openldap-bugs November 2009

openldap-bugs@openldap.org

40 participants
183 discussions

Re: (ITS#6368) Bug in deleting entry in MirrorMode
by masarati＠aero.polimi.it 10 Nov '09

10 Nov '09

pitpalme+openldap(a)gmail.com wrote: > Full_Name: Peter Palmreuther > Version: 2.4.19 > OS: FreeBSD 7.2 / Solaris 8 > URL: > Submission from: (NULL) (87.123.91.4) > > > I've set up OpenLDAP to run in "MirrorMode": > > # [...] > overlay syncprov > syncprov-checkpoint 100 10 > syncprov-sessionlog 100 > # [...] > syncrepl rid=001 > provider=ldap://localhost:11389 > type=refreshAndPersist > searchbase="o=esolution,dc=deutscherv,dc=de" > schemachecking=on > bindmethod=simple > binddn="cn=MirrorMode,o=esolution,dc=deutscherv,dc=de" > credentials="M1rr0rM3" > retry="60 +" > > serverID 1 > mirrormode on > # [...] > > The second server is set up identically, except "serverID" is 2 and "provider" > is set to URL of first server. The fact addresses are "localhost" is because I > replicated my main setup on my private server (FreeBSD) to better inspect and > debug the problem. > > When adding, modifying and deleting an entry it can happend I do get a positive > return from delete, but a subsequent "add" fails with "code=68: Already > exists". Can you check whether the entry actually exist, although in "glue" state? You can do this by searching (e.g. with ldapsearch) as the rootdn, to bypass access checking, and using the manageDSAit control (-MM). p.

1 0

(ITS#6247)
by daniel＠pluta.biz 10 Nov '09

10 Nov '09

Hi, I've uploaded a cleaned up version. It's nearly a complete rewrite of the original contribution. In addition to the previous version which (intentionally) just supported the constant MRA "NOW" the updated version also supports now[+/-]offset calculation and matching. The offset's syntax is "NYears#Nmonths#Ndays#NHours#NMinutes#NSeconds" where '#' separates the different time unit fields and N is the amount of time (offset) for a distinct time unit. N can be a negative or positive value (all none-digits and blanks are ignored, multiple signs are simply aggregated to a single (the first from the left) sign). Thanks to previous normalization before the actual matching the "timedrift effect" (see followup #4 above) isn't present any more, too. The two matching rule's (nowOrEarlier/nowOrLaterMatch) are compatible with any generalizedTime-syntax based attribute. Additionally the module introduces two specialized syntaxes exclusively dedicated to this modules matching rules (intentionally not supporting any kind of generalizedTime[Ordering]Match-ing extensible match). Please have a look at the README, the sample schema definition, and/or the source for further details. The current version can be found here: ftp://ftp.openldap.org/incoming/daniel-pluta-now-091110-1.tgz Any kind of feedback is very welcome. Thanks a lot! Daniel

1 0

(ITS#6369) Get rid of cacertdir_rehash
by FullName＠in-valid.com 10 Nov '09

10 Nov '09

Full_Name: Full Name Version: 2.3.43 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:708:10:10:21c:25ff:fe98:3f0e) It is inconvenient to have to use cacertdir_rehash command to hash the certs. IMO it does not service any purpose. It would be nice if cert could be just dropped to a dir and then openldap sees it.

1 0

(ITS#6368) Bug in deleting entry in MirrorMode
by pitpalme+openldap＠gmail.com 09 Nov '09

09 Nov '09

Full_Name: Peter Palmreuther Version: 2.4.19 OS: FreeBSD 7.2 / Solaris 8 URL: Submission from: (NULL) (87.123.91.4) I've set up OpenLDAP to run in "MirrorMode": # [...] overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 # [...] syncrepl rid=001 provider=ldap://localhost:11389 type=refreshAndPersist searchbase="o=esolution,dc=deutscherv,dc=de" schemachecking=on bindmethod=simple binddn="cn=MirrorMode,o=esolution,dc=deutscherv,dc=de" credentials="M1rr0rM3" retry="60 +" serverID 1 mirrormode on # [...] The second server is set up identically, except "serverID" is 2 and "provider" is set to URL of first server. The fact addresses are "localhost" is because I replicated my main setup on my private server (FreeBSD) to better inspect and debug the problem. When adding, modifying and deleting an entry it can happend I do get a positive return from delete, but a subsequent "add" fails with "code=68: Already exists". This does not happen all the time, but often enough to name it "reproducible". This seems not to happen if there's a "sleep" between modify and delete. It also seems not to happen if secondary server is down.

1 0

Bug in deleting entry in MirrorMode?
by Peter Palmreuther 09 Nov '09

09 Nov '09

Hello, I'm writing to this list to clarify if I discovered a bug or just did not configure OpenLDAP properly. I've set up OpenLDAP to run in "MirrorMode": # [...] overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 # [...] syncrepl rid=001 provider=ldap://localhost:11389 type=refreshAndPersist searchbase="o=esolution,dc=deutscherv,dc=de" schemachecking=on bindmethod=simple binddn="cn=MirrorMode,o=esolution,dc=deutscherv,dc=de" credentials="M1rr0rM3" retry="60 +" serverID 1 mirrormode on # [...] The second server is set up identically, except "serverID" is 2 and "provider" is set to URL of first server. The fact addresses are "localhost" is because I replicated my main setup on my private server to better inspect and debug the problem. When adding, modifying and deleting an entry it can happend I do get a positive return from delete, but a subsequent "add" fails with "code=68: Already exists". This does not happen all the time, but often enough to name it "reproducible". This seems not to happen if there's a "sleep" between modify and delete. It also seems not to happen if secondary server is down. So either I've got a configuration problem or there's a problem with synchronization. Anybody here to help, tracking down this problem? Thanks a lot, and -- Regards, Peter

2 1

(ITS#6367) syncprov ... changed by peer, ignored
by olivier.chirossel＠sfr.com 09 Nov '09

09 Nov '09

Full_Name: olivier chirossel Version: 2.4.17 and 2.4.19 OS: linux URL: http://86.64.145.174:8080/ Submission from: (NULL) (62.39.9.251) in refreshend persist mode, the replication is incorrect for an entry which be delete/add after master restart and before the reconnection of the slave. steps to reproduce : 0) two linux server (one for the master, one for the slave) on the master ip : 10.143.73.9 on the slave ip : 10.143.73.71 1) kernel configuration on the slave by default tcp_keepalive_time 7200 on linux and tcp_keepalive_probes 9 put in /etc/sysctl.conf net.ipv4.tcp_keepalive_time = 60 net.ipv4.tcp_keepalive_probes = 2 and sysctl -p 2) master set up on /etc/openldap tar xvf slapd_master.tar (get on the url ) and slapd -F /etc/openldap/slapd.d and ldapadd -h 10.153.73.9 -D "cn=admin, cn=config" -w secret -f first.ldif (get on url) 2) slave set up on /etc/openldap tar xvf slapd_slave.tar (get on the url ) and slapd -F /etc/openldap/slapd.d 2) on the master : add the entry ldapadd -h 10.153.73.9 -D "cn=admin, cn=config" -w secret -f test1init.ldif (get on url) 3) on the master : restart the master and delete/add (with new value) kill `pidof slapd` slapd -F /etc/openldap/slapd.d ldapdelete -h 10.153.73.9 -D "cn=admin, cn=config" -w secret msisdn=6666666660,suffix=0,dc=sfr.com ldapadd -h 10.153.73.9 -D "cn=admin, cn=config" -w secret -f testcreate.ldif (get on url) verify the entry ldapsearch -L -L -L -D "cn=admin, cn=config" -w secret -b " suffix=0,dc=sfr.com" 4) on the slave : see the slave reconnect netstat -an | grep 389 for see the connection between the slave and the master ldapsearch -L -L -L -D "cn=admin, cn=config" -w secret -b " suffix=0,dc=sfr.com" see the logs 5) on the slave after reconnection to the master ldapsearch -L -L -L -D "cn=admin, cn=config" -w secret -b " suffix=0,dc=sfr.com" ( "no entry for dn msisdn=6666666660,suffix=0,dc=sfr.com" ) 6) on the master after reconnection from the slave to the master in the logs syncprov ... changed by peer, ignored

1 0

Re: (ITS#6366) application GUI crashes when openning file by a user created by LDAP
by michael＠stroeder.com 06 Nov '09

06 Nov '09

fuzq(a)anl.gov wrote: > Full_Name: Albert Fu > Version: 2.3.27-8.el5_2.4.i386 > OS: Scientific Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (164.54.208.62) > > > I have a Linux application software with a text editor developed with QT > and C++. Every time when openning a file by a user created by LDAP, the > software crashes with "floating point exception". However, this doesn't > happen to users added to the system by command 'useradd' or 'Users and > Groups' tool of the system. I really doubt that this has something to do with OpenLDAP itself. Regarding the LDAP side you should try to track down whether the user data returned via nss_ldap or similar is complete and correct. Anyway the software should not crash if the user name for a numeric user id cannot be found. Ciao, Michael.

1 0

Re: (ITS#6366) application GUI crashes when openning file by a user created by LDAP
by quanah＠zimbra.com 06 Nov '09

06 Nov '09

--On Friday, November 06, 2009 5:07 PM +0000 fuzq(a)anl.gov wrote: > Full_Name: Albert Fu > Version: 2.3.27-8.el5_2.4.i386 > OS: Scientific Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (164.54.208.62) > > > I have a Linux application software with a text editor developed with QT > and C++. Every time when openning a file by a user created by LDAP, the > software crashes with "floating point exception". However, this doesn't > happen to users added to the system by command 'useradd' or 'Users and > Groups' tool of the system. Aside from the fact that 2.3 is historic, how is it OpenLDAP's bug that an application you wrote crashes? --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#6366) application GUI crashes when openning file by a user created by LDAP
by fuzq＠anl.gov 06 Nov '09

06 Nov '09

Full_Name: Albert Fu Version: 2.3.27-8.el5_2.4.i386 OS: Scientific Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (164.54.208.62) I have a Linux application software with a text editor developed with QT and C++. Every time when openning a file by a user created by LDAP, the software crashes with "floating point exception". However, this doesn't happen to users added to the system by command 'useradd' or 'Users and Groups' tool of the system. Thanks,

1 0

(ITS#6365) Bad slapcat output when slapd running
by apm＠mutex.dk 06 Nov '09

06 Nov '09

Full_Name: Peter Mogensen Version: 2.4.19 OS: Debian Lenny URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (95.166.36.16) Using openldap 2.4.17 and 2.4.19 linked with libdb4.6 and libdb4.8 in a mirrormode setup: * Load the database with slapadd on server-1, start server-1 The LDIF being loaded is generated with slapcat from a slapd 2.3.30-5+etch2 Running on Debian Etch. I have no reason to suspect that it is not loaded correctly into server1 * Start server-2 and monitor the progress of replication with slapcat, for example: # for ((I=1;I<=20;I++)); do slapcat > out-$I; done * Look at the output: # for ((I=1;I<=20;I++)); do wc -l out-$I; done I would expect the generated files to be strictly increasing in size. However, some times there's a file which is smaller than the previous. In it I see LDIF entries like this: dn: objectClass: top objectClass: NamedObject objectClass: simpleSecurityObject uid: rieke userPassword:: e1NBU0x..... structuralObjectClass: NamedObject entryUUID: e46b680e-e5f5-102b-93c9-79162adc1d46 creatorsName: dc=admin,dc=example,dc=com createTimestamp: 20070823185333Z entryCSN: 20070823185333.000000Z#000002#000#000000 modifiersName: dc=admin,dc=example,dc=com modifyTimestamp: 20070823185333Z ... with an empty DN line. My config is as follows. It has been converted to LDIF and the server is running with a cn=config database: ============================================ #gentlehup on pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel none tool-threads 4 # Modules modulepath /usr/lib/ldap moduleload back_hdb moduleload syncprov # Schemas include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema # Limits disallow bind_anon #idletimeout 120 sizelimit 2000 # TLS/Auth TLSCACertificateFile /etc/ldap/ssl/ca.crt TLSCertificateFile /etc/ldap/ssl/server.crt TLSCertificateKeyFile /etc/ldap/ssl/server.nopass.key TLSCipherSuite "NULL-SHA" # Allow root to configure slapd via ldapi:/// TLSVerifyClient demand authz-regexp "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=config" authz-regexp "email=root(a)example.com,cn=config,ou=dev,o=example.com,st=Denmark,c=DK" "cn=config" ##### Mirror mode #### serverID 2 database config limits dn.exact="cn=config" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited syncrepl rid=1 provider=ldaps://server1.example.com:636/ searchbase="cn=config" type=refreshAndPersist retry="60 +" scope=sub schemachecking=on bindmethod=sasl binddn="cn=config" saslmech="EXTERNAL" tls_cert=/etc/ldap/ssl/config.crt tls_key=/etc/ldap/ssl/config.nopass.key tls_cacert=/etc/ldap/ssl/ca.crt tls_cipher_suite="NULL-SHA" syncrepl rid=2 provider=ldaps://server2.example.com:636/ searchbase="cn=config" type=refreshAndPersist retry="60 +" scope=sub schemachecking=on bindmethod=sasl binddn="cn=config" saslmech="EXTERNAL" tls_cert=/etc/ldap/ssl/config.crt tls_key=/etc/ldap/ssl/config.nopass.key tls_cacert=/etc/ldap/ssl/ca.crt tls_cipher_suite="NULL-SHA" overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncprov-reloadhint TRUE mirrormode on ================================================= The database which I slapcat and which is being replicated has been loaded with " ldapadd -YEXTERNAL -H ldapi:/// -f ..." from this LDIF: dn: olcDatabase={1}hdb,cn=config objectClass: olcHdbConfig objectClass: olcDatabaseConfig olcDatabase: hdb olcSuffix: cn=data,dc=example,dc=com olcRootDN: cn=config olcDbDirectory: /var/lib/ldap/cn=data,dc=example,dc=com olcDbMode: 0660 olcDbConfig: set_cachesize 2 0 0 olcDbConfig: set_lg_bsize 2097512 olcDbConfig: set_lg_dir /var/lib/ldap/cn=data,dc=example,dc=com-log olcDbConfig: set_flags DB_LOG_AUTOREMOVE olcDbConfig: set_lk_max_objects 5000 olcDbConfig: set_lk_max_locks 5000 olcDbConfig: set_lk_max_lockers 5000 olcDbCheckpoint: 1024 10 olcDbCachefree: 16 olcDbCachesize: 100000 olcDbIDLcacheSize: 300000 olcDbLinearIndex: TRUE olcDbIndex: objectClass eq olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq olcDbIndex: cn eq,sub olcDbIndex: uid eq olcDbIndex: ou eq olcDbIndex: o eq olcDbIndex: givenName eq,sub olcDbIndex: sn eq,sub olcDbIndex: mail eq,sub olcDbIndex: member eq olcDbIndex: reader eq olcDbIndex: writer eq olcDbIndex: admin eq olcAccess: to dn.base="cn=data,dc=example,dc=com" attrs=userPassword by * auth olcAccess: to dn.base="cn=data,dc=example,dc=com" by dn.base="cn=data,dc=example,dc=com" search olcAccess: to dn.children="cn=data,dc=example,dc=com" by dn.base="cn=data,dc=example,dc=com" write olcSyncRepl: rid=3 provider=ldaps://server1.example.com:636/ searchbase="cn=data,dc=example,dc=com" type=refreshAndPersist retry="60 +" scope=sub schemachecking=on bindmethod=sasl binddn="cn=config" saslmech="EXTERNAL" tls_cert=/etc/ldap/ssl/config.crt tls_key=/etc/ldap/ssl/config.nopass.key tls_cacert=/etc/ldap/ssl/ca.crt tls_cipher_suite="NULL-SHA" olcSyncRepl: rid=4 provider=ldaps://server2.example.com:636/ searchbase="cn=data,dc=example,dc=com" type=refreshAndPersist retry="60 +" scope=sub schemachecking=on bindmethod=sasl binddn="cn=config" saslmech="EXTERNAL" tls_cert=/etc/ldap/ssl/config.crt tls_key=/etc/ldap/ssl/config.nopass.key tls_cacert=/etc/ldap/ssl/ca.crt tls_cipher_suite="NULL-SHA" olcMirrorMode: TRUE olcLimits: dn.base="cn=config" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpCheckpoint: 100 600 olcSpSessionlog: 100 olcSpReloadHint: TRUE dn: olcOverlay=refint,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcRefintConfig olcOverlay: refint olcRefintAttribute: member

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs November 2009