4.204. openldap

Bug Fixes

BZ#717738

In a utility which uses both OpenLDAP and Mozilla NSS (Network Security Services) libraries, OpenLDAP validates TLS peer and the certificate is cached by Mozilla NSS library. The utility then sometimes terminated unexpectedly on the NSS_Shutdown() function call because the client certificate was not freed and the cache could not be destroyed. With this update, the peer certificate is freed in OpenLDAP library after certificate validation is finished, all cache entries can now be deleted properly, and the NSS_Shutdown() call now succeeds as expected.

BZ#726984

When a program used the OpenLDAP library to securely connect to an LDAP server using SSL/TLS, while the server was using a certificate with a wildcarded common name (for example CN=*.example.com), the connection to the server failed. With this update, the library has been fixed to verify wildcard hostnames used in certificates correctly, and the connection to the server now succeeds if the wildcard common name matches the server name.

BZ#727533

Previously, if an OpenLDAP server was installed with an SQL back end, the server terminated unexpectedly after a few operations. An upstream patch, which updates data types for storing the length of the values by using the ODBC (Open Database Connectivity) interface, has been provided to address this issue. Now, the server no longer crashes when the SQL back end is used.

BZ#684810

The slapd-config(5) and ldap.conf(5) manual pages contained incorrect information about TLS settings. This update adds new TLS documentation relevant for the Mozilla NSS cryptographic library.

BZ#698921

When an LDIF (LDAP Data Interchange Format) input file was passed to the ldapadd utility or another openldap client tool, and the file was not terminated by a newline character, the client terminated unexpectedly. With this update, client utilities are able to properly handle such LDIF files, and the crashes no longer occur in the described scenario.

BZ#701227

When an LDIF (LDAP Data Interchange Format) input file was passed to the ldapadd utility or another openldap client tool, and a line in the file was split into two lines but was missing correct indentation (the second line has to be indented by one space character), the client terminated unexpectedly. With this update, client utilities are able to properly handle such filetype LDIF files, and the crashes no longer occur in the described scenario.

BZ#709407

When an OpenLDAP server was under heavy load or multiple replicating OpenLDAP servers were running, and, at the same time, TLS/SSL mode with certificates in PEM (Privacy Enhanced Mail) format was enabled, a race condition caused the server to terminate unexpectedly after a random amount of time (ranging from minutes to weeks). With this update, a mutex has been added to the code to protect calls of thread-unsafe Mozilla NSS functions dealing with PEM certificates, and the crashes no longer occur in the described scenario.

BZ#712358

When the openldap-servers package was installed on a machine while the initscript package was not already installed, some scriptlets terminated during installation and error messages were returned. With this update, initscripts have been defined as a required package for openldap-servers, and no error messages are now returned in the described scenario.

BZ#713525

When an openldap client had the TLS_REQCERT option set to never and the TLS_CACERTDIR option set to an empty directory, TLS connection attempts to a remote server failed as TLS could not be initialized on the client side. Now, TLS_CACERTDIR errors are ignored when TLS_REQCERT is set to never, thus fixing this bug.

BZ#722923

When a slapd.conf file was converted into a new slapd.d directory while the constraint overlay was in place, the constraint_attribute option of the size or count type was converted to the olcConstraintAttribute option with its value part missing. A patch has been provided to address this issue and constraint_attribute options are now converted correctly in the described scenario.

BZ#722959

When an openldap client had the TLS_REQCERT option set to never and the remote LDAP server uses a certificate issued by a CA (Certificate Authority) whose certificate has expired, connection attempts to the server failed due to the expired certificate. Now, expired CA certificates are ignored when TLS_REQCERT is set to never, thus fixing this bug.

BZ#723487

Previously, the openldap package compilation log file contained warning messages returned by strict-aliasing rules. These warnings indicated that unexpected runtime behavior could occur. With this update, the -fno-strict-aliasing option is passed to the compiler to avoid optimizations that can produce invalid code, and no warning messages are now returned during the package compilation.

BZ#723514

Previously, the olcDDStolerance option was shortening TTL (time to live) for dynamic entries, instead of prolonging it. Consequently, when an OpenLDAP server was configured with the dds overlay and the olcDDStolerance option was enabled, the dynamic entries were deleted before their TTL expired. A patch has been provided to address this issue and the real lifetime of a dynamic entry is now calculated properly, as described in documentation.

BZ#729087

When a utility used the OpenLDAP library and TLS to connect to a server, while the library failed to verify a certificate or a key, a memory leak occurred in the tlsm_find_and_verify_cert_key() function. Now, verified certificates and keys are properly disposed of when their verification fails, and memory leaks no longer occur in the described scenario.

BZ#729095

When the olcVerifyClient option was set to allow in an OpenLDAP server or the TLS_REQCERT option was set to allow in a client utility, while the remote peer certificate was invalid, OpenLDAP server/client connection failed. With this update, invalid remote peer certificates are ignored, and connections can now be established in the described scenario.

BZ#731168

When multiple TLS operations were performed by clients or other replicated servers, with the openldap-servers package installed and TLS enabled, the server terminated unexpectedly. With this update, a mutex has been added to the code to protect calls of thread-unsafe Mozilla NSS initialization functions, and the crashes no longer occur in the described scenario.

BZ#732001

When the openldap-servers package was being installed on a server for the first time, redundant and confusing / character was printed during the installation. With this update, the responsible RPM scriptlet has been fixed and the / character is no longer printed in the described scenario.

BZ#723521

Previously, the slapo-unique manual page was missing information about quoting the keywords and URIs (uniform resource identifiers), and the attribute parameter was not described in the section about unique_strict configuration options. A patch has been provided to address these issues and the manual page is now up-to-date.

BZ#742592

Previously, when the openldap-servers package was installed, host-based ACLs did not work. With this update, configuration flags that enable TCP wrappers have been updated, and the host-based ACLs now work as expected.

Enhancements

BZ#730311

Previously, when a connection to an LDAP server was created by specifying search root DN (distinguished name) instead of the server hostname, the SRV records in DNS were requested and a list of LDAP server hostnames was generated. The servers were then queried in the order, in which the DNS server returned them but the priority and weight of the records were ignored. This update adds support for priority/weight of the DNS SRV records, and the servers are now queried according to their priority/weight, as required by RFC 2782.

BZ#712494

In the default installation of the openldap-servers package, the configuration database (cn=config) could only be modified manually when the slapd daemon was not running. With this update, the ldapi:/// interface has been enabled by default, and the ACLs (access control lists) now enable the root user to modify the server configuration without stopping the server and using OpenLDAP client tools if he is authenticated using ldapi:/// and the SASL/EXTERNAL mechanism.

BZ#723999

The openldap package was compiled without RELRO (read-only relocations) flags and was therefore vulnerable to various attacks based on overwriting the ELF section of a program. To increase the security of the package, the openldap spec file has been modified to use the -Wl,-z,relro flags when compiling the package. The openldap package is now provided with partial RELRO protection.