(ITS#5536) Always use a configured serverID in the syncrepl cookie
by rein@OpenLDAP.org
Full_Name: Rein Tollevik
Version: CVS head
OS: linux and solaris
URL: ftp://ftp.openldap.org/incoming/rein-serverID.patch
Submission from: (NULL) (81.93.160.250)
Submitted by: rein
Syncrepl includes the serverID in the syncCookie in multi-master mode only, but
there are other configuration that would benefit from it as well.
A case I have is where a consumer replicates a glue'ed database, with the
exception of one subordinate backend where the consumer is the master. The
subordinate backend is replicated back to the master of the glue'ed database.
With the current code the master would send the content of the subordinate db
back to its master.
I currently solve this problem with acl rules on the glue'ed master that
prevents the slave from reading the subordinate db it is master for. Different
rootdn's on the glue and subordinate db on the slave prevents syncrepl from
succeeding in its attempts to remove the content of the subordinate db during
the present phase. But it felt like I got a minor heartache the first time a
saw the log of delete messages scroll by before I realized they were all error
messages...
A patch that fixes this is at the referenced URL. As I am not sure of the
consequences if a defaulted serverID=0 value was included in the syncCookie the
patch changes the internal default slap_serverID value to -1 to make it possible
to differentiate between a configured and defaulted serverID=0.
Btw, there are potential problems with using serverID=0, so it would be best if
that value was reserved for the default unconfigured case. I.e, a default
serverID=0 value could be chosen be slapadd when the two-argument form of
serverID is used in the config, as resolving the URL needs the listener argument
to slapd to succeed. Enforcing serverID>0 could require changes in existing
configurations, but indicating it in the doc. could be a first step?
Rein Tollevik
Basefarm AS
15 years, 6 months
Re: (ITS#5532) incorrect timestamp of slapd replica log
by quanah@zimbra.com
--On Tuesday, May 27, 2008 10:10 AM +0000 hai.zhao(a)gmail.com wrote:
> Full_Name: Zhao Hai
> Version: 2.3.41
> OS: Linux 2.4.21 arm
> URL: ftp://ftp.openldap.org/incoming/zhaohai-080527.patch
> Submission from: (NULL) (205.209.140.4)
>
>
> Problem:
> race condition makes incorrect timestamp in replogfile, cause certain
> modification of entries not replicate to slurp slaves.
>
> replica: 180.0.10.2:1234
> replica: 180.0.10.3:1234
> time: 1211855467
> ^^^^^^^^^^ this timestamp
>
> How to reproduce the problem:
> 1) run under very slow machines (my environ: arm 266MHz)
> 2) slapd is configed to generate replogfile
> 3) ldapadd about 5 entries, then ldapmodify 2 entries without delay.
This is fixed in RE23. If there is ever a 2.3.43 release, it will be in
that. In the meantime, I'd advise using 2.3.42 + your patch.
Regards,
Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
15 years, 6 months
Re: (ITS#5534) Samba4 needs internal transactions/consistancy
by hyc@symas.com
Andrew Bartlett wrote:
> On Tue, 2008-05-27 at 18:43 -0700, Howard Chu wrote:
>> Andrew Bartlett wrote:
>>> On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
>>>>> This needs to occur even between databases on the server, but I won't ask that
>>>>> it occur outside the known trees.
>>>> It's already possible for operations in one database to reference entries in a
>>>> different database, so that aspect of validation should be fine. However, as
>>>> noted before, "validation" is generally bogus to begin with. In particular,
>>>> how do you create entries with circular references? If you disallow references
>>>> to nonexistent entries, you can't set the references until after all of the
>>>> entries have been created. This means that you cannot backup a database that
>>>> has these references and then later reload it in a single pass.
>>> An interesting point, but I need to match the windows runtime
>>> behaviour.
>> Only when it has a visible impact on other clients. What software will break
>> if the directory allows you to add new entries that contain dangling
>> references? What will break if the directory allows you to modify a reference
>> attribute to point to a nonexistent entry?
>
> Sure, I'm not asking for a change to default behaviours. I'm listing
> the things that our testsuite finds are differences, and looking for
> solutions.
I don't believe your proposed solution will ever be satisfactory. Entries with
circular references will also break syncrepl Refresh if the constraint you're
asking for is enforced. That will clearly have visible impact in many
deployments. If the only thing that complains with the current behavior is
your testsuite and not any real world clients, I suggest you just note the
difference and move on.
>> There's a lot of Windows behavior that is clearly wrong, by any number of
>> metrics. You need to be a bit more selective in prioritizing the list of
>> things to chase down.
>
> This is the currently the top priority for an LDAP Backend for Samba4.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 6 months
(ITS#5535) smbk5pwd uses private heimdal functions
by Guillaume.Rousse@inria.fr
Full_Name: Guillaume Rousse
Version: 2.4.8
OS: linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.55.250.67)
smbk5pwd uses two private heimdal functions:
_kadm5_set_keys
_kadm5_free_keys
As of heimdal 1.1, those functions are not exported anymore. As a consequence,
opendalp crashes as soon as I try to change password when the overlay is
activated.
According to heimdal maintainers, smb5pwd should rather use
hdb_generate_key_set_password and hdb_free_keys to generate the key data. I
tried to produce a patch myself (available at
http://www.zarb.org/~guillomovitch/openldap-smbk5pwd-2.4.8-dont-use-inter...)
by inlining _kadm5_set_keys function directly in smbk5pwd, but I don't know how
to deal with members of private kadm_context structure.
15 years, 6 months
Re: (ITS#5534) Samba4 needs internal transactions/consistancy
by abartlet@samba.org
--=-s2sha8beM9nUssvA07HS
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
On Tue, 2008-05-27 at 18:43 -0700, Howard Chu wrote:
> Andrew Bartlett wrote:
> > On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
>=20
> >>> This needs to occur even between databases on the server, but I won't=
ask that
> >>> it occur outside the known trees.
> >> It's already possible for operations in one database to reference entr=
ies in a
> >> different database, so that aspect of validation should be fine. Howev=
er, as
> >> noted before, "validation" is generally bogus to begin with. In partic=
ular,
> >> how do you create entries with circular references? If you disallow re=
ferences
> >> to nonexistent entries, you can't set the references until after all o=
f the
> >> entries have been created. This means that you cannot backup a databas=
e that
> >> has these references and then later reload it in a single pass.
> >
> > An interesting point, but I need to match the windows runtime
> > behaviour.
>=20
> Only when it has a visible impact on other clients. What software will br=
eak=20
> if the directory allows you to add new entries that contain dangling=20
> references? What will break if the directory allows you to modify a refer=
ence=20
> attribute to point to a nonexistent entry?
Sure, I'm not asking for a change to default behaviours. I'm listing
the things that our testsuite finds are differences, and looking for
solutions.=20
> There's a lot of Windows behavior that is clearly wrong, by any number of=
=20
> metrics. You need to be a bit more selective in prioritizing the list of=20
> things to chase down.
This is the currently the top priority for an LDAP Backend for Samba4. =20
Andrew Bartlett
--=20
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
--=-s2sha8beM9nUssvA07HS
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQBIPMMwz4A8Wyi0NrsRAljCAJsEsn1tsq4BdkdenNOEOF3PIGcDDACfVoUR
APoU1kbv2ljwVBgjyhPbyGQ=
=mXBr
-----END PGP SIGNATURE-----
--=-s2sha8beM9nUssvA07HS--
15 years, 6 months
Re: (ITS#5534) Samba4 needs internal transactions/consistancy
by hyc@symas.com
Andrew Bartlett wrote:
> On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
>>> This needs to occur even between databases on the server, but I won't ask that
>>> it occur outside the known trees.
>> It's already possible for operations in one database to reference entries in a
>> different database, so that aspect of validation should be fine. However, as
>> noted before, "validation" is generally bogus to begin with. In particular,
>> how do you create entries with circular references? If you disallow references
>> to nonexistent entries, you can't set the references until after all of the
>> entries have been created. This means that you cannot backup a database that
>> has these references and then later reload it in a single pass.
>
> An interesting point, but I need to match the windows runtime
> behaviour.
Only when it has a visible impact on other clients. What software will break
if the directory allows you to add new entries that contain dangling
references? What will break if the directory allows you to modify a reference
attribute to point to a nonexistent entry?
There's a lot of Windows behavior that is clearly wrong, by any number of
metrics. You need to be a bit more selective in prioritizing the list of
things to chase down.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 6 months
Re: (ITS#5534) Samba4 needs internal transactions/consistancy
by abartlet@samba.org
--=-I6d9E5fOqbwKcJhhvz+z
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
> abartlet(a)samba.org wrote:
> > Full_Name: Andrew Bartlett
> > Version: CVS HEAD
> > OS: Fedora 9
> > URL: http://www.openldap.org/lists/openldap-technical/200803/msg00101.h=
tml
> > Submission from: (NULL) (59.167.251.137)
> >
> >
> > For Samba4, I need a few things, detailed in the attached URL.
>=20
> The above message thread had some unanswered questions. We may need to ha=
ve=20
> each point listed out again.
>=20
> > This ITS is for internal transactions and validation - the ability to h=
ave a
> > openldap overlay roll back all the changes so far, because a preconditi=
on is not
> > met.
>=20
> I think this one is understood, OK. Just a matter of getting the time to =
do it.
>=20
> > I need the memberOf and refint modules to ensure that no dangling links=
ever
> > exist, even over subtree renames and invalid modifies, and that a trans=
action
> > ensures this is always the case.
>=20
> I think the proper use of memberOf still needs to be addressed. E.g., it'=
s=20
> generally a bad idea to search for (memberOf=3Dfoo) when you can simply=20
> enumerate the members inside the "foo" entry. If you give us precise exam=
ples=20
> of the searches and modifications that you'll be using, we may be able to=
=20
> narrow the scope of this work.
I'll be passing on any search that a windows client makes, and trying to
return the same result a windows server would return. Bad ideas still
have to be implemented in my world :-(
> > This needs to occur even between databases on the server, but I won't a=
sk that
> > it occur outside the known trees.
>=20
> It's already possible for operations in one database to reference entries=
in a=20
> different database, so that aspect of validation should be fine. However,=
as=20
> noted before, "validation" is generally bogus to begin with. In particula=
r,=20
> how do you create entries with circular references? If you disallow refer=
ences=20
> to nonexistent entries, you can't set the references until after all of t=
he=20
> entries have been created. This means that you cannot backup a database t=
hat=20
> has these references and then later reload it in a single pass.
An interesting point, but I need to match the windows runtime
behaviour.=20
Andrew Bartlett
--=20
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
--=-I6d9E5fOqbwKcJhhvz+z
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQBIPLXqz4A8Wyi0NrsRArp6AJ9OaJP8Cu4MdO69n1k1S8vlBjtPOACdHvDh
t0XbDQzXaJya2LR/bhl1RlQ=
=/FnH
-----END PGP SIGNATURE-----
--=-I6d9E5fOqbwKcJhhvz+z--
15 years, 6 months
Re: (ITS#5534) Samba4 needs internal transactions/consistancy
by hyc@symas.com
abartlet(a)samba.org wrote:
> Full_Name: Andrew Bartlett
> Version: CVS HEAD
> OS: Fedora 9
> URL: http://www.openldap.org/lists/openldap-technical/200803/msg00101.html
> Submission from: (NULL) (59.167.251.137)
>
>
> For Samba4, I need a few things, detailed in the attached URL.
The above message thread had some unanswered questions. We may need to have
each point listed out again.
> This ITS is for internal transactions and validation - the ability to have a
> openldap overlay roll back all the changes so far, because a precondition is not
> met.
I think this one is understood, OK. Just a matter of getting the time to do it.
> I need the memberOf and refint modules to ensure that no dangling links ever
> exist, even over subtree renames and invalid modifies, and that a transaction
> ensures this is always the case.
I think the proper use of memberOf still needs to be addressed. E.g., it's
generally a bad idea to search for (memberOf=foo) when you can simply
enumerate the members inside the "foo" entry. If you give us precise examples
of the searches and modifications that you'll be using, we may be able to
narrow the scope of this work.
> This needs to occur even between databases on the server, but I won't ask that
> it occur outside the known trees.
It's already possible for operations in one database to reference entries in a
different database, so that aspect of validation should be fine. However, as
noted before, "validation" is generally bogus to begin with. In particular,
how do you create entries with circular references? If you disallow references
to nonexistent entries, you can't set the references until after all of the
entries have been created. This means that you cannot backup a database that
has these references and then later reload it in a single pass.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 6 months
(ITS#5534) Samba4 needs internal transactions/consistancy
by abartlet@samba.org
Full_Name: Andrew Bartlett
Version: CVS HEAD
OS: Fedora 9
URL: http://www.openldap.org/lists/openldap-technical/200803/msg00101.html
Submission from: (NULL) (59.167.251.137)
For Samba4, I need a few things, detailed in the attached URL.
This ITS is for internal transactions and validation - the ability to have a
openldap overlay roll back all the changes so far, because a precondition is not
met.
I need the memberOf and refint modules to ensure that no dangling links ever
exist, even over subtree renames and invalid modifies, and that a transaction
ensures this is always the case.
This needs to occur even between databases on the server, but I won't ask that
it occur outside the known trees.
15 years, 6 months
Re: (ITS#5318) response msgid <= 0 mishandled in libldap
by hyc@symas.com
h.b.furuseth(a)usit.uio.no wrote:
> Full_Name: Hallvard B Furuseth
> Version: HEAD
> OS:
> URL:
> Submission from: (NULL) (129.240.6.233)
> Submitted by: hallvard
>
>
> libraries/libldap/result.c:try_read1msg() accesses 'lr' uninitialized
> if 'id' (message ID) from line 577's 'ber_get_int( ber,&id )' is<= 0.
>
> I'm not sure if the client should terminate the connection when it
> receives message id< 0, or if it should just toss the response like
> it does with unknown message IDs.
RFC4511 isn't really explicit here, although it does say that the connection
should be dropped for unparsable messages. Anyway, I've patched HEAD to toss
the messages for now.
> With message ID 0, the code reaches this statement with 'lr' uninitialized:
> Debug( LDAP_DEBUG_TRACE,
> "read1msg: ld %p msgid %ld message type %s\n",
> (void *)ld, (long)lr->lr_msgid, ldap_int_msgtype2str( tag ) );
> As far as I can tell, normally lr->lr_msgid == id. I haven't tracked what
> those values are with LDAP_CONNECTIONLESS at the 'nextresp2:' label.
For CONNECTIONLESS, it can only jump back there because there were multiple
responses to the current request. So the lr is the same as for the first
response. No problem there. (Remember this is all within a single datagram.
Responses to multiple different requests cannot be interleaved at this point.)
> A 700-line function with 5 labels, yuck.
> Anyway, I wonder why taht statement and the statement below:
> if ( id == 0 ) {
> doesn't use the same value, either id or lr->lr_msgid for both.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 6 months
