Issue 8267 - contributing a new overlay unicodepw
Summary: contributing a new overlay unicodepw
Status: UNCONFIRMED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: contrib
Version: unspecified
Hardware: All
OS: All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-10 19:32 UTC by ingo.voss@gmail.com
Modified: 2021-02-12 12:06 UTC
CC List: 0 users

See Also:


Attachments
tar of the module (30.00 KB, application/x-tar), 2021-02-05 20:16 UTC, Quanah Gibson-Mount
updated version of the module (23.00 KB, application/x-tar), 2021-02-05 20:19 UTC, Quanah Gibson-Mount

Description ingo.voss@gmail.com 2015-10-10 19:32:21 UTC
Full_Name: Ingo Voss
Version: 
OS: 
URL: ftp://ftp.openldap.org/incoming/contrib-slapd-modules-unicodepw.tar
Submission from: (NULL) (78.53.86.212)


Hello,

I wrote a small overlay that restricts all LDAP modification requests, so that
only password changes for MS unicodePwd are possible.
All other LDAP requests will not be observed.
If someone needs a read-only proxy (e.g. in a DMZ) for an MS Active Directory,
but password changes must be possible, then unicodepw is the right overlay.
For more information, a manual page is included.

Kind regards

Ingo Voss
Comment 1 ingo.voss@gmail.com 2015-10-11 18:33:54 UTC
Hello,

after rereading, I've made a few changes to the manual page, so that
the old tar package can be discarded.
Please use instead the old package now:
ftp://ftp.openldap.org/incoming/contrib-slapd-modules-unicodepw-151011.tar

Thanks,
kind regards

Ingo Voss

Comment 2 Howard Chu 2015-10-17 18:58:13 UTC
ingo.voss@gmail.com wrote:
> Full_Name: Ingo Voss
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/contrib-slapd-modules-unicodepw.tar
> Submission from: (NULL) (78.53.86.212)
>
>
> Hello,
>
> I wrote a small overlay that restricts all LDAP modification requests, so that
> only password changes for MS unicodePwd are possible.
> All other LDAP requests will not be observed.
> If someone needs a read-only proxy (e.g. in a DMZ) for an MS Active Directory,
> but password changes must be possible, then unicodepw is the right overlay.
> For more information, a manual page is included.

If you want a read-only proxy, shouldn't this overlay also intercept and deny 
all Add/Delete/ModDN requests?

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 3 ingo.voss@gmail.com 2015-10-18 15:23:47 UTC

On 17.10.2015 at 20:58, Howard Chu wrote:
> If you want a read-only proxy, shouldn't this overlay also intercept 
> and deny all Add/Delete/ModDN requests?
>

Yes, you are right! But such an overlay (denyop) already exists and it is
working well.
The manual page for unicodepw refers to denyop and describes the
complete configuration in detail.

Kind regards
Ingo
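
The modify-filtering policy the thread is discussing, as an added example that is not code from the unicodepw overlay or from OpenLDAP: the decision a "password changes only" overlay would take in its modify hook, written as a plain C function over a simplified modification list so it compiles and runs without slapd headers (in a real overlay the same check would run over `op->orm_modlist` from the `bi_op_modify` handler). The names `pw_policy_check`, `mod_t` and `sample_result`, the two accepted request shapes (a single replace for an administrative reset, or delete-then-add for a user-initiated change, modelled on how AD takes the old and new value), the `verbose` switch and the sample requests are all this example's own assumptions, not the overlay's.

```c
/*
 * Added example, not code from the unicodepw overlay or from OpenLDAP.
 * pw_policy_check() is the decision a "password changes only" overlay
 * would take in its modify hook, over a simplified modification list
 * (hypothetical mod_t) instead of slapd's Modifications chain.
 */
#include <stdio.h>
#include <stddef.h>
#include <ctype.h>

#define LDAP_SUCCESS              0x00
#define LDAP_UNWILLING_TO_PERFORM 0x35

enum mod_op { MOD_ADD, MOD_DELETE, MOD_REPLACE };

typedef struct {
    const char *attr;   /* attribute type of this modification */
    enum mod_op op;
} mod_t;

/* LDAP attribute types are case-insensitive; ASCII compare is enough here. */
static int attr_equal_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/*
 * Returns LDAP_SUCCESS if the whole Modify request is a unicodePwd change
 * of one of two accepted shapes (this example's policy):
 *   - one REPLACE                (administrative reset)
 *   - one DELETE then one ADD    (user change: old value out, new value in)
 * Anything else, including a unicodePwd change bundled with any other
 * attribute, is rejected as a whole with unwillingToPerform (53): an LDAP
 * Modify is atomic, so it must not be applied partially.
 * verbose models the overlay's logging switch: 0 keeps the default
 * loglevel quiet, 1 reports each accepted password change.
 */
int pw_policy_check(const mod_t *mods, size_t n, int verbose)
{
    size_t i, n_add = 0, n_del = 0, n_repl = 0;

    if (mods == NULL || n == 0)
        return LDAP_UNWILLING_TO_PERFORM;   /* nothing to allow */

    for (i = 0; i < n; i++) {
        if (mods[i].attr == NULL || !attr_equal_ci(mods[i].attr, "unicodePwd"))
            return LDAP_UNWILLING_TO_PERFORM;   /* touches another attribute */
        switch (mods[i].op) {
        case MOD_ADD:     n_add++;  break;
        case MOD_DELETE:  n_del++;  break;
        case MOD_REPLACE: n_repl++; break;
        default:          return LDAP_UNWILLING_TO_PERFORM;
        }
    }

    if ((n == 1 && n_repl == 1) ||
        (n == 2 && n_del == 1 && n_add == 1 && mods[0].op == MOD_DELETE)) {
        if (verbose)
            fprintf(stderr, "unicodepw: %s password change allowed\n",
                    n == 1 ? "administrative" : "user-initiated");
        return LDAP_SUCCESS;
    }
    return LDAP_UNWILLING_TO_PERFORM;
}

/* Constructed sample requests (not captured traffic). */
static const mod_t s_reset[]   = { { "unicodePwd", MOD_REPLACE } };
static const mod_t s_change[]  = { { "unicodePwd", MOD_DELETE },
                                   { "unicodePwd", MOD_ADD } };
static const mod_t s_reverse[] = { { "unicodePwd", MOD_ADD },
                                   { "unicodePwd", MOD_DELETE } };
static const mod_t s_other[]   = { { "description", MOD_REPLACE } };
static const mod_t s_bundle[]  = { { "unicodePwd", MOD_REPLACE },
                                   { "userAccountControl", MOD_REPLACE } };
static const mod_t s_case[]    = { { "UNICODEPWD", MOD_REPLACE } };

#define SAMPLE_COUNT 6

/* Result code for sample idx (0..SAMPLE_COUNT-1), -1 if out of range. */
int sample_result(int idx)
{
    switch (idx) {
    case 0: return pw_policy_check(s_reset,   1, 0);
    case 1: return pw_policy_check(s_change,  2, 0);
    case 2: return pw_policy_check(s_reverse, 2, 0);
    case 3: return pw_policy_check(s_other,   1, 0);
    case 4: return pw_policy_check(s_bundle,  2, 0);
    case 5: return pw_policy_check(s_case,    1, 0);
    default: return -1;
    }
}

int main(void)
{
    static const char *names[SAMPLE_COUNT] = {
        "admin reset", "user change", "add before delete",
        "other attribute", "pwd + userAccountControl", "upper-case attr"
    };
    int i;
    for (i = 0; i < SAMPLE_COUNT; i++)
        printf("%-26s -> %s\n", names[i],
               sample_result(i) == LDAP_SUCCESS ? "allowed" : "denied (53)");
    return 0;
}
```

The `s_bundle` case is the one to watch: a request that pairs a unicodePwd replace with a userAccountControl change must be refused as a whole, otherwise the "password-only" proxy becomes a general write path (for instance clearing an account-disabled flag alongside a reset). The check covers Modify only, so Add, Delete and ModDN still have to be blocked separately, as the thread says denyop does. Independently of the overlay, Active Directory accepts a unicodePwd modification only over an encrypted connection, so the proxy's own connection to the domain controller must use TLS.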

Comment 4 Howard Chu 2015-10-25 08:28:20 UTC
Ingo Voss wrote:
>
>
> On 17.10.2015 at 20:58, Howard Chu wrote:
>> If you want a read-only proxy, shouldn't this overlay also intercept and
>> deny all Add/Delete/ModDN requests?
>>
>
> Yes, you are right! But such an overlay (denyop) already exists and it is working
> well.
> The manual page for unicodepw refers to denyop and describes the complete
> configuration in detail.

OK.

This code is full of C++ comments. OpenLDAP uses C comments only.

This code is full of SPACEs for indentation. OpenLDAP uses TAB characters for 
indentation, with 4-column tab stops.

Your debug messages are using STATS debug level. STATS is reserved for LDAP 
operation/parameter logging only and is the default level. Code should be 
silent at the default level unless major errors have occurred.

This code cannot be accepted in its current form.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 5 Howard Chu 2015-10-25 08:31:56 UTC
changed state Open to Feedback
Comment 6 ingo.voss@gmail.com 2015-11-05 11:09:49 UTC
2015-10-25 9:28 GMT+01:00 Howard Chu <hyc@symas.com>:
> Ingo Voss wrote:
>>
>>
>>
>> On 17.10.2015 at 20:58, Howard Chu wrote:
>>> If you want a read-only proxy, shouldn't this overlay also intercept and
>>> deny all Add/Delete/ModDN requests?
>>>
>>
>> Yes, you are right! But such an overlay (denyop) already exists and it is
>> working well.
>> The manual page for unicodepw refers to denyop and describes the complete
>> configuration in detail.
>
>
> OK.
>
> This code is full of C++ comments. OpenLDAP uses C comments only.
>
> This code is full of SPACEs for indentation. OpenLDAP uses TAB characters
> for indentation, with 4-column tab stops.

OK, I'll change that.

>
> Your debug messages are using STATS debug level. STATS is reserved for LDAP
> operation/parameter logging only and is the default level. Code should be
> silent at the default level unless major errors have occurred.

Can you please advise which log level should be used for such
security-related messages?
The messages are only logged if a password is changed. (Normally,
password changes are very rare and make little noise.)

Thanks, Ingo

Comment 7 Quanah Gibson-Mount 2017-03-29 22:44:50 UTC
moved from Incoming to Contrib
Comment 8 Quanah Gibson-Mount 2021-02-05 20:16:18 UTC
moving to unconfirmed, user requested more info and was never answered.

If this is still of interest, I suggest creating a merge request for the overlay in the gitlab instance (https://git.openldap.org) so a proper modern review can be done.
Comment 9 Quanah Gibson-Mount 2021-02-05 20:16:45 UTC
Created attachment 791 [details]
tar of the module
Comment 10 Quanah Gibson-Mount 2021-02-05 20:19:20 UTC
Created attachment 792 [details]
updated version of the module
Comment 11 ingo.voss@gmail.com 2021-02-05 21:47:00 UTC
Hello Quanah,

in 2015, I removed all spaces and added a new switch to turn off the noisy
logging. But my question was never answered.
I would be pleased if you added the module to contrib.
Where can I upload the latest, corrected version?

We have been using that module since 2015 without any problems.

Kind regards,
Ingo

Comment 12 Quanah Gibson-Mount 2021-02-05 21:50:16 UTC
Hi Ingo,

Please open a merge request in our gitlab instance:

https://git.openldap.org/

so that the contribution can be reviewed, etc.

You will also need to add a rights statement to this ITS as documented at https://www.openldap.org/devel/contributing.html#notice
Comment 13 Howard Chu 2021-02-05 21:56:18 UTC
(In reply to ingo.voss@gmail.com from comment #11)
> Hello Quanah,
> 
> in 2015, I removed all spaces and added a new switch to turn off the noisy
> logging. But my question was never answered.
> I would be pleased if you added the module to contrib.
> Where can I upload the latest, corrected version?
> 
> We have been using that module since 2015 without any problems.

If the excessive logging can be disabled then it's fine using STATS loglevel.
Comment 14 ingo.voss@gmail.com 2021-02-12 12:06:35 UTC
Hello Quanah,

I've created a merge request
https://git.openldap.org/openldap/openldap/-/merge_requests/232

Here is my rights statement:
"The attached patch file is derived from OpenLDAP Software.
All of the modifications to OpenLDAP Software represented in
the following patch(es) were developed by Ingo Voss ingo.voss@gmail.com
I have not assigned rights and/or interest in this work to any party."

Thanks,  Ingo
