Re: (ITS#9182) slapd crash with invalid pcache config

2020-03-11 Thread ryan
On Wed, Mar 11, 2020 at 07:18:22PM +, Howard Chu wrote: >Fixed in git master Confirmed fixed, thanks!

Re: (ITS#9182) slapd crash with invalid pcache config

2020-03-11 Thread ryan
==24838== Thread 3: ==24838== Invalid read of size 8 ==24838==at 0x13FCD3: backend_stopdown_one (backend.c:425) ==24838==by 0x1DF97A: pcache_db_destroy (pcache.c:4899) ==24838==by 0x19AD46: overlay_destroy_one (backover.c:1150) ==24838==by 0x124A10: config_add_internal.isra.16

(ITS#9182) slapd crash with invalid pcache config

2020-03-10 Thread ryan
Full_Name: Ryan Tandy Version: RE24 OS: Debian URL: Submission from: (NULL) (70.66.128.207) Submitted by: ryan Reported in IRC #openldap by user Dragnell, reproduced by me on current RE24. Configure slapd like so: -- include servers/slapd/schema/core.schema include servers/slapd/schema

Re: (ITS#8639) Remove support for LANMAN

2020-03-07 Thread ryan
Tested smbk5pwd with Samba 4.9.5 (both openssl and gnutls). Works for me, so pushed to master now. Further testing would be appreciated.

Re: (ITS#8639) Remove support for LANMAN

2020-03-04 Thread ryan
I put up my WIP branch on github: https://github.com/openldap/openldap/compare/master...rtandy:its8639 Still need to finish testing smbk5pwd before I can push it.

(ITS#9177) Finish the autoconf 2.69 upgrade

2020-02-28 Thread ryan
Full_Name: Ryan Tandy Version: master OS: URL: Submission from: (NULL) (70.66.128.207) Submitted by: ryan autoconf 2.69 upgrade was only partially completed. So far we have autoconf (6b81910fc) and autoheader (c2f75cd10). However running autoreconf 2.69 still generates more diffs. At least

Re: (ITS#8639) Remove support for LANMAN

2020-02-28 Thread ryan
Hello, On Thu, Feb 20, 2020 at 03:50:38PM +, fumi...@osstech.co.jp wrote: >I've created a path for smbk5pwd to disable the insecure sambaLMPassword >support by default. Thanks for this patch. Are you aware of any scenarios where sambaLMPassword is actually required today? Personally I'm

(ITS#9176) libldap support for TLSv1.3 Encrypted SNI

2020-02-20 Thread ryan
Full_Name: Ryan Tandy Version: master OS: Debian URL: Submission from: (NULL) (70.66.128.207) Submitted by: ryan ldap.google.com requires clients to support SNI and sends back an intentionally invalid certificate if it is not used. Affects libldap with both OpenSSL and GnuTLS. (Might want

Re: (ITS#9174) Openldap configuration

2020-02-17 Thread ryan
Quanah already told you, in your previous ticket, where to ask for help. Please don't open more tickets as help requests. Thank you.

(ITS#9166) RE25 admin guide fails to build

2020-02-12 Thread ryan
Full_Name: Ryan Tandy Version: 2.5 OS: URL: Submission from: (NULL) (70.66.128.207) Submitted by: ryan openldap/doc/guide/admin$ make sdf -2html guide.sdf ./slapdconfig.sdf warning, para. on 531: {{ phrase not terminated make: *** [Makefile:81: guide.html] Error 8

(ITS#9153) replication.sdf inconsistent whitespace

2020-01-14 Thread ryan
Full_Name: Ryan Tandy Version: RE24 OS: URL: https://github.com/openldap/openldap/compare/OPENLDAP_REL_ENG_2_4...rtandy:guide-whsp.patch Submission from: (NULL) (70.66.128.207) Submitted by: ryan This patch fixes indentation of two 'maxsize' lines in the 'Syncrepl Proxy' example. For RE24 only

Re: (ITS#9144) Remove ICU detection

2019-12-19 Thread ryan
Patch available: https://github.com/openldap/openldap/compare/master...rtandy:its9144.patch

Re: (ITS#9101) man pages don't reflect some global options are actually global/database

2019-10-25 Thread ryan
On Fri, Oct 25, 2019 at 09:15:33PM +, qua...@symas.com wrote: >Correction, slapd-config(5) handles this via discussion of the frontend >database. Sort of - at least it has that distinction, but the three attrs you mentioned are still documented only in the GLOBAL CONFIGURATION OPTIONS

Re: (ITS#8996) Please supply a pkg-config file for libldap

2019-10-02 Thread ryan
irectory Access Protocol library (reentrant version)". Only an opinion, there's nothing wrong with what you wrote. I'd like to see this included, however a more senior team member should approve it first. Good luck! cheers, Ryan

(ITS#9086) Add debug logging for GnuTLS configuration errors

2019-09-20 Thread ryan
Full_Name: Ryan Tandy Version: master OS: Debian 10/buster URL: https://github.com/openldap/openldap/compare/master...rtandy:gnutls-logging.patch Submission from: (NULL) (70.66.128.207) Submitted by: ryan This patch adds debug logging for common GnuTLS configuration errors. It should help

Re: (ITS#8383) msys build error "portable.h:1116:19: error: two or more data types in declaration specifiers"

2019-09-01 Thread ryan
I've run into this myself while trying to test ITS#9069 on Windows. In my MinGW environment, does not define socklen_t, so portable.h:1116 does '#define socklen_t int'. However, includes which does typedef socklen_t. base64.c includes "portable.h" first and then later. This second include

Re: (ITS#9069) Stop setting custom GnuTLS mutex functions

2019-08-28 Thread ryan
On Wed, Aug 28, 2019 at 01:34:31PM +0100, Howard Chu wrote: >This is not a safe assumption on Windows, unfortunately. While libldap uses >native >Windows mutexes on Windows, a lot of code built using gcc/g++ uses a >posixthreads >emulation library for thread and mutex support, and the

(ITS#9069) Stop setting custom GnuTLS mutex functions

2019-08-27 Thread ryan
Full_Name: Ryan Tandy Version: master OS: Debian URL: https://github.com/rtandy/openldap/compare/openldap:master...rtandy:remove-gnutls_global_set_mutex.patch Submission from: (NULL) (70.66.128.207) Submitted by: ryan The GnuTLS documentation <https://gnutls.org/manual/html_node/Core-

Re: (ITS#8753) Public key pinning support in libldap

2019-08-26 Thread ryan
The gnutls_digest_get_id function was added in GnuTLS 3.2.2: https://gitlab.com/gnutls/gnutls/blob/gnutls_3_2_2/NEWS That was released in 2013, so I think it's OK to depend on it by now. Please consider applying this patch to update the configure.in check:

Re: (ITS#9032) need to create custom attributes in openldap schema

2019-06-08 Thread ryan
Hello Suresh, The ITS is for reporting bugs, not for usage questions. For support, please write to the openldap-techni...@openldap.org mailing list. See https://www.openldap.org/support/ for more details. This ITS will be closed. Thank you, Ryan.

Re: (ITS#9026) slapd

2019-05-20 Thread ryan
tained from e.g. 'dpkg-query -W slapd'). I will close this ITS for now. It can be reopened if the issue actually turns out to be a problem with OpenLDAP software. Thanks Ryan

Re: (ITS#8961) Crash when deleting olcDbIndex (back-mdb)

2019-01-24 Thread ryan
Possible duplicate of ITS#8472?

(ITS#8949) slapd crashes when adding first olcPlugin value

2019-01-01 Thread ryan
Full_Name: Ryan Tandy Version: 2.4, master OS: Debian URL: Submission from: (NULL) (70.66.128.207) Submitted by: ryan Initial configuration, no existing value for olcPlugin: ldapmodify -H ldap://:9000 -x -D cn=config -w secret << eof dn: olcDatabase={1}mdb,cn=config add: olcPlugin olc

Re: (ITS#8930) Setting source interface of LDAP session the ldap client uses to connect to server

2018-10-29 Thread ryan
Hello Adrian, I think someone is already working on this feature, please see: ITS#8847 https://openldap.org/its?findid=8847 ITS#8654 https://openldap.org/its?findid=8654 http://www.openldap.org/lists/openldap-devel/201810/msg8.html

Re: (ITS#8650) EAGAIN from gnutls_handshake not respected

2018-10-04 Thread ryan
On Tue, Sep 18, 2018 at 10:55:50PM -0700, Ryan Tandy wrote: >There is some EAGAIN handling conditional on LDAP_USE_NON_BLOCKING_TLS >which itself is behind LDAP_DEVEL. However this code is meant for >non-blocking sockets, and in my case it ends up stuck in poll() >waiting for a

Re: (ITS#8650) EAGAIN from gnutls_handshake not respected

2018-09-18 Thread ryan
Made some good progress on this one this evening. The original issue this ITS is about is that gnutls_handshake() can, in some versions of GnuTLS, return GNUTLS_E_AGAIN even when the socket is blocking. Specifically, this happens in the case I described with a large CA list sent by the server.

Re: (ITS#8650) EAGAIN from gnutls_handshake not respected

2018-08-26 Thread ryan
read, but would be nice to confirm). thanks Ryan

Re: (ITS#8650) EAGAIN from gnutls_handshake not respected

2018-08-03 Thread ryan
Hi Kartik, On Fri, Aug 03, 2018 at 11:19:06AM -0400, Kartik Subbarao wrote: >I'm running into a problem with slapd 2.4.46 hanging on Ubuntu 18.04, >which seems to be a side effect of the ITS#8650 patch: > >https://github.com/openldap/openldap/commit/7b5181da8cdd47a13041f9ee36fa9590a0fa6e48 >

Re: (ITS#8885) hdb_generate_key_set_password prototype check for smbk5pwd

2018-07-29 Thread ryan
On Mon, Jul 30, 2018 at 01:44:31AM +, m...@netbsd.org wrote: >--- a/configure.in >+++ b/configure.in >@@ -1312,6 +1312,14 @@ if test $ol_enable_lmpasswd != no; then > AC_DEFINE(SLAPD_LMHASH, 1, [define to support LAN Manager passwords]) > fi > >+dnl

Re: (ITS#8877) Issue while setting up openLDAP 2.4.44 with mdb

2018-07-10 Thread ryan
Hello, On Wed, Jul 11, 2018 at 02:16:16AM +, sakshi...@gmail.com wrote: >Issue while setting up openLDAP 2.4.44 with mdb. Getting following error when >trying to setup up mdb database instead of hdb using ansible - >fatal: [tokyo-ldap1]: FAILED! => {"changed": true, "cmd": ["ldapmodify",

Re: (ITS#8860) searching issue

2018-05-27 Thread ryan
Hello, The ITS is for reporting bugs in the software. For user support please contact the openldap-techni...@openldap.org mailing list. This ITS will be closed. On Sun, May 27, 2018 at 02:33:05PM +, bahaa.mos...@barqsystems.com wrote: >Full_Name: bahaa mosaad ali >Version: 2.4.39-3.el7

Re: (ITS#8853) back-mdb broken on GNU/kFreeBSD

2018-05-12 Thread ryan
Never mind. This works for me on a local VM. The build server has a bunch of outdated packages so I'm going to blame that build environment unless proven otherwise. Closing the ITS; sorry for the noise.

(ITS#8853) back-mdb broken on GNU/kFreeBSD

2018-05-12 Thread ryan
Full_Name: Ryan Tandy Version: 2.4.46 OS: Debian URL: Submission from: (NULL) (70.66.128.207) Submitted by: ryan On Debian GNU/kFreeBSD (Debian with GNU userland and FreeBSD kernel), liblmdb and back-mdb compile but slapd apparently fails to start. Build log: https://buildd.debian.org/status

Re: (ITS#8852) slapd memory use grows continuously with non-delta syncrepl and modifying groups

2018-05-12 Thread ryan
bisect identifies c365ac359e9c9b483b934c2a1f0bc552645c32fa as the commit that introduced this behaviour. 003dfbda574f37bbf1a2240f530ff9fa35ab0801 on RE24 (2.4.20) commit c365ac359e9c9b483b934c2a1f0bc552645c32fa Author: Howard Chu Date: Sun Nov 22 04:42:00 2009 +

(ITS#8852) slapd memory use grows continuously with non-delta syncrepl and modifying groups

2018-05-11 Thread ryan
Full_Name: Ryan Tandy Version: 2.4.46 OS: Debian URL: ftp://ftp.openldap.org/incoming/20180511_rtandy_syncrepl-memory-consumer.tgz Submission from: (NULL) (70.66.128.207) Submitted by: ryan When running object-based syncrepl, and making changes to groups, the provider slapd uses more and more

Re: (ITS#8847) New LDAP URL syntax to support binding to specific IP address at client side

2018-05-06 Thread ryan
SES. I would think that's probably a better approach. Maybe you could pick up where the author of that one left off? He disappeared after posting his patch for review... thanks Ryan

(ITS#8835) update admin guide to use "openssl rehash" instead of c_rehash

2018-04-07 Thread ryan
Full_Name: Ryan Tandy Version: RE24 OS: Debian URL: Submission from: (NULL) (70.66.128.207) Submitted by: ryan From https://bugs.debian.org/895091 - > This package is using the c_rehash command which is part of the > openssl package. The c_rehash script is considered by

Re: (ITS#8797) improper use of gnutls causes segfault

2018-01-15 Thread ryan
On Mon, Jan 15, 2018 at 07:33:52PM +, lu...@selfnet.de wrote: >During initialization, libldap sets custom gnutls mutex functions: >https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_g.c;h=adcb6be04076a91d3a0bf94cf8357f4e51f5b9da;hb=HEAD#l113 > >PAM uses

Re: (ITS#8795) Authentication in database

2018-01-13 Thread ryan
Hello, The ITS is for bug reports, not user support. For support, please contact the openldap-techni...@openldap.org mailing list, or join the #openldap IRC channel. This ITS will be closed.

Re: (ITS#8763) ACL scope warning

2017-10-28 Thread ryan
Hi Claude, Please use the openldap-techni...@openldap.org mailing list for usage or configuration questions. If you post your slapd.conf to the list I'm sure someone will be able to point out the reason for the warning. This ITS will be closed.

Re: (ITS#8745) Need to join Windows server 2012 R2 to open lapd as a client

2017-09-29 Thread ryan
On Thu, Sep 28, 2017 at 07:11:35AM +, ramku...@mgtechsoft.com wrote: >Request you to inform whether can we join windows 2012 server to Open Ldap as >client? > >and if it is possible please share the procedure with us. The ITS system is for reporting software bugs, not for support questions.

Re: (ITS#8707) slapd: Add systemd service notification support

2017-09-12 Thread ryan
On Tue, Sep 12, 2017 at 08:24:15PM +, h...@symas.com wrote: >I don't have documentation for sd_notify() on my machine https://www.freedesktop.org/software/systemd/man/sd_notify.html >- what does it return if systemd isn't running at the moment? What does >it return if the current program

Re: (ITS#8707) slapd: Add systemd service notification support

2017-09-12 Thread ryan
On Tue, Sep 12, 2017 at 07:04:48PM +, h...@symas.com wrote: >My experience so far with Arch/Debian/Ubuntu/Centos mirrors this - >they're all different in FS layouts (/var/run vs /run, etc etc etc) and >the situation is no better than it was in SysV init In the case of the unit file

Re: (ITS#8707) slapd: Add systemd service notification support

2017-09-12 Thread ryan
On Tue, Sep 12, 2017 at 05:17:11PM +, qua...@symas.com wrote: >b) The OpenLDAP project has never provided init scripts of their >equivalents. I'm not sure it would be correct to include the systemd unit >file as a part of the project. An explicit design goal of systemd is that unit files

Re: (ITS#8703) slapd should create its PID file before dropping privileges

2017-09-05 Thread ryan
On Fri, Jul 28, 2017 at 07:35:47PM +, mich...@orlitzky.com wrote: >The slapd daemon should create its PID file before dropping privileges. This >represents a minor security issue; additional factors are needed to make it >exploitable. If I understood you correctly, "Additional factors are

Re: (ITS#8707) slapd: Add systemd service notification support

2017-08-11 Thread ryan
On Fri, Aug 11, 2017 at 08:10:09PM +0900, SATOH Fumiyasu wrote: >I've added slapd.service file. Please check. Looks good to me. Thanks again for working on this! :) Just minor comments: >- $(srcdir)/slapd.conf > slapd.conf.tmp ; \ >+ $(srcdir)/slapd.conf >

Re: (ITS#8707) slapd: Add systemd service notification support

2017-08-09 Thread ryan
On Wed, Aug 09, 2017 at 05:13:44PM +0900, SATOH Fumiyasu wrote: >I've revised the patch for master to check if the listener initialization >succeeds or not. With this patch, `slapd -d0` can return non-zero exit code >if the listener initialization fails, thus systemd can detect slapd.service

Re: (ITS#8707) slapd: Add systemd service notification support

2017-08-08 Thread ryan
On Tue, Aug 08, 2017 at 03:10:35PM +0900, SATOH Fumiyasu wrote: >My slapd.service file: > >[Unit] >Description=OpenLDAP Server >After=syslog.target network-online.target >Documentation=man:slapd >Documentation=man:slapd.conf >Documentation=man:slapd-config >Documentation=man:slapd-bdb

Re: (ITS#8707) slapd: Add systemd service notification support

2017-08-07 Thread ryan
On Mon, Aug 07, 2017 at 01:12:02PM -0700, Ryan Tandy wrote: >Side note: the version message from slapd appears in the journal >twice, once with the timestamp and once without... not sure exactly >why! Sorry, meant to delete this paragraph before sending. The difference betwee

Re: (ITS#8707) slapd: Add systemd service notification support

2017-08-07 Thread ryan
On Mon, Aug 07, 2017 at 12:23:27PM -0700, Ryan Tandy wrote: >I guess MAINPID= is actually needed, unless we run slapd with -d, regardless of >whether we set Type=forking or Type=notify. Not exactly "needed", but better to >have it than not. I experimented a bit with a ser

Re: (ITS#8707) slapd: Add systemd service notification support

2017-08-07 Thread ryan
oint? I seem to recall that in the past there was opposition to moving the parent's exit later, but I can't remember why. (and I still wish we could do that, and dispense with the ldapsearch-loop hacks...) cheers, Ryan

(ITS#8696) deadlock with 3-way delta-MMR and syncprov-checkpoint

2017-07-19 Thread ryan
Full_Name: Ryan Tandy Version: 2.4.45 OS: Debian URL: Submission from: (NULL) (24.68.41.160) Submitted by: ryan This is rather similar to ITS#8429 (the deadlock is at the same location), but not enough for me to be sure it's the same. cat > slapd.conf << EOF include /path/to/co

Re: (ITS#8685) Invalid memory access

2017-07-08 Thread ryan
On Fri, Jul 07, 2017 at 06:20:55AM +, r...@nardis.ca wrote: >Unpacking the computation, it looks like the multiplication is the part >that sometimes returns the wrong result. Not the multiplication, but rather the cast of nvalues to double. I'm going to take further followups to the Debian

Re: (ITS#8685) Invalid memory access

2017-07-07 Thread ryan
Hi Breno, Thanks a lot for taking the time to look at this. I reproduced the crash on a minicloud VM (thanks!) with gcc -O2 (but not -O1 or -O0) and also with clang -O2 and -O1 (but not -O0). On Fri, Jul 07, 2017 at 12:57:47AM +, lei...@debian.org wrote: >So, that is what I suppose is

Re: (ITS#8672) syncrepl with openldap 2.4.{40,42} and mdb backend

2017-06-10 Thread ryan
On Thu, Jun 08, 2017 at 01:06:21PM +, remy.der...@umontpellier.fr wrote: >I am able to reproduce the bug quite easily. I'm afraid I have not been able to. I followed the steps you posted (with s/hdb/mdb/) with both servers running slapd 2.4.40+dfsg-1+deb8u3 and syncrepl seems to work fine.

Re: (ITS#8658) Can't change olcTLSCipherSuite

2017-05-17 Thread ryan
Hello Oleg, The Ubuntu package uses GnuTLS and therefore your olcTLSCipherSuite setting needs to contain a valid GnuTLS priority string. https://gnutls.org/manual/html_node/Priority-Strings.html The slapd crash you are seeing is an Ubuntu-specific bug and has been fixed in later versions.

Re: (ITS#8648) sasl_client_init called concurrently causes issues

2017-05-09 Thread ryan
An Ubuntu user confirmed that this change solved their issue with slapd and multiple syncrepl clients using GSSAPI. https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1688575/comments/6

Re: (ITS#8650) EAGAIN from gnutls_handshake not respected

2017-05-06 Thread ryan
Committed the fix, and pinged the submitter to test it.

(ITS#8650) EAGAIN from gnutls_handshake not respected

2017-05-06 Thread ryan
Full_Name: Ryan Tandy Version: RE24 OS: Debian URL: Submission from: (NULL) (24.68.41.160) Submitted by: ryan https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861838 That bug's submitter seems to have unintentionally configured their slapd with the entire list of system CAs. They're fixing

Re: (ITS#8648) sasl_client_init called concurrently causes issues

2017-05-01 Thread ryan
On Fri, Apr 28, 2017 at 02:52:44PM +, r...@nardis.ca wrote: >I tried cyrus-sasl-2.1.25 and the issue doesn't seem to happen. I'll see >if I can isolate the related change. SASL version was a red herring. I accidentally linked with Debian's libldap (2.4.31) when I tested that. Mea culpa. The

(ITS#8644) test064-constraint should wait for slapd to start

2017-04-24 Thread ryan
Full_Name: Ryan Tandy Version: 2.4.44 OS: Debian URL: Submission from: (NULL) (24.68.41.160) Submitted by: ryan test064-constraint can occasionally fail if ldapadd runs while slapd is still starting up. https://bugs.debian.org/770890 has links to examples. >>>>> Starting tes

Re: (ITS#8586) load cert+chain from TLSCertificateFile

2017-02-13 Thread ryan
FWIW, tls_g already has the behaviour that (I think) this ticket asks for: if you set TLSCertificateFile to a file containing concatenated server and intermediate certs, it sends the chain of both. I found that useful in a setup very similar to what Andreas and Michael describe: slapd with a

(ITS#8554) lmdb build failure on GNU/kFreeBSD

2016-12-28 Thread ryan
Full_Name: Ryan Tandy Version: 2.4.44 OS: Debian GNU/kFreeBSD URL: Submission from: (NULL) (24.68.41.160) Forwarded from https://bugs.debian.org/845394: lmdb fails to build on Debian GNU/kFreeBSD. https://buildd.debian.org/status/fetch.php?pkg=openldap=kfreebsd-amd64=2.4.44%2Bdfsg-1

Re: (ITS#8522) Incoming

2016-10-25 Thread ryan
On Tue, Oct 25, 2016 at 09:37:22AM +0200, Ralf Mattes wrote: >> Can you please try with commit 2e60bf5e applied? > >There seem to be quite some changes in op.c, no way to just >apply that change. I'd have to switch from debian to upstream >which I try to avoid. Are we looking at the same change?

Re: (ITS#8512) segfault for large entries

2016-10-24 Thread ryan
This is probably a specific case of ITS#8435. There is a fix in git master already, commit id 23c5d6bb. Would you please test with that patch applied?

Re: (ITS#8522) Incoming

2016-10-24 Thread ryan
On Mon, Oct 24, 2016 at 04:48:18PM +, r...@mh-freiburg.de wrote: >#0 0x7f60dd7e0aa0 in ?? () >#1 0x7f61650bca41 in slap_writewait_play (op=0x7f60c8002550) > at ../../../../servers/slapd/result.c:294 >#2 send_ldap_ber (op=0x7f60c8002550, ber=0x7f60dd64f250) at ..

Re: (ITS#7384) Assert Crash in ppolicy_ctrls_cleanup

2016-10-11 Thread ryan
Just noting that one way to reproduce this assert reliably is to bind to an existing entry, through the relay, with an incorrect password. The important part of the config is: database mdb suffix dc=example,dc=com [...] overlay ppolicy database relay suffix o=example overlay rwm

Re: (ITS#8507) adding the syncprov overlay does not load the associated schema elements

2016-10-11 Thread ryan
On Thu, Sep 29, 2016 at 06:03:38PM +, elecha...@apache.org wrote: >$ grep -ri "olcSpNoPresent" slapd.d >$ ... > >You can stop and restart the server, the attribute is still not present. It's system schema and not user schema, so I kind of expect this. The behaviour is the same when cn=config

Re: (ITS#8510) OpenLDAP Crash when using ppolicy

2016-10-11 Thread ryan
Hi, On Mon, Oct 03, 2016 at 08:00:55AM +, p...@quake.fr wrote: >I have an openldap with a master-master replication >* Config directory is a HDB database >* Main directory (people/group/policy) is a MDB database > >When using ># ldapwhoami -x -H ldap://localhost -D

Re: (ITS#8464) Documentation for enabling monitoring via cn=config

2016-07-14 Thread ryan
On Fri, Jul 15, 2016 at 12:06:22AM +, d...@pandora.com wrote: >I've attached a patch which provides some minimal instructions to enable >monitoring via cn=config Thanks for the patch! I commented on these points in IRC, duplicating here for the record: Module loading is a generic task, IMO

Re: (ITS#8463) Steps to upgarde 2.4 to 2.44

2016-07-11 Thread ryan
Hello, On Mon, Jul 11, 2016 at 11:58:04AM +, lokesh.gowd...@hubzu.com wrote: >I am new to this, I need to upgrade the openldap 2.4 to 2.4.44 can you please >send me the steps to do the same. The ITS is for reporting bugs only. For support, please write to the openldap-technical mailing

Re: (ITS#8099) Documentation bug with 'tls_cipher(_)suite' option

2016-06-24 Thread ryan
Thanks for that. Fixed in git master.

Re: (ITS#8438) slapd won't stop (shutdown) on multi-core system under stress

2016-06-08 Thread ryan
On Wed, Jun 08, 2016 at 04:45:38PM +, zvika.fere...@gmail.com wrote: >Version: 2.4.31 (deb7u2) >OS: Debian Wheezy This version is no longer supported (except for critical security updates via Debian-LTS). Would you please try a more recent version? openldap 2.4.40 is available in jessie and

(ITS#8097) update nssov to nss-pam-ldapd 0.9.4

2015-04-05 Thread ryan
Full_Name: Ryan Tandy Version: master, 2.4 OS: Debian URL: Submission from: (NULL) (24.68.37.4) updating the copied nss-pam-ldapd files: ftp://ftp.openldap.org/incoming/20150405_rtandy_nssov-update-nss-pam-ldapd-files-to-0.9.4.patch updating nssov for those changes, see commit msg for details

(ITS#8092) slapd crash with sasl auxprop and empty suffix

2015-03-25 Thread ryan
Full_Name: Ryan Tandy Version: master, 2.4 OS: Debian URL: Submission from: (NULL) (24.68.37.4) Based on a Debian bug report: https://bugs.debian.org/781162 ./configure --enable-spasswd cat slapd.conf EOF include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap

Re: (ITS#8081) syncprov crash in syncprov_op_mod

2015-03-18 Thread ryan
On Wed, Mar 18, 2015 at 05:06:33AM +, r...@nardis.ca wrote: I get the following crash on master and RE24. not every time, but most times. Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffe6ffe700 (LWP 25923)] 0x00511d45 in syncprov_op_mod

(ITS#8081) syncprov crash in syncprov_op_mod

2015-03-17 Thread ryan
Full_Name: Ryan Tandy Version: master (05ea787), RE24 (082e192) OS: Debian unstable URL: ftp://ftp.openldap.org/incoming/20150317_rtandy_syncprovsegv.tgz Submission from: (NULL) (24.68.37.4) hi, ./configure CFLAGS=-g -O0 --disable-bdb --disable-hdb --enable-syncprov reproducer: ftp

(ITS#8080) nssov allows users to change anyone's password

2015-03-16 Thread ryan
Full_Name: Ryan Tandy Version: 2.4 OS: Debian URL: Submission from: (NULL) (24.68.37.4) If I write to the socket, un-base64ed: AQAAACVOAAAGcnRhbmR5HHVpZD1ydGFuZHksZGM9ZXhhbXBsZSxkYz1jb20GcGFzc3dkAAQAAABhc2Rm (pwmod action, uid 'rtandy', dn 'uid=rtandy,dc=example,dc=com

(ITS#8079) nssov usergroup check always fails (patch)

2015-03-13 Thread ryan
Full_Name: Ryan Tandy Version: RE24 OS: Debian URL: Submission from: (NULL) (24.68.37.4) The usergroup check in pam_authz always fails, because the compare result is overwritten before it's returned. Quanah already fixed this for hostservice in b3712e4f, this patch does the same for usergroup

(ITS#8027) ldapsearch -E deref=member: crashes slapd

2015-01-19 Thread ryan
Full_Name: Ryan Tandy Version: master (7df548d), RE24 (2b14bbc) OS: Debian unstable URL: Submission from: (NULL) (142.32.208.227) If you use the deref control but leave the list of requested attributes empty, slapd crashes. ldapsearch [...] -E deref=member: #0 0x00516ef0

Re: (ITS#7935) fails to convert slapd.conf including schema with + in name

2014-09-08 Thread ryan
On 08/09/14 01:30 PM, qua...@zimbra.com wrote: Schema filenames should only be alphanumeric. Noted to update the documentation with this restriction. OK, noted. Even so, please consider a change along the lines of http://paste.debian.net/119969/, just to avoid crashing on an inappropriate

Re: (ITS#7094) slapd ciphersuite TLS_RSA_3DES_EDE_CBC_SHA1 not usable with GnuTLS

2014-08-17 Thread ryan
I would consider this a duplicate of ITS#6251. More confusion about the gnutls cipher suite parsing changes. Setting olcTLSCipherSuite: +RSA:+3DES-CBC:+SHA1 works for me, with the Debian 2.4.23 package this was reported against. thanks, Ryan

Re: (ITS#6970) OpenLDAP 2.4.25 MemberOf + AutoGroup user has stale memberof attributes for target group after removal from trigger group

2014-07-18 Thread ryan
,cn=config objectClass: olcAutomaticGroups olcAGattrSet: groupOfURLs memberURL member On Wed, Jun 4, 2014 at 12:24 PM, Ryan Tandy r...@nardis.ca wrote: Adding a new entry that triggers an autogroup member to be added: I don't get a crash or deadlock, but the new entry doesn't have a memberOf

Re: (ITS#6970) OpenLDAP 2.4.25 MemberOf + AutoGroup user has stale memberof attributes for target group after removal from trigger group

2014-07-18 Thread ryan
Back in June, Gerry replied to me privately. Copying his thoughts here, with his permission: On Sat, Jun 14, 2014 at 8:13 AM, Gerry Calderhead ge...@everythingsucks.co.uk wrote: Hi, It's been a while since I looked at this - in fact since I originally reported it. In the end I concluded it

Re: (ITS#7869) [PATCH] contrib passwd/apr1 do_phk_hash arguments

2014-07-17 Thread ryan
Thanks for following up. On Thu, Jul 17, 2014 at 2:00 PM, Howard Chu h...@symas.com wrote: my($password) = 'seekrit'; my($salt) = 'pepperoni'; my($apache_crypted) = apache_md5_crypt($password, $salt); $apr1$pepperon$VBD3GaYfoFXuIcZrTw/Y// can be converted to OpenLDAP

Re: (ITS#7869) [PATCH] contrib passwd/apr1 do_phk_hash arguments

2014-07-17 Thread ryan
Shortcut key fail, sorry. On Thu, Jul 17, 2014 at 3:18 PM, Ryan Tandy r...@nardis.ca wrote: dn: uid=test,dc=example,dc=com objectClass: account objectClass: simpleSecurityObject userPassword: {APR1}FK7q3pAf80k0Wh9BYZJ0FHBlcHBlcm9u What I meant to say was: I can't bind to that entry

(ITS#7897) admin guide documents old syncrepl TLS defaults

2014-07-14 Thread ryan
Full_Name: Ryan Tandy Version: master OS: Debian unstable URL: Submission from: (NULL) (142.32.208.235) Debian bug report: https://bugs.debian.org/613663 In 2.4 syncrepl was changed to take its TLS defaults from the slapd configuration (commit 1cc1f9b) and the man page was updated to document

(ITS#7894) slapcat assertion on cn=config

2014-07-13 Thread ryan
Full_Name: Ryan Tandy Version: master/3102cbb OS: Debian unstable URL: Submission from: (NULL) (24.68.121.206) Since commit 5ee5251 (ITS#7212 slapmodify support for back-ldif), slapcat -b cn=config triggers an assertion after finishing its output. slapcat of a regular database is OK. slapcat

Re: (ITS#7212) slapmodify support for back-config

2014-07-13 Thread ryan
Hi Ondrej, With current git master, slapcat -b cn=config triggers an assertion after it finishes its output. git-bisect blames slapmodify patch for introducing that. Would you mind taking a look? See ITS#7894. thanks, Ryan

Re: (ITS#7877) please make gcrypt optional with newer gnutls

2014-06-30 Thread ryan
On Mon, Jun 30, 2014 at 5:05 AM, Howard Chu h...@symas.com wrote: The only reason GnuTLS support exists in OpenLDAP is because of Debian. Therefore, if Debian no longer uses libgcrypt, I'm happy to rip all of that crap out. Sounds good to me. So a patch that removes gcrypt entirely looks like:

(ITS#7885) [PATCH] wrong RPATH in contrib/passwd/Makefile

2014-06-27 Thread ryan
Full_Name: Ryan Tandy Version: master OS: Debian unstable URL: Submission from: (NULL) (24.68.121.206) Similar to #7858, another easy patch. From 3047469eb717018e5b292352626cd084477faf12 Mon Sep 17 00:00:00 2001 From: Ryan Tandy r...@nardis.ca Date: Fri, 27 Jun 2014 11:15:26 -0700 Subject

Re: (ITS#7851) [PATCH] buffer overrun in password checkers with malformed hash

2014-06-26 Thread ryan
I checked the new pw-pbkdf2 module. It doesn't appear to be affected by this problem. On 11/05/14 07:56 PM, Ryan Tandy wrote

Re: (ITS#7877) please make gcrypt optional with newer gnutls

2014-06-23 Thread ryan
And here are the changes for smbk5pwd. Tried to use gnutls' own api since it abstracts gcrypt/nettle, but sadly it doesn't provide md4, so nettle it is. Note this patch assumes the HAVE_GNUTLS_GCRYPT define from the configure

Re: (ITS#7877) please make gcrypt optional with newer gnutls

2014-06-23 Thread ryan
On Fri, Jun 20, 2014 at 5:23 PM, Ryan Tandy r...@nardis.ca wrote: This might be a better patch, if the build system change is acceptable. As usual, I can't get anything right on the first try. That one was missing a line (but apparently not one that stopped it from building or working

(ITS#7877) please make gcrypt optional with newer gnutls

2014-06-20 Thread ryan
Full_Name: Ryan Tandy Version: HEAD OS: Debian unstable URL: Submission from: (NULL) (142.32.208.235) Debian bug report: https://bugs.debian.org/745231 Quoting Andreas Metzler: given that gmp has been dual-licensed LGPLv3+/GPLv2+ it should be possible to switch openldap over to the newer

Re: (ITS#7877) please make gcrypt optional with newer gnutls

2014-06-20 Thread ryan
: text/x-patch; name=0001-ITS-7877-detect-whether-gnutls-uses-gcrypt.patch Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=0001-ITS-7877-detect-whether-gnutls-uses-gcrypt.patch From e904900beb419576abc098e96deda04e53119603 Mon Sep 17 00:00:00 2001 From: Ryan Tandy r

(ITS#7869) [PATCH] contrib passwd/apr1 do_phk_hash arguments

2014-06-02 Thread ryan
Full_Name: Ryan Tandy Version: master/33e12f4 RE24/b000d95 OS: Debian unstable URL: Submission from: (NULL) (24.68.121.206) Hi, The apr1 passwd plugin calls do_phk_hash with the arguments in the wrong order, so the digest updates are done in a different order than md5crypt does. The following

(ITS#7860) [PATCH] correction to ldap_ava in ldap_get_dn.3

2014-05-26 Thread ryan
Full_Name: Ryan Tandy Version: master/b22a614, RE24/d961650 OS: Debian unstable URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=38;bug=465024 Submission from: (NULL) (24.68.121.206) Hi, In Debian bug #465024, Philipp Hahn has provided the following patch, supplementing the change from

(ITS#7851) [PATCH] buffer overrun in password checkers with malformed hash

2014-05-11 Thread ryan
Full_Name: Ryan Tandy Version: master, commit 141f1680 OS: Ubuntu 14.04 URL: ftp://ftp.openldap.org/incoming/rtandy_20140511_fix-passwd-b64-buffer.patch Submission from: (NULL) (24.68.121.206) The password checkers call lutil_b64_pton like this: rc = lutil_b64_pton(passwd-bv_val, orig_pass

Re: (ITS#7851) [PATCH] buffer overrun in password checkers with malformed hash

2014-05-11 Thread ryan
Sorry, I missed a line from the patch. Corrected one: ftp://ftp.openldap.org/incoming/rtandy_20140511_fix-passwd-b64-buffer_v2.patch
