Re: (ITS#5583) slapadd core dumps
by dieter@dkluenter.de
Pierangelo Masarati <ando(a)sys-net.it> writes:
> dieter(a)dkluenter.de wrote:
>
>> Sorry, forgot it,
>
> Should be fixed in HEAD, please test. I infer you're using multiple
> instances of slapo-dynlist(5) in your slapd.conf, aren't you?
No, just one instance.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
15 years, 3 months
Re: (ITS#5581) slapd: search.c:970: oc_filter: Assertion `f != ((void *)0)' failed.
by ando@sys-net.it
amg1127(a)cefetrs.tche.br wrote:
> I submitted a bug report in Ubuntu's Launchpad. The address is:
>
> https://bugs.launchpad.net/ubuntu/+source/openldap2.3/+bug/243337
>
> The bug refers to 2.4.9, but it is reproducible in OpenLDAP 2.4.10 (I could
> reproduce it, at least).
Your logs show something relatively odd: apparently, slapo-unique(5) is
trying to perform an internal search with a really malformed filter:
==> unique_search ,
str2filter "(&objectClass=posixGroup(|(gidNumber=1000)))"
put_filter: "(&objectClass=posixGroup(|(gidNumber=1000)))"
put_filter: AND
put_filter_list "objectClass=posixGroup(|(gidNumber=1000))"
Can you please try using "(objectClass=posixGroup)" instead of
"objectClass=posixGroup" as the unique_uri filter in your test slapd.conf?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando(a)sys-net.it
-----------------------------------
15 years, 3 months
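An added example, not part of the original message and not code from slapo-unique(5): a structural RFC 4515 check that rejects the filter shown in the log above because the first member of the AND list is not parenthesized. The names parse_filter, filter_is_well_formed and compose_filter are hypothetical, and compose_filter assumes the value is already escaped.

```c
#include <stdio.h>

/* Structural RFC 4515 check, no schema lookup: 1 = well formed, 0 = not. */
static int parse_filter(const char **p)
{
    if (**p != '(') return 0;
    (*p)++;
    if (**p == '&' || **p == '|') {
        (*p)++;
        if (**p != '(') return 0;       /* list members must be parenthesized */
        while (**p == '(')
            if (!parse_filter(p)) return 0;
    } else if (**p == '!') {
        (*p)++;
        if (!parse_filter(p)) return 0;
    } else {                            /* simple item: attr, '=', value */
        const char *start = *p;
        int seen_eq = 0;
        for (; **p && **p != ')' && **p != '('; (*p)++)
            if (**p == '=') seen_eq = 1;
        if (!seen_eq || *start == '=') return 0;
    }
    if (**p != ')') return 0;
    (*p)++;
    return 1;
}

int filter_is_well_formed(const char *s)
{
    return parse_filter(&s) && *s == '\0';
}

/* Hypothetical helper: build "(&<base>(|(<attr>=<val>)))", parenthesizing a
 * bare base item first; val is assumed already escaped. 0 = ok, -1 = reject. */
int compose_filter(char *out, size_t len, const char *base,
                   const char *attr, const char *val)
{
    int bare = base[0] != '(';
    int n = snprintf(out, len, "(&%s%s%s(|(%s=%s)))",
                     bare ? "(" : "", base, bare ? ")" : "", attr, val);
    if (n < 0 || (size_t)n >= len) return -1;
    return filter_is_well_formed(out) ? 0 : -1;
}

int main(void)
{
    char buf[128] = "";
    printf("%d\n", filter_is_well_formed("(&objectClass=posixGroup(|(gidNumber=1000)))"));
    printf("%d %s\n", compose_filter(buf, sizeof buf, "objectClass=posixGroup", "gidNumber", "1000"), buf);
}
```

Running the same check on a configured filter before it is combined with generated terms turns this kind of mistake into a configuration error instead of an assertion failure at search time.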
Re: (ITS#5583) slapadd core dumps
by ando@sys-net.it
dieter(a)dkluenter.de wrote:
> Sorry, forgot it,
Should be fixed in HEAD, please test. I infer you're using multiple
instances of slapo-dynlist(5) in your slapd.conf, aren't you?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando(a)sys-net.it
-----------------------------------
15 years, 3 months
Re: (ITS#5583) slapadd core dumps
by dieter@dkluenter.de
Howard Chu <hyc(a)symas.com> writes:
> dieter(a)dkluenter.de wrote:
>> Full_Name: Dieter Kluenter
>> Version: 2.4.10
>> OS: openSUSE
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (84.142.217.87)
[...]
>
> Where is the backtrace?
Sorry, forgot it,
#0 0x00007f07d3c6a5c5 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007f07d3c6a5c5 in raise () from /lib64/libc.so.6
#1 0x00007f07d3c6bbb3 in abort () from /lib64/libc.so.6
#2 0x00007f07d3c631e9 in __assert_fail () from /lib64/libc.so.6
#3 0x00000000004894a1 in slap_bv2ad (bv=0x7fffddbd3c30, ad=0x7f07d2bbc4f0,
text=0x7fffddbd3c70) at ad.c:164
#4 0x00000000004893a3 in slap_str2ad (str=0x7f07d29bad62 "dgIdentity",
ad=0x7f07d2bbc4f0, text=0x7fffddbd3c70) at ad.c:123
#5 0x00007f07d29ba0bc in dynlist_db_open (be=0x7fffddbd3ce0,
cr=0x7fffddbd3f20) at dynlist.c:1560
#6 0x00000000004bae67 in over_db_open (be=0x8b9a90, cr=0x7fffddbd3f20)
at backover.c:153
#7 0x0000000000449819 in backend_startup_one (be=0x8b9a90, cr=0x7fffddbd3f20)
at backend.c:224
#8 0x0000000000449ad2 in backend_startup (be=0x8b9a90) at backend.c:267
#9 0x000000000047366f in slap_startup (be=0x8b9a90) at init.c:225
#10 0x00000000004c1853 in slap_tool_init (progname=0x55a728 "slapadd", tool=1,
argc=10, argv=0x7fffddbe4a08) at slapcommon.c:725
#11 0x00000000004beff0 in slapadd (argc=10, argv=0x7fffddbe4a08)
at slapadd.c:73
#12 0x00000000004190ef in main (argc=10, argv=0x7fffddbe4a08) at main.c:636
(gdb)
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
15 years, 3 months
Re: (ITS#5355) back-meta calls back-ldap directly
by hyc@symas.com
hyc(a)symas.com wrote:
> vorlon(a)debian.org wrote:
>> This bug is marked as fixed in 2.4.8, but I still see the same problem in
>> the test suite in 2.4.10. Trying to start slapd with back-meta gives:
>>
>> /home/devel/openldap/build-area/openldap2.3-2.4.10/debian/build/servers/slapd/.libs/lt-slapd: symbol lookup error: ../servers/slapd/back-meta/.libs/back_meta-2.4.so.2: undefined symbol: slap_idassert_parse_cf
>>
>> Is this a regression since 2.4.8?
>
> Looks more like an incomplete fix. The functions in question haven't changed
> since 2006. Since we're not using a hacked libltdl the problem you're seeing
> doesn't show up here. I guess you should have tested this sooner...
Additional patches for back-ldap/back-meta are now in HEAD; please test.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 3 months
Re: (ITS#5355) back-meta calls back-ldap directly
by hyc@symas.com
vorlon(a)debian.org wrote:
> This bug is marked as fixed in 2.4.8, but I still see the same problem in
> the test suite in 2.4.10. Trying to start slapd with back-meta gives:
>
> /home/devel/openldap/build-area/openldap2.3-2.4.10/debian/build/servers/slapd/.libs/lt-slapd: symbol lookup error: ../servers/slapd/back-meta/.libs/back_meta-2.4.so.2: undefined symbol: slap_idassert_parse_cf
>
> Is this a regression since 2.4.8?
Looks more like an incomplete fix. The functions in question haven't changed
since 2006. Since we're not using a hacked libltdl the problem you're seeing
doesn't show up here. I guess you should have tested this sooner...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 3 months
Re: (ITS#5579) Interaction of ppolicy attributes
by hyc@symas.com
Andrew Findlay wrote:
> Indeed, though draft-behera-ldap-password-policy-xx.txt is a bit unclear
> on the subject of that attribute:
>
> 5.3.3 pwdAccountLockedTime
> The current implementation does allow
> admins to set the value, which appears to be the only way to
> lock/unlock an account without changing the password.
The current implementation allows pretty much anybody to set the attribute.
It's intended that it can only be set when using the Relax Constraints control.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 3 months
Re: (ITS#5583) slapadd core dumps
by hyc@symas.com
dieter(a)dkluenter.de wrote:
> Full_Name: Dieter Kluenter
> Version: 2.4.10
> OS: openSUSE
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (84.142.217.87)
> running slapadd with following options
>
> ./slapd -T add -d-1 -qwv -f /opt/openldap/etc/openldap/slapd.conf -F
> /opt/openldap/etc/openldap/slapd.d -l /tmp/hdk-init.ldif
>
> slapadd startup: initiated.
> backend_startup_one: starting "o=avci,c=de"
> hdb_db_open: "o=avci,c=de"
> hdb_db_open: database "o=avci,c=de": dbenv_open(/tmp/ldap).
> slapd: ad.c:164: slap_bv2ad: Assertion `*ad == ((void *)0)' failed.
> Abgebrochen (core dumped)
>
> output of gdb
Where is the backtrace?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 3 months
(ITS#5583) slapadd core dumps
by dieter@dkluenter.de
Full_Name: Dieter Kluenter
Version: 2.4.10
OS: openSUSE
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.142.217.87)
Hello,
processor: amd64
my configure flags:
export CFLAGS="-g -march=athlon64"
PREFIX="/opt/openldap"
DATABASE="bdb"
make distclean ;
./configure \
--prefix=${PREFIX} \
--enable-dynamic \
--enable-aci \
--enable-modules \
--enable-rewrite \
--enable-bdb=yes \
--enable-hdb=yes \
--enable-ldap=mod \
--enable-monitor=yes \
--enable-meta=mod \
--enable-perl=mod \
--enable-relay=mod \
--enable-monitor=yes \
--enable-sql=mod \
--enable-overlays=mod
make depend && make && cd tests ;
running slapadd with following options
./slapd -T add -d-1 -qwv -f /opt/openldap/etc/openldap/slapd.conf -F
/opt/openldap/etc/openldap/slapd.d -l /tmp/hdk-init.ldif
slapadd startup: initiated.
backend_startup_one: starting "o=avci,c=de"
hdb_db_open: "o=avci,c=de"
hdb_db_open: database "o=avci,c=de": dbenv_open(/tmp/ldap).
slapd: ad.c:164: slap_bv2ad: Assertion `*ad == ((void *)0)' failed.
Abgebrochen (core dumped)
output of gdb
(gdb) file /work/openldap/2.4.10/servers/slapd/.libs/slapd
Reading symbols from /work/openldap/2.4.10/servers/slapd/.libs/slapd..done
(gdb) core-file core
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /opt/openldap/lib/libldap_r-2.4.so.2...done.
Loaded symbols for /opt/openldap/lib/libldap_r-2.4.so.2
Reading symbols from /opt/openldap/lib/liblber-2.4.so.2...done.
Loaded symbols for /opt/openldap/lib/liblber-2.4.so.2
Reading symbols from /usr/lib64/libltdl.so.3...done.
Loaded symbols for /usr/lib64/libltdl.so.3
Reading symbols from /usr/lib64/libdb-4.5.so...done.
Loaded symbols for /usr/lib64/libdb-4.5.so
Reading symbols from /usr/lib64/libodbc.so.1...done.
Loaded symbols for /usr/lib64/libodbc.so.1
Reading symbols from /lib64/libpthread.so.0...done.
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /usr/lib64/libsasl2.so.2...done.
Loaded symbols for /usr/lib64/libsasl2.so.2
Reading symbols from /lib64/libdl.so.2...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /usr/lib64/libssl.so.0.9.8...done.
Loaded symbols for /usr/lib64/libssl.so.0.9.8
Reading symbols from /usr/lib64/libcrypto.so.0.9.8...done.
Loaded symbols for /usr/lib64/libcrypto.so.0.9.8
Reading symbols from /lib64/libresolv.so.2...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libc.so.6...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib64/libz.so.1...done.
Loaded symbols for /lib64/libz.so.1
Reading symbols from /usr/lib64/sasl2/liblogin.so...done.
Loaded symbols for /usr/lib64/sasl2/liblogin.so
Reading symbols from /lib64/libcrypt.so.1...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /usr/lib64/sasl2/libanonymous.so...done.
Loaded symbols for /usr/lib64/sasl2/libanonymous.so
Reading symbols from /usr/lib64/sasl2/libdigestmd5.so...done.
Loaded symbols for /usr/lib64/sasl2/libdigestmd5.so
Reading symbols from /usr/lib64/sasl2/libcrammd5.so...done.
Loaded symbols for /usr/lib64/sasl2/libcrammd5.so
Reading symbols from /usr/lib64/sasl2/libsasldb.so...done.
Loaded symbols for /usr/lib64/sasl2/libsasldb.so
Reading symbols from /usr/lib64/sasl2/libplain.so...done.
Loaded symbols for /usr/lib64/sasl2/libplain.so
Reading symbols from /opt/openldap/libexec/openldap/dynlist-2.4.so.2...done.
Loaded symbols for /opt/openldap/libexec/openldap/dynlist-2.4.so.2
Reading symbols from /opt/openldap/libexec/openldap/accesslog-2.4.so.2...done.
Loaded symbols for /opt/openldap/libexec/openldap/accesslog-2.4.so.2
Reading symbols from /opt/openldap/libexec/openldap/ppolicy-2.4.so.2...done.
Loaded symbols for /opt/openldap/libexec/openldap/ppolicy-2.4.so.2
Reading symbols from /opt/openldap/libexec/openldap/syncprov-2.4.so.2...done.
Loaded symbols for /opt/openldap/libexec/openldap/syncprov-2.4.so.2
Core was generated by `./slapd -Tadd -d-1 -qwv -f
/opt/openldap/etc/openldap/slapd.conf -F /opt/openld'
Program terminated with signal 6, Aborted.
[New process 16951]
#0 0x00007f39e0ea95c5 in raise () from /lib64/libc.so.6
(gdb) quit
-Dieter
15 years, 3 months
Re: (ITS#5579) Interaction of ppolicy attributes
by andrew.findlay@skills-1st.co.uk
On Sat, Jun 28, 2008 at 07:21:44PM -0700, Howard Chu wrote:
> >pwdFailureTime cannot be modified directly, so I think there is a case for
> >clearing it when pwdAccountLockedTime is cleared explicitly.
>
> Technically, you're not supposed to be able to modify pwdAccountLockedTime
> directly either. The current behavior is a temporary hack. The only
> legitimate way to remove those attributes is by setting a new password. I'm
> rejecting this ITS.
Indeed, though draft-behera-ldap-password-policy-xx.txt is a bit unclear
on the subject of that attribute:
5.3.3 pwdAccountLockedTime
This attribute holds the time that the user's account was locked. A
locked account means that the password may no longer be used to
authenticate. A 000001010000Z value means that the account has been
locked permanently, and that only a password administrator can unlock
the account.
One reading of that clause is that *setting* pwdAccountLockedTime to
000001010000Z is the way to lock an account by administrative action.
There does not appear to be anything in the I-D that would cause the
server to set that value itself. The current implementation does allow
admins to set the value, which appears to be the only way to
lock/unlock an account without changing the password.
I would certainly prefer to have separate attributes for 'admin lock'
and 'auto lock'.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
15 years, 3 months