openldap-bugs February 2007

openldap-bugs@openldap.org

32 participants
125 discussions

(ITS#4849) LDAP URL not recognized with bind9
by cyril_coupel＠yahoo.fr 22 Feb '07

22 Feb '07

Full_Name: Cyril COUPEL Version: 2.3.30-r2 OS: Gentoo URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (82.241.40.178) Since the openldap update 2.3.30-r2, le LDAP URL are no more recognized in the bind 9.3.4 named.conf. Reproducible: Always Steps to Reproduce: 1. compile BIND with DLZ and LDAP 2. add dlz "ldap zone" { database "ldap 2 v3 simple {} {} {10.1.2.253} ldap:///dlzZoneName=%zone%,ou=dns,o=bind-dlz???objectclass=dlzZone ldap:///dlzHostName=%record%,dlzZoneName=%zone%,ou=dns,o=bind-dlz?dlzTTL,dlzType,dlzPreference,dlzData,dlzIPAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa))) ldap:///dlzHostName=@,dlzZoneName=%zone%,ou=dns,o=bind-dlz?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa)) ldap:///dlzZoneName=%zone%,ou=dns,o=bind-dlz?dlzTTL,dlzType,dlzHostName,dlzPreference,dlzData,dlzIPAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa))) ldap:///dlzZoneName=%zone%,ou=dns,o=bind-dlz???(&(objectclass=dlzXFR)(dlzIPAddr=%client%)) "; }; to /etc/bind/named.conf 3. start named Actual Results: the log says :"failed to parse ldap URL" Expected Results: eb 15 16:51:35 sc1 process `named' is using obsolete setsockopt SO_BSDCOMPAT Feb 15 16:51:35 sc1 named[2220]: Loading 'ldap zone' using driver ldap Feb 15 16:51:35 sc1 named[2220]: command channel listening on 127.0.0.1#953 Feb 15 16:51:35 sc1 named[2220]: zone 127.in-addr.arpa/IN: loaded serial 2002081601 Feb 15 16:51:35 sc1 named[2220]: zone localhost/IN: loaded serial 2002081601 Feb 15 16:51:35 sc1 named[2220]: running

1 0

(ITS#4848) Another slapd startup segfault
by michael.heep＠o2.com 22 Feb '07

22 Feb '07

Full_Name: Michael Heep Version: 2.3.34 OS: RHES30 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (82.113.101.1) Since I'm not sure whether this is realted to my previos ITS (4847) so I'm filing another report as the OS and circumstances are different. As of 2.3.34 slapd crashes on Red Hat Enterprise 3.0 during startup. The funny thing is it only crashes on our slave, not on the master. The slave uses the following slapd.conf: # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # # Schema files to include include /opt/openldap/etc/schema/core.schema include /opt/openldap/etc/schema/cosine.schema include /opt/openldap/etc/schema/sudo.schema include /opt/openldap/etc/schema/nis.schema include /opt/openldap/etc/schema/openssh-lpk.schema include /opt/openldap/etc/schema/dyngroup.schema # Put those into the 'ldap' user's homedir (/var/lib/ldap) because # user 'ldap' has no write permissions in /var/run pidfile /var/lib/ldap/slapd.pid argsfile /var/lib/ldap/slapd.args # Security restrictions (all operations require at least 128bit encryption) security ssf=128 update_ssf=128 simple_bind=128 # Access control policy # rootdn can always read/write anything! # DO NOT MESS WITH THIS UNLESS YOU KNOW WHAT YOU’ARE DOING! access to dn.subtree="cn=Monitor" by dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" read access to dn.subtree="cn=accesslog" by dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" read access to * by dn.children="ou=Area 52,dc=o2online,dc=de" none by dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" write by dn.exact="cn=syncreader,dc=o2online,dc=de" read by * break access to attrs=userPassword by self write by anonymous auth access to attrs=shadowLastChange by self write by * read access to * by * read # Logging loglevel 256 # Close idle connections after 120sec idletimeout 120 # SSL/TLS Stuff TLSCACertificateFile /opt/openldap/etc/ssl-certs/cno-ldc_ca.cert TLSCertificateFile /opt/openldap/etc/ssl-certs/sgmldap02.cert TLSCertificateKeyFile /opt/openldap/etc/ssl-keys/sgmldap02.key TLSCipherSuite HIGH TLSVerifyClient try # Chainig overlay for automatic referral chasing (global so it affects updaterefs!) # chain-uri must be EXACTLY the same as updateref (ip/host, port), otherwise it wont't work! overlay chain chain-uri "ldap://sgmldap01" chain-idassert-bind bindmethod=sasl binddn="cn=syncreader,dc=o2online,dc=de" saslmech=external mode=self chain-tls start ######################## # Database definitions # ######################## # Database for access logging database bdb suffix cn=accesslog rootdn "cn=root,cn=accesslog" rootpw {SSHA}FORBIDDEN directory /var/lib/ldap/openldap-accesslog # Indices to maintain index reqStart eq index objectClass eq # Checkpointing & caching checkpoint 256 5 cachesize 1000 idlcachesize 3000 # No limits for CNO-LDC limits dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" size=unlimited time=unlimited # Database with monitor backend for the Directory Informartion Tree database monitor database bdb suffix "dc=o2online,dc=de" rootdn "cn=root,dc=o2online,dc=de" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA} # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap/openldap-data # Accesslog overlay - Keep logs for 30 days and purge old entries once a day overlay accesslog logdb cn=accesslog logops writes logold (objectclass=*) logpurge 30+00:00 01+00:00 # Indices to maintain # WARNING: If you add indices stop slapd, run slapindex, then start slapd! # Otherwise you'll experience problems like searches returning improper results. index objectClass eq index entryCSN eq index entryUUID eq index sudoUser pres,eq,sub index uid,cn pres,eq,sub index uidNumber eq index gidNumber eq index memberUid eq index uniqueMember eq index host eq ## Syncrepl provider settings #overlay syncprov #syncprov-checkpoint 50 5 #syncprov-sessionlog 100 # Syncrepl consumer settings # Set attrs="*,+" or don't configure it at all to also replicate all operational attributes # (createTimestamp, creatorsName, modifiersName, modifyTimestamp, etc.) syncrepl rid=100 provider=ldap://sgmldap01 type=refreshAndPersist interval=00:00:00:10 retry="60 10 300 +" searchbase="dc=o2online,dc=de" filter="(objectclass=*)" scope=sub attrs="*,+" schemachecking=on starttls=critical bindmethod=sasl saslmech="external" # URL to return to clients which submit update requests updateref ldap://sgmldap01 # No limits for the "syncreader" account limits dn.exact="cn=syncreader,dc=o2online,dc=de" size=unlimited time=unlimited # Caches & Checkpointing (see slapd-bdb(5) manual) cachesize 10000 idlcachesize 30000 checkpoint 1024 5 # Attribute uniqueness overlay for POSIX accounts overlay unique unique_base "ou=People,dc=o2online,dc=de" unique_attributes uid uidNumber # Dynlist overlay to dynamically add members to groups through memberURLs overlay dynlist dynlist-attrset extensibleObject memberURL uniqueMember # Value sorting overlay overlay valsort valsort-attr uniqueMember dc=o2online,dc=de alpha-ascend valsort-attr host dc=o2online,dc=de alpha-ascend # Allow Proxy Authorization authz-policy to # SASL rewrite rules authz-regexp email=[we want no spam](a)o2.com,cn=sgmldap([0-9]*),ou=cno-ldc,o=o2\ germany,l=frankfurt,st=hessen,c=de cn=syncreader,dc=o2online,dc=de The master's conf is basically the same. Just overlay chain + syncrepl commaneted out and overlay syncprov commented in. Uncommenting the following directives results in a clean startup: ## Syncrepl provider settings #overlay syncprov #syncprov-checkpoint 50 5 #syncprov-sessionlog 100 Here's the gdb dump: (gdb) file ./slapd Reading symbols from /home/heepm/slapd...done. Using host libthread_db library "/lib/tls/libthread_db.so.1". (gdb) run -u ldap -f /opt/openldap/etc/slapd.conf -h "ldap:/// ldaps:///" Starting program: /home/heepm/slapd -u ldap -f /opt/openldap/etc/slapd.conf -h "ldap:/// ldaps:///" [Thread debugging using libthread_db enabled] [New Thread -1218506624 (LWP 29908)] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1218506624 (LWP 29908)] 0x0062ff95 in memmove () from /lib/tls/libc.so.6 (gdb) bt full #0 0x0062ff95 in memmove () from /lib/tls/libc.so.6 No symbol table info available. #1 0x0817722a in rdn2str (rdn=0x901ea28, str=0x901ed12 "", flags=272, len=0x90177e2, s2s=0x8176420 <strval2str>) at getdn.c:2571 iAVA = 0 l = 3 #2 0x08177dfc in ldap_dn2bv_x (dn=0x901ebe0, bv=0x901e854, flags=272, ctx=0x0) at getdn.c:3044 rdnl = 10 iRDN = 1 rc = -3 len = 28 l = 10 sv2l = (int (*)(struct berval *, unsigned int, ber_len_t *)) 0x8176130 <strval2strlen> sv2s = (int (*)(struct berval *, char *, unsigned int, ber_len_t *)) 0x8176420 <strval2str> #3 0x08095479 in dnNormalize (use=0, syntax=0x0, mr=0x0, val=0xbfffb098, out=0x901e854, ctx=0x0) at dn.c:627 dn = 0x901ebe0 rc = 0 #4 0x081516c5 in unique_config (be=0x90177e2, fname=0x8fd9018 "/opt/openldap/etc/slapd.conf", lineno=156, argc=2, argv=0x9006ff8) at unique.c:151 bv = {bv_len = 27, bv_val = 0x901e7fd "ou=People,dc=o2online,dc=de"} on = (slap_overinst *) 0x90177e2 ud = (unique_data *) 0x901e848 up = (unique_attrs *) 0xbfffb098 text = 0xbfffb21c "/opt/openldap/etc/slapd.conf: line 156" ad = (AttributeDescription *) 0x6030a4 i = 7256760 #5 0x080ddb1a in over_db_config (be=0x901e040, fname=0x8fd9018 "/opt/openldap/etc/slapd.conf", lineno=156, argc=2, argv=0x9006ff8) at backover.c:157 on2 = (slap_overinst *) 0x0 onp = (slap_overinst **) 0x81512c0 be2 = {bd_info = 0x0, be_ctrls = '\0' <repeats 32 times>, be_flags = 0, be_restrictops = 0, be_requires = 0, be_ssf_set = { sss_ssf = 0, sss_transport = 0, sss_tls = 0, sss_sasl = 0, sss_update_ssf = 0, sss_update_transport = 0, sss_update_tls = 0, sss_update_sasl = 0, sss_simple_bind = 0}, be_suffix = 0x0, be_nsuffix = 0x0, be_schemadn = {bv_len = 0, bv_val = 0x0}, be_schemandn = {bv_len = 0, bv_val = 0x0}, be_rootdn = {bv_len = 0, bv_val = 0x0}, be_rootndn = {bv_len = 0, bv_val = 0x0}, be_rootpw = {bv_len = 0, bv_val = 0x0}, be_max_deref_depth = 0, be_def_limit = {lms_t_soft = 0, lms_t_hard = 0, lms_s_soft = 0, lms_s_hard = 0, lms_s_unchecked = 0, lms_s_pr = 0, lms_s_pr_hide = 0, lms_s_pr_total = 0}, be_limits = 0x0, be_acl = 0x0, be_dfltaccess = ACL_NONE, be_replica = 0x0, be_replogfile = 0x0, be_update_ndn = {bv_len = 0, bv_val = 0x0}, be_update_refs = 0x0, be_pending_csn_list = 0x0, be_pcl_mutex = {__m_reserved = 0, __m_count = 0, __m_owner = 0x0, __m_kind = 0, __m_lock = {__status = 0, __spinlock = 0}}, be_pcl_mutexp = 0x0, be_syncinfo = 0x0, be_pb = 0x0, be_cf_ocs = 0x0, be_private = 0x0, be_next = {stqe_next = 0x0}} i = 0 oi2 = (slap_overinfo *) 0x90177e2 oi = (slap_overinfo *) 0x901e4f8 on = (slap_overinst *) 0x901ebf8 be_cf_ocs = (struct ConfigOCs *) 0x82a0900 ca = {argc = 2, argv = 0x9006ff8, argv_size = 0, line = 0x0, tline = 0x0, fname = 0x8fd9018 "/opt/openldap/etc/slapd.conf", lineno = 156, log = "/opt/openldap/etc/slapd.conf: line 156", '\0' <repeats 4085 times>, msg = '\0' <repeats 255 times>, depth = 0, valx = 0, values = {v_int = 0, v_long = 0, v_ber_t = 0, v_string = 0x0, v_bv = {bv_len = 0, bv_val = 0x0}, v_dn = {vdn_dn = {bv_len = 0, bv_val = 0x0}, vdn_ndn = {bv_len = 0, bv_val = 0x0}}}, rvalue_vals = 0x0, rvalue_nvals = 0x0, op = 0, type = 0, ---Type <return> to continue, or q <return> to quit--- be = 0x901e040, bi = 0x0, ca_entry = 0x0, private = 0x0, cleanup = 0} rc = -1026 #6 0x0807918f in read_config_file (fname=0x8fd9018 "/opt/openldap/etc/slapd.conf", depth=0, cf=0x9007800, cft=0x829bea0) at config.c:807 fp = (FILE *) 0x9007800 ct = (ConfigTable *) 0x90177e2 c = (ConfigArgs *) 0x9005e80 rc = 151019136 s = {st_dev = 26626, __pad1 = 0, st_ino = 229380, st_mode = 33184, st_nlink = 1, st_uid = 0, st_gid = 55, st_rdev = 0, __pad2 = 0, st_size = 5199, st_blksize = 4096, st_blocks = 16, st_atim = {tv_sec = 1172158204, tv_nsec = 0}, st_mtim = { tv_sec = 1171993893, tv_nsec = 0}, st_ctim = {tv_sec = 1171993893, tv_nsec = 0}, __unused4 = 0, __unused5 = 0} #7 0x0807357e in read_config (fname=0x8fd9018 "/opt/openldap/etc/slapd.conf", dir=0x8fd9018 "/opt/openldap/etc/slapd.conf") at bconfig.c:3077 st = {st_dev = 7, __pad1 = 50360, st_ino = 135507850, st_mode = 150982944, st_nlink = 3221210280, st_uid = 1, st_gid = 150983096, st_rdev = 588336130853561644, __pad2 = 50360, st_size = 134901884, st_blksize = 136982680, st_blocks = 0, st_atim = {tv_sec = -1073756936, tv_nsec = 134933086}, st_mtim = {tv_sec = 0, tv_nsec = 24582}, st_ctim = {tv_sec = -1073756952, tv_nsec = 135684567}, __unused4 = 136990016, __unused5 = 0} be = (BackendDB *) 0x9005bb8 cfb = (CfBackInfo *) 0x9005cc0 cfdir = 0x901ea60 "\002" cfname = 0x8fd9018 "/opt/openldap/etc/slapd.conf" rc = 151018424 #8 0x0806c445 in main (argc=7, argv=0xbfffc614) at main.c:667 val = 0x0 opt = {bv_len = 3221210504, bv_val = 0x822db6e "\215\223\024\207ÿÿ\215\213\024\207ÿÿ)ÊÁú\0021ö9Ös\017\211×\220ÿ\224³\024\207ÿÿF9þrô\203Ä\f[^_ÉÃU\211åVSè"} i = 0 i = 136960888 no_detach = 0 rc = 0 urls = 0x8fd9040 "ldap:/// ldaps:///" username = 0x8fd9008 "ACI Item" groupname = 0x0 sandbox = 0x0 syslogUser = 160 configfile = 0x8fd9018 "/opt/openldap/etc/slapd.conf" configdir = 0x0 serverName = 0xbfffec31 "slapd" scp = (struct sync_cookie *) 0x829db78 scp_entry = (struct sync_cookie *) 0x90177e2 debug_unknowns = (char **) 0x0 syslog_unknowns = (char **) 0x0 serverNamePrefix = 0x90177e2 "" slapd_pid_file_unlink = 0 slapd_args_file_unlink = 0 With kind regards Michael Heep

1 0

(ITS#4847) slapd segfaults on startup
by michael.heep＠o2.com 22 Feb '07

22 Feb '07

Full_Name: Michael Heep Version: 2.3.34 OS: RHES21 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (82.113.101.1) Since version 2.3.34 slapd simply segfaults during startup on a Red Hat Enterprise 2.1 system. I've been building a customized OpenLDAP RPM for our purposes (installs to /opt/openldap) for over a year now and never encountered any problems like this before. + CPPFLAGS= -I/usr/src/redhat/BUILD/openldap-2.3.34/db-instroot/include -I/usr/include/sasl2 + LDFLAGS= -L/usr/src/redhat/BUILD/openldap-2.3.34/db-instroot/lib + CFLAGS= -O2 -march=i386 -mcpu=i686 -D_REENTRANT -fPIC -I/usr/src/redhat/BUILD/openldap-2.3.34/db-instroot/include -I/usr/include/sasl2 -g -O2 + ./configure --prefix=/opt/openldap --exec_prefix=/opt/openldap --bindir=/opt/openldap/bin --sbindir=/opt/openldap/sbin --sysconfdir=/opt/openldap/etc --datadir=/opt/openldap/share --includedir=/opt/openldap/include --libdir=/opt/openldap/lib --libexecdir=/opt/openldap/sbin --localstatedir=/var/run --sharedstatedir=/usr/com --mandir=/opt/openldap/man --infodir=/opt/openldap/info --enable-debug --enable-bdb --enable-hdb --enable-ldap --enable-monitor --disable-ldbm --enable-slapd --disable-slurpd --enable-syncprov --enable-accesslog --enable-ppolicy --enable-unique --enable-proxycache --enable-dynlist --enable-valsort --enable-refint --with-threads --enable-shared --enable-static --enable-local --disable-rlookups --with-tls --with-cyrus-sasl --disable-wrappers --disable-ipv6 --enable-passwd --enable-crypt --enable-cleartext --enable-spasswd --enable-syslog --enable-modules --disable-sql --disable-shell Here is the stacktrace when run under gdb: (gdb) file ./slapd Load new symbol table from "./slapd"? (y or n) y Reading symbols from ./slapd...done. (gdb) run -u ldap -f /opt/openldap/etc/slapd.conf -h "ldap:/// ldaps:/// ldaps://192.168.128.204:80/" Starting program: /usr/src/redhat/BUILD/openldap-2.3.34/servers/slapd/slapd -u ldap -f /opt/openldap/etc/slapd.conf -h "ldap:/// ldaps:/// ldaps://192.168.128.204:80/" [Thread debugging using libthread_db enabled] [New Thread 8192 (LWP 30130)] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 8192 (LWP 30130)] 0x08092364 in LDAPDN_rewrite (dn=0x833f618, flags=0, ctx=0x0) at dn.c:519 519 validf = ad->ad_type->sat_syntax->ssyn_validate; (gdb) bt full #0 0x08092364 in LDAPDN_rewrite (dn=0x833f618, flags=0, ctx=0x0) at dn.c:519 validf = (slap_syntax_validate_func *) 0 transf = (slap_syntax_transform_func *) 0 bv = {bv_len = 0, bv_val = 0x0} ava = (LDAPAVA *) 0x833e3a8 ad = (AttributeDescription *) 0x833e418 normf = (slap_mr_normalize_func *) 0 mr = (MatchingRule *) 0x0 do_sort = 1 iAVA = 0 iRDN = 0 rc = 2 #1 0x08092615 in dnNormalize (use=0, syntax=0x0, mr=0x0, val=0xbffeac18, out=0x833e804, ctx=0x0) at dn.c:619 val = (struct berval *) 0xbffeac18 dn = 0x833f618 rc = 137623037 #2 0x08140898 in unique_config (be=0x833f810, fname=0x82a8230 "/opt/openldap/etc/slapd.conf", lineno=168, argc=2, argv=0x833cef8) at unique.c:151 bv = {bv_len = 17, bv_val = 0x833f5fd "dc=o2online,dc=de"} be = (BackendDB *) 0x7530 on = (slap_overinst *) 0x2 ud = (unique_data *) 0x833e7f8 up = (unique_attrs *) 0xbffeac18 text = 0x101b <Address 0x101b out of bounds> ad = (AttributeDescription *) 0xbffead9c i = 137003568 #3 0x080d5c95 in over_db_config (be=0x833f810, fname=0x82a8230 "/opt/openldap/etc/slapd.conf", lineno=168, argc=2, argv=0x833cef8) at backover.c:157 oi = (slap_overinfo *) 0x833e210 on = (slap_overinst *) 0x8355c98 be_cf_ocs = (struct ConfigOCs *) 0x827f2b4 ca = {argc = 2, argv = 0x833cef8, argv_size = 0, line = 0x0, tline = 0x0, fname = 0x82a8230 "/opt/openldap/etc/slapd.conf", lineno = 168, log = "/opt/openldap/etc/slapd.conf: line 168", '\0' <repeats 4084 times>, msg = '\0' <repeats 255 times>, depth = 0, valx = 0, values = {v_int = 0, v_long = 0, v_ber_t = 0, v_string = 0x0, v_bv = {bv_len = 0, bv_val = 0x0}, v_dn = {vdn_dn = {bv_len = 0, bv_val = 0x0}, vdn_ndn = {bv_len = 0, bv_val = 0x0}}}, rvalue_vals = 0x0, rvalue_nvals = 0x0, op = 0, type = 0, be = 0x833f810, bi = 0x0, ca_entry = 0x0, private = 0x0, cleanup = 0} rc = -1026 #4 0x08078bbf in read_config_file (fname=0x82a8230 "/opt/openldap/etc/slapd.conf", depth=0, cf=0x0, cft=0x827a5f4) at config.c:807 fp = (FILE *) 0x833d700 ct = (ConfigTable *) 0x2 c = (ConfigArgs *) 0x833bd80 rc = -1026 s = {st_dev = 26632, __pad1 = 0, st_ino = 229391, st_mode = 33184, st_nlink = 1, st_uid = 0, st_gid = 55, st_rdev = 0, __pad2 = 0, st_size = 6040, st_blksize = 4096, st_blocks = 16, st_atime = 1172155110, __unused1 = 0, st_mtime = 1170837817, __unused2 = 0, st_ctime = 1171879479, __unused3 = 0, __unused4 = 0, __unused5 = 0} #5 0x080731fd in read_config (fname=0x82a8230 "/opt/openldap/etc/slapd.conf", dir=0x0) at bconfig.c:3077 dir = 0x82a8230 "/opt/openldap/etc/slapd.conf" be = (BackendDB *) 0x833bac8 cfb = (CfBackInfo *) 0x833bbd0 cfdir = 0x7530 <Address 0x7530 out of bounds> cfname = 0x82a8230 "/opt/openldap/etc/slapd.conf" rc = 137607880 #6 0x0806c33d in main (argc=7, argv=0xbffec1a4) at main.c:667 i = 137003568 no_detach = 0 rc = 0 urls = 0x82a8258 "ldap:/// ldaps:/// ldaps://192.168.128.204:80/" username = 0x82a8220 "HÏ,@Àò.@\020" groupname = 0x0 sandbox = 0x0 syslogUser = 160 configfile = 0x82a8230 "/opt/openldap/etc/slapd.conf" configdir = 0x0 serverName = 0xbffedbd0 "slapd" scp = (struct sync_cookie *) 0x0 scp_entry = (struct sync_cookie *) 0x2 debug_unknowns = (char **) 0x0 syslog_unknowns = (char **) 0x0 serverNamePrefix = 0x2 <Address 0x2 out of bounds> slapd_pid_file_unlink = 0 slapd_args_file_unlink = 0 (gdb) (gdb) thread apply all bt Thread 1 (Thread 8192 (LWP 30130)): #0 0x08092364 in LDAPDN_rewrite (dn=0x833f618, flags=0, ctx=0x0) at dn.c:519 #1 0x08092615 in dnNormalize (use=0, syntax=0x0, mr=0x0, val=0xbffeac18, out=0x833e804, ctx=0x0) at dn.c:619 #2 0x08140898 in unique_config (be=0x833f810, fname=0x82a8230 "/opt/openldap/etc/slapd.conf", lineno=168, argc=2, argv=0x833cef8) at unique.c:151 #3 0x080d5c95 in over_db_config (be=0x833f810, fname=0x82a8230 "/opt/openldap/etc/slapd.conf", lineno=168, argc=2, argv=0x833cef8) at backover.c:157 #4 0x08078bbf in read_config_file (fname=0x82a8230 "/opt/openldap/etc/slapd.conf", depth=0, cf=0x0, cft=0x827a5f4) at config.c:807 #5 0x080731fd in read_config (fname=0x82a8230 "/opt/openldap/etc/slapd.conf", dir=0x0) at bconfig.c:3077 #6 0x0806c33d in main (argc=7, argv=0xbffec1a4) at main.c:667 (gdb) I hope this helps, since I'm not that experienced in gdb/strace usage and thus cannot make much of the output ;) OpenLDAP 2.3.33 (or lower) worked flawlessly. This is the slapd.conf we use, which hasn't changed since 2.3.32. I kept all comments, etc. to provide accurate data. Just censored the passwords: # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /opt/openldap/etc/schema/core.schema include /opt/openldap/etc/schema/cosine.schema include /opt/openldap/etc/schema/sudo.schema include /opt/openldap/etc/schema/nis.schema include /opt/openldap/etc/schema/openssh-lpk.schema include /opt/openldap/etc/schema/dyngroup.schema include /opt/openldap/etc/schema/ppolicy.schema # Put those into the 'ldap' user's homedir (/var/lib/ldap) because # user 'ldap' has no write permissions in /var/run pidfile /var/lib/ldap/slapd.pid argsfile /var/lib/ldap/slapd.args # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 112-bit encryption for simple bind #security ssf=1 update_ssf=112 simple_bind=112 security ssf=128 update_ssf=128 simple_bind=128 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! access to dn.subtree="cn=accesslog" by dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" read access to * by dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" write by dn.exact="cn=syncreader,dc=o2online,dc=de" read by * break access to attrs=userPassword by self write by anonymous auth access to attrs=shadowLastChange by self write by * read access to * by * read # Logging loglevel 256 # Remove idle connections after 5 minutes idletimeout 300 # SSL/TLS Stuff TLSCACertificateFile /opt/openldap/etc/ssl-certs/cno-ldc_ca.cert TLSCertificateFile /opt/openldap/etc/ssl-certs/sgmldaptest02.cert TLSCertificateKeyFile /opt/openldap/etc/ssl-keys/sgmldaptest02.key TLSCipherSuite HIGH TLSVerifyClient try ## Chainig overlay for automatic referral chasing (global so it affects updateref entries!) ## chain-uri must be EXACTLY the same as updateref (ip/host, port), otherwise it wont't work! #overlay chain #chain-uri "ldap://192.168.128.205" #chain-idassert-bind bindmethod=sasl binddn="cn=syncreader,dc=o2online,dc=de" saslmech=external mode=self #chain-tls start ####################################################################### # BDB database definitions ####################################################################### # Database for access logging database bdb suffix cn=accesslog rootdn "cn=root,cn=accesslog" rootpw {SSHA}FORBIDDEN directory /var/lib/ldap/openldap-accesslog #Iindices to maintain index objectClass eq index reqStart eq # Checkpointing & caching checkpoint 256 5 cachesize 1000 idlcachesize 3000 # Main database definitions database bdb suffix "dc=o2online,dc=de" rootdn "cn=root,dc=o2online,dc=de" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA} # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap/openldap-data # Accesslog overlay - Keep logs for 30 days and purge old entries once a day overlay accesslog logdb cn=accesslog logops writes logold (objectclass=*) logpurge 30+00:00 01+00:00 # Indices to maintain # WARNING: If you add indices stop slapd, run slapindex, then start slapd! # Otherwise you'll experience problems like searches returning improper results. index objectClass eq index entryCSN eq index entryUUID eq index sudoUser pres,eq,sub index uid,cn pres,eq,sub index uidNumber eq index gidNumber eq index memberUid eq index uniqueMember eq index host eq # Syncrepl provider settings overlay syncprov syncprov-checkpoint 50 5 syncprov-sessionlog 1000 ## Syncrepl consumer settings ## Set attrs="*,+" or don't configure it at all to also replicate all operational attributes ## (createTimestamp, creatorsName, modifiersName, modifyTimestamp, etc.) #syncrepl rid=100 # provider=ldap://sgmldaptest01 # type=refreshAndPersist # interval=00:00:00:10 # retry="60 10 300 +" # searchbase="dc=o2online,dc=de" # filter="(objectclass=*)" # scope=sub # attrs="*,+" # schemachecking=on # starttls=critical # bindmethod=sasl # saslmech="external" # ## URL to return to clients which submit update requests #updateref ldap://192.168.128.205 # No limits for the "syncreader" account limits dn.exact="cn=syncreader,dc=o2online,dc=de" size=unlimited time=unlimited # Caches & Checkpointing (see slapd-bdb(5) manual) cachesize 10000 idlcachesize 30000 checkpoint 1024 5 # Attribute uniqueness overlay for POSIX accounts overlay unique unique_base "dc=o2online,dc=de" unique_attributes uid uidNumber # 2 gleiche overlays gehen nicht. Tja, was tun mit gidNumber? #overlay unique #unique_base "ou=Groups,dc=o2online,dc=de" #unique_attributes gidNumber # Dynlist overlay to dynamically add members to groups through memberURLs overlay dynlist dynlist-attrset extensibleObject memberURL uniqueMember # Valsort overlay overlay valsort valsort-attr uniqueMember dc=o2online,dc=de alpha-ascend valsort-attr host dc=o2online,dc=de alpha-ascend # Password policy configuration overlay ppolicy #ppolicy_default "cn=Standard,ou=Password_Policies,dc=o2online,dc=de" #ppolicy_hash_cleartext ppolicy_use_lockout # Allow Proxy Authorization authz-policy to # SASL rewrite rules authz-regexp email=[we want no spam],cn=sgmldaptest([0-9]*),ou=cno-ldc,o=o2\ germany,l=frankfurt,st=hessen,c=de cn=syncreader,dc=o2online,dc=de With kind regards Michael Heep

1 0

Re: (ITS#4844) Missing 2.4 man pages and things marked as "Experimental"
by ghenry＠suretecsystems.com 21 Feb '07

21 Feb '07

<quote who="ando(a)sys-net.it"> > ghenry(a)suretecsystems.com wrote: > >> Just a quick to note that there are some overlays missing from >> slapd.overlays.5 >> in 2.4.4alpha and actual man pages. > > Please enumerate them; some are intentionally not present because they > are not intended for real use. Certainly. Will do in the morning. > >> Also, relay and rwm are still marked as experimental in some places. > >> grep experimental doc/man/man5/* >> >> doc/man/man5/slapd-relay.5:This backend and the above mentioned overlay >> are >> experimental. >> >> doc/man/man5/slapo-rwm.5:This overlay is experimental. >> >> I'll help where I can, > > Sure. I believe they are no longer experimental, but they still do not > support back-config, so better wait until they're complete. Understood. > > p. > > > > Ing. Pierangelo Masarati > OpenLDAP Core Team > > SysNet s.n.c. > Via Dossi, 8 - 27100 Pavia - ITALIA > http://www.sys-net.it > ------------------------------------------ > Office: +39.02.23998309 > Mobile: +39.333.4963172 > Email: pierangelo.masarati(a)sys-net.it > ------------------------------------------ > > >

1 0

Re: (ITS#4845) Back-perl is non working
by ando＠sys-net.it 21 Feb '07

21 Feb '07

kiwi(a)oav.net wrote: > Full_Name: Xavier Beaudouin > Version: 2.3.33 > OS: FreeBSD 6.2 > URL: http://www.oav.net/tmp/openldap/ > Submission from: (NULL) (82.225.248.92) > Sending -> dn : uid=kiwi(a)oav.net,ou=mailboxes,dc=kazar,dc=net > objectClass : top > objectClass : kazarPerson > uid : kiwi(a)oav.net > cn : Nom Prenom > description : Sample description > uidNumber : 10 > gidNumber : 10 > userPassword : Password > homeDirectory : /home/test > mailQuota : 50 > CouriermailQuota : 50S > > str2entry: entry -1 has no dn > str2entry(dn) failed > send_ldap_result: err=0 matched="" text="" > connection_get(8) If the above is the way your LDIF is formatted, then back-perl (actually, str2entry, a helper function in the core of slapd) is working as intended. There's supposed to be no space between attribute names or "dn" and the colon ":". Please fix you PERL and report. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4844) Missing 2.4 man pages and things marked as "Experimental"
by ando＠sys-net.it 21 Feb '07

21 Feb '07

ghenry(a)suretecsystems.com wrote: > Just a quick to note that there are some overlays missing from slapd.overlays.5 > in 2.4.4alpha and actual man pages. Please enumerate them; some are intentionally not present because they are not intended for real use. > Also, relay and rwm are still marked as experimental in some places. > grep experimental doc/man/man5/* > > doc/man/man5/slapd-relay.5:This backend and the above mentioned overlay are > experimental. > > doc/man/man5/slapo-rwm.5:This overlay is experimental. > > I'll help where I can, Sure. I believe they are no longer experimental, but they still do not support back-config, so better wait until they're complete. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

old devel bugs
by Howard Chu 21 Feb '07

21 Feb '07

Are ITS#4332 and #4473 still relevant, or can we close them? -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

RE: (ITS#4846) attribute 'objectClass' provided more than once
by Wolfgang.Christ＠secunet.com 21 Feb '07

21 Feb '07

Hello Howard, i'm surely using slurpd. The replication part in slapd.conf of the master is: replogfile /home/ldap/de/secartis.replog replica uri=ldap://10.36.125.15:389 bindmethod=simple binddn="cn=admin,o=secartis,c=de" credentials=secartis attrs!=structuralObjectClass attrs!=entryUUID attrs!=creatorsName attrs!=createTimestamp attrs!=entryCSN attrs!=modifiersName attrs!=modifyTimestamp i.e. i'm using the root account for replication. And that's the mistake. I changed the binddn to a user account and now it works. Thanks a lot Kind Regards Wolfgang -----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Wed 2007-02-21 14:20 To: Christ, Wolfgang Cc: openldap-its(a)openldap.org Subject: Re: (ITS#4846) attribute 'objectClass' provided more than once wolfgang.christ(a)secunet.com wrote: > Full_Name: Wolfgang Christ > Version: 2.3.32 > OS: linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (213.68.205.167) > > > I'm trying to replicate an OpenLDAP DB using slurpd. But even a simple ldapadd > with an LDIF file like this: > > dn: cn=wolfgang,ou=organization unit,o=organization,c=de > objectClass: inetOrgPerson > objectClass: person > cn: wolfgang > sn: hilfe > userCertificate;binary:< file:///cert.crt > > OpenLDAP returns an error "attribute 'objectClass' provided more than once". If > I > remove the second objectclass with certificate and and add these in a seperate > modify step, everything is fine. > > If i modify "servers/slapd/add.c" in line 318: > > /* check for unmodifiable attributes */ > /*rs->sr_err = slap_mods_no_repl_user_mod_check( op, > modlist, &rs->sr_text, textbuf, textlen ); > if ( rs->sr_err != LDAP_SUCCESS ) { > send_ldap_result( op, rs ); > goto done; > }*/ > > and prevent calling of slap_mods_no_repl_user_mod_check(), replication works. > > Could you explain, what is the sense of slap_mods_no_repl_user_mod_check() > and why it causes slurpd not to work. Your post makes no sense. That function is only called when a normal user is trying to add an entry. It is skipped when the replication user is doing the add. So this should have nothing to do with slurpd. What are you using to perform the Add operation? Certainly OpenLDAP's ldapadd tool won't generate an error like this; it can only arise because of a malformed Add request packet. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#4846) attribute 'objectClass' provided more than once
by hyc＠symas.com 21 Feb '07

21 Feb '07

wolfgang.christ(a)secunet.com wrote: > Full_Name: Wolfgang Christ > Version: 2.3.32 > OS: linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (213.68.205.167) > > > I'm trying to replicate an OpenLDAP DB using slurpd. But even a simple ldapadd > with an LDIF file like this: > > dn: cn=wolfgang,ou=organization unit,o=organization,c=de > objectClass: inetOrgPerson > objectClass: person > cn: wolfgang > sn: hilfe > userCertificate;binary:< file:///cert.crt > > OpenLDAP returns an error "attribute 'objectClass' provided more than once". If > I > remove the second objectclass with certificate and and add these in a seperate > modify step, everything is fine. > > If i modify "servers/slapd/add.c" in line 318: > > /* check for unmodifiable attributes */ > /*rs->sr_err = slap_mods_no_repl_user_mod_check( op, > modlist, &rs->sr_text, textbuf, textlen ); > if ( rs->sr_err != LDAP_SUCCESS ) { > send_ldap_result( op, rs ); > goto done; > }*/ > > and prevent calling of slap_mods_no_repl_user_mod_check(), replication works. > > Could you explain, what is the sense of slap_mods_no_repl_user_mod_check() > and why it causes slurpd not to work. Your post makes no sense. That function is only called when a normal user is trying to add an entry. It is skipped when the replication user is doing the add. So this should have nothing to do with slurpd. What are you using to perform the Add operation? Certainly OpenLDAP's ldapadd tool won't generate an error like this; it can only arise because of a malformed Add request packet. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#4846) attribute 'objectClass' provided more than once
by wolfgang.christ＠secunet.com 20 Feb '07

20 Feb '07

Full_Name: Wolfgang Christ Version: 2.3.32 OS: linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (213.68.205.167) I'm trying to replicate an OpenLDAP DB using slurpd. But even a simple ldapadd with an LDIF file like this: dn: cn=wolfgang,ou=organization unit,o=organization,c=de objectClass: inetOrgPerson objectClass: person cn: wolfgang sn: hilfe userCertificate;binary:< file:///cert.crt OpenLDAP returns an error "attribute 'objectClass' provided more than once". If I remove the second objectclass with certificate and and add these in a seperate modify step, everything is fine. If i modify "servers/slapd/add.c" in line 318: /* check for unmodifiable attributes */ /*rs->sr_err = slap_mods_no_repl_user_mod_check( op, modlist, &rs->sr_text, textbuf, textlen ); if ( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto done; }*/ and prevent calling of slap_mods_no_repl_user_mod_check(), replication works. Could you explain, what is the sense of slap_mods_no_repl_user_mod_check() and why it causes slurpd not to work. kind regards Wolfgang Christ

1 0

← Newer
1
2
3
4
5
6
7
8
...
13
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs February 2007