4.204. openldap
Updated openldap packages that fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.
Bug Fixes
- BZ#717738
- In a utility which uses both the OpenLDAP and Mozilla NSS (Network Security Services) libraries, OpenLDAP validates the TLS peer and the certificate is cached by the Mozilla NSS library. The utility then sometimes terminated unexpectedly on the NSS_Shutdown() function call because the client certificate was not freed and the cache could not be destroyed. With this update, the peer certificate is freed in the OpenLDAP library after certificate validation is finished, all cache entries can now be deleted properly, and the NSS_Shutdown() call now succeeds as expected.
- BZ#726984
- When a program used the OpenLDAP library to securely connect to an LDAP server using SSL/TLS, while the server was using a certificate with a wildcarded common name (for example CN=*.example.com), the connection to the server failed. With this update, the library has been fixed to verify wildcard hostnames used in certificates correctly, and the connection to the server now succeeds if the wildcard common name matches the server name.
- BZ#727533
- Previously, if an OpenLDAP server was installed with an SQL back end, the server terminated unexpectedly after a few operations. An upstream patch, which updates the data types used for storing the length of the values passed through the ODBC (Open Database Connectivity) interface, has been provided to address this issue. Now, the server no longer crashes when the SQL back end is used.
- BZ#684810
- The slapd-config(5) and ldap.conf(5) manual pages contained incorrect information about TLS settings. This update adds new TLS documentation relevant for the Mozilla NSS cryptographic library.
- BZ#698921
- When an LDIF (LDAP Data Interchange Format) input file was passed to the ldapadd utility or another openldap client tool, and the file was not terminated by a newline character, the client terminated unexpectedly. With this update, client utilities are able to properly handle such LDIF files, and the crashes no longer occur in the described scenario.
- BZ#701227
- When an LDIF (LDAP Data Interchange Format) input file was passed to the ldapadd utility or another openldap client tool, and a line in the file was split into two lines but was missing the correct indentation (the second line has to be indented by one space character), the client terminated unexpectedly. With this update, client utilities are able to properly handle such LDIF files, and the crashes no longer occur in the described scenario.
- BZ#709407
- When an OpenLDAP server was under heavy load or multiple replicating OpenLDAP servers were running, and, at the same time, TLS/SSL mode with certificates in PEM (Privacy Enhanced Mail) format was enabled, a race condition caused the server to terminate unexpectedly after a random amount of time (ranging from minutes to weeks). With this update, a mutex has been added to the code to protect calls of thread-unsafe Mozilla NSS functions dealing with PEM certificates, and the crashes no longer occur in the described scenario.
- BZ#712358
- When the openldap-servers package was installed on a machine while the initscripts package was not already installed, some scriptlets terminated during installation and error messages were returned. With this update, initscripts has been defined as a required package for openldap-servers, and no error messages are now returned in the described scenario.
- BZ#713525
- When an openldap client had the TLS_REQCERT option set to never and the TLS_CACERTDIR option set to an empty directory, TLS connection attempts to a remote server failed as TLS could not be initialized on the client side. Now, TLS_CACERTDIR errors are ignored when TLS_REQCERT is set to never, thus fixing this bug.
- BZ#722923
- When a slapd.conf file was converted into a new slapd.d directory while the constraint overlay was in place, the constraint_attribute option of the size or count type was converted to the olcConstraintAttribute option with its value part missing. A patch has been provided to address this issue and constraint_attribute options are now converted correctly in the described scenario.
- BZ#722959
- When an openldap client had the TLS_REQCERT option set to never and the remote LDAP server used a certificate issued by a CA (Certificate Authority) whose certificate had expired, connection attempts to the server failed due to the expired certificate. Now, expired CA certificates are ignored when TLS_REQCERT is set to never, thus fixing this bug.
- BZ#723487
- Previously, the openldap package compilation log file contained warning messages returned by strict-aliasing rules. These warnings indicated that unexpected runtime behavior could occur. With this update, the -fno-strict-aliasing option is passed to the compiler to avoid optimizations that can produce invalid code, and no warning messages are now returned during the package compilation.
- BZ#723514
- Previously, the olcDDStolerance option was shortening the TTL (time to live) of dynamic entries instead of prolonging it. Consequently, when an OpenLDAP server was configured with the dds overlay and the olcDDStolerance option was enabled, the dynamic entries were deleted before their TTL expired. A patch has been provided to address this issue and the real lifetime of a dynamic entry is now calculated properly, as described in the documentation.
- BZ#729087
- When a utility used the OpenLDAP library and TLS to connect to a server, and the library failed to verify a certificate or a key, a memory leak occurred in the tlsm_find_and_verify_cert_key() function. Now, certificates and keys are properly disposed of when their verification fails, and memory leaks no longer occur in the described scenario.
- BZ#729095
- When the olcVerifyClient option was set to allow in an OpenLDAP server or the TLS_REQCERT option was set to allow in a client utility, while the remote peer certificate was invalid, the OpenLDAP server/client connection failed. With this update, invalid remote peer certificates are ignored when allow is set, and connections can now be established in the described scenario.
- BZ#731168
- When multiple TLS operations were performed by clients or other replicated servers, with the openldap-servers package installed and TLS enabled, the server terminated unexpectedly. With this update, a mutex has been added to the code to protect calls of thread-unsafe Mozilla NSS initialization functions, and the crashes no longer occur in the described scenario.
- BZ#732001
- When the openldap-servers package was being installed on a server for the first time, a redundant and confusing / character was printed during the installation. With this update, the responsible RPM scriptlet has been fixed and the / character is no longer printed in the described scenario.
- BZ#723521
- Previously, the slapo-unique manual page was missing information about quoting the keywords and URIs (uniform resource identifiers), and the attribute parameter was not described in the section about unique_strict configuration options. A patch has been provided to address these issues and the manual page is now up to date.
- BZ#742592
- Previously, when the openldap-servers package was installed, host-based ACLs did not work. With this update, the configuration flags that enable TCP wrappers have been updated, and host-based ACLs now work as expected.
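The two LDIF crashes above (BZ#698921, a file with no trailing newline; BZ#701227, a split line without its one-space indentation) come down to how an LDIF reader treats line endings and continuation lines. The following added example is not OpenLDAP's code: it is a small reader written for this page that follows the RFC 2849 folding rule, copes with a missing final newline, and reports an unindented split line as an error instead of crashing; the sample LDIF is constructed and the DNs are placeholders.

```python
import base64

# Constructed sample (not from the page): a folded description line and no newline at EOF.
SAMPLE_LDIF = (
    "dn: uid=jdoe,ou=People,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "description: a long value that is folded\n"
    "  across two lines\n"  # first space marks the fold, second is part of the data
    "jpegPhoto:: aGVsbG8=\n"  # "::" introduces a base64-encoded value
    "\n"
    "dn: cn=admins,ou=Groups,dc=example,dc=com\n"
    "objectClass: groupOfNames\n"
    "member: uid=jdoe,ou=People,dc=example,dc=com"  # no trailing newline
)

def unfold(text: str) -> list[str]:
    """Drop comments and join continuation lines onto the line they continue.
    splitlines() handles a missing final newline; blank lines stay as separators."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" "):
            if not lines or lines[-1] == "":
                raise ValueError("continuation line with nothing to continue")
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Return one {attribute: [values]} dict per record. A split line missing its
    one-space indentation (the BZ#701227 case) has no ':' and is reported, not crashed on."""
    records: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for n, line in enumerate(unfold(text) + [""], 1):  # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"logical line {n}: {line!r} has no 'attribute:' prefix")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return records
```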
Enhancements
- BZ#730311
- Previously, when a connection to an LDAP server was created by specifying the search root DN (distinguished name) instead of the server hostname, the SRV records in DNS were requested and a list of LDAP server hostnames was generated. The servers were then queried in the order in which the DNS server returned them, but the priority and weight of the records were ignored. This update adds support for the priority and weight of DNS SRV records, and the servers are now queried according to their priority and weight, as required by RFC 2782.
- BZ#712494
- In the default installation of the openldap-servers package, the configuration database (cn=config) could only be modified manually when the slapd daemon was not running. With this update, the ldapi:/// interface has been enabled by default, and the ACLs (access control lists) now allow the root user to modify the server configuration with the OpenLDAP client tools without stopping the server, provided the user is authenticated using ldapi:/// and the SASL/EXTERNAL mechanism.
- BZ#723999
- The openldap package was compiled without RELRO (read-only relocations) flags and was therefore vulnerable to various attacks based on overwriting ELF sections of a program. To increase the security of the package, the openldap spec file has been modified to use the -Wl,-z,relro flags when compiling the package. The openldap package is now provided with partial RELRO protection.
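The RFC 2782 ordering that BZ#730311 adds is easy to get wrong, so here is the selection rule written out as an added example (not OpenLDAP's code): records are grouped by priority, lowest first, and within one priority each next server is drawn at random with probability proportional to its weight, zero-weight records being placed first so they are picked only when the draw is 0. The SRV answer below is constructed and its hostnames are placeholders; the randint parameter exists only so the choice can be made deterministic in tests.

```python
import random
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

# Constructed answer for a hypothetical _ldap._tcp.example.com lookup, in the
# arbitrary order a resolver might return it. Hostnames are placeholders.
SAMPLE_SRV = [
    SrvRecord(20, 0, 389, "ldap-backup.example.com"),  # fallback priority
    SrvRecord(10, 60, 389, "ldap1.example.com"),
    SrvRecord(10, 20, 389, "ldap2.example.com"),
    SrvRecord(10, 20, 389, "ldap3.example.com"),
]

def order_srv(records: List[SrvRecord],
              randint: Callable[[int, int], int] = random.randint) -> List[SrvRecord]:
    """Order SRV records as RFC 2782 prescribes: lowest priority first; within one
    priority, repeatedly pick by weighted random selection, with weight-0 records
    placed first so they are chosen only when the draw is 0."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            group.sort(key=lambda r: r.weight != 0)  # stable sort: zero weights first
            total = sum(r.weight for r in group)
            draw = randint(0, total)  # uniform in [0, total] inclusive
            running = 0
            for rec in group:
                running += rec.weight
                if running >= draw:  # first record whose running sum reaches the draw
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered

def first_choice_counts(records: List[SrvRecord], trials: int, seed: int = 1) -> dict:
    """Count how often each target is contacted first over many seeded orderings;
    weights 60/20/20 within priority 10 should come out roughly 3:1:1."""
    rng = random.Random(seed)
    counts: dict = {}
    for _ in range(trials):
        first = order_srv(records, rng.randint)[0].target
        counts[first] = counts.get(first, 0) + 1
    return counts
```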
Users of openldap are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.