openldap-bugs February 2007

openldap-bugs@openldap.org

32 participants
125 discussions

(ITS#4851) improper database recovery at startup when using shared memory for db cache
by erici＠motown.cc.utexas.edu 24 Feb '07

24 Feb '07

Full_Name: Eric Irrgang Version: 2.3.34 OS: Solaris 9 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (128.83.217.14) Using Berkeley DB 4.4.20 for the hdb backend to OpenLDAP 2.3.34 with a shared memory segment for the db cache, the automatic bdb database recovery fails after a reboot (because the shared memory segment doesn't exist yet). slapd logs show the following: [ID 446079 local3.debug] bdb(dc=directory,dc=utexas,dc=edu): shmat: id 0: unable to attach to shared system memory region: Invalid argument [ID 656078 local3.debug] bdb_db_open: Database cannot be opened, err 22. Restore from backup! [ID 446079 local3.debug] bdb(dc=directory,dc=utexas,dc=edu): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem [ID 446079 local3.debug] bdb(dc=directory,dc=utexas,dc=edu): txn_checkpoint interface requires an environment configured for the transaction subsystem [ID 881909 local3.debug] bdb_db_close: txn_checkpoint failed: Invalid argument (22) [ID 658289 local3.debug] backend_startup_one: bi_db_open failed! (22) [ID 948119 local3.debug] bdb_db_close: alock_close failed [ID 486161 local3.debug] slapd stopped. [ID 432338 local3.debug] connections_destroy: nothing to destroy. db_recover must be used to clean up the environment. It gives the message "db_recover: shmat: id 0: unable to attach to shared system memory region: Invalid argument" but completes with return code 0, removes the __db.001 file, and slapd is then able to start without errors.

1 0

Re: (ITS#4792) not able to install Slapd i.e. when I install openldap it does'nt install server module
by ando＠sys-net.it 24 Feb '07

24 Feb '07

azia(a)techxact.com wrote: > Full_Name: Ahmad Zia > Version: openldap-2.3.31 > OS: Redhat ES 4 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (80.227.142.2) > > > I have successfully compiled, make openldad but when I get to the point where I > have to run "make test" it says cannot connect to the openldap server after > timing out. You should ask software usage related questions on the openldap-software mailing list. The ITS is intended to track software bugs or development issues, and you are not pointing out any evidence of software malfunction yet. > When I use this command , I get the following: > > [root@TXDXB openldap]# rpm -qa | grep openldap > openldap-devel-2.2.13-6.4E > openldap-2.2.13-6.4E > openldap-clients-2.2.13-6.4E > > its not listing openldap-server-2.2.13-6.4E and in my /etc/openldap directory I > only have ldap.conf and I do not have slapd.conf, so what I gather so far is > that I am not able to install the server module. This has nothing to do with OpenLDAP software; OpenLDAP software is released only in source form, and it's up to dofwtare distributors to package it in binary form. It is very unlikely that by simply compiling OpenLDAP software as distributed by OpenLDAP you may see anything show up with rpm -qa, since building OpenLDAP software does not result in any rpm package (and, in any case, you'd need to explicitly __install__ any rpm package to see it appear with rpm -qa). > I have used the parameter --enable-slapd with ./configure command but its still > the same thing. Slapd is built by default; the --enable-slapd switch is provided to allow users to __disable__ it. > Can you please tell me what am I doing wrong Testing may fail for hundreds of reasons beyond a bug in the software. You should check trivial things first, e.g. by inspecting any log messages resulting from the tests. See <http://www.openldap.org/faq/data/cache/1089.html> and <http://www.openldap.org/faq/data/cache/56.html> for possible directions. This ITS will be closed. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4849) LDAP URL not recognized with bind9
by ando＠sys-net.it 24 Feb '07

24 Feb '07

cyril wrote: > The message is located in > > isc_result_t dlz_ldap_checkURL(char *URL, int attrCnt, const char *msg) > > located in file bin/named/dlz_ldap_driver.c provided by > ctrix_dlz_9.3.3.patch OK. In your initial posting you claimed to be using bind 9.3.4, I assume you patched 9.3.4 with 9.3.3 patch. Anyway, in that patch I still don't see the message you reported; did you copy it verbatim, or did you elaborate it?. Anyway, that patch looks definitely similar to the analogous code in bind 9.4.0. That code seems to make use of LDAP URLs only as a means to define a LDAP search in compact form; but URLs have a specific syntax with restrictions, as indicated in RFC4516 and RFC3986; pretending to parse them with standards compliant library functions while they don't comply with their definition sounds a bit hazardous. In any case, it's astonishing that the URL syntax is used along with a marker for macro replacement that's the most reserved char in URLs. Sounds like someone chose the largest available gun to shoot in his own foot. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

RE: (ITS#4849) LDAP URL not recognized with bind9
by cyril＠coupel.net 24 Feb '07

24 Feb '07

Il s'agit d'un message ` parties multiples au format MIME. ------=_NextPart_000_0163_01C75810.9E49DBB0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable FYI =20 -----Message d'origine----- De : Pierangelo Masarati [mailto:ando@sys-net.it]=20 Envoy=E9 : vendredi 23 f=E9vrier 2007 22:02 =C0 : cyril(a)coupel.net Cc : openldap-its(a)openldap.org Objet : Re: (ITS#4849) LDAP URL not recognized with bind9 =20 cyril(a)coupel.net wrote: > Tanks for your answer. > I tested by removing the %xxxx% from the URL and the tests are passed; = but > there is an error saying that there is no %xxx% token. > I already open a case to the BIND team, but they reply this is not a = bind > problem. > However, I will transmit this information to the BIND/DLZ team. =20 I have few more comments; see below. =20 =20 > Cyril COUPEL wrote: >> I agree with this information. >> The fact is the ldapURL is not used as it, the key %zone% (or = %client%) is >> replaced with the ns domain (the client name). >>=20 >> It was working well since I upgrade to 2.3.30-r2. =20 There is no OpenLDAP 2.3.30-r2; the current version is 2.3.34. This is a Gentoo relase based on 2.3.30 (the latest relase available is 2.3.33) =20 Also, you mentioned an error message "failed to parse ldap URL"; there's no such message in bind 9.3.4 code, nor in 9.4.0rc2. Also, there's no explicit ldap_url_parse() call, so the problem could only arise when performing an operation with that broken DN. However, I don't see how the error message could be raised by bind, since the URL is parsed by bind itself, without using the OpenLDAP API function, and the DN is only used as base for other operations, so OpenLDAP API cannot have any notion of that DN being part of an URL. Finally, bind itself, while parsing the URL, checks for badly encoded portions of the URL, and the corresponding error message is "LDAP sdb zone '%s': URL: bad hex = values". =20 The message is located in =20 isc_result_t dlz_ldap_checkURL(char *URL, int attrCnt, const char *msg) located in file bin/named/dlz_ldap_driver.c provided by ctrix_dlz_9.3.3.patch =20 Could you point us to the __real__ version of OpenLDAP __and__ bind you pretend to be broken? =20 =20 p. =20 =20 =20 Ing. Pierangelo Masarati OpenLDAP Core Team =20 SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------ =20 ------=_NextPart_000_0163_01C75810.9E49DBB0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <html xmlns:v=3D"urn:schemas-microsoft-com:vml" = xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" = xmlns=3D"http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)"> <style>  </style>  </head> <body lang=3DFR link=3Dblue vlink=3Dpurple> <div class=3DSection1> FYI<o:p></o:p> <o:p> </o:p> -----Message d'origine----- De : Pierangelo Masarati [mailto:ando@sys-net.it] Envoy=E9 : vendredi 23 f=E9vrier 2007 22:02 =C0 : cyril(a)coupel.net Cc : openldap-its(a)openldap.org Objet : Re: (ITS#4849) LDAP URL not recognized with = bind9<o:p></o:p> <o:p> </o:p> cyril(a)coupel.net wrote:<o:p></o:p> > Tanks for your answer.<o:p></o:p> > I tested by removing the %xxxx% from the = URL and the tests are passed; but<o:p></o:p> > there is an error saying that there is no = %xxx% token.<o:p></o:p> > I already open a case to the BIND team, but = they reply this is not a bind<o:p></o:p> > problem.<o:p></o:p> > However, I will transmit this information = to the BIND/DLZ team.<o:p></o:p> <o:p> </o:p> I have few more comments; see = below.<o:p></o:p> <o:p> </o:p> <o:p> </o:p> > Cyril COUPEL wrote:<o:p></o:p> >> I agree with this = information.<o:p></o:p> >> The fact is the ldapURL is not used as = it, the key %zone% (or %client%) is<o:p></o:p> >> replaced with the ns domain (the client = name).<o:p></o:p> >><o:p> </o:p> >> It was working well since I upgrade to 2.3.30-r2.<o:p></o:p> <o:p> </o:p> There is no = OpenLDAP 2.3.30-r2; the current version is 2.3.34.<o:p></o:p> This = is a Gentoo relase based on 2.3.30 (the latest relase available is = 2.3.33)<o:p></o:p> <o:p> </o:p> Also, you mentioned an error message = "failed to parse ldap URL"; there's<o:p></o:p> no such message in bind 9.3.4 code, nor in = 9.4.0rc2.=A0 Also, there's no<o:p></o:p> explicit ldap_url_parse() call, so the problem = could only arise when<o:p></o:p> performing an operation with that broken DN.=A0 = However, I don't see how<o:p></o:p> the error message could be raised by bind, since = the URL is parsed by<o:p></o:p> bind itself, without using the OpenLDAP API = function, and the DN is only<o:p></o:p> used as base for other operations, so OpenLDAP = API cannot have any<o:p></o:p> notion of that DN being part of an URL.=A0 = Finally, bind itself, while<o:p></o:p> parsing the URL, checks for badly encoded = portions of the URL, and the<o:p></o:p> corresponding error message is "LDAP sdb = zone '%s': URL: bad hex values".<o:p></o:p> <o:p> </o:p> The = message is located in =A0=A0=A0 <o:p></o:p> isc_result_t dlz_ldap_checkURL(char *URL, int attrCnt, const char *msg)<o:p></o:p> located in file bin/named/dlz_ldap_driver.c provided by ctrix_dlz_9.3.3.patch<o:p></o:p> <o:p> </o:p> Could you point us to the __real__ version of = OpenLDAP __and__ bind you<o:p></o:p> pretend to be broken?<o:p></o:p> <o:p> </o:p> <o:p> </o:p> p.<o:p></o:p> <o:p> </o:p> <o:p> </o:p> <o:p> </o:p> Ing. Pierangelo Masarati<o:p></o:p> OpenLDAP Core Team<o:p></o:p> <o:p> </o:p> SysNet s.n.c.<o:p></o:p> Via Dossi, 8 - 27100 Pavia - = ITALIA<o:p></o:p> http://www.sys-net.it<o:p></o:p> ------------------------------------------<o:p></o:p= > Office:=A0=A0 +39.02.23998309<o:p></o:p> Mobile:=A0=A0 +39.333.4963172<o:p></o:p> Email:=A0=A0=A0 = pierangelo.masarati(a)sys-net.it<o:p></o:p> ------------------------------------------<o:p></o:p= > <o:p> </o:p> </div> </body> </html> ------=_NextPart_000_0163_01C75810.9E49DBB0--

1 0

Re: (ITS#4848) Another slapd startup segfault
by ando＠sys-net.it 24 Feb '07

24 Feb '07

ando(a)sys-net.it wrote: >> # No limits for CNO-LDC >> limits dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" size=unlimited >> time=unlimited > > Is this "time=unlimited" starting in the first column a wrap of the > mailer or is it really there? Something absurd is happening: that limit > option starting in the first column is a syntax error, but 2.3 ignores > it. What's odd is that with this syntax error I exactly get your crash, > while without it I don't get any crash. The above had nothing to do with your problem. Your problem is related to the fact that you intermixed overlay and database configuration statements, so the idletimeout statement after the accesslog overlay instantiation was causing invalid memory write (beyond the private data of the accesslog overlay instead of in the private data of the bdb database) resulting in heap corruption. Maybe it hasn't been stressed enough, but the order of directives is: - global [- global overlay [- global overlay [...] ]] [- database [- overlay [- overlay [...] ]] [- database [- overlay [- overlay [...] ]]]] and each overlay's directives have to appear before any other overlay's. I'll see if sanity checks may be added to avoid your issue. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4848) Another slapd startup segfault
by ando＠sys-net.it 24 Feb '07

24 Feb '07

michael.heep(a)o2.com wrote: > Full_Name: Michael Heep > Version: 2.3.34 > OS: RHES30 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (82.113.101.1) Just one quick question: > # No limits for CNO-LDC > limits dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" size=unlimited > time=unlimited Is this "time=unlimited" starting in the first column a wrap of the mailer or is it really there? Something absurd is happening: that limit option starting in the first column is a syntax error, but 2.3 ignores it. What's odd is that with this syntax error I exactly get your crash, while without it I don't get any crash. >From valgrind, there appears to be some invalid write and an invalid free. I keep investigating... p. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4848) Another slapd startup segfault
by ando＠sys-net.it 24 Feb '07

24 Feb '07

michael.heep(a)o2.com wrote: > Full_Name: Michael Heep > Version: 2.3.34 > OS: RHES30 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (82.113.101.1) Few preliminary comments: 1) could easily reproduce 2) doesn't core with HEAD/2.4 code 3) you probably don't need the unique overlay on the consumer, since it's supposed to trust consistency of data coming from the producer The direct cause of the crash is that the LDAPDN structure that's being used to rebuild a normalized string representation of the unique_base is corrupted. I'm investigating how it got corrupted. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4849) LDAP URL not recognized with bind9
by ando＠sys-net.it 23 Feb '07

23 Feb '07

cyril(a)coupel.net wrote: > Tanks for your answer. > I tested by removing the %xxxx% from the URL and the tests are passed; but > there is an error saying that there is no %xxx% token. > I already open a case to the BIND team, but they reply this is not a bind > problem. > However, I will transmit this information to the BIND/DLZ team. I have few more comments; see below. > Cyril COUPEL wrote: >> I agree with this information. >> The fact is the ldapURL is not used as it, the key %zone% (or %client%) is >> replaced with the ns domain (the client name). >> >> It was working well since I upgrade to 2.3.30-r2. There is no OpenLDAP 2.3.30-r2; the current version is 2.3.34. Also, you mentioned an error message "failed to parse ldap URL"; there's no such message in bind 9.3.4 code, nor in 9.4.0rc2. Also, there's no explicit ldap_url_parse() call, so the problem could only arise when performing an operation with that broken DN. However, I don't see how the error message could be raised by bind, since the URL is parsed by bind itself, without using the OpenLDAP API function, and the DN is only used as base for other operations, so OpenLDAP API cannot have any notion of that DN being part of an URL. Finally, bind itself, while parsing the URL, checks for badly encoded portions of the URL, and the corresponding error message is "LDAP sdb zone '%s': URL: bad hex values". Could you point us to the __real__ version of OpenLDAP __and__ bind you pretend to be broken? p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4850) back-meta stops returning data
by ando＠sys-net.it 23 Feb '07

23 Feb '07

hyc(a)symas.com wrote: >> I am experiencing problems with back_meta. It does return search results for >> some time, but at some point starts returning empty search results, with SEARCH >> RESULT err=32 in the logfile. This often (but not always) happens after 5 - 30 >> minutes. > > Significant changes were made to back-meta between 2.3.32 and 2.3.33. The > current version is 2.3.34. Please upgrade and see if the issue is still present. I believe the reported behavior does no longer occur with 2.3.34. What you report seems to be related to broken behavior when the remote server closes the connection as a consequence of an idletimeout. 2.3.33 saw a lot of improvements on this side, resulting from significant development efforts and stress testing in a harsh environment, where resilience to odd target behavior was a key requirement. 2.3.34 fixed minor issues after that upgrade, and more minor fixes already are in re23 for next 2.3 release, if any. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: ITS#3812
by hyc＠symas.com 23 Feb '07

23 Feb '07

quanah(a)stanford.edu wrote: > --On Friday, February 23, 2007 7:27 PM +0000 hyc(a)symas.com wrote: > >> It might be nice to set up an automated script to pull the updated >> manpages from CVS onto the web site. > >>From CVS for the current primary release. I.e., I think it would be bad if > the manpages for 2.4 showed up right now on the website. You'll note that the web site has a selector for the release you want to view. In some respects I like the old pages being on there because their dates establish a ballpark for when a feature first appeared (well, was first documented). But I think we should always have a "Current" selection as well, that always corresponds to the latest general-use release. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs February 2007