openldap-bugs August 2007

openldap-bugs@openldap.org

42 participants
211 discussions

Re: (ITS#5065) out of order ctxcsn from old entryCSN
by hyc＠symas.com 10 Aug '07

10 Aug '07

donn(a)u.washington.edu wrote: > On Aug 10, 2007, at 1:53 PM, Howard Chu wrote: >> You didn't mention how your syncrepl is configured but it seems >> that this can only occur for refreshAndPersist mode, with old >> entries being ldapadd'd to the running master. > > It is indeed refreshAndPersist ... > >> In fact, since entryCSN is NO-USER-MODIFICATION it shouldn't even >> be possible to add entries this way to a running server. Before we >> can "catch the problem in the master" we need more information on >> how the problem was caused. > > The master server had updatedn defined to itself. Changes, logged from > another server, were applied with ldapmodify. "Don't do this" ... You're essentially creating the same inconsistency that a naive multimaster setup introduces. Since 2.4.4 has real multimaster support, you should not be doing things this way. Note that a proper configuration works with either refreshOnly or refreshAndPersist mode, and cascaded to an arbitrary depth. Your current setup only works with refreshAndPersist, and cannot be cascaded reliably. I.e. your setup is inherently broken. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5077) syncrepl.add_cmp() infinite loop on swapped values
by hyc＠symas.com 10 Aug '07

10 Aug '07

donn(a)u.washington.edu wrote: > Full_Name: Donn Cave > Version: 2.4.4 > OS: Red Hat Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (128.95.135.150) > > > In "while" loop at 2656, I find old->a_vals are like [..., a, b, ...] and > new->a_vals are like [..., b, a, ...]. > > Matches are found at old [i] == new [k = j+1] and old [k = i+1] == new [j], but > this just shows that neither an add nor a delete is called for, and the loop end > is reached without having incremented i or j. > > Actual attribute values I'm looking at right now in the debugger are > eduPersonAffiliation: old [ member, alum, employee, faculty ], new [ member, > alum, faculty, employee ]. I built the replica from a slapcat dump on the idle > master, started the slapd syncrepl client and applied a lot of normal > modifications to the master, until it hit the infinite loop. It has been a > recurrent problem. Now fixed in HEAD, please test. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5065) out of order ctxcsn from old entryCSN
by donn＠u.washington.edu 10 Aug '07

10 Aug '07

On Aug 10, 2007, at 1:53 PM, Howard Chu wrote: > > You didn't mention how your syncrepl is configured but it seems > that this can only occur for refreshAndPersist mode, with old > entries being ldapadd'd to the running master. It is indeed refreshAndPersist ... > > In fact, since entryCSN is NO-USER-MODIFICATION it shouldn't even > be possible to add entries this way to a running server. Before we > can "catch the problem in the master" we need more information on > how the problem was caused. The master server had updatedn defined to itself. Changes, logged from another server, were applied with ldapmodify. Donn Cave, donn(a)u.washington.edu

1 0

Re: (ITS#5065) out of order ctxcsn from old entryCSN
by hyc＠symas.com 10 Aug '07

10 Aug '07

donn(a)u.washington.edu wrote: > Full_Name: Donn Cave > Version: 2.4.4 > OS: RH Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (128.95.135.150) > > > Old entryCSN values imported into the data from another server, can crash > replicas. > > In loop at top of syncrepl_updateCookie, replica encounters a syncCookie whose > value is less than its matching si_cookieState->cs_val. This breaks out of the > inner loop, and the outer loop, without copying anything into `first', so > slap_queue_csn crashes on the null csn. Both are element 0 of their respective > arrays. I assume it is no surprise that syncCookie takes its value from an > entryCSN attribute. > > To duplicate, add an entry with an explicit entryCSN, with value less than the > current contextCSN. In my case, the entryCSN is of the format without the > `decimal fraction' field, but I doubt that matters. > > I don't want to say OpenLDAP needs to support this, but maybe it would be better > to catch the problem in the master, than crash the replicas. You didn't mention how your syncrepl is configured but it seems that this can only occur for refreshAndPersist mode, with old entries being ldapadd'd to the running master. As you say, this is not a supported mode of operation. New data in the server should always have a new entryCSN as well. In fact, since entryCSN is NO-USER-MODIFICATION it shouldn't even be possible to add entries this way to a running server. Before we can "catch the problem in the master" we need more information on how the problem was caused. As for crashing the replicas - the only sure solution is to patch the code in the replicas - "catching the problem in the master" isn't really a proper solution anyway. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: ITS#5082
by hyc＠symas.com 10 Aug '07

10 Aug '07

ando(a)sys-net.it wrote: > See also discussion in thread > <http://www.openldap.org/lists/openldap-software/200708/msg00063.html> The fix currently in CVS HEAD is to remove the olcPasswordHash attribute from the olcGlobal entry and move it to the frontendDB entry. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5085) slapo-translucent has wrong Debug message
by ghenry＠OpenLDAP.org 10 Aug '07

10 Aug '07

ghenry(a)OpenLDAP.org wrote: > Full_Name: Gavin Henry > Version: HEAD > OS: > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (212.159.59.85) > Submitted by: ghenry > > > Inside: > > translucent_db_destroy > > Debug: > > Debug(LDAP_DEBUG_TRACE, "==> translucent_db_close\n", 0, 0, 0); > > Should be: > > Debug(LDAP_DEBUG_TRACE, "==> translucent_db_destroy\n", 0, 0, 0); > > Probably copy and paste error. > > Correcting. > > Gavin. > > This is missing from RE_23, but obviously not going to be added. There is another error in RE_23 though: Debug(LDAP_DEBUG_TRACE, "==> translucent_init\n", 0, 0, 0); should be translucent_db_init. Will change under this ITS. Gavin. -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

1 0

(ITS#5086) back-bdb bug when add is used with snapshot isolation
by stelios.xx.grigoriadis＠ericsson.com 10 Aug '07

10 Aug '07

Full_Name: Stelios Grigoriadis Version: 2.3.32 OS: Linux, (SLES 10) URL: http://ninikos.freehostia.com/bdb_idl_cache_bug.tar.gz Submission from: (NULL) (194.237.142.7) When using slapd with the snapshot isolation level in DB (version 4.5.20) it is possible that added entries don't appear in subsequent searches. Scenario: A client is adding new information while at the same time another is initiating an LDAP search with the same searchbase as the "parent" of the added information. If the search is executed after the add operation has cleared the IDL-cache but before the changes has been committed, the added entries will not appear in any subsequent searches unless slapd is restarted. The problem is that, in the bdb_idl_insert_key-function, the key is deleted from the IDL-cache but the newly added keys in the database are not yet committed, so clients that re-read the information will not have those updated keys. The solution would be to clear the relevant IDL-cache entries after the changes has been committed. This behaviour is demonstrated by the program cache_test_fork.c which is supplied in bdb_idl_cache_bug.tar.gz along with the slapd configuration. I am currently working on the solution but would greatly appreciate any help from you as I am not nearly as familiar with the code as you are.

1 0

(ITS#5085) slapo-translucent has wrong Debug message
by ghenry＠OpenLDAP.org 10 Aug '07

10 Aug '07

Full_Name: Gavin Henry Version: HEAD OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (212.159.59.85) Submitted by: ghenry Inside: translucent_db_destroy Debug: Debug(LDAP_DEBUG_TRACE, "==> translucent_db_close\n", 0, 0, 0); Should be: Debug(LDAP_DEBUG_TRACE, "==> translucent_db_destroy\n", 0, 0, 0); Probably copy and paste error. Correcting. Gavin.

1 0

Re: (ITS#5074) slapo-pcache's proxyattrset does not recognize '1.1' to describe an empty attribute set
by ando＠sys-net.it 10 Aug '07

10 Aug '07

> On Aug 6, 2007, at 6:43 AM, Pierangelo Masarati wrote: >> I believe there's something odd in pcache's current behavior. In >> fact, right now "proxyattrset 0" is already a valid directive, but >> it implies "proxyattrset 0 *", which means all attributes. >> Unfortunately, this seems to only work if no attribute is >> requested, while it fails if a "*" is explicitly requested. > > Ah, I was not aware of this behaviour! I've noticed it from the sources, I don't think it was noted anywhere. >> I've modified the propxycache code in HEAD so that a "1.1" can only >> explicitly appear in a list if it's the only string. An empty >> attribute set is no longer valid, to avoid confusion about the >> meaning of non-explicit attribute sets. A "*" or a "+" can >> explicitly appear in a proxyattrset statement, resulting in the >> expected behavior. Use both to indicate that all attributes are in >> the set. > > Let me confirm, that I should specify "proxyattrset 0 1.1" to match > an empty attribute list, and only an empty attribute list. Will a > '*' than match emptiness as well, or does it only match where there > is some attribute specified by the client? No: you need to specify proxyattrset <#idx> "*" in order to have either nothing or "*" return all attributes. In short, an empty attribute set and "*" are now recognized as equivalent. You need to specify proxyattrset <#idx> "1.1" in order to have searches requesting "1.1", namely no attributes, be cached. > I will work on this as soon as I am able to, although it seems this > won't be for a couple of weeks. I will be in touch. Thanks again > for your work and for your very timely response. Right now, I'm not planning to backport this fix to re23 because it seems to be an enhancement rather than a bugfix, and 2.4 __should be__ just 'round the corner. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati(a)sys-net.it ---------------------------------------

1 0

Re: (ITS#5074) slapo-pcache's proxyattrset does not recognize "1.1" to describe an empty attribute set
by zep＠ni.enate.org 09 Aug '07

09 Aug '07

On Aug 6, 2007, at 6:43 AM, Pierangelo Masarati wrote: > I believe there's something odd in pcache's current behavior. In > fact, right now "proxyattrset 0" is already a valid directive, but > it implies "proxyattrset 0 *", which means all attributes. > Unfortunately, this seems to only work if no attribute is > requested, while it fails if a "*" is explicitly requested. Ah, I was not aware of this behaviour! > I've modified the propxycache code in HEAD so that a "1.1" can only > explicitly appear in a list if it's the only string. An empty > attribute set is no longer valid, to avoid confusion about the > meaning of non-explicit attribute sets. A "*" or a "+" can > explicitly appear in a proxyattrset statement, resulting in the > expected behavior. Use both to indicate that all attributes are in > the set. Let me confirm, that I should specify "proxyattrset 0 1.1" to match an empty attribute list, and only an empty attribute list. Will a '*' than match emptiness as well, or does it only match where there is some attribute specified by the client? > Please test. I will work on this as soon as I am able to, although it seems this won't be for a couple of weeks. I will be in touch. Thanks again for your work and for your very timely response. -Mike

1 0

← Newer
1
...
13
14
15
16
17
18
19
...
22
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs August 2007