August 2008 - openldap-bugs

(ITS#5664) Deadlocks when writing in parallell (two processes)

by tom.bjorkholm＠aastra.com

Full_Name: Stelios Grigoriadis & Tom Björkholm Version: 2.3.39 OS: Novell SLES 10 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (194.237.142.7) We get a lot of DB_LOCK_DEADLOCK when using client programs that for a period of time continuously writes to OpenLDAP. Version is 2.3.39. The information added is of the form: ebcmdCustomer=0+ebcmdDir=220xx,ou=AuthCodes,ebcmdVersion=0,ebcmdProduct=ebcmd,dc=example,dc=com where xx varies. Snippet of the output: Mar 27 13:03:21 ldapt1 slapd[7589]: => bdb_dn2id_add: subtree (ebcmdCustomer=0+ebcmdDir=22037,ou=authcodes,ebcmdVersion=0,ebcmdProduct=ebcmd,dc=example,dc=com) put failed: -30995 Mar 27 13:03:26 ldapt1 slapd[7589]: => bdb_idl_insert_key: c_put id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995) Mar 27 13:03:26 ldapt1 slapd[7589]: => bdb_dn2id_add: parent (ou=authcodes,ebcmdVersion=0,ebcmdProduct=ebcmd,dc=example,dc=com) insert failed: -30995 Mar 27 13:03:28 ldapt1 slapd[7589]: => bdb_idl_insert_key: c_put id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995) Mar 27 13:03:28 ldapt1 slapd[7589]: => bdb_dn2id_add: parent (ou=authcodes,ebcmdVersion=0,ebcmdProduct=ebcmd,dc=example,dc=com) insert failed: -30995 Mar 27 13:03:36 ldapt1 slapd[7589]: => bdb_idl_insert_key: c_put id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995) Mar 27 13:03:36 ldapt1 slapd[7589]: => bdb_dn2id_add: parent (ou=authcodes,ebcmdVersion=0,ebcmdProduct=ebcmd,dc=example,dc=com) insert failed: -30995 Mar 27 13:03:38 ldapt1 slapd[7589]: => bdb_idl_insert_key: c_put id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995)

15 years, 1 month

1
0
0 / 0

Re: (ITS#5662) Comments in schema declarations separated by semicolon

by hyc＠symas.com

michael(a)stroeder.com wrote: > Full_Name: Michael Ströder > Version: HEAD > OS: > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (84.163.84.234) > > > It might be helpful if the schema config file parser would accept lines with > comments at the end separated by semicolon. The parser doesn't know anything about line endings. Remember, lines with leading white space are continuations of the previous line. The schema parser is just fed a single string as one long line, the line endings were removed long before it ever got there. > Example (derived from http://tools.ietf.org/draft/draft-dally-acp133-and-ldap/ > using mainly OIDs): > > attributetype ( 2.16.840.1.101.2.2.1.69 NAME 'transferStation' > EQUALITY 2.5.13.13 ; booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ; BOOLEAN > SINGLE-VALUE ) It would be smarter to just standardize OID macros for each of these OIDs, the way X.500 did, and not require the humans reading these specs to memorize these numeric OIDs... I don't see any straightforward way to modify our parser as you're suggesting. Unless someone else feels like jumping in, I think we should reject this ITS. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

15 years, 1 month

1
0
0 / 0

(ITS#5663) Declaring substitute syntax as LDAP syntax

by michael＠stroeder.com

Full_Name: Michael Ströder Version: HEAD OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (84.163.84.234) Sometimes one wants to add a custom schema which also defines LDAP syntaxes which are not supported yet but could be substituted by another LDAP syntax already implemented. Instead of changing SYNTAX of all attribute type declarations in the custom schema it might be handy if declaring a substitute LDAP syntax would be possible while still providing the original syntax declaration to the client which might know better what to do with it. Example for emulating custom LDAP syntax with PrintableString: ldapsyntax ( 1.3.6.1.4.1.5427.666.42.42.42 X-SUBST 1.3.6.1.4.1.1466.115.121.1.44 ) This should fail with parsing error if one trys to add a substitute syntax for a syntax already implemented.

15 years, 1 month

1
0
0 / 0

(ITS#5662) Comments in schema declarations separated by semicolon

by michael＠stroeder.com

Full_Name: Michael Ströder Version: HEAD OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (84.163.84.234) It might be helpful if the schema config file parser would accept lines with comments at the end separated by semicolon. Example (derived from http://tools.ietf.org/draft/draft-dally-acp133-and-ldap/ using mainly OIDs): attributetype ( 2.16.840.1.101.2.2.1.69 NAME 'transferStation' EQUALITY 2.5.13.13 ; booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ; BOOLEAN SINGLE-VALUE )

15 years, 1 month

1
0
0 / 0

Re: (ITS#5655) add option for setting minimum TLS/SSL protocol

by guenther＠sendmail.com

I have an updated patch, but can't post it: ftp.openldap.org's incoming is full: ftp> cd incoming 250 CWD command successful. ftp> put guenther-080820.patch local: guenther-080820.patch remote: guenther-080820.patch 150 Opening BINARY mode data connection for 'guenther-080820.patch'. 100% |**************************************************| 9215 00:00 452 Error writing file: No space left on device. 9215 bytes sent in 0.13 seconds (66.79 KB/s) ftp> (Once we get a patch that looks good, I'll follow it with a patch for the docs.)

15 years, 1 month

1
0
0 / 0

Re: (ITS#5655) add option for setting minimum TLS/SSL protocol

by hyc＠symas.com

Philip Guenther wrote: > On Tue, 19 Aug 2008, Howard Chu wrote: >> guenther(a)sendmail.com wrote: > ... >>> TLS_PROTOCOL_MIN<major>,<minor> >> Let's use US convention<major>.<minor>... > > Ok. > >>> C: >>> struct ldap_tls_protocol { unsigned char major, minor; } val; >>> val.major = 3; val.minor=0; >>> ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN,&val); >> I would just use an int, and have the caller OR in the appropriate >> values. > > So: > /* force TLS 1.0 or later */ > ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, (3<< 8) + 1); The set_option interface requires a pointer. So min = (3<<8)+1; ldap_set_option(ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, &min); > > >> You could also define a few macros for the currently known versions. > > Preferences on the format of those macros? > > #define LDAP_OPT_X_TLS_PROTOCOL_SSLv2 (2<< 8) > #define LDAP_OPT_X_TLS_PROTOCOL_SSLv3 (3<< 8) > #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0 ((3<< 8) + 1) > #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_1 ((3<< 8) + 2) > #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_2 ((3<< 8) + 3) > > ? > Drop the 'v' and I think it'll be fine -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

15 years, 1 month

1
0
0 / 0

Re: (ITS#5655) add option for setting minimum TLS/SSL protocol

by guenther＠sendmail.com

On Tue, 19 Aug 2008, Howard Chu wrote: > guenther(a)sendmail.com wrote: ... > > TLS_PROTOCOL_MIN<major>,<minor> > > Let's use US convention <major>.<minor>... Ok. > > C: > > struct ldap_tls_protocol { unsigned char major, minor; } val; > > val.major = 3; val.minor=0; > > ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN,&val); > > I would just use an int, and have the caller OR in the appropriate > values. So: /* force TLS 1.0 or later */ ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, (3 << 8) + 1); > You could also define a few macros for the currently known versions. Preferences on the format of those macros? #define LDAP_OPT_X_TLS_PROTOCOL_SSLv2 (2 << 8) #define LDAP_OPT_X_TLS_PROTOCOL_SSLv3 (3 << 8) #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0 ((3 << 8) + 1) #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_1 ((3 << 8) + 2) #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_2 ((3 << 8) + 3) ? > What are the values for TLS1.1, 1.2, etc? So far, TLS 1.x == SSL version 3.(x+1). Philip Guenther

15 years, 1 month

1
0
0 / 0

Re: (ITS#5655) add option for setting minimum TLS/SSL protocol

by hyc＠symas.com

guenther(a)sendmail.com wrote: > On Fri, 15 Aug 2008, Philip Guenther wrote: > ... >> That said, it's more important to me that *some* option gets in so that I >> (and Sendmail) don't have to maintain forever a patch to add it. If >> someone 'official' will make a decision and simply state what the option >> should look like in its three forms (C API, ldap.conf, slapd config), I'll >> munge the patch to match. > > Any opinions? > > ldap.conf: > TLS_PROTOCOL_MIN<major>,<minor> Let's use US convention <major>.<minor>... > C: > struct ldap_tls_protocol { unsigned char major, minor; } val; > val.major = 3; val.minor=0; > ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN,&val); I would just use an int, and have the caller OR in the appropriate values. You could also define a few macros for the currently known versions. What are the values for TLS1.1, 1.2, etc? > > ? > > > (I'm running out of time to get _something_ into Sendmail's local copy, at > which point I'll just commit something there and have to leave you guys to > hack whatever you get around into the official repository.) > > > Philip Guenther > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

15 years, 1 month

1
0
0 / 0

Re: (ITS#5655) add option for setting minimum TLS/SSL protocol

by guenther＠sendmail.com

On Fri, 15 Aug 2008, Philip Guenther wrote: ... > That said, it's more important to me that *some* option gets in so that I > (and Sendmail) don't have to maintain forever a patch to add it. If > someone 'official' will make a decision and simply state what the option > should look like in its three forms (C API, ldap.conf, slapd config), I'll > munge the patch to match. Any opinions? ldap.conf: TLS_PROTOCOL_MIN <major>,<minor> C: struct ldap_tls_protocol { unsigned char major, minor; } val; val.major = 3; val.minor=0; ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, &val); ? (I'm running out of time to get _something_ into Sendmail's local copy, at which point I'll just commit something there and have to leave you guys to hack whatever you get around into the official repository.) Philip Guenther

15 years, 1 month

1
0
0 / 0

Re: (ITS#5661) contextCSN gets corrupted on the stand by mirror

by ghenry＠OpenLDAP.org

----- "ali pouya" <ali.pouya(a)free.fr> wrote: > Hi Gavin; > > Below you find the answers to your questions : > > > Can we get your bdb version, your config and the logs of an empty > mirrormode > > node B pulling in the data loaded in mirrormode A (posted/hosted > online > > somewhere). > > The BDB version is 4.6.21. > You find here attached the file conf.tar.gz containing the > configuration of B. Thanks. > The file syncrepl.conf.simple works well, but the file > syncrepl.conf.double > garbles the contextCSN (I write more than 1000 entries per minute). > Do you want a log for the 10 million entries ? Which loglevel ? Nope, not yet. loglevel sync > The problem only happens if there are write operations on A, not if > the server A > is stationary. Also note that serverID is a *global* directive not per database. Move that out of "database bdb". > > Also, has this always happened on the same machine? What are the > specs of the > > servers? > > The problem happens on the stand by server : If I write on B the > contextCSN of > A gets corrupted (I have already tested this). > > My servers are quadri-processor Xeon 2.2 GHz. > I think this is not related to the hardware but the "year" part of > contextCSN is > not well protected against concurrent operations (?). > > > > > Is this a fresh install? > Yes for 2.4.11, but I use OpenLdap since 5 years for my different > projects. OK, well you should then know that "rootdn cn=admin,ou=ressources-dgi,ou=mefi,o=gouv,c=fr" by passes all ACLs, so you don't need: access to * by dn.base="cn=admin,ou=ressources-dgi,ou=mefi,o=gouv,c=fr" write -- Kind Regards, Gavin Henry. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

15 years, 1 month

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs August 2008