Re: ITS#8866 (was: ITS review 6/14/2019)

2019-06-27 Thread Michael Ströder
On 6/27/19 6:37 PM, Howard Chu wrote:
> Michael Ströder wrote:
>> On 6/27/19 6:23 PM, Michael Ströder wrote:
>>> On 6/27/19 6:18 PM, Howard Chu wrote:
>>>> Michael Ströder wrote:
>>>>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>>>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>>>>
>>>>> But one more I'd love to see in 2.4.48:
>>>>>
>>>>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic
>>>>> message
>>>>>
>>>>> https://www.openldap.org/its/index.cgi?findid=8866
>>>>
>>>> I don't believe the information disclosure issues have been
>>>> sufficiently answered there. Overall it's a bad idea and goes against
>>>> our standing policy of minimal disclosure.
>>> Sorry, you already have the disclosure.
>>>
>>> Citing from my old e-mail found here:
>>> https://www.openldap.org/lists/openldap-devel/201711/msg3.html
>>>
>>>> But this problem exists anyway because an attacker can probe
>>>> values by adding entries with non-unique attributes and determine
>>>> whether an attribute value exists or not by distinguishing the result
>>>> code constraintViolation(19) vs. insufficientAccessRights(50).
>>>> Even worse this even works in case the attacker does not have read
>>>> access anywhere!
> 
> Then that's a bug that should be fixed.

If you really want to fix this bug then you have to fully enforce access
control when processing the write operation *before* enforcing the
constraints. (I guess this is not easily done with the current overlay
stack processing.)

But if you fixed it then the disclosure will only happen if the user is
authorized to modify the entry. So same fix for the very same problem. ;-)

Conclusion:
1. Applying ITS#8866 patch to RE24 will not make things worse.
2. The real fix will also fix the disclosure issue.

Ciao, Michael.
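A small model of the ordering point made in this message, added here as an example and not OpenLDAP code: a toy directory with a uniqueness constraint on `mail`, processed once with the constraint check ahead of the access check (the leaky order) and once with access control enforced first. The result codes 19 and 50 are the LDAP codes named in the thread; the class name, DNs and identities (`ToyDirectory`, `cn=anon`, `dc=example,dc=test`) are constructed for the example.

```python
# Added example (not OpenLDAP code): a toy model of how the order of
# access-control and constraint enforcement on an add operation decides
# whether an unauthorised client can learn that a value already exists.
CONSTRAINT_VIOLATION = 19   # LDAP constraintViolation
INSUFFICIENT_ACCESS = 50    # LDAP insufficientAccessRights
SUCCESS = 0


class ToyDirectory:
    """Minimal DIT with a uniqueness constraint on selected attributes.

    entries maps DN -> {attribute: set(values)}; writers is the set of
    identities allowed to add entries; unique_attrs lists attributes whose
    values must be unique across the DIT. All names are constructed.
    """

    def __init__(self, entries, writers, unique_attrs):
        self.entries = {dn: {a: set(v) for a, v in attrs.items()}
                        for dn, attrs in entries.items()}
        self.writers = set(writers)
        self.unique_attrs = set(unique_attrs)

    def _constraint_ok(self, attrs):
        # Reject if any value of a unique attribute already exists anywhere.
        for attr in self.unique_attrs & set(attrs):
            for value in attrs[attr]:
                if any(value in e.get(attr, ()) for e in self.entries.values()):
                    return False
        return True

    def _may_add(self, identity):
        return identity in self.writers

    def _commit(self, dn, attrs):
        self.entries[dn] = {a: set(v) for a, v in attrs.items()}
        return SUCCESS

    def add_constraint_first(self, identity, dn, attrs):
        """Leaky order: the constraint check runs before the ACL check."""
        if not self._constraint_ok(attrs):
            return CONSTRAINT_VIOLATION
        if not self._may_add(identity):
            return INSUFFICIENT_ACCESS
        return self._commit(dn, attrs)

    def add_access_first(self, identity, dn, attrs):
        """Fixed order: ACL first, constraint only for authorised writers."""
        if not self._may_add(identity):
            return INSUFFICIENT_ACCESS
        if not self._constraint_ok(attrs):
            return CONSTRAINT_VIOLATION
        return self._commit(dn, attrs)


def make_directory():
    # Constructed sample DIT: one existing entry, one authorised writer.
    return ToyDirectory(
        entries={"uid=alice,ou=people,dc=example,dc=test":
                 {"mail": ["alice@example.test"]}},
        writers={"cn=admin,dc=example,dc=test"},
        unique_attrs=["mail"],
    )


def result_codes(order, identity):
    """Result codes for adding an entry whose mail value already exists
    vs. one whose value is fresh. Returns (existing, fresh)."""
    d = make_directory()
    add = getattr(d, "add_" + order)
    existing = add(identity, "uid=bob,ou=people,dc=example,dc=test",
                   {"mail": ["alice@example.test"]})
    fresh = add(identity, "uid=carol,ou=people,dc=example,dc=test",
                {"mail": ["carol@example.test"]})
    return existing, fresh


def leaks_existence(order, identity="cn=anon"):
    """True if a client without write access can tell the two cases apart."""
    existing, fresh = result_codes(order, identity)
    return existing != fresh


if __name__ == "__main__":
    for order in ("constraint_first", "access_first"):
        print(order, result_codes(order, "cn=anon"),
              "leaks:", leaks_existence(order))
    # The authorised writer still receives the constraint diagnostic.
    print("admin, access_first:",
          result_codes("access_first", "cn=admin,dc=example,dc=test"))
```

With the access check first, an unauthorised client receives insufficientAccessRights(50) in both cases and learns nothing from the result code, while an authorised writer still gets constraintViolation(19), which is the situation in which a more detailed diagnostic message is no additional disclosure.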



Re: ITS#8866 (was: ITS review 6/14/2019)

2019-06-27 Thread Howard Chu
Michael Ströder wrote:
> On 6/27/19 6:23 PM, Michael Ströder wrote:
>> On 6/27/19 6:18 PM, Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>>>
>>>> But one more I'd love to see in 2.4.48:
>>>>
>>>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>>>>
>>>> https://www.openldap.org/its/index.cgi?findid=8866
>>>
>>> I don't believe the information disclosure issues have been
>>> sufficiently answered there. Overall it's a bad idea and goes against
>>> our standing policy of minimal disclosure.
>> Sorry, you already have the disclosure.
>>
>> Citing from my old e-mail found here:
>> https://www.openldap.org/lists/openldap-devel/201711/msg3.html
>>
>>>> But this problem exists anyway because an attacker can probe
>>>> values by adding entries with non-unique attributes and determine
>>>> whether an attribute value exists or not by distinguishing the result
>>>> code constraintViolation(19) vs. insufficientAccessRights(50).
>>>> Even worse this even works in case the attacker does not have read
>>>> access anywhere!

Then that's a bug that should be fixed.
> 
> Furthermore the security of a system should not rely on confidentiality
> of the configuration. E.g. with Æ-DIR the config is publicly known.

That was your choice to decide for yourself. Not for everyone else though.
The default behavior has always been to restrict viewing of the config
to administrators. I see no reason to change this policy.

> Also note I'm usually blamed for making directory contents too confidential.
> 
> Ciao, Michael.
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: ITS#8866 (was: ITS review 6/14/2019)

2019-06-27 Thread Michael Ströder
On 6/27/19 6:23 PM, Michael Ströder wrote:
> On 6/27/19 6:18 PM, Howard Chu wrote:
>> Michael Ströder wrote:
>>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>>
>>> But one more I'd love to see in 2.4.48:
>>>
>>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>>>
>>> https://www.openldap.org/its/index.cgi?findid=8866
>>
>> I don't believe the information disclosure issues have been
>> sufficiently answered there. Overall it's a bad idea and goes against
>> our standing policy of minimal disclosure.
> Sorry, you already have the disclosure.
> 
> Citing from my old e-mail found here:
> https://www.openldap.org/lists/openldap-devel/201711/msg3.html
> 
>> But this problem exists anyway because an attacker can probe
>> values by adding entries with non-unique attributes and determine
>> whether an attribute value exists or not by distinguishing the result
>> code constraintViolation(19) vs. insufficientAccessRights(50).
>> Even worse this even works in case the attacker does not have read
>> access anywhere!

Furthermore the security of a system should not rely on confidentiality
of the configuration. E.g. with Æ-DIR the config is publicly known.

Also note I'm usually blamed for making directory contents too confidential.

Ciao, Michael.





Re: ITS#8866 (was: ITS review 6/14/2019)

2019-06-27 Thread Michael Ströder
On 6/27/19 6:18 PM, Howard Chu wrote:
> Michael Ströder wrote:
>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>
>> But one more I'd love to see in 2.4.48:
>>
>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>>
>> https://www.openldap.org/its/index.cgi?findid=8866
> 
> I don't believe the information disclosure issues have been
> sufficiently answered there. Overall it's a bad idea and goes against
> our standing policy of minimal disclosure.
Sorry, you already have the disclosure.

Citing from my old e-mail found here:
https://www.openldap.org/lists/openldap-devel/201711/msg3.html

> But this problem exists anyway because an attacker can probe
> values by adding entries with non-unique attributes and determine
> whether an attribute value exists or not by distinguishing the result
> code constraintViolation(19) vs. insufficientAccessRights(50).
> Even worse this even works in case the attacker does not have read
> access anywhere!

Ciao, Michael.



Re: ITS#8866 (was: ITS review 6/14/2019)

2019-06-27 Thread Howard Chu
Michael Ströder wrote:
> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>> Thanks to Ondrej, this list is a bit shorter now. :)
> 
> But one more I'd love to see in 2.4.48:
> 
> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
> 
> https://www.openldap.org/its/index.cgi?findid=8866

I don't believe the information disclosure issues have been sufficiently
answered there. Overall it's a bad idea and goes against our standing
policy of minimal disclosure.

At most you would expect something relevant in syslog. The actual rules in
play are only the sysadmin's business, not any end user's.

> I have a back-port patch for this in my own 2.4.47 packages because it
> is very useful.
> 
> Ciao, Michael.
> 
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



ITS#8866 (was: ITS review 6/14/2019)

2019-06-22 Thread Michael Ströder
On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
> Thanks to Ondrej, this list is a bit shorter now. :)

But one more I'd love to see in 2.4.48:

ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message

https://www.openldap.org/its/index.cgi?findid=8866

I have a back-port patch for this in my own 2.4.47 packages because it
is very useful.

Ciao, Michael.



Re: ITS review 6/14/2019

2019-06-17 Thread Quanah Gibson-Mount

--On Monday, June 17, 2019 2:23 PM +0100 Howard Chu  wrote:


The following ITSes have a patch or have been committed already.
---

ITS#7721 - contrib/lastbind - allow authtimestamp forwarding with
updateref (44e9bda0e42f40e0baf0a2c0ef733eb757abd366)


This is an enhancement, not a bugfix.


Generally we've allowed that for contrib modules.



ITS#7770 - back-monitor - Add mdb_stat info
(e19c683c41e14365d28e82278eec1d8b12c71d4c ,
6e2bac6465bb81a8c1aeb083b6dc497eb4187264 )


This is also an enhancement, not a bugfix.

Already discussed adding #7770 to RE24, seems like a good idea. Are we
allowing other enhancements into RE24?


We've done a few: back-sock enhancements in 2.4.47, for example, support 
for OpenSSL 1.1.0+ in 2.4.45, support for "nordahead" flag in 2.4.37 with 
back-mdb.  So it's your call.




ITS#8695 - slapd - "sleep" is deprecated (WINDOWS ONLY) (has patch, IPR
OK)


Needs version checks.


Ok, will work on that bit. :)


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 6/14/2019

2019-06-17 Thread Howard Chu
Quanah Gibson-Mount wrote:
> Thanks to Ondrej, this list is a bit shorter now. :)
> 
> 
> The following ITSes have a patch or have been committed already.
> ---
> 
> ITS#7721 - contrib/lastbind - allow authtimestamp forwarding with updateref 
> (44e9bda0e42f40e0baf0a2c0ef733eb757abd366)

This is an enhancement, not a bugfix.
> 
> ITS#7770 - back-monitor - Add mdb_stat info 
> (e19c683c41e14365d28e82278eec1d8b12c71d4c , 
> 6e2bac6465bb81a8c1aeb083b6dc497eb4187264 )

This is also an enhancement, not a bugfix.

Already discussed adding #7770 to RE24, seems like a good idea. Are we allowing 
other enhancements into RE24?

>  ITS#8037 - slapd - Fix delta-syncrepl with relax 
> (cb9a4d01bc1ecf1eeb3fb7ef39067b2b30b6c545)

OK.
> 
> ITS#8349 - Fix ppolicy behavior with pwdHistory

OK.
> 
> ITS#8508 - liblunicode - Fix ucgendat 
> (cc99da182f53d3d4f3874703643b23717af3)

OK.
> 
>  ITS#8637 - slapd-ldap - Correctly reject invalid config with 
> slapd-config (has patch, IPR OK)

OK.
> 
>  ITS#8671 - libldap - ldap_init_fd() in ldap.h 
> (6a5e30674b63b17587738ba9a3d1ea3633c33fb1)

already merged
> 
> ITS#8695 - slapd - "sleep" is deprecated (WINDOWS ONLY) (has patch, IPR OK)

Needs version checks.
> 
>  ITS#8755 - libldap - leaking file descriptor when closing connection 
> (has patch, IPR OK)

OK.
> 
> ITS#8794 - libraries/libldap - Fix implicit declaration (has minor patch)

OK.
> 
>  ITS#8799 - back-chain - Fix conversion from slapd.conf (has patch, IPR 
> OK)

OK.
> 
>  ITS#8864 - liblber - fix ber_flush 
> (fb49d486a35fd4b2e993398c1eea0c8f7bc6ac40)

OK.
> 
> ITS#8875 - back-mdb - fix performance problems with large DIT and many 
> aliases (has patch, RE25 only)
> 
>  ITS#8997 - slapd-ldap - Fix segfault (Howard already wrote the patch, 
> just needs to be committed)

OK.
> 
> ITS#9000 - slapo-memberof - Fix group rename issue (Ondrej has already 
> written the patch, just needs to be committed?)

OK.

-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



ITS review 6/14/2019

2019-06-14 Thread Quanah Gibson-Mount

Thanks to Ondrej, this list is a bit shorter now. :)


The following ITSes have a patch or have been committed already.
---

ITS#7721 - contrib/lastbind - allow authtimestamp forwarding with updateref 
(44e9bda0e42f40e0baf0a2c0ef733eb757abd366)


ITS#7770 - back-monitor - Add mdb_stat info 
(e19c683c41e14365d28e82278eec1d8b12c71d4c , 
6e2bac6465bb81a8c1aeb083b6dc497eb4187264 )


 ITS#8037 - slapd - Fix delta-syncrepl with relax 
(cb9a4d01bc1ecf1eeb3fb7ef39067b2b30b6c545)


ITS#8349 - Fix ppolicy behavior with pwdHistory

ITS#8508 - liblunicode - Fix ucgendat 
(cc99da182f53d3d4f3874703643b23717af3)


 ITS#8637 - slapd-ldap - Correctly reject invalid config with 
slapd-config (has patch, IPR OK)


 ITS#8671 - libldap - ldap_init_fd() in ldap.h 
(6a5e30674b63b17587738ba9a3d1ea3633c33fb1)


ITS#8695 - slapd - "sleep" is deprecated (WINDOWS ONLY) (has patch, IPR OK)

 ITS#8755 - libldap - leaking file descriptor when closing connection 
(has patch, IPR OK)


ITS#8794 - libraries/libldap - Fix implicit declaration (has minor patch)

 ITS#8799 - back-chain - Fix conversion from slapd.conf (has patch, IPR 
OK)


 ITS#8864 - liblber - fix ber_flush 
(fb49d486a35fd4b2e993398c1eea0c8f7bc6ac40)


ITS#8875 - back-mdb - fix performance problems with large DIT and many 
aliases (has patch, RE25 only)


 ITS#8997 - slapd-ldap - Fix segfault (Howard already wrote the patch, 
just needs to be committed)


ITS#9000 - slapo-memberof - Fix group rename issue (Ondrej has already 
written the patch, just needs to be committed?)




--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 6/4/2019

2019-06-13 Thread Quanah Gibson-Mount
--On Thursday, June 13, 2019 7:47 PM +0200 Ondřej Kuzník 
 wrote:



 ITS#9001 - libraries/libldap - Use new Tavl bits to reduce search
time (has patch, IPR OK)


This one isn't ready yet, might not belong to 2.4 anyway, also pending
answer on
https://www.openldap.org/lists/openldap-devel/201903/msg00011.html


Yep, that was in there by mistake. :)  I've removed it from my ITS document.

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 6/4/2019

2019-06-13 Thread Ondřej Kuzník
On Tue, Jun 04, 2019 at 02:05:13PM -0700, Quanah Gibson-Mount wrote:
> All of the following have patches and need review/approval.  Any with  I
> consider desired for the next releases of LMDB & OpenLDAP:

For the ones I had a look at this week (others are written by me or
wasn't sure):

> LMDB related ITSes
> --
>  ITS#8986 - Fix LMDB for FreeBSD12 (has patch, IPR OK)
> ITS#8739 - liblmdb - Fixes fsync check on FreeBSD (has patch, IPR not
> needed)
> 
> 
> OpenLDAP related ITSes for RE24
> ---
> ITS#7042 - slapd/syncrepl - Allow disconfiguring TLS settings (has patch,
> IPR OK)

Pushed to master with a followup patch, should be ok for 2.4

> ITS#7721 - contrib/lastbind - allow authtimestamp forwarding with updateref
> (44e9bda0e42f40e0baf0a2c0ef733eb757abd366)
> 
> ITS#7770 - back-monitor - Add mdb_stat info
> (e19c683c41e14365d28e82278eec1d8b12c71d4c ,
> 6e2bac6465bb81a8c1aeb083b6dc497eb4187264 )
> 
>  ITS#7996, ITS#8450 - libldap - Fix race condition (has patch, IPR OK)

ITS#7996 is in master now, ok for 2.4

Will look at ITS#8450 soon

>  ITS#8037 - slapd - Fix delta-syncrepl with relax
> (cb9a4d01bc1ecf1eeb3fb7ef39067b2b30b6c545)

I'd say this looks ok, but check with Howard whether to backport this.

>  ITS#8167 - libldap - fix non-blocking TLS
> (46c93e41f43da7f16270179c6eff75e450617329)

Looks ok for 2.4

> ITS#8349 - Fix ppolicy behavior with pwdHistory
> 
>  ITS#8427 - slapd/syncrepl - Fix broken behavior for TLS options (has
> patch, IPR OK)

Pushed to master with a followup patch, should be ok for 2.4

> ITS#8508 - liblunicode - Fix ucgendat
> (cc99da182f53d3d4f3874703643b23717af3)
> 
>  ITS#8637 - slapd-ldap - Correctly reject invalid config with
> slapd-config (has patch, IPR OK)
> 
>  ITS#8671 - libldap - ldap_init_fd() in ldap.h (has patch, for Samba
> project, IPR OK)

Will create openldap.h and deal with this soon.

>  ITS#8674 - libldap - Fix leak (has patch, IPR not needed)

In master, ok for 2.4

> ITS#8695 - slapd - "sleep" is deprecated (WINDOWS ONLY) (has patch, IPR OK)
> 
> ITS#8754 - libldap - Correctly ignore IPv6 if IPv6 is disabled (has patch)

In master, ok for 2.4

>  ITS#8755 - libldap - leaking file descriptor when closing connection
> (has patch, IPR OK)
> 
> ITS#8794 - libraries/libldap - Fix implicit declaration (has minor patch)
> 
>  ITS#8841 - back-meta - Fix assertion if the network interface goes down
> (17f1e32b65c332f7a33b77ebe6e20b47188a88aa)

That looks fine for 2.4

>  ITS#8864 - liblber - fix ber_flush
> (fb49d486a35fd4b2e993398c1eea0c8f7bc6ac40)
> 
>  ITS#8997 - slapd-ldap - Fix segfault (Howard already wrote the patch,
> just needs to be committed)
> 
>  ITS#9001 - libraries/libldap - Use new Tavl bits to reduce search time
> (has patch, IPR OK)

This one isn't ready yet, might not belong to 2.4 anyway, also pending
answer on https://www.openldap.org/lists/openldap-devel/201903/msg00011.html

> OpenLDAP related ITSes for RE25
> ---
> ITS#8875 - back-mdb - fix performance problems with large DIT and many
> aliases (has patch)

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation   http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP



Re: ITS review 6/4/2019

2019-06-05 Thread Clément OUDOT
Hello,

this issue is also opened and could be easy to fix:
http://www.openldap.org/its/index.cgi?findid=9000

We can provide a patch but I would like therefore your point of view
about the proposed solution (removing old value before adding the new one).

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




Re: ITS review 4/17/2019

2019-04-19 Thread Quanah Gibson-Mount
--On Wednesday, April 17, 2019 5:16 PM -0700 Quanah Gibson-Mount 
 wrote:



Some of these items are RE24 + master, a couple are master only.  Some
are for LMDB, not sure if they should be 0.9+master or master only.


---
The following ITSes have a patch or have been committed already.
---


ITS#7326 - use AI_ADDRCONFIG, addresses a fixme.  (Has patch and IPR)

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





ITS review 4/17/2019

2019-04-17 Thread Quanah Gibson-Mount
Some of these items are RE24 + master, a couple are master only.  Some are 
for LMDB, not sure if they should be 0.9+master or master only.



---
The following ITSes have a patch or have been committed already.
---

ITS#8875 - back-mdb - fix performance problems with large DIT and many 
aliases (has patch)


ITS#8864 - liblber - fix ber_flush 
(fb49d486a35fd4b2e993398c1eea0c8f7bc6ac40)


ITS#8508 - liblunicode - Fix ucgendat 
(cc99da182f53d3d4f3874703643b23717af3)


ITS#8167 - libldap - fix non-blocking TLS 
(46c93e41f43da7f16270179c6eff75e450617329)


ITS#8037 - slapd - Fix delta-syncrepl with relax 
(cb9a4d01bc1ecf1eeb3fb7ef39067b2b30b6c545)


ITS#7721 - contrib/lastbind - allow authtimestamp forwarding with updateref 
(44e9bda0e42f40e0baf0a2c0ef733eb757abd366)


ITS#7770 - back-monitor - Add mdb_stat info 
(e19c683c41e14365d28e82278eec1d8b12c71d4c , 
6e2bac6465bb81a8c1aeb083b6dc497eb4187264 )


ITS#8841 - back-meta - Fix assertion if the network interface goes down 
(17f1e32b65c332f7a33b77ebe6e20b47188a88aa)


ITS#8999 - slapd - Fix telephoneNumberNormalize, cert DN validation 
(d8c90a2feebb9eeecc69cd0c4411f51cb75a7dbb, 
8b7f21c7aa8c99065977b3dd4eb41f9f41eeadde)


ITS#8695 - slapd -"sleep" is deprecated (WINDOWS ONLY) (has patch)

ITS#8637 - slapd-ldap - Correctly reject invalid config with slapd-config 
(has patch)


ITS#8674 - libldap - Fix leak (has patch)

ITS#7996, ITS#8450 - libldap - Fix race condition (has patch)

ITS#8427 - slapd/syncrepl - Fix broken behavior for TLS options (has patch)

ITS#8417 - liblmdb - Add -T option to mdb_load to specify the mapsize (has 
patch)


ITS#8739 - liblmdb - Fixes fsync check on FreeBSD (has patch)

ITS#8748 - liblmdb - New feature for write ops (has patch, IPR OK)

ITS#8754 - libldap - Correctly ignore IPv6 if IPv6 is disabled (has patch)

ITS#8671 - libldap - ldap_init_fd() in ldap.h (has patch, for Samba project)

ITS#7042 - slapd/syncrepl - Allow disconfiguring TLS settings (has patch)

ITS#8794 - libraries/libldap - Fix implicit declaration (has minor patch)

ITS#9001 - libraries/libldap - Use new Tavl bits to reduce search time (has 
patch)


ITS#9008 - slapd-modules - Fix rpath in module builds (has patch)

ITS#8997 - slapd-ldap - Fix segfault (Howard already wrote the patch, just 
needs to be committed)


---
The following commits have no associated ITS, but apply to RE24
---

3bda24173df9b071aafc7c3f294c17af3ea2c7d0 -- Do not leak memory in slappasswd

593512bb7b2b5d23a658d3a8d05bdeeb15d7611f -- Just the first commit (there is 
significant divergence in the tests/slapd-progs between RE24 and master)



--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review

2019-03-12 Thread Michael Ströder
On 1/31/19 3:50 AM, Quanah Gibson-Mount wrote:
> There have been some reports coming in to the ITS system that likely
> should go into OpenLDAP 2.4.48/LMDB 0.9.23.

I know feature requests are not welcome.
But it would help to have this in RE24:

ITS#7770 - mdb_stat in cn=monitor

Ciao, Michael.



Re: ITS review

2019-02-06 Thread Howard Chu
Clément OUDOT wrote:
> 
> 
> Le 03/02/2019 à 14:30, Clément OUDOT a écrit :
>> Hello,
>>
>> I faced a regression with the fix of
>> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8840 in 2.4.47,
>> the script of one of my customer is now failing with:
>>
>> Feb  1 06:30:21 deimos slapd[12751]: conn=324820 op=2 SEARCH RESULT
>> tag=101 err=2 nentries=0 text=domainScope control value not absent
>>
>> I will look next week if this can be fixed on script side, I will let
>> you know. Does anybody else hit this issue?
> 
> ITS#8973 opened: http://www.openldap.org/its/index.cgi?findid=8973
> 
> From my point of view this is a regression in 2.4.47, but maybe the bug
> is inside the C# LDAP API.
> 
There is no regression in 2.4.47 here.

-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: ITS review

2019-02-03 Thread Clément OUDOT
Hello,

I faced a regression with the fix of
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8840 in 2.4.47,
the script of one of my customer is now failing with:

Feb  1 06:30:21 deimos slapd[12751]: conn=324820 op=2 SEARCH RESULT
tag=101 err=2 nentries=0 text=domainScope control value not absent

I will look next week if this can be fixed on script side, I will let
you know. Does anybody else hit this issue?

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




Re: ITS review

2019-02-02 Thread Michael Ströder

On 1/31/19 3:50 AM, Quanah Gibson-Mount wrote:
There have been some reports coming in to the ITS system that likely 
should go into OpenLDAP 2.4.48/LMDB 0.9.23.


Probably this should also be added:

(ITS#8971) slapo-accesslog hits assert

Ciao, Michael.





Re: ITS review

2019-01-31 Thread Quanah Gibson-Mount

Done.

Looks like just ITS#8967 remains from this list.  I forgot yesterday to add 
ITS#8875 to this list, but that also needs some attention I think.


--Quanah

--On Thursday, January 31, 2019 11:04 PM + Howard Chu  
wrote:



Quanah Gibson-Mount wrote:

There have been some reports coming in to the ITS system that likely
should go into OpenLDAP 2.4.48/LMDB 0.9.23.  These are:

ITS#8969 - Tweak to LMDB page splits (already committed to LMDB RE0.9)

ITS#8968 - ASYNC connect mode does not work on Solaris
()

ITS#8967 - back-mdb "unchecked" limits broken with particular search
scopes. Needs fix.

ITS#8957 - ASYNC TLS mode is broken
()

ITS#8963 - StartTLS failures with back-ldap due to bug in timeout
calculation. Needs fix.


Looking at this now. Go ahead and merge the ones with existing fixes.


ITS#8472 - only do index DB cleanup if DB is running (fix committed to
master)

ITS#8952 - High CPU usage when idletime is < 4 (fix committed to master)

Any objections to me syncing these over into RE24?

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:







--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/




--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review

2019-01-31 Thread Howard Chu
Quanah Gibson-Mount wrote:
> There have been some reports coming in to the ITS system that likely should 
> go into OpenLDAP 2.4.48/LMDB 0.9.23.  These are:
> 
> ITS#8969 - Tweak to LMDB page splits (already committed to LMDB RE0.9)
> 
> ITS#8968 - ASYNC connect mode does not work on Solaris 
> ()
> 
> ITS#8967 - back-mdb "unchecked" limits broken with particular search scopes. 
> Needs fix.
> 
> ITS#8957 - ASYNC TLS mode is broken 
> ()
> 
> ITS#8963 - StartTLS failures with back-ldap due to bug in timeout 
> calculation. Needs fix.

Looking at this now. Go ahead and merge the ones with existing fixes.
> 
> ITS#8472 - only do index DB cleanup if DB is running (fix committed to master)
> 
> ITS#8952 - High CPU usage when idletime is < 4 (fix committed to master)
> 
> Any objections to me syncing these over into RE24?
> 
> --Quanah
> 
> 
> 
> -- 
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> 
> 
> 
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



ITS review

2019-01-30 Thread Quanah Gibson-Mount
There have been some reports coming in to the ITS system that likely should 
go into OpenLDAP 2.4.48/LMDB 0.9.23.  These are:


ITS#8969 - Tweak to LMDB page splits (already committed to LMDB RE0.9)

ITS#8968 - ASYNC connect mode does not work on Solaris 
()


ITS#8967 - back-mdb "unchecked" limits broken with particular search 
scopes. Needs fix.


ITS#8957 - ASYNC TLS mode is broken 
()


ITS#8963 - StartTLS failures with back-ldap due to bug in timeout 
calculation. Needs fix.


ITS#8472 - only do index DB cleanup if DB is running (fix committed to 
master)


ITS#8952 - High CPU usage when idletime is < 4 (fix committed to master)

Any objections to me syncing these over into RE24?

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 9/29/2017

2017-10-11 Thread Quanah Gibson-Mount
--On Thursday, October 12, 2017 1:03 AM +0200 Michael Ströder 
 wrote:



Quanah Gibson-Mount wrote:

---
Purely for RE25:
---


What about ITS#8714?
RFE: Sendout EXTENDED operation message in back-sock


This is already in master.  Anything currently in master will be part of 
RE25, unless it is behind LDAP_DEVEL.



Another one which really strikes me:
(ITS#7796) LDAP_DEBUG_TRACE for "not indexed" log messages
With Æ-DIR's set-based ACLs *lots* of stupid "not indexed" messages are
sent to syslog.


I'll add it to my list of items to look at for 2.5.  There has not been an 
exhaustive pass through of the ITS system for items to add to 2.5.  I'm 
going through it in batches.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 9/29/2017

2017-10-11 Thread Michael Ströder
Quanah Gibson-Mount wrote:
> --On Friday, October 06, 2017 5:43 PM -0700 Quanah Gibson-Mount
>  wrote:
> 
>>> This is debatable:
>>>
>>> 1. OpenLDAP 2.4.x accepts modify operations with LDAP_MOD_INCREMENT
>>>
>>> 2. OpenLDAP 2.4.x sends modify operations via back-sock to external
>>> listeners
>>>
>>> Therefore I'd consider this rather a fix than a new feature.
>>
>> Convince Howard. ;)
> 
> This is now in RE24 for the 2.4.46 release.

Thanks! :-)

Ciao, Michael.





Re: ITS review 9/29/2017

2017-10-11 Thread Michael Ströder
Quanah Gibson-Mount wrote:
> ---
> Purely for RE25:
> ---

What about ITS#8714?
RFE: Sendout EXTENDED operation message in back-sock

Could this make it into RE25?

Another one which really strikes me:
(ITS#7796) LDAP_DEBUG_TRACE for "not indexed" log messages
With Æ-DIR's set-based ACLs *lots* of stupid "not indexed" messages are
sent to syslog.

Ciao, Michael.





Re: ITS review 9/29/2017

2017-10-11 Thread Quanah Gibson-Mount
--On Friday, October 06, 2017 5:43 PM -0700 Quanah Gibson-Mount 
 wrote:



This is debatable:

1. OpenLDAP 2.4.x accepts modify operations with LDAP_MOD_INCREMENT

2. OpenLDAP 2.4.x sends modify operations via back-sock to external
listeners

Therefore I'd consider this rather a fix than a new feature.


Convince Howard. ;)


This is now in RE24 for the 2.4.46 release.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 9/29/2017

2017-10-06 Thread Hallvard Breien Furuseth

On 06/10/17 23:24, Quanah Gibson-Mount wrote:

--On Friday, October 06, 2017 10:16 PM +0100 Howard Chu 
 wrote:



its7442 - Add debug statements when index_intlen values are out of
range 


Looks pointless.


Well, the man page is not clear on this point.  I'm fine dropping the
debug  statements, but what about the manpage updates which clarify the
min/max  allowed values?


Then we should also document all the other places where for example our
integers accept a max value of 4294967295 or 18446744073709551615 too?
It's stupid. Nobody is using 256 byte integers. Nobody is using integers
bigger than 256 bytes. (Come on, 2^2048? really?) It's a limit that no
one will ever hit in practice.


Well, I can certainly see why someone might expect they could set the 
minimum lower than 4 (even if that would be less than optimal). ;)  
I.e., you're focussed on maxsize, but the report covers both min & 
max.  Any reason not to document that the default value of 4 is also 
the minimum allowed?  I'm fine with dropping the patch as well.


I like the original patch: Don't _silently_ change the user's config,
report the changes.

Document "4 is default and minimum value".

The max - I suppose it fell out of the implementation somewhere.
Don't lock us to that implementation.  If it's even true - there's a
char ibuf[64] in integerIndexer(), so maybe the 255 should be 64.
Haven't looked closely.  Anyway, remember keys of large integers get
a floating format.  Max integer _value_ is only limited by supported
attribute value size.




Re: ITS review 9/29/2017

2017-10-06 Thread Quanah Gibson-Mount
--On Saturday, October 07, 2017 1:13 AM +0200 Michael Ströder 
 wrote:



Quanah Gibson-Mount wrote:

its8692 - Support LDAP_MOD_INCREMENT with back-sock



Why is this super-trivial patch postponed to RE25?


It's a new feature.


This is debatable:

1. OpenLDAP 2.4.x accepts modify operations with LDAP_MOD_INCREMENT

2. OpenLDAP 2.4.x sends modify operations via back-sock to external
listeners

Therefore I'd consider this rather a fix than a new feature.


Convince Howard. ;)

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 9/29/2017

2017-10-06 Thread Michael Ströder
Quanah Gibson-Mount wrote:
>>> its8692 - Support LDAP_MOD_INCREMENT with back-sock
>>> 
>>
>> Why is this super-trivial patch postponed to RE25?
> 
> It's a new feature.

This is debatable:

1. OpenLDAP 2.4.x accepts modify operations with LDAP_MOD_INCREMENT

2. OpenLDAP 2.4.x sends modify operations via back-sock to external
listeners

Therefore I'd consider this rather a fix than a new feature.

Ciao, Michael.





Re: ITS review 9/29/2017

2017-10-06 Thread Quanah Gibson-Mount
--On Friday, October 06, 2017 10:16 PM +0100 Howard Chu  
wrote:



its7442 - Add debug statements when index_intlen values are out of
range 


Looks pointless.


Well, the man page is not clear on this point.  I'm fine dropping the
debug statements, but what about the manpage updates which clarify the
min/max allowed values?


Then we should also document all the other places where for example our
integers accept a max value of 4294967295 or 18446744073709551615 too?
It's stupid. Nobody is using 256 byte integers. Nobody is using integers
bigger than 256 bytes. (Come on, 2^2048? really?) It's a limit that no
one will ever hit in practice.


Well, I can certainly see why someone might expect they could set the 
minimum lower than 4 (even if that would be less than optimal). ;)  I.e., 
you're focussed on maxsize, but the report covers both min & max.  Any 
reason not to document that the default value of 4 is also the minimum 
allowed?  I'm fine with dropping the patch as well.




its8511 - Fix documentation for multimaster, deprecate mirrormode



Gratuitous change, existing docs and practices are already established.
Hard enough to get people to update their docs, this is a bad idea.


This change is not gratuitous in the least.  The misinformation in our
current documentation leads to constant confusion among end users, who
often do not want to go to the lengths necessary to deploy the
*concept* that is mirror mode, and instead just want to do
"multimaster", so they leave our current misnamed 'mirrormode'
parameter set to false.  Fixing the documentation to match the reality
of what's being configured is a positive step to removing confusion and
to stop misleading end users on what is being done.  I've provided
numerous links from the mailing list where this caused problems for end
users before.  Our parameters should reflect what they actually do.


You're talking about confusion for new users, meanwhile you're just
creating confusion for existing users. Existing users tend to complain
more because they have more invested into their running deployments. This
is a bad idea.


Since it deprecates the existing parameter, it has no effect on current 
deployments.  If anyone ends up confused due to the fact that the 
documentation was clarified to reflect objective reality, I'll be more than 
happy to help them.  We already have endless complaints that our 
documentation is overly confusing.  This fix helps address that problem.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 9/29/2017

2017-10-06 Thread Howard Chu

Quanah Gibson-Mount wrote:

--On Friday, October 06, 2017 2:27 PM +0100 Howard Chu  wrote:


Quanah Gibson-Mount wrote:


Suggested for RE24:
---



its7389 - Fix MozNSS to fallback to PEM if cert not found in certdb
(RE24 ONLY) 


Questionable, since the required PEM support module is 3rd party and not
included in MozNSS. We have no way to test or support this patch.



This appears to be a fix for ITS#7276 (Added 2.4.32, 2012/07/31), which we 
already accepted into RE24.  So it seems a legitimate fix to include in RE24.


OK.


its7442 - Add debug statements when index_intlen values are out of range



Looks pointless.


Well, the man page is not clear on this point.  I'm fine dropping the debug 
statements, but what about the manpage updates which clarify the min/max 
allowed values?


Then we should also document all the other places where for example our 
integers accept a max value of 4294967295 or 18446744073709551615 too? It's 
stupid. Nobody is using 256 byte integers. Nobody is using integers bigger 
than 256 bytes. (Come on, 2^2048? really?) It's a limit that no one will ever 
hit in practice.



its8037 - Fix delta-syncrepl with relax



Looks like an enhancement, not a bugfix


I included this for RE24 as the reporter hit this problem with RE24.  If we 
don't want to put it in RE24, are we OK for RE25/master?


Already approved it for RE25/master.


its8167 - Fix nonblocking TLS with referrals



OK, but non-blocking TLS was LDAP_DEVEL, not supported in RE24. This
patch should be master/RE25 only.


I noted this for RE24 because the reporter was using the feature in RE24 
(I.e., they specifically enabled it).  Is there any harm in including (but not 
documenting via the changes file) it in RE24?


OK, leave it undoc'd in RE24.


its8605 - Fix various spelling errors



Introduces trailing whitespace - kill that before committing.
In general, this patch falls under the "do not improve" rule
http://www.openldap.org/devel/programming.html and should be rejected for
not fixing any actual bugs. Many of the typos being fixed are in comments
that are never user-visible anyway. Pollutes git history for a large
number of files without any significant benefit.

Better leave it out of re24.



Is this ok for master/RE25 then?


It's still a bunch of changes that don't actually fix anything.

I guess we can take this in master. As a general rule, we should just reject 
patches like this in the future.



its8511 - Fix documentation for multimaster, deprecate mirrormode



Gratuitous change, existing docs and practices are already established.
Hard enough to get people to update their docs, this is a bad idea.


This change is not gratuitous in the least.  The misinformation in our current 
documentation leads to constant confusion among end users, who often do not 
want to go to the lengths necessary to deploy the *concept* that is mirror 
mode, and instead just want to do "multimaster", so they leave our current 
misnamed 'mirrormode' parameter set to false.  Fixing the documentation to 
match the reality of what's being configured is a positive step to removing 
confusion and to stop misleading end users on what is being done.  I've 
provided numerous links from the mailing list where this caused problems for 
end users before.  Our parameters should reflect what they actually do.


You're talking about confusion for new users, meanwhile you're just creating 
confusion for existing users. Existing users tend to complain more because 
they have more invested into their running deployments. This is a bad idea.



its8573 - Add TLS options to ldap* tools



The manpage updates are a bit excessive. Maybe we need a single manpage
just for common options, that we can refer to from all of the individual
commands' pages.


Ok, I'll add that to my RE25 stack of rework.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:







--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: ITS review 9/29/2017

2017-10-06 Thread Quanah Gibson-Mount
--On Friday, October 06, 2017 2:27 PM +0100 Howard Chu  
wrote:



Quanah Gibson-Mount wrote:


Suggested for RE24:
---



its7389 - Fix MozNSS to fallback to PEM if cert not found in certdb
(RE24 ONLY) 


Questionable, since the required PEM support module is 3rd party and not
included in MozNSS. We have no way to test or support this patch.



This appears to be a fix for ITS#7276 (Added 2.4.32, 2012/07/31), which we 
already accepted into RE24.  So it seems a legitimate fix to include in 
RE24.





its7442 - Add debug statements when index_intlen values are out of range



Looks pointless.


Well, the man page is not clear on this point.  I'm fine dropping the debug 
statements, but what about the manpage updates which clarify the min/max 
allowed values?



its8037 - Fix delta-syncrepl with relax



Looks like an enhancement, not a bugfix


I included this for RE24 as the reporter hit this problem with RE24.  If we 
don't want to put it in RE24, are we OK for RE25/master?



its8167 - Fix nonblocking TLS with referrals



OK, but non-blocking TLS was LDAP_DEVEL, not supported in RE24. This
patch should be master/RE25 only.


I noted this for RE24 because the reporter was using the feature in RE24 
(I.e., they specifically enabled it).  Is there any harm in including (but 
not documenting via the changes file) it in RE24?



its8605 - Fix various spelling errors



Introduces trailing whitespace - kill that before committing.
In general, this patch falls under the "do not improve" rule
http://www.openldap.org/devel/programming.html and should be rejected for
not fixing any actual bugs. Many of the typos being fixed are in comments
that are never user-visible anyway. Pollutes git history for a large
number of files without any significant benefit.

Better leave it out of re24.



Is this ok for master/RE25 then?


its8511 - Fix documentation for multimaster, deprecate mirrormode



Gratuitous change, existing docs and practices are already established.
Hard enough to get people to update their docs, this is a bad idea.


This change is not gratuitous in the least.  The misinformation in our 
current documentation leads to constant confusion among end users, who 
often do not want to go to the lengths necessary to deploy the *concept* 
that is mirror mode, and instead just want to do "multimaster", so they 
leave our current misnamed 'mirrormode' parameter set to false.  Fixing the 
documentation to match the reality of what's being configured is a positive 
step to removing confusion and to stop misleading end users on what is 
being done.  I've provided numerous links from the mailing list where this 
caused problems for end users before.  Our parameters should reflect what 
they actually do.



its8573 - Add TLS options to ldap* tools



The manpage updates are a bit excessive. Maybe we need a single manpage
just for common options, that we can refer to from all of the individual
commands' pages.


Ok, I'll add that to my RE25 stack of rework.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 9/29/2017

2017-10-06 Thread Quanah Gibson-Mount
--On Saturday, September 30, 2017 11:42 AM +0200 Michael Ströder 
 wrote:



Quanah Gibson-Mount wrote:

---
Purely for RE25:
---

its8692 - Support LDAP_MOD_INCREMENT with back-sock



Why is this super-trivial patch postponed to RE25?


It's a new feature.  New features are RE25 only.

We are actively working on solidifying RE25 so it can go into alpha and 
eventual full release.  RE24 is purely maintenance.


--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 9/29/2017

2017-10-06 Thread Howard Chu

Quanah Gibson-Mount wrote:

Howard -- Looking for a thumbs up/down on these.

The following ITSes were mostly supplied with patches and are IPR ok.  I've 
imported them into my openldap-scratch repo for easy review.  If they didn't 
have a supplied patch, I did the related work.  Branch names are by ITS.


---
Suggested for LMDB 0.9:
---
its8612 - Fix LMDB builds on Solaris & derivative OSes



OK.


---

Suggested for RE24:
---

its5048 - Fix documentation for entryCSN with syncprov



OK


its7100 - Fix slapo-dds with entryTTL currently not decreasing



OK


its7373 - Fix tls_session reuse when hostname check fails



OK


its7374 - Fix MozNSS file matching for hashed CA cert directory (RE24 ONLY)



OK


its7389 - Fix MozNSS to fallback to PEM if cert not found in certdb (RE24 ONLY)



Questionable, since the required PEM support module is 3rd party and not 
included in MozNSS. We have no way to test or support this patch.



its7442 - Add debug statements when index_intlen values are out of range



Looks pointless.


its7520 - Omit unknown schema option for back-ldap



OK


its8037 - Fix delta-syncrepl with relax



Looks like an enhancement, not a bugfix


its8121 - Add LDAP_SASL_SIMPLE to ldap_bind(3)



OK


its8167 - Fix nonblocking TLS with referrals



OK, but non-blocking TLS was LDAP_DEVEL, not supported in RE24. This patch 
should be master/RE25 only.


its8404 - Fix assertion with back-meta when olcDbRewrite is changed



OK


its8578 - Remove unused variables in RE24



OK


its8583 - Fix C++ LDAPCtrl structure



OK


its8605 - Fix various spelling errors



Introduces trailing whitespace - kill that before committing.
In general, this patch falls under the "do not improve" rule 
http://www.openldap.org/devel/programming.html and should be rejected for not 
fixing any actual bugs. Many of the typos being fixed are in comments that are 
never user-visible anyway. Pollutes git history for a large number of files 
without any significant benefit.


Better leave it out of re24.


its8687 - OpenSSL 1.1 compatibility, fix build when cross-compiling



Squash into a single commit.



---
Purely for RE25:
---

its6035 - Fix slapd so it doesn't require restart after modifying olcAuthzRegexp



OK


its6300 - Add support for kqueue



OK


its6475 - Add documentation to slapd.conf(5) and slapd-config(5) for 
SASLDONTUSECOPY




OK


its7042 - Make it possible to unset TLS options with syncrepl



OK


its7532 - Add ldap_connection function for asynchronous clients



OK
Ondrej was just asking about this one yesterday anyway.


its7721 - Allow authTimestamp to be forwarded via updateref



OK


its8037 - Fixes delta-sync replication when "relax" is used to modify the 
structural OC of an entry




OK


its8153 - olcTimeLimit should be SINGLE-VALUE



OK


its8291 - Fix slapmodify with BDB backends



OK


its8508 - ucgendat.c properly add title-case characters without upper-case 
equivalents (e.g. greek letters with iota subscript)




OK


its8511 - Fix documentation for multimaster, deprecate mirrormode



Gratuitous change, existing docs and practices are already established. Hard 
enough to get people to update their docs, this is a bad idea.



its8527 - Improve SYNC debug output in certain situations




Re: ITS review 9/29/2017

2017-09-30 Thread Michael Ströder
Quanah Gibson-Mount wrote:
> ---
> Purely for RE25:
> ---
> 
> its8692 - Support LDAP_MOD_INCREMENT with back-sock
> 

Why is this super-trivial patch postponed to RE25?

Ciao, Michael.





ITS review 9/29/2017

2017-09-29 Thread Quanah Gibson-Mount

Howard -- Looking for a thumbs up/down on these.

The following ITSes were mostly supplied with patches and are IPR ok.  I've 
imported them into my openldap-scratch repo for easy review.  If they 
didn't have a supplied patch, I did the related work.  Branch names are by 
ITS.


---
Suggested for LMDB 0.9:
---
its8612 - Fix LMDB builds on Solaris & derivative OSes


---

Suggested for RE24:
---

its5048 - Fix documentation for entryCSN with syncprov


its7100 - Fix slapo-dds with entryTTL currently not decreasing


its7373 - Fix tls_session reuse when hostname check fails


its7374 - Fix MozNSS file matching for hashed CA cert directory (RE24 ONLY)


its7389 - Fix MozNSS to fallback to PEM if cert not found in certdb (RE24 
ONLY)



its7442 - Add debug statements when index_intlen values are out of range


its7520 - Omit unknown schema option for back-ldap


its8037 - Fix delta-syncrepl with relax


its8121 - Add LDAP_SASL_SIMPLE to ldap_bind(3)


its8167 - Fix nonblocking TLS with referrals


its8404 - Fix assertion with back-meta when olcDbRewrite is changed


its8578 - Remove unused variables in RE24


its8583 - Fix C++ LDAPCtrl structure


its8605 - Fix various spelling errors


its8687 - OpenSSL 1.1 compatibility, fix build when cross-compiling



---
Purely for RE25:
---

its6035 - Fix slapd so it doesn't require restart after modifying 
olcAuthzRegexp



its6300 - Add support for kqueue


its6475 - Add documentation to slapd.conf(5) and slapd-config(5) for 
SASLDONTUSECOPY



its7042 - Make it possible to unset TLS options with syncrepl


its7532 - Add ldap_connection function for asynchronous clients


its7721 - Allow authTimestamp to be forwarded via updateref


its8037 - Fixes delta-sync replication when "relax" is used to modify the 
structural OC of an entry



its8153 - olcTimeLimit should be SINGLE-VALUE


its8291 - Fix slapmodify with BDB backends


its8508 - ucgendat.c properly add title-case characters without upper-case 
equivalents (e.g. greek letters with iota subscript)



its8511 - Fix documentation for multimaster, deprecate mirrormode


its8527 - Improve SYNC debug output in certain situations


its8573 - Add TLS options to ldap* tools


its8692 - Support LDAP_MOD_INCREMENT with back-sock


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 9/12/2017

2017-09-20 Thread Ryan Tandy

For RE25, possibly (but unlikely) RE24:

its6035 - slapd requires restart after modifying olcAuthzRegexp




Re: ITS review 9/12/2017

2017-09-19 Thread Michael Ströder

Quanah Gibson-Mount wrote:

--On Monday, September 18, 2017 10:29 PM +0200 Michael Ströder
 wrote:


ITS#8051:
2fbecdd756a288c787d8326d6630ab8500058e2f
129299a9337287527f2046fe5385cdb2afb35f0b


Ah, it seems to be complete. IMO this would also be an interesting
candidate for RE24. If you port it to RE24 I will test it.


They apply cleanly to RE24 for me.  You can grab a squashed commit at:


This works like a charm with my openSUSE builds.

Would be really nice to get the back-sock improvements into the 2.4.46 release.

Ciao, Michael.





Re: ITS review 9/12/2017

2017-09-18 Thread Quanah Gibson-Mount
--On Monday, September 18, 2017 10:29 PM +0200 Michael Ströder 
 wrote:



ITS#8051:
2fbecdd756a288c787d8326d6630ab8500058e2f
129299a9337287527f2046fe5385cdb2afb35f0b


Ah, it seems to be complete. IMO this would also be an interesting
candidate for RE24. If you port it to RE24 I will test it.


They apply cleanly to RE24 for me.  You can grab a squashed commit at:



--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: ITS review 9/12/2017

2017-09-18 Thread Michael Ströder

Quanah Gibson-Mount wrote:

--On Wednesday, September 13, 2017 9:50 AM +0200 Michael Ströder
 wrote:

There is also a 'sockdnpat' config directive in git-master. But it
seems only the config. This would be very helpful for my
deployments. I don't know which ITS though.


ITS#8051:
2fbecdd756a288c787d8326d6630ab8500058e2f
129299a9337287527f2046fe5385cdb2afb35f0b


Ah, it seems to be complete. IMO this would also be an interesting 
candidate for RE24. If you port it to RE24 I will test it.


Ciao, Michael.





Re: ITS review 9/12/2017

2017-09-13 Thread Michael Ströder

Quanah Gibson-Mount wrote:

---
Suggested for RE25, possibly RE24:
[..]
its8692 - Support LDAP_MOD_INCREMENT with back-sock



Yes, please.

It would be also helpful if this could land in RE24:

(ITS#8714) RFE: Sendout EXTENDED operation message in back-sock

I'm already using it with my own patched 2.4.45 builds.

I'm willing to extensively test back-sock in RE24 to make sure it 
fully works with the above changes.


There is also a 'sockdnpat' config directive in git-master. But it 
seems only the config. This would be very helpful for my 
deployments. I don't know which ITS though.


Ciao, Michael.





ITS review 9/12/2017

2017-09-12 Thread Quanah Gibson-Mount
The following ITSes were mostly supplied with patches and are IPR ok.  I've 
imported them into my openldap-scratch repo for easy review.  If they 
didn't have a supplied patch, I did the related work.  Branch names are by 
ITS.


---
Suggested for RE24:

its5048 - Fix documentation for entryCSN with syncprov


its7100 - Fix slapo-dds with entryTTL currently not decreasing


its7373 - Fix tls_session reuse when hostname check fails


its7374 - Fix MozNSS file matching for hashed CA cert directory (RE24 ONLY)


its7389 - Fix MozNSS to fallback to PEM if cert not found in certdb (RE24 
ONLY)



its7442 - Add debug statements when index_intlen values are out of range


its7520 - Omit unknown schema option for back-ldap


its8037 - Fix delta-syncrepl with relax


its8121 - Add LDAP_SASL_SIMPLE to ldap_bind(3)


its8167 - Fix nonblocking TLS with referrals


its8404 - Fix assertion with back-meta when olcDbRewrite is changed


its8578 - Remove unused variables in RE24


its8583 - Fix C++ LDAPCtrl structure


its8605 - Fix various spelling errors



---
Suggested for RE25, possibly RE24:

its8153 - olcTimeLimit should be SINGLE-VALUE


its8692 - Support LDAP_MOD_INCREMENT with back-sock



---
Purely for RE25:

its7042 - Make it possible to unset TLS options with syncrepl


its7532 - Add ldap_connection function for asynchronous clients


its7721 - Allow authTimestamp to be forwarded via updateref


its8291 - Fix slapmodify with BDB backends


its8527 - Improve SYNC debug output in certain situations


its8573 - Add TLS options to ldap* tools



--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: