1 for hunking out LANMAN hashes completely.
Ciao, Michael.
In one of our test envs, had the path wrong in replication config for encryption artifacts:
*** Conf excerpt: ***
syncrepl
…
tls_key=/opt/symas/etc/openldap/file-name.pem
***
Which gives generic error:
*** Log Trace: ***
an 27 17:25:17 sapz1a slapd[6203]: slapd starting
…
TLS
ms to work
smoothly in my local test environment.
Ciao, Michael.
Full_Name: Michael Ströder
Version: master
OS:
URL:
Submission from: (NULL) (213.240.182.99)
As a system engineer I want to see the number of entries within a mdb database
in the monitoring (e.g. to alarm unusual fast changes due to false deletions).
While one can use mdb_stat or other custom
This still happens with current RE24 snapshot.
Is more information needed to address this?
nsistent in your config or the information you
provided herein.
Also this does not seem to be a bug report but the ITS is only for
reporting bugs. Please send usage questions to openldap-technical
mailing list.
Ciao, Michael.
for all the work done upstream to fix a
particular security issue and for applying back-port patches to
downstream packages (e.g. in Linux distributions).
Furthermore OpenLDAP's ITS allows marking an issue as a security issue,
which hides it from public access.
I read Howard's comment that he meant exactly this.
Ciao, Michael.
Stephan,
regarding:
https://www.openldap.org/its/index.cgi?findid=9124
Was there ever a CVE-Id assigned to this issue? I'd like to reference it
in back-port patches for downstream packages.
Ciao, Michael.
Full_Name: Michael Ströder
Version: 2.4.48 / RE24 branch
OS: openSUSE Linux
URL:
Submission from: (NULL) (213.240.182.73)
slapd seg faults in case the client sends a modify operation like this (let me
know if you need a stack trace):
- snip
On 11/29/19 1:06 PM, on...@mistotebe.net wrote:
> thanks for the report, this should be fixed by commit
> 1dbf0e9441def3d6dbc0fa8fba3c2e86fa50fa19 in master.
Will this fix be added to 2.4.49 and when?
Ciao, Michael.
t to read this:
Fix schema on all replicas before the upgrade.
Ciao, Michael.
attributes like:
>
> 5d36b192 UNKNOWN attributeDescription "TESTTYPE" inserted.
Mainly running a replication setup without consistent schema on all
replicas is asking for trouble. It may work in some niche cases. But in
most cases it will fail miserably.
=&
> I tried, but unfortunately the FAQ software breaks Apache when you try and
> delete an answer. I think the better solution is just to remove the FAQ
> software completely.
The FAQ contains the only documentation for set-based ACLs.
So it's not an option to just shutdown FAQ-O-MATIC.
Ciao, Michael.
clean up properly, it should just return an error
> instead?
Yes.
In general I prefer fail-early-fail-hard with clear error messages.
Ciao, Michael.
always a call into gethostname(). Does that make sense?
Ciao, Michael.
I considered contacting current SUSE maintainers of package openldap2.
In preparation to that I tried to find out which bug caused this patch
to be developed.
AFAIK the patch is not applied to the package anymore:
https://build.opensuse.org/package/show/network:ldap/openldap2
And I have no refe
On 4/18/19 12:44 AM, qua...@symas.com wrote:
> Sending this to your @suse.com email bounced. Please see below and update
> with an IPR as requested. Thanks!
Howard Guo has not worked for SUSE for quite a while now.
Do you need Howard's IPR notice or one from SUSE?
Ciao, Michael.
On 3/29/19 8:58 PM, qua...@openldap.org wrote:
> To work around this, slapcat could be given an option to honor the rtxnsize
> setting in slapd.conf/cn=config.
> [..]
> It should be noted in the man page section for this option that the value of
> such a backup is of dubious quality, since it is no
Full_Name: Michael Ströder
Version: 2.4.47
OS: openSUSE Tumbleweed
URL:
Submission from: (NULL) (213.240.182.56)
Adding line
SASL_NOCANON on
to my ~/.ldaprc causes ldapwhoami to fail like this:
$ ldapwhoami -H ldapi:// -Y EXTERNAL
ldap_sasl_interactive_bind_s: Local error (-2)
Using the
I'm currently testing this feature back-ported to RE24 branch.
I noticed that these attributes are set to empty values:
creatorsName:
modifiersName:
Rest of entry looks good:
dn: cn=Database 1,cn=Databases,cn=Monitor
objectClass: monitoredObject
objectClass: olmMDBDatabase
structuralObjectClass
Full_Name:
Version: RE24 branch
OS: openSUSE Linux
URL:
Submission from: (NULL) (212.68.198.84)
For the record, an issue tested with Howard today:
slapo-accesslog hits an assert checking for empty 'reqDN' after processing a
password modify extended operation.
More information in the ITS upon
Full_Name: Michael Ströder
Version:
OS:
URL:
Submission from: (NULL) (213.240.182.19)
All links herein are dead:
https://www.openldap.org/faq/data/cache/220.html
I'd suggest removing this FAQ page completely.
ling list and post your question there:
https://www.openldap.org/lists/mm/listinfo/openldap-technical
You should describe what you want to achieve, the exact version you're
using, OS platform, the config you've tried and some relevant log
excerpts if available.
Ciao, Michael.
sterday:
ftp://ftp.cyrusimap.org/cyrus-sasl/
Nevermind, I'm not using SASL password mechs for anything serious. Just
stumbled across this while implementing a regression test for bad
password in ldap0 module which explicitly checks that
invalidCredentials(49) is returned.
Ciao, Michael.
Full_Name:
Version: 2.4.46
OS: openSUSE Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (213.240.182.29)
SASL bind with SCRAM-SHA-1 does not return invalidCredentials (49) in case of a
wrong password being used, while DIGEST-MD5 and other password mechs work as
expected.
Thi
separate user schema
file.
With such a layout the standard schema shipped with the software is not
part of cn=config but can still be dynamically changed (by directly
modifying subschema subentry). But there's always a way out of trouble
because you can manually fix the separate LDIF schema file(s).
Ciao, Michael.
this to the end you have to move *all* standard schema
installed to schema_prep.c.
IMO this is bad design. But I'm not the one to decide on that. :-/
Ciao, Michael.
On 11/4/18 12:16 AM, h...@symas.com wrote:
> I don't see this in the deref code. It only returns protocolError if there is
> any type of error when parsing the control itself.
It was my fault. Sorry for the noise. Please close this ITS.
Ciao, Michael.
Full_Name:
Version: RE24
OS:
URL:
Submission from: (NULL) (46.183.103.8)
In aehostd I try to limit the number of required search requests. Therefore I'm
using the deref control to read group and sudoers entries referenced in service
groups.
If there are no such references (yet) slapd currentl
On 10/26/18 4:21 PM, Ondřej Kuzník wrote:
> Yes, but `key` had already been freed a few lines earlier and using
> o_tmpalloc reliably exposes the issue where ch_malloc just masks it.
Ouch!
> This is now fixed in master.
Thanks. Everything now works like a charm also with RE24.
Ciao, Michael.
ay code. There are many occurrences of ch_malloc()
and ch_free() throughout the whole code.
Do op->o_tmpalloc() and op->o_tmpfree() work correctly in RE24 branch?
Ciao, Michael.
ndex.cgi?findid=8791
Ciao, Michael.
eporting bugs.
Please post your questions on the openldap-technical mailing list:
https://www.openldap.org/lists/mm/listinfo/openldap-technical
Ciao, Michael.
Can someone correct the subject line of the ticket?
Should of course mention slapo-unique instead of slapo-constraint.
see also ITS#7738
Related to ITS#8866.
I really wonder why function rwm_attrs() is called with
stripEntryDN = 1. A comment indicates the front-end generates 'entryDN'.
BTW: The database uses back-mdb. I did not test whether it behaves
differently with back-hdb yet.
Full_Name:
Version: 2.4.46
OS:
URL:
Submission from: (NULL) (213.240.182.45)
Enabling slapo-rwm for a database makes operational attribute 'entryDN'
invisible (tested with rootdn).
It's sufficient to add this line to the database section:
overlay rwm
IMO this is a serious bug.
ffected by this special processing. Wouldn't it make sense to limit the functionality to
a defined group of broken LDAP clients (by group membership, peer
address check or similar)?
Ciao, Michael.
e or where I can find a description how to proceed?
You can only add new messages to tickets,
mainly by a simple follow-up e-mail preserving the e-mail subject.
From my understanding this is also the accepted way to add an IPR
notice after initial submission.
Ciao, Michael.
Full_Name:
Version:
OS:
URL:
Submission from: (NULL) (213.240.182.26)
There is a stale link in this section of the admin guide:
https://www.openldap.org/doc/admin24/overlays.html#Password%20Policy%20Configuration
Points to https://symas.com/blog/?page_id=66 which says "No Results Found"
In
On 06/20/2018 01:25 PM, Michael Ströder wrote:
> This patch is meant to enhance user experience in case a client software
> is used to maintain data directly via LDAP. This is a real-world issue.
>
> Find the patch against master here:
> https://www.stroeder.com/temp/0001-ITS-88
The ITS is for reporting bugs only.
Please subscribe to the openldap-technical mailing list and post your
usage questions there:
https://www.openldap.org/lists/mm/listinfo/openldap-technical
Ciao, Michael.
On 06/20/2018 01:41 PM, Michael Ströder wrote:
> Ouch! This was not yet complete. I'll come up with a new revision soon.
Please review this patch:
https://www.stroeder.com/temp/0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
Disclaimer: I'm not a C programmer. Th
On 06/20/2018 01:26 PM, mich...@stroeder.com wrote:
> Find the patch against master here:
> https://www.stroeder.com/temp/0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
Ouch! This was not yet complete. I'll come up with a new revision soon.
Ciao, Michael.
Rationale:
This patch is meant to enhance user experience in case a client software
is used to maintain data directly via LDAP. This is a real-world issue.
Find the patch against master here:
https://www.stroeder.com/temp/0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
Also clean
Full_Name:
Version:
OS:
URL:
Submission from: (NULL) (213.240.182.62)
See motivation and disclosure considerations in list archive:
https://www.openldap.org/lists/openldap-devel/201711/msg3.html
Patch will follow.
g to do anyway. Therefore web browsers will also
limit this functionality in the not so far future.
Ciao, Michael.
P.S.:
Due to MIME processing deficiencies of the ITS your messages are
displayed base64-encoded and therefore hard to read:
https://www.openldap.org/its/index.cgi?findid=8846#followup4
should be used.
This also has the advantage that e.g. python-ldap's LDAP URL parser can
also be used for that.
Ideally one could write a very short I-D for such an extension.
Ciao, Michael.
roduct or
> embedded?
>
> If this comes bundled with any other product?
ITS is only used for reporting bugs. Please ask such a question on the
openldap-technical mailing list.
And please do not file the same question several times.
Ciao, Michael.
t or
> embedded?
ITS is only used for reporting bugs. Please ask such a question on the
openldap-technical mailing list.
Ciao, Michael.
stnames. If
they were they would cause more interop issues anyway.
> Therefore I believe such change could only be done in a major release. And at
> that point we might just remove the deprecated '-h' option altogether.
Agreed. 2.5 release should IMO simply remove options -h and -p.
Ciao, Michael.
ether you _allow_ underscores to accommodate some strange setups is
your decision.
Ciao, Michael.
st where you
reach more recipients. So others can answer and learn as well.
https://www.openldap.org/lists/
Ciao, Michael.
ser id.
> Actually, we start it with user uid=10009, gid=0
AFAICT and independent of OpenLDAP's slapd allowing an arbitrary uid to
use gid=0 would be an unauthorized privilege escalation / security hole.
Why don't you use the primary gid of uid=10009
eally literally in
your schema? If you used it as a placeholder herein which OID did you
really use?
Did you eventually change index-related schema config without re-indexing?
Ciao, Michael.
escape
once more for config syntax.
Ciao, Michael.
Canned config available:
https://stroeder.com/temp/openldap-testbed-its8770.tar.gz
Seg faults with 2.4.45 and current RE24 branch:
$ cd openldap-testbed-its8770
$ ./start-slapd.sh
[..]
5a009864 slapd.conf: line 19 (moduleloadback_mdb)
5a009864 loaded module back_mdb
5a009864 mdb_back_init
Full_Name:
Version: RE24
OS:
URL:
Submission from: (NULL) (213.240.182.108)
This leads to a seg fault:
moduleload dsaschema.so
/home/michael/Proj/oath-ldap/oath-ldap-dsa.schema
More information to come...
org/lists/mm/listinfo/openldap-technical
A short hint about escaping, e.g. a comma in DN string representation:
https://tools.ietf.org/html/rfc4514#section-2.4
Note that depending on your client config system more escaping might be
needed because of the config syntax.
Ciao, Michael.
---
stion better to be
discussed on openldap-technical mailing list.
Ciao, Michael.
Full_Name: Michael Ströder
Version:
OS:
URL:
Submission from: (NULL) (217.145.44.194)
In some situations having a "primary" master would be very useful (e.g. where to
assign numeric IDs).
The providers connected with MMR could try to vote a primary master with the
raft algori
steffen.kr...@nexio.de wrote:
> Regarding segmentation fault: that's true, but I have to investigate
> further
Please make sure to install with debug symbols and read how to use gdb
to obtain a stack back trace:
https://www.openldap.org/faq/data/cache/59.html
Ciao, Michael.
str2filter
> "(&(objectClass=*)(!(objectClass=*)))"
IMO it makes perfect sense to treat extended filter part with a
non-supported matching rule as a filter which always evaluates to False.
Ciao, Michael.
.42.2.27.8.5.1 to be missing.
(It's present in all my OpenLDAP servers.)
The original poster asked for another outdated password policy
mechanism.
Ciao, Michael.
sed by your TLS lib.
You could also monitor the DNS traffic. Some resolvers allow switching
on query logging. Or use tcpdump or similar.
And BTW: The most likely answer is that your resolver should
always be up and running. Sometimes a local caching resolver helps
to overcome upstream resolver outage.
Ciao, Michael.
Howard Chu wrote:
> If no one has any other reasons to offer, I'm inclined to reject
> and close this ITS.
Note that the systemd unit file was only a little detail in this
ITS. The most important part is the C code change.
Ciao, Michael.
system layout, not to speak of their systemd
back-port patches.
Ciao, Michael.
P.S.:
Right at this moment I'm trying to figure out the appropriate
Requires and After lines in systemd unit file template in Æ-DIR's
ansible role. And the ansible role has only support for three (and
d flavors.
My suggestion would be to provide an example systemd unit file as
documentation.
Ciao, Michael.
Is there anything wrong with the patch herein?
On 09/06/2017 09:29 AM, Howard Chu wrote:
>
> Learn something about Unix, please.
>
> Use the ps command to verify that the process at least has the correct name.
> The init script should know it's looking for a process named slapd, not init.
>
Supposing we want to copy/paste two or more "ps"
On 09/06/2017 08:29 AM, Howard Chu wrote:
>
>> 4. Someone compromises the daemon, which sits on the open network.
>
> Nobody compromises slapd from the network. There are no buffer overflow
> vulnerabilities, there are no RCE vulnerabilities.
>
Oh, it's one of /those/ daemons.
>>
>> 6. I run
On 09/05/2017 05:38 PM, Ryan Tandy wrote:
>
> If you would like to propose a patch, we could review that. For myself I
> don't think I would attach a high priority to this.
I understand that it's a low priority, I'm just trying to clean up the
hundred or so cases of this that we have in Gentoo.
mich...@stroeder.com wrote:
> If you don't mind I just produce another follow-up patch for the
> man-page.
Find this man-page patch here:
https://www.stroeder.com/temp/0001-ITS-8714-man-page-corrections-regarding-EXTENDED-ope.patch
Ciao, Michael.
This has been assigned CVE-2017-14159.
n.
Ah, yes. Forgot to update the message format in the man-page.
If you don't mind I just produce another follow-up patch for the
man-page.
Ok?
Ciao, Michael.
clear in the man-page but was unsure about the appropriate section.
Ciao, Michael.
tps://www.stroeder.com/temp/0001-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock_rev3.patch
Ciao, Michael.
also download patch file here:
https://www.stroeder.com/temp/0001-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock_rev2.patch
Ciao, Michael.
n: %lu\n", op->oq_bind.rb_cred.bv_len );
fprintf( fp, "cred: %s\n", op->oq_bind.rb_cred.bv_val ); /* XXX */
fprintf( fp, "\n" );
The above should also work with null-bytes, shouldn't it?
Ciao, Michael.
(es) were developed by Michael Ströder. I have not assigned rights and/or interest in
this work to any party.
I, Michael Ströder, hereby place the following modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence, these modifications
may be freely used
Full_Name: Michael Ströder
Version: master / RE24
OS: irrelevant
URL:
Submission from: (NULL) (213.240.182.101)
back-sock should also send extended operations to external listener.
Patch will follow.
dup of ITS#8711
n and let slapd do
the fail-over to another available provider internally.
Ciao, Michael.
The problem scenario looks like the following:
1. I run "/etc/init.d/slapd start" to start the daemon.
2. slapd drops to the "slapd" user.
3. slapd writes its PID file, now owned by the "slapd" user.
4. Someone compromises the daemon, which sits on the open network.
5. The attacker is generall
Full_Name: Michael Orlitzky
Version: 2.4.45
OS: Gentoo
URL:
Submission from: (NULL) (98.218.46.55)
The slapd daemon should create its PID file before dropping privileges. This
represents a minor security issue; additional factors are needed to make it
exploitable.
Why?
The purpose of the PID
(Re-sent without S/MIME sign. for better readability in ITS)
This seems really trivial to fix - even for me. ;-)
I've successfully tested it with Python module slapdsock (and ldif module in
python-ldap 2.4.41+).
I, Michael Ströder, hereby place the following modifications to Ope
dsock (and ldif module in python-ldap 2.4.41+).
I, Michael Ströder, hereby place the following modifications to OpenLDAP Software (and
only these modifications) into the public domain. Hence, these modifications may be
freely used and/or redistributed for any purpose with or without att
Full_Name:
Version:
OS:
URL:
Submission from: (NULL) (85.115.23.42)
back-sock does not generate a MODIFY message with "increment:" line when an LDAP
client sends a modify operation with LDAP_MOD_INCREMENT.
Example of incomplete message (incrementing attribute gidNumber):
---
s) of other
backend(s) is/are also not closed in a controlled manner.
So at least it should properly log a message and shutdown cleanly.
Ciao, Michael.
Full_Name:
Version: 2.4.45
OS: Linux
URL:
Submission from: (NULL) (213.240.182.98)
When using back-sock (database sock) and the external sock listener returns
CONTINUE then slapd seg faults.
Yes, returning CONTINUE is only allowed when using back-sock as overlay.
But slapd should not seg fault
ck-monitor in sub-tree cn=Connections,cn=Monitor. IIRC attribute
'monitorConnectionActivityTime' contains the last client access time on this connection.
(Ummh, I have to add this to my own monitoring script...)
And of course normal system monitoring of file handles would be also helpful.
Ciao,
should kick out your server vendor from doing the OpenLDAP support.
Ciao, Michael.
qua...@symas.com wrote:
> Seems like it would have been better to leave audit* attrs with slapo-auditlog
I was not aware of a specific schema for slapo-auditlog
(except attribute type 'olcAuditlogFile' for back-config).
Ciao, Michael.
issing the reqMod AT
>
> I think you mean slapo-auditlog, not slapo-accesslog?
No, Emmanuel is definitely referring to slapo-accesslog.
Ciao, Michael.
use-case. This also raises the question of whether the IP address list is ordered
and the caller can therefore give a preference for IPv4 or IPv6 (e.g. like
postfix is doing it for out-going SMTP conns).
Ciao, Michael.
kavy...@gmail.com wrote:
> Version: 2.4.33
Note that release 2.4.33 is 4.5 years old.
Many fixes have been applied since then.
Do you still experience the same problem with recent release 2.4.44?
Ciao, Michael.
Please close this misdirected ITS.
FWIW: The patch is still available here in openSUSE's package openldap2:
https://build.opensuse.org/package/view_file/network:ldap/openldap2/0009-Fix-ldap-host-lookup-ipv6.patch?expand=1