- When the smbk5pwd overlay was enabled in an OpenLDAP server and a user changed their password, the Microsoft NT LAN Manager (NTLM) and Microsoft LAN Manager (LM) hashes were not computed correctly. Consequently, the sambaNTPassword attributes were updated with incorrect values, preventing the user from logging in using a Windows-based client or a Samba client. With this update, the smbk5pwd overlay is linked against OpenSSL. As such, the NTLM and LM hashes are computed correctly and password changes work as expected when using
- If the TLS_CACERTDIR configuration option used a prefix specifying a Mozilla NSS database type, such as sql:, the certificate database failed to open when a TLS operation was requested. This update provides a patch that strips the database type prefix before checking whether the certificate database directory exists, so the certificate database now opens successfully even when the database type prefix is used.
- When a file containing a password was provided to open a database without user interaction, a piece of unallocated memory could be read and mistaken for the password, causing the connection to become unresponsive. A patch has been applied to correctly allocate the memory for the password file contents, and the connection no longer hangs in the described scenario.
- When a TLS connection to an LDAP server was established, used, and then correctly terminated, the order of the internal TLS shutdown operations was incorrect. Consequently, unexpected terminations and other issues could occur in the underlying cryptographic library (Mozilla NSS). A patch has been provided to reorder the operations performed when closing the connection. Now, the order of TLS shutdown operations matches the Mozilla NSS documentation, thus fixing this bug.
- When TLS was configured to use a certificate from a PEM file while TLS_CACERTDIR was set to use a Mozilla NSS certificate database, the PEM certificate failed to load. With this update, the certificate is first looked up in the Mozilla NSS certificate database and, if not found, the PEM file is used as a fallback. As a result, PEM certificates are now properly loaded in the described scenario.
- The OpenLDAP server could be configured for replication with TLS enabled both for accepting connections from remote peers and for TLS client authentication to the other replicas. When a different TLS configuration was used for the server and for connecting to replicas, a connection to a replica could fail due to TLS certificate lookup errors or unknown PKCS#11 TLS errors. This update provides a set of patches that make multiple TLS LDAP contexts within one process possible without affecting one another. As a result, OpenLDAP replication works properly in the described scenario.
- When a CA (Certificate Authority) certificate directory hashed via OpenSSL was configured as the source of trusted CA certificates, the libldap library incorrectly expected the filenames of all hashed certificates to end with the .0 suffix. Consequently, even though any numeric suffix is allowed, only certificates with the .0 suffix were loaded. This update provides a patch that properly checks filenames in the OpenSSL CA certificate directory, and now all certificates that are allowed to be in that directory are loaded with
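The following added example (not code from OpenLDAP or from this errata) illustrates the filename rule behind the fix above. An OpenSSL hashed CA directory, as produced by c_rehash or openssl rehash, names each CA certificate <subject hash>.<n>, where the hash is eight hex digits and n is a decimal index starting at 0 that only climbs when two distinct CA certificates share a subject hash; CRLs in the same directory are named <hash>.r<n>. The directory listing below is constructed for the example; the hashes in it are made up and do not correspond to any real CA.

```python
import os
import re

# Constructed listing standing in for an OpenSSL-style hashed CA directory.
# The two entries with hash 5ed36f99 represent two different CA certificates
# whose subject names hash to the same value (the .1 index resolves the
# collision). a94d09e5.r0 is a CRL, not a certificate.
SAMPLE_LISTING = [
    "5ed36f99.0",
    "5ed36f99.1",
    "a94d09e5.0",
    "a94d09e5.r0",
    "ca-bundle.crt",   # not a hashed name; by-directory lookup ignores it
    "README",
]

# <8 hex digits>.<decimal index>: the index is not limited to 0.
HASHED_CERT_RE = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")
ZERO_ONLY_RE = re.compile(r"^[0-9a-f]{8}\.0$")


def hashed_cert_files(names, zero_suffix_only=False):
    """Return the entries that hold CA certificates, sorted.

    zero_suffix_only=True reproduces the pre-update behaviour described
    above: only names ending in '.0' are accepted, so certificates whose
    subject hash collides with another CA (.1, .2, ...) are silently skipped.
    """
    pattern = ZERO_ONLY_RE if zero_suffix_only else HASHED_CERT_RE
    return sorted(n for n in names if pattern.match(n))


def certs_for_subject_hash(names, subject_hash):
    """Walk <hash>.0, <hash>.1, ... until a name is missing.

    This is the order in which OpenSSL's by-directory lookup probes a
    hashed directory once it has computed a candidate subject hash, and it
    is why a .0-only check drops every certificate after the first collision.
    """
    present = set(names)
    found = []
    index = 0
    while f"{subject_hash}.{index}" in present:
        found.append(f"{subject_hash}.{index}")
        index += 1
    return found


def hashed_cert_files_in_dir(path, **kwargs):
    """Apply the same check to a real directory, e.g. /etc/pki/tls/certs."""
    return hashed_cert_files(os.listdir(path), **kwargs)


if __name__ == "__main__":
    print("before fix:", hashed_cert_files(SAMPLE_LISTING, zero_suffix_only=True))
    print("after fix: ", hashed_cert_files(SAMPLE_LISTING))
    print("lookup for 5ed36f99:", certs_for_subject_hash(SAMPLE_LISTING, "5ed36f99"))
```

A quick way to check a production directory for the case the bug affected is to look for any hashed name whose index is not 0: if hashed_cert_files_in_dir returns entries such as 5ed36f99.1, an unpatched libldap would have trusted only the .0 certificate for that subject hash.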
- When multiple LDAP servers were specified with TLS enabled and a connection to a server failed because the host name did not match the name in the certificate, fallback to another server was performed. However, the fallback connection became unresponsive during the TLS handshake. This update provides a patch that re-creates internal structures, which handle the connection state, and the fallback connection no longer hangs in the described scenario.
- When the OpenLDAP server was configured to use the rwm overlay and a client sent a modrdn operation whose newsuperior parameter matched the current superior of the entry being modified, the slapd server terminated unexpectedly with a segmentation fault. With this update, slapd is prevented from accessing uninitialized memory in the described scenario, the crashes no longer occur, and the client operation now finishes successfully.
- When a self-signed certificate without the Basic Constraints extension (BCE) was used as a server TLS certificate and the TLS client was configured to ignore any TLS certificate validation errors, the client could not connect to the server and an incorrect message about the missing BCE was returned. This update provides a patch to preserve the original TLS certificate validation error when the BCE is not found in the certificate. As a result, clients can connect to the server, proper error messages about the untrusted certification authority that signed the server certificate are returned, and the connection continues as expected.
- When the slapd server configuration database (cn=config) was configured with replication in mirror mode and the replication configuration (olcSyncrepl) was changed, the cn=config database was silently removed from mirror mode and could not be further modified without restarting the slapd daemon. With this update, changes in the replication configuration are properly handled, so the state of mirror mode is preserved and the cn=config database can be modified in the described scenario.
- Previously, the OpenLDAP library looked up an AAAA (IPv6) DNS record while resolving the server IP address even if IPv6 was disabled on the host, which could cause extra delays when connecting. With this update, the AI_ADDRCONFIG flag is set when resolving the remote host address. As a result, the OpenLDAP library no longer looks up the AAAA DNS record when resolving the server IP address on a system where IPv6 is disabled.
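As an added example (not code from OpenLDAP or from this errata), the snippet below shows what the AI_ADDRCONFIG flag changes at the resolver call: it takes an ldap.conf-style URI list of the kind used to configure several servers, splits it into host and port pairs, and resolves each one with getaddrinfo, requesting only the address families for which the local host has a configured address. The URI list and the example.com hostnames are constructed for illustration. One caveat worth knowing when testing this on glibc: loopback-only addresses do not count as a configured family, so on a machine with nothing but lo up, AI_ADDRCONFIG leaves the family unrestricted rather than suppressing both lookups.

```python
import socket
from urllib.parse import urlsplit

# Default ports per scheme, as used by ldap.conf URI entries.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_uris(uri_list):
    """Split a space-separated LDAP URI list into (scheme, host, port) tuples.

    urlsplit handles bracketed IPv6 literals such as ldaps://[2001:db8::1]:636
    and returns the bare address in .hostname; .port is None when omitted.
    """
    targets = []
    for uri in uri_list.split():
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            raise ValueError(f"unsupported URI scheme in {uri!r}")
        if not parts.hostname:
            raise ValueError(f"missing host in {uri!r}")
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
        targets.append((scheme, parts.hostname, port))
    return targets


def resolve_ldap_host(host, port, addrconfig=True):
    """Resolve host:port into a list of (family_name, address, port) tuples.

    addrconfig=True passes AI_ADDRCONFIG, which is the change described above:
    the resolver only asks for A records if the host has an IPv4 address
    configured and only for AAAA records if it has an IPv6 address, so the
    AAAA query (and its timeout) is skipped on an IPv4-only system.
    addrconfig=False reproduces the pre-update behaviour of querying both.
    """
    flags = socket.AI_ADDRCONFIG if addrconfig else 0
    results = []
    for family, _socktype, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, flags):
        results.append((family.name, sockaddr[0], sockaddr[1]))
    return results


def resolve_uri_list(uri_list, addrconfig=True):
    """Resolve every server in the list; failures are recorded, not raised,
    so that a later server can still be tried (the fallback order)."""
    resolved = []
    for scheme, host, port in parse_ldap_uris(uri_list):
        try:
            addrs = resolve_ldap_host(host, port, addrconfig=addrconfig)
        except socket.gaierror as exc:
            addrs = f"unresolvable: {exc}"
        resolved.append((scheme, host, port, addrs))
    return resolved


if __name__ == "__main__":
    # Constructed URI list; only the loopback entry resolves offline.
    uris = "ldap://ldap1.example.com ldaps://[2001:db8::1]:636 ldap://127.0.0.1:10389"
    for entry in resolve_uri_list(uris):
        print(entry)
```

To see the difference the flag makes on a real host, disable IPv6 on a test system, run resolve_ldap_host against a name that has both A and AAAA records with addrconfig=False and then with addrconfig=True while capturing DNS traffic: the second run sends no AAAA query.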
libldap was configured to use TLS, not all TLS ciphers supported by the Mozilla NSS library could be used. This update adds all missing ciphers supported by Mozilla NSS to the internal list of ciphers in libldap, thus improving