Full_Name: Rein Tollevik
Version: CVS head
OS: linux and solaris
URL: ftp://ftp.openldap.org/incoming/rein-serverID.patch
Submission from: (NULL) (81.93.160.250)
Submitted by: rein
Syncrepl includes the serverID in the syncCookie in multi-master mode only, but
there are other configurations that would benefit from it as well.
A case I have is where a consumer replicates a glue'ed database, with the
exception of one subordinate backend where the consumer is the master. The
subordinate backend is replicated back to the master of the glue'ed database.
With the current code the master would send the content of the subordinate db
back to its master.
I currently solve this problem with acl rules on the glue'ed master that
prevent the slave from reading the subordinate db it is master for. Different
rootdn's on the glue and subordinate db on the slave prevent syncrepl from
succeeding in its attempts to remove the content of the subordinate db during
the present phase. But it felt like I got a minor heartache the first time I
saw the log of delete messages scroll by before I realized they were all error
messages...
A patch that fixes this is at the referenced URL. As I am not sure of the
consequences if a defaulted serverID=0 value was included in the syncCookie the
patch changes the internal default slap_serverID value to -1 to make it possible
to differentiate between a configured and defaulted serverID=0.
Btw, there are potential problems with using serverID=0, so it would be best if
that value was reserved for the default unconfigured case. I.e, a default
serverID=0 value could be chosen by slapadd when the two-argument form of
serverID is used in the config, as resolving the URL needs the listener argument
to slapd to succeed. Enforcing serverID>0 could require changes in existing
configurations, but indicating it in the doc. could be a first step?
Rein Tollevik
Basefarm AS
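Rein's report relies on two things: the provider uses the sid carried in the consumer's cookie to avoid replaying that consumer's own changes back to it, and the internal -1 default keeps an unconfigured serverID from ever being emitted as a real sid=000. The C below is an added illustration of those two points written for this page; it is not Rein's patch and not OpenLDAP code. The cookie layout (rid=NNN,sid=NNN,csn=...), the hex sid field as the third '#'-separated part of a CSN, and every function name are my assumptions.

```c
/*
 * Added example, not OpenLDAP code. Shows why a -1 sentinel for an
 * unconfigured serverID matters once the sid is put into the syncCookie:
 * a defaulted 0 written as "sid=000" would look like a real server ID and
 * would suppress every entry whose CSN carries sid 000.
 *
 * Assumed (not from the report): cookie text "rid=NNN,sid=NNN,csn=<CSN>"
 * with a hex sid, and a CSN whose third '#' field is the originating sid,
 * e.g. 20080527101000.123456Z#000000#001#000000.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SERVERID_UNSET (-1)   /* internal default: no serverID directive seen */

/* Build a cookie; "sid=" is emitted only when a serverID was configured. */
int build_sync_cookie(char *out, size_t outlen, int rid, int server_id, const char *csn)
{
    int n;
    if (server_id == SERVERID_UNSET)
        n = snprintf(out, outlen, "rid=%03d,csn=%s", rid, csn);
    else
        n = snprintf(out, outlen, "rid=%03d,sid=%03x,csn=%s", rid, server_id, csn);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Extract the sid= field from a cookie; SERVERID_UNSET when it is absent. */
int cookie_sid(const char *cookie)
{
    const char *p = strstr(cookie, "sid=");
    if (p == NULL) return SERVERID_UNSET;
    if (p != cookie && p[-1] != ',') return SERVERID_UNSET;   /* must start a field */
    return (int)strtol(p + 4, NULL, 16);
}

/* Originating sid of a CSN (third '#' field, hex); -1 if the CSN is malformed. */
int csn_sid(const char *csn)
{
    const char *p = strchr(csn, '#');
    if (p == NULL) return -1;
    p = strchr(p + 1, '#');
    if (p == NULL) return -1;
    return (int)strtol(p + 1, NULL, 16);
}

/* Provider-side check: send the entry unless it originated at the consumer. */
int should_send_entry(const char *consumer_cookie, const char *entry_csn)
{
    int sid = cookie_sid(consumer_cookie);
    if (sid == SERVERID_UNSET) return 1;   /* no sid: nothing to filter on */
    return csn_sid(entry_csn) != sid;
}

int main(void)
{
    char cookie[128];
    const char *csn_sid1 = "20080527101000.123456Z#000000#001#000000";  /* constructed */
    const char *csn_sid0 = "20080527101000.123456Z#000000#000#000000";  /* constructed */

    /* Consumer with serverID 1 configured: only its own changes are held back. */
    build_sync_cookie(cookie, sizeof cookie, 1, 1, csn_sid1);
    printf("%s\n  send sid1 entry: %d, send sid0 entry: %d\n", cookie,
           should_send_entry(cookie, csn_sid1), should_send_entry(cookie, csn_sid0));

    /* Unconfigured consumer: no sid= in the cookie, so nothing is filtered. */
    build_sync_cookie(cookie, sizeof cookie, 1, SERVERID_UNSET, csn_sid0);
    printf("%s\n  send sid0 entry: %d\n", cookie, should_send_entry(cookie, csn_sid0));

    /* A defaulted 0 emitted as a real sid would wrongly suppress every sid-0 entry. */
    build_sync_cookie(cookie, sizeof cookie, 1, 0, csn_sid0);
    printf("%s\n  send sid0 entry: %d\n", cookie, should_send_entry(cookie, csn_sid0));
    return 0;
}
```

The third case in main is the consequence Rein says he was unsure about: on a single-master provider all CSNs carry sid 000, so a consumer that advertises a defaulted sid=000 would get nothing back.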
--On Tuesday, May 27, 2008 10:10 AM +0000 hai.zhao(a)gmail.com wrote:
> Full_Name: Zhao Hai
> Version: 2.3.41
> OS: Linux 2.4.21 arm
> URL: ftp://ftp.openldap.org/incoming/zhaohai-080527.patch
> Submission from: (NULL) (205.209.140.4)
>
>
> Problem:
> A race condition makes an incorrect timestamp in the replogfile, causing certain
> modifications of entries not to replicate to slurp slaves.
>
> replica: 180.0.10.2:1234
> replica: 180.0.10.3:1234
> time: 1211855467
> ^^^^^^^^^^ this timestamp
>
> How to reproduce the problem:
> 1) run under very slow machines (my environ: arm 266MHz)
> 2) slapd is configured to generate replogfile
> 3) ldapadd about 5 entries, then ldapmodify 2 entries without delay.
This is fixed in RE23. If there is ever a 2.3.43 release, it will be in
that. In the meantime, I'd advise using 2.3.42 + your patch.
Regards,
Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Andrew Bartlett wrote:
> On Tue, 2008-05-27 at 18:43 -0700, Howard Chu wrote:
>> Andrew Bartlett wrote:
>>> On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
>>>>> This needs to occur even between databases on the server, but I won't ask that
>>>>> it occur outside the known trees.
>>>> It's already possible for operations in one database to reference entries in a
>>>> different database, so that aspect of validation should be fine. However, as
>>>> noted before, "validation" is generally bogus to begin with. In particular,
>>>> how do you create entries with circular references? If you disallow references
>>>> to nonexistent entries, you can't set the references until after all of the
>>>> entries have been created. This means that you cannot backup a database that
>>>> has these references and then later reload it in a single pass.
>>> An interesting point, but I need to match the windows runtime
>>> behaviour.
>> Only when it has a visible impact on other clients. What software will break
>> if the directory allows you to add new entries that contain dangling
>> references? What will break if the directory allows you to modify a reference
>> attribute to point to a nonexistent entry?
>
> Sure, I'm not asking for a change to default behaviours. I'm listing
> the things that our testsuite finds are differences, and looking for
> solutions.
I don't believe your proposed solution will ever be satisfactory. Entries with
circular references will also break syncrepl Refresh if the constraint you're
asking for is enforced. That will clearly have visible impact in many
deployments. If the only thing that complains with the current behavior is
your testsuite and not any real world clients, I suggest you just note the
difference and move on.
>> There's a lot of Windows behavior that is clearly wrong, by any number of
>> metrics. You need to be a bit more selective in prioritizing the list of
>> things to chase down.
>
> This is currently the top priority for an LDAP Backend for Samba4.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Full_Name: Guillaume Rousse
Version: 2.4.8
OS: linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.55.250.67)
smbk5pwd uses two private heimdal functions:
_kadm5_set_keys
_kadm5_free_keys
As of heimdal 1.1, those functions are not exported anymore. As a consequence,
openldap crashes as soon as I try to change password when the overlay is
activated.
According to heimdal maintainers, smbk5pwd should rather use
hdb_generate_key_set_password and hdb_free_keys to generate the key data. I
tried to produce a patch myself (available at
http://www.zarb.org/~guillomovitch/openldap-smbk5pwd-2.4.8-dont-use-interna…)
by inlining _kadm5_set_keys function directly in smbk5pwd, but I don't know how
to deal with members of private kadm_context structure.
On Tue, 2008-05-27 at 18:43 -0700, Howard Chu wrote:
> Andrew Bartlett wrote:
> > On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
>
> >>> This needs to occur even between databases on the server, but I won't ask that
> >>> it occur outside the known trees.
> >> It's already possible for operations in one database to reference entries in a
> >> different database, so that aspect of validation should be fine. However, as
> >> noted before, "validation" is generally bogus to begin with. In particular,
> >> how do you create entries with circular references? If you disallow references
> >> to nonexistent entries, you can't set the references until after all of the
> >> entries have been created. This means that you cannot backup a database that
> >> has these references and then later reload it in a single pass.
> >
> > An interesting point, but I need to match the windows runtime
> > behaviour.
>
> Only when it has a visible impact on other clients. What software will break
> if the directory allows you to add new entries that contain dangling
> references? What will break if the directory allows you to modify a reference
> attribute to point to a nonexistent entry?
Sure, I'm not asking for a change to default behaviours. I'm listing
the things that our testsuite finds are differences, and looking for
solutions.
> There's a lot of Windows behavior that is clearly wrong, by any number of
> metrics. You need to be a bit more selective in prioritizing the list of
> things to chase down.
This is currently the top priority for an LDAP Backend for Samba4.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
Andrew Bartlett wrote:
> On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
>>> This needs to occur even between databases on the server, but I won't ask that
>>> it occur outside the known trees.
>> It's already possible for operations in one database to reference entries in a
>> different database, so that aspect of validation should be fine. However, as
>> noted before, "validation" is generally bogus to begin with. In particular,
>> how do you create entries with circular references? If you disallow references
>> to nonexistent entries, you can't set the references until after all of the
>> entries have been created. This means that you cannot backup a database that
>> has these references and then later reload it in a single pass.
>
> An interesting point, but I need to match the windows runtime
> behaviour.
Only when it has a visible impact on other clients. What software will break
if the directory allows you to add new entries that contain dangling
references? What will break if the directory allows you to modify a reference
attribute to point to a nonexistent entry?
There's a lot of Windows behavior that is clearly wrong, by any number of
metrics. You need to be a bit more selective in prioritizing the list of
things to chase down.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
> abartlet(a)samba.org wrote:
> > Full_Name: Andrew Bartlett
> > Version: CVS HEAD
> > OS: Fedora 9
> > URL: http://www.openldap.org/lists/openldap-technical/200803/msg00101.html
> > Submission from: (NULL) (59.167.251.137)
> >
> >
> > For Samba4, I need a few things, detailed in the attached URL.
>
> The above message thread had some unanswered questions. We may need to have
> each point listed out again.
>
> > This ITS is for internal transactions and validation - the ability to have an
> > openldap overlay roll back all the changes so far, because a precondition is not
> > met.
>
> I think this one is understood, OK. Just a matter of getting the time to do it.
>
> > I need the memberOf and refint modules to ensure that no dangling links ever
> > exist, even over subtree renames and invalid modifies, and that a transaction
> > ensures this is always the case.
>
> I think the proper use of memberOf still needs to be addressed. E.g., it's
> generally a bad idea to search for (memberOf=foo) when you can simply
> enumerate the members inside the "foo" entry. If you give us precise examples
> of the searches and modifications that you'll be using, we may be able to
> narrow the scope of this work.
I'll be passing on any search that a windows client makes, and trying to
return the same result a windows server would return. Bad ideas still
have to be implemented in my world :-(
> > This needs to occur even between databases on the server, but I won't ask that
> > it occur outside the known trees.
>
> It's already possible for operations in one database to reference entries in a
> different database, so that aspect of validation should be fine. However, as
> noted before, "validation" is generally bogus to begin with. In particular,
> how do you create entries with circular references? If you disallow references
> to nonexistent entries, you can't set the references until after all of the
> entries have been created. This means that you cannot backup a database that
> has these references and then later reload it in a single pass.
An interesting point, but I need to match the windows runtime
behaviour.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
abartlet(a)samba.org wrote:
> Full_Name: Andrew Bartlett
> Version: CVS HEAD
> OS: Fedora 9
> URL: http://www.openldap.org/lists/openldap-technical/200803/msg00101.html
> Submission from: (NULL) (59.167.251.137)
>
>
> For Samba4, I need a few things, detailed in the attached URL.
The above message thread had some unanswered questions. We may need to have
each point listed out again.
> This ITS is for internal transactions and validation - the ability to have an
> openldap overlay roll back all the changes so far, because a precondition is not
> met.
I think this one is understood, OK. Just a matter of getting the time to do it.
> I need the memberOf and refint modules to ensure that no dangling links ever
> exist, even over subtree renames and invalid modifies, and that a transaction
> ensures this is always the case.
I think the proper use of memberOf still needs to be addressed. E.g., it's
generally a bad idea to search for (memberOf=foo) when you can simply
enumerate the members inside the "foo" entry. If you give us precise examples
of the searches and modifications that you'll be using, we may be able to
narrow the scope of this work.
> This needs to occur even between databases on the server, but I won't ask that
> it occur outside the known trees.
It's already possible for operations in one database to reference entries in a
different database, so that aspect of validation should be fine. However, as
noted before, "validation" is generally bogus to begin with. In particular,
how do you create entries with circular references? If you disallow references
to nonexistent entries, you can't set the references until after all of the
entries have been created. This means that you cannot backup a database that
has these references and then later reload it in a single pass.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Full_Name: Andrew Bartlett
Version: CVS HEAD
OS: Fedora 9
URL: http://www.openldap.org/lists/openldap-technical/200803/msg00101.html
Submission from: (NULL) (59.167.251.137)
For Samba4, I need a few things, detailed in the attached URL.
This ITS is for internal transactions and validation - the ability to have an
openldap overlay roll back all the changes so far, because a precondition is not
met.
I need the memberOf and refint modules to ensure that no dangling links ever
exist, even over subtree renames and invalid modifies, and that a transaction
ensures this is always the case.
This needs to occur even between databases on the server, but I won't ask that
it occur outside the known trees.
h.b.furuseth(a)usit.uio.no wrote:
> Full_Name: Hallvard B Furuseth
> Version: HEAD
> OS:
> URL:
> Submission from: (NULL) (129.240.6.233)
> Submitted by: hallvard
>
>
> libraries/libldap/result.c:try_read1msg() accesses 'lr' uninitialized
> if 'id' (message ID) from line 577's 'ber_get_int( ber, &id )' is <= 0.
>
> I'm not sure if the client should terminate the connection when it
> receives message id < 0, or if it should just toss the response like
> it does with unknown message IDs.
RFC4511 isn't really explicit here, although it does say that the connection
should be dropped for unparsable messages. Anyway, I've patched HEAD to toss
the messages for now.
> With message ID 0, the code reaches this statement with 'lr' uninitialized:
> Debug( LDAP_DEBUG_TRACE,
>     "read1msg: ld %p msgid %ld message type %s\n",
>     (void *)ld, (long)lr->lr_msgid, ldap_int_msgtype2str( tag ) );
> As far as I can tell, normally lr->lr_msgid == id. I haven't tracked what
> those values are with LDAP_CONNECTIONLESS at the 'nextresp2:' label.
For CONNECTIONLESS, it can only jump back there because there were multiple
responses to the current request. So the lr is the same as for the first
response. No problem there. (Remember this is all within a single datagram.
Responses to multiple different requests cannot be interleaved at this point.)
> A 700-line function with 5 labels, yuck.
> Anyway, I wonder why that statement and the statement below:
>     if ( id == 0 ) {
> don't use the same value, either id or lr->lr_msgid for both.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
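As an added example (not libldap's try_read1msg() and not the patch Howard applied to HEAD), the C below reads the messageID out of the front of an LDAPMessage envelope and classifies it before any per-request state such as lr is consulted: a negative id is tossed, which is the option the reply above settled on; id 0 takes the unsolicited-notification path that the `if ( id == 0 )` statement implies (RFC 4511 reserves messageID 0 for that); a positive id is matched against the outstanding requests and tossed if unknown, as the report says libldap already does for unknown ids. The BER helpers, the action enum and the sample byte strings are mine.

```c
/*
 * Added example, not libldap code. LDAPMessage is
 *   SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... }, ... }
 * so the id is the first INTEGER inside the outer SEQUENCE. The point is to
 * decide what to do with the id before any request record is dereferenced.
 */
#include <stddef.h>
#include <stdio.h>

enum msg_action { MSG_TOSS, MSG_UNSOLICITED, MSG_MATCH };

/* Decode a BER length (short form, or long form of up to 4 bytes).
 * Returns the number of bytes consumed, or 0 if the length is unusable. */
static size_t ber_len(const unsigned char *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }
    size_t n = p[0] & 0x7f;
    if (n == 0 || n > 4 || avail < 1 + n) return 0;
    *len = 0;
    for (size_t i = 0; i < n; i++) *len = (*len << 8) | p[1 + i];
    return 1 + n;
}

/* Parse "30 <len> 02 <len> <int>" and return the messageID as a signed value.
 * Returns 1 on success, 0 if the envelope is not well-formed (caller tosses). */
int parse_message_id(const unsigned char *buf, size_t buflen, long long *id)
{
    size_t pos = 0, len, used;
    if (buflen < 2 || buf[pos++] != 0x30) return 0;           /* outer SEQUENCE */
    used = ber_len(buf + pos, buflen - pos, &len);
    if (used == 0 || len > buflen - pos - used) return 0;      /* truncated message */
    pos += used;
    if (buflen - pos < 2 || buf[pos++] != 0x02) return 0;     /* messageID INTEGER */
    used = ber_len(buf + pos, buflen - pos, &len);
    if (used == 0 || len == 0 || len > 4 || len > buflen - pos - used) return 0;
    pos += used;
    unsigned long long u = 0;                                  /* two's complement, big-endian */
    for (size_t i = 0; i < len; i++) u = (u << 8) | buf[pos + i];
    *id = (buf[pos] & 0x80) ? (long long)u - (1LL << (8 * len)) : (long long)u;
    return 1;
}

/* Decide how to handle a response before touching any request state. */
enum msg_action classify_message_id(long long id, const long long *outstanding, size_t n)
{
    if (id < 0) return MSG_TOSS;            /* malformed id: never look up a request for it */
    if (id == 0) return MSG_UNSOLICITED;    /* RFC 4511 unsolicited notification */
    for (size_t i = 0; i < n; i++)
        if (outstanding[i] == id) return MSG_MATCH;   /* only now is a request record valid */
    return MSG_TOSS;                        /* unknown id: discard, as for unknown ids today */
}

int main(void)
{
    /* Constructed envelopes: SEQUENCE { INTEGER id, dummy protocolOp 0x42 } */
    static const unsigned char m5[]   = {0x30,0x05,0x02,0x01,0x05,0x42,0x00};  /* id 5  */
    static const unsigned char m0[]   = {0x30,0x05,0x02,0x01,0x00,0x42,0x00};  /* id 0  */
    static const unsigned char mneg[] = {0x30,0x05,0x02,0x01,0xff,0x42,0x00};  /* id -1 */
    const unsigned char *msgs[] = {m5, m0, mneg};
    const size_t lens[] = {sizeof m5, sizeof m0, sizeof mneg};
    const long long outstanding[] = {5, 7};   /* ids of requests this client has pending */

    for (size_t i = 0; i < 3; i++) {
        long long id;
        if (!parse_message_id(msgs[i], lens[i], &id)) {
            puts("malformed envelope: tossed");
            continue;
        }
        printf("msgid %lld -> action %d\n", id, classify_message_id(id, outstanding, 2));
    }
    return 0;
}
```

The ordering is the whole point: nothing dereferences a request record until classify_message_id() has returned MSG_MATCH, so neither a negative id nor an unknown one can reach the Debug() call with an uninitialized lr.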