(ITS#5664) Deadlocks when writing in parallel (two processes)
by tom.bjorkholm@aastra.com
Full_Name: Stelios Grigoriadis & Tom Björkholm
Version: 2.3.39
OS: Novell SLES 10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.237.142.7)
We get a lot of DB_LOCK_DEADLOCK when using client programs that for a period of
time continuously write to OpenLDAP.
Version is 2.3.39.
The information added is of the form:
ebcmdCustomer=0+ebcmdDir=220xx,ou=AuthCodes,ebcmdVersion=0,ebcmdProduct=ebcmd,dc=example,dc=com
where xx varies.
Snippet of the output:
Mar 27 13:03:21 ldapt1 slapd[7589]: => bdb_dn2id_add: subtree
(ebcmdCustomer=0+ebcmdDir=22037,ou=authcodes,ebcmdVersion=0,ebcmdProduct=ebcmd,dc=example,dc=com)
put failed: -30995
Mar 27 13:03:26 ldapt1 slapd[7589]: => bdb_idl_insert_key: c_put id failed:
DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995)
Mar 27 13:03:26 ldapt1 slapd[7589]: => bdb_dn2id_add: parent
(ou=authcodes,ebcmdVersion=0,ebcmdProduct=ebcmd,dc=example,dc=com) insert
failed: -30995
Mar 27 13:03:28 ldapt1 slapd[7589]: => bdb_idl_insert_key: c_put id failed:
DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995)
Mar 27 13:03:28 ldapt1 slapd[7589]: => bdb_dn2id_add: parent
(ou=authcodes,ebcmdVersion=0,ebcmdProduct=ebcmd,dc=example,dc=com) insert
failed: -30995
Mar 27 13:03:36 ldapt1 slapd[7589]: => bdb_idl_insert_key: c_put id failed:
DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995)
Mar 27 13:03:36 ldapt1 slapd[7589]: => bdb_dn2id_add: parent
(ou=authcodes,ebcmdVersion=0,ebcmdProduct=ebcmd,dc=example,dc=com) insert
failed: -30995
Mar 27 13:03:38 ldapt1 slapd[7589]: => bdb_idl_insert_key: c_put id failed:
DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995)
15 years, 1 month
Re: (ITS#5662) Comments in schema declarations separated by semicolon
by hyc@symas.com
michael(a)stroeder.com wrote:
> Full_Name: Michael Ströder
> Version: HEAD
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (84.163.84.234)
>
>
> It might be helpful if the schema config file parser would accept lines with
> comments at the end separated by semicolon.
The parser doesn't know anything about line endings. Remember, lines with
leading white space are continuations of the previous line. The schema parser
is just fed a single string as one long line, the line endings were removed
long before it ever got there.
> Example (derived from http://tools.ietf.org/draft/draft-dally-acp133-and-ldap/
> using mainly OIDs):
>
> attributetype ( 2.16.840.1.101.2.2.1.69 NAME 'transferStation'
> EQUALITY 2.5.13.13 ; booleanMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ; BOOLEAN
> SINGLE-VALUE )
It would be smarter to just standardize OID macros for each of these OIDs, the
way X.500 did, and not require the humans reading these specs to memorize
these numeric OIDs...
I don't see any straightforward way to modify our parser as you're suggesting.
Unless someone else feels like jumping in, I think we should reject this ITS.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 1 month
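The unfolding Howard describes above, as an added example that is not part of this thread and not OpenLDAP's own config reader: a small C model of a slapd.conf reader that drops '#' lines, glues whitespace-led continuation lines onto the previous line, and hands the single joined string to a tokenizer the way the schema parser sees it. The sample schema text is constructed from Michael's attributetype (with a leading '#' comment, which slapd.conf does support); the function names are assumptions made for illustration.

```c
/* Added example (not OpenLDAP code): why a ';' comment cannot be a
 * line-end comment in a schema definition. The config reader removes the
 * line endings before the schema parser runs, so the parser only ever
 * sees one long token stream. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed input: Michael's example plus a '#' comment line. */
static const char SCHEMA_TEXT[] =
    "# transferStation, derived from draft-dally-acp133-and-ldap\n"
    "attributetype ( 2.16.840.1.101.2.2.1.69 NAME 'transferStation'\n"
    "\tEQUALITY 2.5.13.13 ; booleanMatch\n"
    "\tSYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ; BOOLEAN\n"
    "\tSINGLE-VALUE )\n";

/* Reassemble the logical lines of a config file: '#' lines are dropped and
 * a line beginning with whitespace is glued onto the previous one with a
 * single blank. Logical lines are separated by '\n' in `out`.
 * Returns bytes written, or -1 if `out` is too small. */
long unfold_config(const char *src, char *out, size_t outsz)
{
    size_t n = 0;
    int have_line = 0;

    while (*src) {
        const char *eol = strchr(src, '\n');
        size_t len = eol ? (size_t)(eol - src) : strlen(src);
        const char *next = eol ? eol + 1 : src + len;
        int cont = have_line && len && isspace((unsigned char)*src);

        if (*src == '#') { src = next; continue; }   /* comment line */

        if (cont) {
            while (len && isspace((unsigned char)*src)) { src++; len--; }
            if (n + 1 >= outsz) return -1;
            out[n++] = ' ';                           /* line break -> blank */
        } else if (have_line) {
            if (n + 1 >= outsz) return -1;
            out[n++] = '\n';                          /* new logical line */
        }
        if (n + len >= outsz) return -1;
        memcpy(out + n, src, len);
        n += len;
        have_line = 1;
        src = next;
    }
    out[n] = '\0';
    return (long)n;
}

/* Walk the first logical line token by token, as a schema parser would,
 * and return the 0-based index of the first bare ';' token (the spot where
 * the parser expects a keyword such as SYNTAX), or -1 if there is none. */
int first_semicolon_token(const char *unfolded)
{
    char buf[1024];
    char *tok;
    int idx = 0;
    size_t len = strcspn(unfolded, "\n");

    if (len >= sizeof buf) return -1;
    memcpy(buf, unfolded, len);
    buf[len] = '\0';
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t"), idx++)
        if (strcmp(tok, ";") == 0) return idx;
    return -1;
}

/* Helpers over the constructed sample, so results can be checked by name. */
const char *sample_unfolded(void)
{
    static char out[512];
    if (unfold_config(SCHEMA_TEXT, out, sizeof out) < 0) out[0] = '\0';
    return out;
}

int sample_semicolon_index(void)
{
    return first_semicolon_token(sample_unfolded());
}

int main(void)
{
    /* The parser receives this one string; "; booleanMatch" now sits
     * directly in front of "SYNTAX" with nothing marking where the
     * intended comment would have ended. */
    printf("parser input: %s\n", sample_unfolded());
    printf("first bare ';' at token %d\n", sample_semicolon_index());
    return 0;
}
```

Run it and the '#' line is gone while both ';' comments survive inside the one unfolded definition, which is exactly the situation Howard says the parser has no way to disambiguate.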
(ITS#5663) Declaring substitute syntax as LDAP syntax
by michael@stroeder.com
Full_Name: Michael Ströder
Version: HEAD
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.163.84.234)
Sometimes one wants to add a custom schema which also defines LDAP syntaxes
which are not supported yet but could be substituted by another LDAP syntax
already implemented.
Instead of changing SYNTAX of all attribute type declarations in the custom
schema it might be handy if declaring a substitute LDAP syntax would be possible
while still providing the original syntax declaration to the client which might
know better what to do with it.
Example for emulating custom LDAP syntax with PrintableString:
ldapsyntax ( 1.3.6.1.4.1.5427.666.42.42.42 X-SUBST 1.3.6.1.4.1.1466.115.121.1.44
)
This should fail with a parsing error if one tries to add a substitute syntax for a
syntax already implemented.
15 years, 1 month
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
by guenther@sendmail.com
I have an updated patch, but can't post it: ftp.openldap.org's incoming is
full:
ftp> cd incoming
250 CWD command successful.
ftp> put guenther-080820.patch
local: guenther-080820.patch remote: guenther-080820.patch
150 Opening BINARY mode data connection for 'guenther-080820.patch'.
100% |**************************************************| 9215 00:00
452 Error writing file: No space left on device.
9215 bytes sent in 0.13 seconds (66.79 KB/s)
ftp>
(Once we get a patch that looks good, I'll follow it with a patch for the
docs.)
15 years, 1 month
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
by hyc@symas.com
Philip Guenther wrote:
> On Tue, 19 Aug 2008, Howard Chu wrote:
>> guenther(a)sendmail.com wrote:
> ...
>>> TLS_PROTOCOL_MIN <major>,<minor>
>> Let's use US convention <major>.<minor>...
>
> Ok.
>
>>> C:
>>> struct ldap_tls_protocol { unsigned char major, minor; } val;
>>> val.major = 3; val.minor=0;
>>> ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, &val);
>> I would just use an int, and have the caller OR in the appropriate
>> values.
>
> So:
> /* force TLS 1.0 or later */
> ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, (3 << 8) + 1);
The set_option interface requires a pointer. So
min = (3<<8)+1;
ldap_set_option(ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, &min);
>
>
>> You could also define a few macros for the currently known versions.
>
> Preferences on the format of those macros?
>
> #define LDAP_OPT_X_TLS_PROTOCOL_SSLv2 (2 << 8)
> #define LDAP_OPT_X_TLS_PROTOCOL_SSLv3 (3 << 8)
> #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0 ((3 << 8) + 1)
> #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_1 ((3 << 8) + 2)
> #define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_2 ((3 << 8) + 3)
>
> ?
>
Drop the 'v' and I think it'll be fine
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 1 month
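The encoding settled on in the exchange above (an int with the major version in the high byte, TLS 1.x carried as SSL 3.(x+1), macro names without the 'v'), as an added example that is neither Philip's patch nor OpenLDAP's libldap: the macros mirror the proposed names (spelled here without the LDAP_OPT_X_ prefix so the file builds without ldap.h), and the parser for the ldap.conf <major>.<minor> spelling is an assumed helper written for illustration, not the project's code. The real call is the pointer form Howard gives, ldap_set_option(ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, &min).

```c
/* Added example (not OpenLDAP code): packing, parsing and comparing the
 * minimum-protocol value discussed in ITS#5655. Macro names follow the
 * thread's proposal minus the 'v'; tls_proto_parse() is an assumed helper
 * for the ldap.conf "<major>.<minor>" form, not libldap's own parser. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define TLS_PROTOCOL_SSL2   (2 << 8)
#define TLS_PROTOCOL_SSL3   (3 << 8)
#define TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
#define TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)

/* Pack major/minor into the single int the option takes. */
int tls_proto_encode(unsigned major, unsigned minor)
{
    return (int)(((major & 0xff) << 8) | (minor & 0xff));
}

/* Parse the ldap.conf argument "<major>.<minor>" (US convention, as agreed).
 * Returns the encoded value, or -1 for anything malformed, including the
 * "<major>,<minor>" spelling that was dropped. */
int tls_proto_parse(const char *s)
{
    char *end;
    unsigned long major, minor;

    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;
    major = strtoul(s, &end, 10);
    if (*end != '.' || !isdigit((unsigned char)end[1]))
        return -1;
    minor = strtoul(end + 1, &end, 10);
    if (*end != '\0' || major > 255 || minor > 255)
        return -1;
    return tls_proto_encode((unsigned)major, (unsigned)minor);
}

/* Because the major version sits in the high byte, a plain integer compare
 * gives the protocol ordering SSL2 < SSL3 < TLS1.0 < TLS1.1 < TLS1.2. */
int tls_proto_meets_min(int negotiated, int minimum)
{
    return negotiated >= minimum;
}

/* Human-readable name for log lines and error messages. */
const char *tls_proto_name(int v)
{
    switch (v) {
    case TLS_PROTOCOL_SSL2:   return "SSLv2";
    case TLS_PROTOCOL_SSL3:   return "SSLv3";
    case TLS_PROTOCOL_TLS1_0: return "TLSv1.0";
    case TLS_PROTOCOL_TLS1_1: return "TLSv1.1";
    case TLS_PROTOCOL_TLS1_2: return "TLSv1.2";
    default:                  return "unknown";
    }
}

int main(void)
{
    int min = tls_proto_parse("3.1");      /* ldap.conf: TLS_PROTOCOL_MIN 3.1 */
    int offered[] = { TLS_PROTOCOL_SSL3, TLS_PROTOCOL_TLS1_0, TLS_PROTOCOL_TLS1_2 };
    size_t i;

    /* With libldap the value is passed by pointer, not by value:
     *   ldap_set_option(ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, &min); */
    printf("minimum: %s (0x%03x)\n", tls_proto_name(min), min);
    for (i = 0; i < sizeof offered / sizeof offered[0]; i++)
        printf("%-8s %s\n", tls_proto_name(offered[i]),
               tls_proto_meets_min(offered[i], min) ? "accepted" : "rejected");
    return 0;
}
```

Build with any C compiler; the loop shows SSLv3 rejected and both TLS versions accepted once the floor is 3.1, which is the behaviour the option is meant to enforce against a peer that offers only the older protocol.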
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
by guenther@sendmail.com
On Tue, 19 Aug 2008, Howard Chu wrote:
> guenther(a)sendmail.com wrote:
...
> > TLS_PROTOCOL_MIN<major>,<minor>
>
> Let's use US convention <major>.<minor>...
Ok.
> > C:
> > struct ldap_tls_protocol { unsigned char major, minor; } val;
> > val.major = 3; val.minor=0;
> > ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, &val);
>
> I would just use an int, and have the caller OR in the appropriate
> values.
So:
/* force TLS 1.0 or later */
ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, (3 << 8) + 1);
> You could also define a few macros for the currently known versions.
Preferences on the format of those macros?
#define LDAP_OPT_X_TLS_PROTOCOL_SSLv2 (2 << 8)
#define LDAP_OPT_X_TLS_PROTOCOL_SSLv3 (3 << 8)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0 ((3 << 8) + 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_2 ((3 << 8) + 3)
?
> What are the values for TLS1.1, 1.2, etc?
So far, TLS 1.x == SSL version 3.(x+1).
Philip Guenther
15 years, 1 month
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
by hyc@symas.com
guenther(a)sendmail.com wrote:
> On Fri, 15 Aug 2008, Philip Guenther wrote:
> ...
>> That said, it's more important to me that *some* option gets in so that I
>> (and Sendmail) don't have to maintain forever a patch to add it. If
>> someone 'official' will make a decision and simply state what the option
>> should look like in its three forms (C API, ldap.conf, slapd config), I'll
>> munge the patch to match.
>
> Any opinions?
>
> ldap.conf:
> TLS_PROTOCOL_MIN <major>,<minor>
Let's use US convention <major>.<minor>...
> C:
> struct ldap_tls_protocol { unsigned char major, minor; } val;
> val.major = 3; val.minor=0;
> ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, &val);
I would just use an int, and have the caller OR in the appropriate values. You
could also define a few macros for the currently known versions.
What are the values for TLS1.1, 1.2, etc?
>
> ?
>
>
> (I'm running out of time to get _something_ into Sendmail's local copy, at
> which point I'll just commit something there and have to leave you guys to
> hack whatever you get around into the official repository.)
>
>
> Philip Guenther
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
15 years, 1 month
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
by guenther@sendmail.com
On Fri, 15 Aug 2008, Philip Guenther wrote:
...
> That said, it's more important to me that *some* option gets in so that I
> (and Sendmail) don't have to maintain forever a patch to add it. If
> someone 'official' will make a decision and simply state what the option
> should look like in its three forms (C API, ldap.conf, slapd config), I'll
> munge the patch to match.
Any opinions?
ldap.conf:
TLS_PROTOCOL_MIN <major>,<minor>
C:
struct ldap_tls_protocol { unsigned char major, minor; } val;
val.major = 3; val.minor=0;
ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, &val);
?
(I'm running out of time to get _something_ into Sendmail's local copy, at
which point I'll just commit something there and have to leave you guys to
hack whatever you get around into the official repository.)
Philip Guenther
15 years, 1 month
Re: (ITS#5661) contextCSN gets corrupted on the stand by mirror
by ghenry@OpenLDAP.org
----- "ali pouya" <ali.pouya(a)free.fr> wrote:
> Hi Gavin;
>
> Below you find the answers to your questions :
>
> > Can we get your bdb version, your config and the logs of an empty
> mirrormode
> > node B pulling in the data loaded in mirrormode A (posted/hosted
> online
> > somewhere).
>
> The BDB version is 4.6.21.
> You find here attached the file conf.tar.gz containing the
> configuration of B.
Thanks.
> The file syncrepl.conf.simple works well, but the file
> syncrepl.conf.double
> garbles the contextCSN (I write more than 1000 entries per minute).
> Do you want a log for the 10 million entries ? Which loglevel ?
Nope, not yet. loglevel sync
> The problem only happens if there are write operations on A, not if
> the server A
> is stationary.
Also note that serverID is a *global* directive not per database. Move
that out of "database bdb".
> > Also, has this always happened on the same machine? What are the
> specs of the
> > servers?
>
> The problem happens on the stand by server : If I write on B the
> contextCSN of
> A gets corrupted (I have already tested this).
>
> My servers are quad-processor Xeon 2.2 GHz.
> I think this is not related to the hardware but the "year" part of
> contextCSN is
> not well protected against concurrent operations (?).
>
> >
> > Is this a fresh install?
> Yes for 2.4.11, but I have used OpenLDAP for 5 years on my different
> projects.
OK, well you should then know that
"rootdn cn=admin,ou=ressources-dgi,ou=mefi,o=gouv,c=fr"
bypasses all ACLs, so you don't need:
access to *
by dn.base="cn=admin,ou=ressources-dgi,ou=mefi,o=gouv,c=fr" write
--
Kind Regards,
Gavin Henry.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
15 years, 1 month