openldap-bugs December 2006

openldap-bugs@openldap.org

23 participants
120 discussions

Re: (ITS#4782) back-ldap bugs
by ando＠sys-net.it 19 Dec '06

19 Dec '06

hyc(a)OpenLDAP.org wrote: > Full_Name: Howard Chu > Version: HEAD > OS: > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (76.168.84.21) > Submitted by: hyc > > > 1) back-ldap fails to startup if back-monitor isn't enabled. It should silently > skip usage of back-monitor, the way back-bdb does. > That's what's supposed to do. Do you mean back-monitor "compiled" or "instantiated"? "Compiled" should be moot, as back-monitor should now be always compiled. > 2) multiple calls are made to ldap_back_is_proxy_authz with > sendok=LDAP_BACK_SENDERR without checking the return status or aborting the > operation. As such, when proxy authorization is not in effect for an operation, > the client receives multiple Error Result messages for its request (even though > it continues to completion). Likewise for ldap_back_proxy_authz_bind. Either > these functions should never send a result back to the client, or their return > status should be checked and processing should stop when they fail. I've cleaned > up several instances of this type of error in previous revisions but can't track > them all down now. Errors of this type may also exist in RE23; I haven't > looked. > I've been cleaning up some of those in back-ldap (and in back-meta as well); some might have slipped thru. Thanks, p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

(ITS#4782) back-ldap bugs
by hyc＠OpenLDAP.org 19 Dec '06

19 Dec '06

Full_Name: Howard Chu Version: HEAD OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (76.168.84.21) Submitted by: hyc 1) back-ldap fails to startup if back-monitor isn't enabled. It should silently skip usage of back-monitor, the way back-bdb does. 2) multiple calls are made to ldap_back_is_proxy_authz with sendok=LDAP_BACK_SENDERR without checking the return status or aborting the operation. As such, when proxy authorization is not in effect for an operation, the client receives multiple Error Result messages for its request (even though it continues to completion). Likewise for ldap_back_proxy_authz_bind. Either these functions should never send a result back to the client, or their return status should be checked and processing should stop when they fail. I've cleaned up several instances of this type of error in previous revisions but can't track them all down now. Errors of this type may also exist in RE23; I haven't looked.

1 0

Re: (ITS#4774) Add network timeout option to ldapsearch
by lukeh＠padl.com 17 Dec '06

17 Dec '06

Kurt, >Given this, -e nettimeout=X might be better choice here. >Or -o nettimeout=X. Agreed. I have prepared a patch for the following which I will commit to HEAD: -o <opt>[=<optparam] general options nettimeout=<timeout> (in seconds, or "none" or "max") -- Luke -- www.padl.com | www.lukehoward.com

1 0

Re: (ITS#4585) slapd-search generates TIME_WAIT connections increasingly
by ando＠sys-net.it 17 Dec '06

17 Dec '06

Roland, Howard pointed out that part of your problem could be related to the fact that AD makes an intensive use of referrals, and automatic referral chasing with OpenLDAP's client library was buggy (ITS#4545). A fix to this issue will appear in OpenLDAP 2.3.31; you can get the corresponding code from the CVS under the tag OPENLDAP_REL_ENG_2_3, or wait a few days for the official release. Could you please check if your problem persists with this release? p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

(ITS#4781) optimize bind behavior in back-ldap when idassert is in use
by ando＠sys-net.it 17 Dec '06

17 Dec '06

Full_Name: Pierangelo Masarati Version: HEAD OS: irrelevant URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (81.72.89.40) Submitted by: ando When idassert is used with "override" (i.e. it occurs also when the instance of back-ldap is the authorizing backend) and it is going to accept to authorize any identity, there is no need to create/destroy a connection for each bind, since subsequent operations will ever occur on the privileged, cached connection with identity assertion. So a separate cached connection is used only for binds, which of course need to be serialized (i.e. wait for response before submitting another one). Here there's room for further optimization: in case the connection is busy waiting for response, back-ldap can either wait or use a temporary (the original behavior). Further optimization will allow a pool of dedicated connections to alleviate concurrency issues. A patch is coming. p.

1 0

Re: (ITS#4780) ACL set memory leak
by ando＠sys-net.it 16 Dec '06

16 Dec '06

dhawes(a)vt.edu wrote: > When using ACL sets, OpenLDAP 2.3.30 steadily uses up all the system memory > before crashing (slapd: ch_malloc.c:57: ch_malloc: Assertion `0' failed). > > The system is loaded using SLAMD with 4 clients doing anonymous searches on a > filter file of approximately 300,000 filters (taken from a typical day on a > production server). SLAMD reports that 2885650 entries are returned in the 30 > minutes it takes to use up all available memory (4G). > > The instance contains approximately 1 million entries in a bdb backend, and uses > the following simple set of ACLs for this test: > > ... > access to dn.base="" > by * read > > access to dn.base="cn=Subschema" > by * read > > access to dn.base="dc=example,dc=com" > by * read > > access to dn.base="ou=People,dc=example,dc=com" > by * read > > access to * > by set="[string1] & [string2]" read > by peername.ip=<slamd client ip 1> read > by peername.ip=<slamd client ip 2> read > by peername.ip=<slamd client ip 3> read > by peername.ip=<slamd client ip 4> read > by * none > ... > > Removing the "by set=" clause and running the SLAMD job causes OpenLDAP memory > usage to stabilize. > > I notice the same behavior on 2.3.27, but did not notice it with older versions > such as 2.2.26. > I can't confirm this issue neither with HEAD nor with re23; I used valgrind and the set string you posted verbatim, although I didn't use slamd. However, right now I don't see how it may be a matter of concurrency. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

(ITS#4780) ACL set memory leak
by dhawes＠vt.edu 15 Dec '06

15 Dec '06

Full_Name: David Hawes Version: 2.3.30 OS: Debian GNU/Linux 3.1 URL: Submission from: (NULL) (128.173.13.109) When using ACL sets, OpenLDAP 2.3.30 steadily uses up all the system memory before crashing (slapd: ch_malloc.c:57: ch_malloc: Assertion `0' failed). The system is loaded using SLAMD with 4 clients doing anonymous searches on a filter file of approximately 300,000 filters (taken from a typical day on a production server). SLAMD reports that 2885650 entries are returned in the 30 minutes it takes to use up all available memory (4G). The instance contains approximately 1 million entries in a bdb backend, and uses the following simple set of ACLs for this test: ... access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to dn.base="dc=example,dc=com" by * read access to dn.base="ou=People,dc=example,dc=com" by * read access to * by set="[string1] & [string2]" read by peername.ip=<slamd client ip 1> read by peername.ip=<slamd client ip 2> read by peername.ip=<slamd client ip 3> read by peername.ip=<slamd client ip 4> read by * none ... Removing the "by set=" clause and running the SLAMD job causes OpenLDAP memory usage to stabilize. I notice the same behavior on 2.3.27, but did not notice it with older versions such as 2.2.26.

1 0

Re: (ITS#4770) monitoringslapd.sdf patch
by ghenry＠suretecsystems.com 15 Dec '06

15 Dec '06

<quote who="ando(a)sys-net.it"> > Gavin Henry wrote: >> <quote who="Pierangelo Masarati"> >>> Gavin, >>> >>> from the preamble, one may infer that monitoring is optional in the >>> sense it can be optionally built. That's how it used to be; >> >> In 2.3. I see. Thanks. >> >>> however, in >>> 2.4, it is always enabled, but it still must be explicitly exposed in >>> slapd.conf/slapd.d by using "database monitor". >> >> Ah, understood. >> >>> I would replace >>> "enabled" with "exposed", and possibly explicitly indicate that in 2.4 >>> it is no longer an option to build the monitor interface. >> >> Yes, that sounds fine. >> >>> No global directive should occur after "database monitor", as it >>> represents a database instantiation like any other. Although most >>> global directives wouldn't complain if appearing __after__ a database >>> instantiation, such use should be considered at least "bad practice". Understood. >> >> OK. But I was right with the fact you can put rootpw directly beneath >> it, >> or is that what you are saying about bad practices? > > "rootdn" and "rootpw" are per-database directives. They __have__ to go > there. What I call "bad practice" is, say, putting a "threads" > directive inside a database. It will be handled as expected, i.e. it > impacts the whole instance of slapd, but it appears like it were for > that database only! Ah yes! ;-) Agreed and now understood. > >>> About access control, it may be worth stressing that some attributes >>> can >>> actually be written; this requires to protect them and, at the same >>> time, to grant the desired identities write privileges on them. >> >> Only with the rootpw defined? > > back-monitor honors access control much like any other database (at > least it should; if it doesn't, then it's a bug). > > So any ACL applies (should apply) and as such there's much freedom in > defining who has access to what under which circumstances. So I don't > see any need to write any specific information about access control, as > soon as the administrator is warned that access control needs to be > taken into account for that database as well. OK. > >> If so; >> >> What attributes can be written to? > > AFAIR: managedInfo and derived attrs are writable; practically, they can > only be written whenever a modify hook is defined for that subsystem, > and constraints may be present. > > managedInfo can be written in "cn=Log,cn=Monitor" but it can only take > the values that are allowed as loglevels (see loglevel in slapd.conf(5), > but note that in HEAD, and possibly in 2.3 as well, I don't remember, > modules can add further log levels). OK. This should be all documented! ;-) > > readOnly can be written in each database entry (those residing below > "cn=Databases,cn=Monitor") > > I'm not sure there' any more in stock back-monitor; but beware that > back-monitor can be extended by modules through an API, so there might > be more. In general, look for any modify hook in the definition of each > subsystem. Modules, as in overlays? That was what my last question was really asking. For example, how accesslog is used by Delta-Syncrepl. I was merely trying to understand if, when some other feature gets enabled, it relies on back-monitor to work properly. > >> What are their purpose/effects? > > perform non-persistent state changes (i.e. changes that are not > reflected in back-config and don't et to the persistent storage on disk > when the system is arrested. OK. > >> What ACL example can we show to protect them? > > I don't think anything relevant is needed; in case, something like > > # only let the manager rite managed info (add further modifiable attrs) > access to attrs=managedInfo > by dn.exact="cn=Manager" write > by * read > > # only let the manager read connections data (may be sensible) > access to dn.children="cn=Connections,cn=Monitor" > by dn.exact="cn=Manager" read > by * none > > # allow read access to anything else > access to * > by * read > > unless there's anything else worth protecting. Looks standard enough. > >> Are they used by any overlays/backends? > > Not sure I got the point. See my above comment regarding accesslog. Thanks for your time. Gavin. > > p. > > > > Ing. Pierangelo Masarati > OpenLDAP Core Team > > SysNet s.n.c. > Via Dossi, 8 - 27100 Pavia - ITALIA > http://www.sys-net.it > ------------------------------------------ > Office: +39.02.23998309 > Mobile: +39.333.4963172 > Email: pierangelo.masarati(a)sys-net.it > ------------------------------------------ > > >

1 0

Re: (ITS#4770) monitoringslapd.sdf patch
by ando＠sys-net.it 15 Dec '06

15 Dec '06

Gavin Henry wrote: > <quote who="Pierangelo Masarati"> >> Gavin, >> >> from the preamble, one may infer that monitoring is optional in the >> sense it can be optionally built. That's how it used to be; > > In 2.3. I see. Thanks. > >> however, in >> 2.4, it is always enabled, but it still must be explicitly exposed in >> slapd.conf/slapd.d by using "database monitor". > > Ah, understood. > >> I would replace >> "enabled" with "exposed", and possibly explicitly indicate that in 2.4 >> it is no longer an option to build the monitor interface. > > Yes, that sounds fine. > >> No global directive should occur after "database monitor", as it >> represents a database instantiation like any other. Although most >> global directives wouldn't complain if appearing __after__ a database >> instantiation, such use should be considered at least "bad practice". > > OK. But I was right with the fact you can put rootpw directly beneath it, > or is that what you are saying about bad practices? "rootdn" and "rootpw" are per-database directives. They __have__ to go there. What I call "bad practice" is, say, putting a "threads" directive inside a database. It will be handled as expected, i.e. it impacts the whole instance of slapd, but it appears like it were for that database only! >> About access control, it may be worth stressing that some attributes can >> actually be written; this requires to protect them and, at the same >> time, to grant the desired identities write privileges on them. > > Only with the rootpw defined? back-monitor honors access control much like any other database (at least it should; if it doesn't, then it's a bug). So any ACL applies (should apply) and as such there's much freedom in defining who has access to what under which circumstances. So I don't see any need to write any specific information about access control, as soon as the administrator is warned that access control needs to be taken into account for that database as well. > If so; > > What attributes can be written to? AFAIR: managedInfo and derived attrs are writable; practically, they can only be written whenever a modify hook is defined for that subsystem, and constraints may be present. managedInfo can be written in "cn=Log,cn=Monitor" but it can only take the values that are allowed as loglevels (see loglevel in slapd.conf(5), but note that in HEAD, and possibly in 2.3 as well, I don't remember, modules can add further log levels). readOnly can be written in each database entry (those residing below "cn=Databases,cn=Monitor") I'm not sure there' any more in stock back-monitor; but beware that back-monitor can be extended by modules through an API, so there might be more. In general, look for any modify hook in the definition of each subsystem. > What are their purpose/effects? perform non-persistent state changes (i.e. changes that are not reflected in back-config and don't et to the persistent storage on disk when the system is arrested. > What ACL example can we show to protect them? I don't think anything relevant is needed; in case, something like # only let the manager rite managed info (add further modifiable attrs) access to attrs=managedInfo by dn.exact="cn=Manager" write by * read # only let the manager read connections data (may be sensible) access to dn.children="cn=Connections,cn=Monitor" by dn.exact="cn=Manager" read by * none # allow read access to anything else access to * by * read unless there's anything else worth protecting. > Are they used by any overlays/backends? Not sure I got the point. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4770) monitoringslapd.sdf patch
by ghenry＠suretecsystems.com 15 Dec '06

15 Dec '06

<quote who="Pierangelo Masarati"> > Gavin, > > from the preamble, one may infer that monitoring is optional in the > sense it can be optionally built. That's how it used to be; In 2.3. I see. Thanks. > however, in > 2.4, it is always enabled, but it still must be explicitly exposed in > slapd.conf/slapd.d by using "database monitor". Ah, understood. > I would replace > "enabled" with "exposed", and possibly explicitly indicate that in 2.4 > it is no longer an option to build the monitor interface. Yes, that sounds fine. > > No global directive should occur after "database monitor", as it > represents a database instantiation like any other. Although most > global directives wouldn't complain if appearing __after__ a database > instantiation, such use should be considered at least "bad practice". OK. But I was right with the fact you can put rootpw directly beneath it, or is that what you are saying about bad practices? > > About access control, it may be worth stressing that some attributes can > actually be written; this requires to protect them and, at the same > time, to grant the desired identities write privileges on them. Only with the rootpw defined? If so; What attributes can be written to? What are their purpose/effects? What ACL example can we show to protect them? Are they used by any overlays/backends? > > Sorry I haven't time to go into too much detail. Anyway, it seems > you're doing a great job. > > Thanks, p. > Your thanks is much appreciated. Gavin. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

1 0

← Newer
1
2
3
4
5
6
7
8
9
...
12
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs December 2006