
Re: Re : Re: (ITS#7676) OpenLDAP 2.4.36 slapd crash with "assertion failed" message



"POISSON Frédéric" wrote:
> Hello all,
>
> Thanks first for the patch, I have applied it on my own build of 2.4.36 but I
> now have a strange behavior: slapd does not crash but it refuses operations.
>
> First here is the diff after applying the patch:
> $ diff ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c
> ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c.orig
> 3795d3794
> <               slap_tls_ctx = NULL;
> 3804,3808d3802
> <               } else {
> <                       if ( rc == LDAP_NOT_SUPPORTED )
> <                               rc = LDAP_UNWILLING_TO_PERFORM;
> <                       else
> <                               rc = LDAP_OTHER;
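
Review bot: in the else branch added at 3804-3808, every failure is reduced to LDAP_UNWILLING_TO_PERFORM or LDAP_OTHER and nothing in these lines logs the original rc or returns a diagnostic message, so the client only sees the bare "Server is unwilling to perform (53)" reported below. Consider logging the original code, or setting a message that names the rejected TLS setting, before remapping rc. Note that this diff was taken with the patched file first, so the `<` lines are the ones the patch adds.
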
>
> Now when I add or replace only the attribute olcTLSRandFile on cn=config I get:
>
> ldap_modify: Server is unwilling to perform (53)
>
>
> When I replace the following values in this order with 4 actions/operations or
> with a single action/operation it works:
>
> dn: cn=config
> changetype: modify
> replace: olcTLSCACertificateFile
> olcTLSCACertificateFile: /usr/products/openldap/etc/openldap-single/tls/cacert.pem
> -
> replace: olcTLSCertificateFile
> olcTLSCertificateFile: /usr/products/openldap/etc/openldap-single/tls/cert.pem
> -
> replace: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /usr/products/openldap/etc/openldap-single/tls/key.pem
> -
> replace: olcTLSRandFile
> olcTLSRandFile: /dev/random
>
> But it doesn't work with only olcTLSRandFile if I do an add or replace first, why?
>
> What do you need for investigation?

There's nothing to investigate, this works as designed. The config engine 
requires your TLS configuration to be valid when you configure it. That means 
at a minimum you must configure a server cert and key. If you only configure 
the randfile and nothing else, the config is rejected.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
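
A pre-flight check for the rule described in the reply above, as an added example that is not part of the original thread and is not slapd code: it applies a `changetype: modify` record to the current cn=config attributes and reports whether the result would carry TLS settings without a server certificate and key. The function names are hypothetical, and the only rule modelled is the one the reply states (assumption: any olcTLS* setting counts as configuring TLS).

```python
# Added example, not slapd code. Assumption: the only rule modelled is the one
# stated in the reply: any olcTLS* setting requires a server cert and key.
REQUIRED = ("olctlscertificatefile", "olctlscertificatekeyfile")

def apply_modify(current, ldif):
    """Apply one 'changetype: modify' record to {attr: [values]}."""
    state = {k.lower(): list(v) for k, v in current.items()}
    op = attr = None
    pending = []
    for raw in ldif.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-":                       # separator between modifications
            op = attr = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ("dn", "changetype"):
            continue
        if key in ("add", "replace", "delete"):
            op, attr = key, value.lower()
            if op == "replace":
                state[attr] = []
            elif op == "delete":              # whole attribute unless values follow
                pending = state.pop(attr, [])
        elif key == attr and op == "delete":  # delete only the listed value
            state[attr] = [v for v in state.get(attr, pending) if v != value]
        elif key == attr:
            state.setdefault(attr, []).append(value)
    return state

def tls_change_ok(current, ldif):
    """Return (ok, missing) for the configuration the change would produce."""
    after = apply_modify(current, ldif)
    has_tls = any(k.startswith("olctls") and v for k, v in after.items())
    missing = [a for a in REQUIRED if not after.get(a)]
    ok = not has_tls or not missing
    return ok, ([] if ok else missing)

# Constructed inputs; the paths are the ones quoted in the thread.
TLS_DIR = "/usr/products/openldap/etc/openldap-single/tls"
RAND_ONLY = "dn: cn=config\nchangetype: modify\nreplace: olcTLSRandFile\nolcTLSRandFile: /dev/random\n"
FULL = (RAND_ONLY + "-\nreplace: olcTLSCertificateFile\n"
        f"olcTLSCertificateFile: {TLS_DIR}/cert.pem\n-\nreplace: olcTLSCertificateKeyFile\n"
        f"olcTLSCertificateKeyFile: {TLS_DIR}/key.pem\n")

if __name__ == "__main__":
    print(tls_change_ok({}, RAND_ONLY))
    print(tls_change_ok({}, FULL))
```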