (ITS#8385)
    Fixed slapd sasl SEGV rebind in same session (ITS#8568)
    Fixed slapd syncrepl filter handling (ITS#8413)
    Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS#8432)
    Fixed slapd callback struct so older modules without writewait should function. Custom modules may need to be updated for sc_writewait callback (ITS#8435)
    Fixed slapd-mdb so it passes ITS6794 regression test (ITS#6794)
    Fixed slapd-meta uninitialized diagnostic message (ITS#8442)
    Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS#8423)
    Fixed slapo-relay to correctly initialize sc_writewait (ITS#8428)
    Build Environment
        Added test065 for proxyauthz (ITS#8571)
        Fix test008 to be portable (ITS#8414)
        Fix its4336 regression test (ITS#8534)
        Fix its4337 regression test (ITS#8535)
        Fix regression tests to execute on all backends (ITS#8539)
    Contrib
        Added slapo-autogroup(5) man page (ITS#8569)
        Added passwd missing conversion scripts for apr1 (ITS#6826)
        Fixed contrib modules where the writewait callback was not correctly initialized (ITS#8435)
        Fixed smbk5pwd to build with newer OpenSSL releases (ITS#8525)
    Documentation
        admin24 fixed tls_cipher_suite bindconf option (ITS#8099)
        admin24 fixed typo cn=config to be slapd.d (ITS#8449)
        Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS#8538)
        Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS#8565)
        Fixed various minor grammar issues in the man pages (ITS#8544)
LMDB 0.9.20 Release Engineering
    Fix mdb_load with escaped plaintext (ITS#8558)
    Fix mdb_cursor_last / mdb_put interaction (ITS#8557)
LMDB 0.9.19 Release (2016/12/28)
    Fix mdb_env_cwalk cursor init (ITS#8424)
    Fix robust mutexes on Solaris 10/11 (ITS#8339)
    Tweak Win32 error message buffer
    Fix MDB_GET_BOTH on non-dup record (ITS#8393)
    Optimize mdb_drop
    Fix xcursors after mdb_cursor_del (ITS#8406)
    Fix MDB_NEXT_DUP after mdb_cursor_del (ITS#8412)
    Fix mdb_cursor_put resetting C_EOF (ITS#8489)
    Fix mdb_env_copyfd2 to return EPIPE on SIGPIPE (ITS#8504)
    Fix mdb_env_copy with empty DB (ITS#8209)
    Fix behaviors with fork (ITS#8505)
    Fix mdb_dbi_open with mainDB cursors (ITS#8542)
    Fix robust mutexes on kFreeBSD (ITS#8554)
    Fix utf8_to_utf16 error checks (ITS#7992)
    Fix F_NOCACHE on MacOS, error is non-fatal (ITS#7682)
    Build
        Make shared lib suffix overridable (ITS#8481)
    Documentation
        Cleanup doxygen nits
        Note reserved vs actual mem/disk usage
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On Mon, 30 Jan 2017 12:49:56 -0800, Quanah Gibson-Mount quanah@symas.com wrote: [...]
Generally, get the code for RE24:
Configure & build.
Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite.
[...]
Starting test061-syncreplication-initiation for mdb... Running defines.sh ...
ERROR: Entry 21 not replicated to ldap://localhost:9012/! (32)! Error found after 1 of 1 iterations
test061-syncreplication-initiation failed for mdb
(exit 1)
Makefile:310: recipe for target 'mdb-yes' failed
make: *** [mdb-yes] Error 1
-Dieter
On 30.01.2017 at 21:49, Quanah Gibson-Mount wrote:
Configure & build.
* I noticed 33x "warning: unused variable". Should I write a patch?
* Very interesting to me how you modified my patch http://www.openldap.org/its/index.cgi?findid=8533 ... Thanks!
* This (and earlier) OpenLDAP releases do not force server-side cipher preference. There is a technically simple way to achieve this:
--- a/libraries/libldap/tls_o.c +++ b/libraries/libldap/tls_o.c @@ -366,6 +366,8 @@ tlso_ctx_init( struct ldapoptions *lo, s } } #endif + /* maybe some # ifdef is needed */ + SSL_CTX_set_options( ctx, SSL_OP_CIPHER_SERVER_PREFERENCE ); return 0; }
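Review bot: the hunk sets SSL_OP_CIPHER_SERVER_PREFERENCE unconditionally in tlso_ctx_init and the comment "/* maybe some # ifdef is needed */" leaves that question open; resolve it before submitting (check the minimum OpenSSL version libldap builds against, and either add the guard or replace the comment with one stating why server preference is forced). Since tlso_ctx_init initialises the context for libldap clients as well as for slapd, consider making this a TLS configuration option rather than a hard-coded default, so the behaviour change is documented and deployments that rely on the current ordering are not affected silently.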
As far as I know there is no ITS item opened. Is it worth adding one?
* Another point I'm interested in is the compilation of the libraries/liblmdb/mdb_* tools. While all other binaries are built using externally defined CFLAGS and LDFLAGS, "make -C libraries/liblmdb/" uses other values.
Any chance these tools could be integrated into the common build process, maybe enabled/disabled by a ./configure option?
* Compilation against openssl-1.1.0d works without issues, and at first startup it also works :-) I'll report on further success...
* But last: make test failed (attached make_test_result.txt)
Andreas
On 31.01.2017 at 22:21, A. Schulze wrote:
- But last: make test failed (attached make_test_result.txt)
the failing test was test059
Starting test059-slave-config for mdb...
running defines.sh
Starting provider slapd on TCP/IP port 9011...
Using ldapsearch to check that provider slapd is running...
Inserting syncprov overlay on provider...
Configuring slave config DB on provider...
ldapmodify failed for slave DB config (80)!
test059-slave-config failed for mdb
$ cat openldap-2.4.45~rc20170130.test/tests/testrun/test.out
adding new entry "olcOverlay=syncprov,olcDatabase={0}config,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: Error: parse_syncrepl_line: unable to parse "suffixmassage=cn=schema,cn=config,cn=slave"
modifying entry "cn=config"
adding new entry "olcDatabase={1}ldif,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={1}ldif,cn=config"
adding new entry "cn=config,cn=slave"
adding new entry "cn=schema,cn=config,cn=slave"
adding new entry "olcDatabase={0}config,cn=config,cn=slave"
modifying entry "olcDatabase={1}ldif,cn=config"
Andreas
On 30.01.2017 at 21:49, Quanah Gibson-Mount wrote:
Optionally, cd tests && make its to run through the regression suite.
This set of tests passes, but I noticed one line:
./data/regressions/its8521/its8521: 268: test: 1: unexpected operator
here is the complete log:
Starting its8521 ...
running defines.sh
This test tracks a case where a consumer fails to replicate from the provider when the provider is dynamically configured for replication. See http://www.openldap.org/its/index.cgi/?findid=8521 and See http://www.openldap.org/its/index.cgi/?findid=8281 for more information.
Starting provider slapd on TCP/IP port 9011...
Using ldapsearch to check that provider slapd is running...
Starting consumer slapd on TCP/IP port 9012...
Using ldapsearch to check that consumer slapd is running...
Setting serverID on provider...
Populating database on provider...
Configuring replication on the provider...
Configuring replication on the consumer...
Sleeping 10 seconds to allow replication to initiate...
Using ldapsearch to read all the entries from the provider...
Using ldapsearch to read all the entries from the consumer...
Filtering provider results...
Filtering consumer results...
Comparing retrieved entries from provider and consumer...
./data/regressions/its8521/its8521: 268: test: 1: unexpected operator
Modifying provider to force generation of a contextCSN
Sleeping 30 seconds to allow consumer to reconnect and replicate...
Using ldapsearch to read all the entries from the provider...
Using ldapsearch to read all the entries from the consumer...
Filtering provider results...
Filtering consumer results...
Comparing retrieved entries from provider and consumer...
Test succeeded ./data/regressions/its8521/its8521 completed OK.
Andreas
From: Quanah Gibson-Mount
Subject: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
For this testing call, we particularly need folks to test OpenLDAP with startTLS/LDAPS when compiled against OpenSSL (both pre 1.1 series and with the 1.1 series).
Compiled successfully with Gentoo Linux and OpenSSL 1.02j/cyrus-sasl 2.1.26, configured as:
--prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --disable-dependency-tracking --disable-silent-rules --libdir=/usr/lib64 --libexecdir=/usr/lib64/openldap --disable-static --enable-ldap --enable-slapd --enable-bdb --enable-hdb --enable-dnssrv=mod --enable-ldap=mod --enable-mdb=mod --enable-meta=mod --enable-monitor=mod --enable-null=mod --enable-passwd=mod --enable-relay=mod --enable-shell=mod --enable-sock=mod --disable-perl --disable-sql --disable-crypt --disable-slp --disable-lmpasswd --enable-syslog --enable-aci --enable-cleartext --enable-modules --enable-rewrite --enable-rlookups --enable-slapi --enable-syncprov=yes --enable-overlays=mod --enable-ipv6 --with-cyrus-sasl --enable-spasswd --disable-wrappers --with-tls=openssl --enable-dynamic --enable-local --enable-proctitle --enable-shared
make test completed successfully. Is there any particular way to verify all the tests were okay? Does the make itself fail if any of the tests do? I did not see a summary at the end. make its was not as happy:
Starting its4326 ...
running defines.sh
Running slapadd to build slapd database...
Starting slapd on TCP/IP port 9011...
Using ldapsearch to check that slapd is running...
Starting proxy slapd on TCP/IP port 9012...
Using ldapsearch to check that proxy slapd is running...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
ldapsearch failed (255)!
./data/regressions/its4326/its4326: line 93: kill: (28780) - No such process
./data/regressions/its4326/its4326 failed (exit 255)
I see the fix for ITS8432 is included in this release (yay); I was wondering if you've had any luck tracking down the underlying issue behind ITS8444? So far I still haven't seen any corruption or operational issues from it, but the rampant noise in the logs and errors being generated are quite disconcerting :). Plus they will potentially mask any errors that are actually indicative of a real problem.
Thanks.
On 30.01.2017 at 21:49, Quanah Gibson-Mount wrote:
For this testing call, we particularly need folks to test OpenLDAP with startTLS/LDAPS when compiled against OpenSSL (both pre 1.1 series and with the 1.1 series).
Hello,
For nearly a week now I have been running that release without any noise. It's compiled against openssl-1.1.0d and runs on an IPv6-only host. But: it's a small private server, no load, no replication...
One point is worth mentioning: I also exposed the server on port 443 and did a scan with ssllabs.com. While I'm pretty sure I configured the certificates properly, ssllabs proves that the server delivers not only the certificate and the intermediate but also the root as part of the initial SSL handshake.
My TLS settings are:
TLSCertificateFile /path/to/cert.pem
TLSCertificateKeyFile /path/to/key.pem
TLSCACertificateFile /path/to/intermediate.pem
TLSCACertificatePath /path/to/an/empty/directory/
TLSProtocolMin 3.3
$ openssl x509 -noout -in /path/to/cert.pem -issuer -subject
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
subject= /CN=ldap-test.example.org
$ openssl x509 -noout -in /path/to/intermediate.pem -issuer -subject
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
A manual test using openssl s_client also proves the root is wrongly delivered:
$ echo | openssl11 s_client -connect ldap-test.example.org:443 -showcerts
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ldap-test.example.org
verify return:1
---
Certificate chain
...
Ultimate features would be OCSP stapling (OK, no LDAP client currently implements that) and setting ecdh_curve via SSL_CTX_set1_curves_list.
Andreas
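An added check, not from this thread and not OpenLDAP code, that automates the s_client test above: it splits a captured PEM chain and reports whether the last certificate is self-signed, i.e. whether the server is shipping its root CA instead of stopping at the intermediate. It assumes the openssl command-line tool is on PATH; the capture_chain helper and the host name in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: detect a server that sends its root CA in the TLS handshake.
# Assumes the openssl CLI is on PATH. Not part of OpenLDAP.
set -e

# Capture the certificate chain a server presents, as PEM, into $3.
# Mirrors the manual "echo | openssl s_client -showcerts" test from the thread.
capture_chain() {  # $1 = host, $2 = port, $3 = output file
    echo | openssl s_client -connect "$1:$2" -showcerts 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3"
}

# Number of PEM certificates in a file (prints 0 rather than failing).
cert_count() {  # $1 = pem file
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print one DN field (subject or issuer) of the N-th certificate in the file.
# The "subject=" / "issuer=" prefix is stripped so the two can be compared.
cert_field() {  # $1 = pem file, $2 = 1-based index, $3 = subject|issuer
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1" \
        | openssl x509 -noout -"$3" | sed 's/^[a-z]*= *//'
}

# Succeeds (exit 0) when the last certificate in the chain is self-signed,
# meaning the server delivered the root CA; fails otherwise. A correct chain
# ends at the intermediate and leaves the root to the client's trust store.
chain_has_root() {  # $1 = pem chain file
    n=$(cert_count "$1")
    [ "$n" -gt 0 ] || return 1
    [ "$(cert_field "$1" "$n" subject)" = "$(cert_field "$1" "$n" issuer)" ]
}

# Usage against a live server (host name is a placeholder):
#   capture_chain ldap-test.example.org 636 chain.pem
#   chain_has_root chain.pem && echo "root CA is sent in the handshake"
```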
On Thu, Feb 09, 2017 at 08:27:29PM +0100, A. Schulze wrote:
One point is worth mentioning: I also exposed the server on port 443 and did a scan with ssllabs.com. While I'm pretty sure I configured the certificates properly, ssllabs proves that the server delivers not only the certificate and the intermediate but also the root as part of the initial SSL handshake.
Is there an ITS for this issue?
Ryan Tandy:
On Thu, Feb 09, 2017 at 08:27:29PM +0100, A. Schulze wrote:
One point is worth mentioning: I also exposed the server on port 443 and did a scan with ssllabs.com. While I'm pretty sure I configured the certificates properly, ssllabs proves that the server delivers not only the certificate and the intermediate but also the root as part of the initial SSL handshake.
Is there an ITS for this issue?
Yes, http://www.openldap.org/its/index.cgi?findid=8586
Andreas