Full_Name: Quanah Gibson-Mount
Version: 2.3.24
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.66.155.86)

The slapd.conf manpage states:

       require <conditions>
              Specify a set of conditions (separated by white space) to
              require (default none). The directive may be specified
              globally and/or per-database. bind requires bind operation
              prior to directory operations. LDAPv3 requires session to be
              using LDAP version 3. authc requires authentication prior to
              directory operations. SASL requires SASL authentication prior
              to directory operations. strong requires strong authentication
              prior to directory operations. The strong keyword allows
              protected "simple" authentication as well as SASL
              authentication. none may be used to require no conditions
              (useful for clearly globally set conditions within a
              particular database).

However, if you set require to "none", which it says is possible in the
last sentence there, slapd fails to start with the following error:

line 37 (require none)
/usr/local/etc/openldap/slapd.conf: line 37: <require> unknown feature none
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

--On Friday, June 02, 2006 7:19 PM +0000 quanah@stanford.edu wrote:

> However, if you set require to "none", which it says is possible in the
> last sentence there, slapd fails to start with the following error:
>
> line 37 (require none)
> /usr/local/etc/openldap/slapd.conf: line 37: <require> unknown feature
> none slapd destroy: freeing system resources.
> slapd stopped.
> connections_destroy: nothing to destroy.

It looks like the problem code is here, in bconfig.c:

static int
config_requires(ConfigArgs *c) {
        slap_mask_t requires = 0;
        int i;
        slap_verbmasks requires_ops[] = {
                { BER_BVC("bind"),   SLAP_REQUIRE_BIND },
                { BER_BVC("LDAPv3"), SLAP_REQUIRE_LDAP_V3 },
                { BER_BVC("authc"),  SLAP_REQUIRE_AUTHC },
                { BER_BVC("sasl"),   SLAP_REQUIRE_SASL },
                { BER_BVC("strong"), SLAP_REQUIRE_STRONG },
                { BER_BVNULL, 0 }
        };

It is definitely missing "none" as an option.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

On Fri, 2006-06-02 at 20:17 +0000, quanah@stanford.edu wrote:
>
> --On Friday, June 02, 2006 7:19 PM +0000 quanah@stanford.edu wrote:
>
> > However, if you set require to "none", which it says is possible in the
> > last sentence there, slapd fails to start with the following error:
> >
> > line 37 (require none)
> > /usr/local/etc/openldap/slapd.conf: line 37: <require> unknown feature
> > none slapd destroy: freeing system resources.
> > slapd stopped.
> > connections_destroy: nothing to destroy.
>
>
> It looks like the problem code is here, in bconfig.c:
>
> static int
> config_requires(ConfigArgs *c) {
>         slap_mask_t requires = 0;
>         int i;
>         slap_verbmasks requires_ops[] = {
>                 { BER_BVC("bind"),   SLAP_REQUIRE_BIND },
>                 { BER_BVC("LDAPv3"), SLAP_REQUIRE_LDAP_V3 },
>                 { BER_BVC("authc"),  SLAP_REQUIRE_AUTHC },
>                 { BER_BVC("sasl"),   SLAP_REQUIRE_SASL },
>                 { BER_BVC("strong"), SLAP_REQUIRE_STRONG },
>                 { BER_BVNULL, 0 }
>         };
>
>
> It is definitely missing "none" as an option.

"none" needs special handling. config_requires() uses verbs_to_mask(),
which ORs mask items, while the use of "none" in "requires", according to
the man page, consists in resetting bits already present in the mask. If
we agree that verbs_to_mask() should:

- OR the selected bit if != 0
- clear out all mask if == 0

then the fix is trivial in input, provided we place the 0-valued case
first in the array of choices.

However, the EMIT case will be a bit more complicated. Currently, if the
mask is zero, it is simply skipped, while, according to slapd.conf, "none"
should actually clear out any value in the mask. The current code will not
emit any olcRequires value instead of a single "olcRequires: none" for
those databases that have "requires" explicitly set to "none".

I can fix this behavior by changing verbs_to_mask() and mask_to_verbs(),
but I fear this could break the behavior of other config stuff that relies
on the current behavior of those functions.

p.

Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------

changed notes
changed state Open to Feedback

I suggest this patch
<http://www.sys-net.it/~ando/Download/pierangelo-masarati-2006-06-03-its4574.patch>;
I have no means to check if it breaks anything else in back-config.

p.

Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------

--On Saturday, June 03, 2006 2:48 PM +0000 ando@sys-net.it wrote:

> I suggest this patch <http://www.sys-net.it/~ando/Download/pierangelo-
> masarati-2006-06-03-its4574.patch>; I have no means to check if it
> breaks anything else in back-config.

Me either... Any suggested ways to proceed on this?

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

>
>
> --On Saturday, June 03, 2006 2:48 PM +0000 ando@sys-net.it wrote:
>
>> I suggest this patch <http://www.sys-net.it/~ando/Download/pierangelo-
>> masarati-2006-06-03-its4574.patch>; I have no means to check if it
>> breaks anything else in back-config.
>
> Me either... Any suggested ways to proceed on this?

A couple of comments here: we don't need here to allow too much freedom
and generality in configuration. Note that these comments might apply to
other configuration bits. Basically we have:

slapd.conf: databases inherit from global; per-databases statements are
additive, except "none" that clears out the value. So if the intersection
of any database's value with the global value is not equal to the global
value, one needs to clear out the global value first, and then add the
per-database values

back-config: each per-database value needs be added explicitly; if a new
database is created, it inherits from global (FIXME: is this correct?
check) and then it can be modified to reflect additions or modifications.

So we need the "none" capability in slapd.conf to allow elimination of
inheritance, but we don't need it in back-config because we already have
the modify semantics of LDIF (delete, replace and so) whose granularity is
even finer. Actually, in back-config "none" shouldn't even be allowed,
otherwise we'd need X-ORDERING as well: the result of using "none" depends
on when it occurs with respect to the other values (i.e. a "none" as first
value would be irrelevant, while a "none" as last value would make all the
others irrelevant).

If this discussion is correct, then we could simply handle "none"
specially (and maybe require it to appear as the first value), and leave
the rest as is.

p.

Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------

changed notes
changed state Feedback to Test
moved from Incoming to Software Bugs

Actually, slapd is contradicting the man page since databases do not
inherit from global. I'm fixing this (and the docs) so that databases do
inherit, but "none" can appear as the first value to clear out all values
inherited from global.

A fix is now in HEAD, please test as usual.

p.

Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------

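The semantics discussed in this thread, as an added example (not the code committed to HEAD and not the linked patch): per-database "require" words are ORed onto the mask inherited from global, "none" is accepted only as the first word and clears the inherited bits, and the emit side writes "none" first whenever a database dropped a global bit. The bit values, function names and case-insensitive matching are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed bit values for illustration; not OpenLDAP's SLAP_REQUIRE_* definitions. */
enum { REQ_BIND = 1, REQ_LDAPV3 = 2, REQ_AUTHC = 4, REQ_SASL = 8, REQ_STRONG = 16 };
struct verb { const char *word; unsigned mask; };
static const struct verb verbs[] = {   /* the 0-valued "none" is listed first */
    { "none", 0 }, { "bind", REQ_BIND }, { "LDAPv3", REQ_LDAPV3 }, { "authc", REQ_AUTHC },
    { "sasl", REQ_SASL }, { "strong", REQ_STRONG }, { NULL, 0 } };

/* Case-insensitive match (assumption: the man page writes "SASL", the table "sasl"). */
static int word_eq(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Parse one database "require" line on top of the mask inherited from global.
 * Returns -1 for an unknown word or a "none" that is not the first word. */
int parse_require(unsigned inherited, int argc, const char *const *argv, unsigned *out) {
    unsigned mask = inherited;
    for (int i = 0; i < argc; i++) {
        const struct verb *v = verbs;
        while (v->word && !word_eq(argv[i], v->word)) v++;
        if (!v->word || (v->mask == 0 && i != 0)) return -1;
        mask = v->mask ? (mask | v->mask) : 0;   /* OR a bit in, or clear everything */
    }
    *out = mask;
    return 0;
}

/* Emit the words that reproduce db under inheritance: if db dropped any global
 * bit, "none" must come first, followed by every bit db still requires. */
int emit_require(unsigned global, unsigned db, char *buf, size_t len) {
    int reset = (db & global) != global;
    unsigned todo = reset ? db : (db & ~global);
    size_t used = (size_t)snprintf(buf, len, "%s", reset ? "none" : "");
    for (const struct verb *v = verbs; v->word && used < len; v++)
        if (todo & v->mask)
            used += (size_t)snprintf(buf + used, len - used, "%s%s", used ? " " : "", v->word);
    return used < len ? 0 : -1;   /* -1: buffer too small, output truncated */
}

int main(void) {
    char line[64];
    if (emit_require(REQ_BIND | REQ_AUTHC, REQ_SASL, line, sizeof line) == 0)
        printf("require %s\n", line);
    return 0;
}
```

A misplaced "none" is rejected instead of being silently applied, so a database section cannot drop the global authentication requirements through word ordering alone.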
changed notes changed state Test to Closed
moved from Software Bugs to Archive.Software Bugs
fixed differently in HEAD/2.3.25