openldap-bugs October 2010

openldap-bugs@openldap.org

38 participants
86 discussions

Re: (ITS#6675) ConnectException UnknownHostException using subdomain URL when searching
by quanah＠zimbra.com 14 Oct '10

14 Oct '10

--On Thursday, October 14, 2010 10:54 AM +0000 adolfo(a)ingenia.es wrote: > Full_Name: Adolfo Cort?s > Version: openldap-2.3.43-12.el5 > OS: CentOS release 5.2 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (62.15.226.90) I see nothing in this report that has to do with OpenLDAP. I.e., you do not show any problems with ldapsearch or any other utility provided by the OpenLDAP Foundation. All of your information is about Java/JNDI, none of which uses the OpenLDAP Code base. I advise you to contact Oracle if you have questions/issues with JNDI. I would note that there are far superior Java API's for connecting to LDAP than JNDI, and that Active Directory, while LDAP "like", is not truly LDAP, and has many unique quirks. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#6675) ConnectException UnknownHostException using subdomain URL when searching
by adolfo＠ingenia.es 14 Oct '10

14 Oct '10

Full_Name: Adolfo Cortés Version: openldap-2.3.43-12.el5 OS: CentOS release 5.2 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (62.15.226.90) I try to connect to an Active directory from a java application using JNDI /OpenLDAP openldap-2.3.43-12.el5 in CentOS release 5.2 When i did a search i get a CommunicationException Error : javax.naming.CommunicationException: xxxxxxxx.es:636 [Root exception is java.net.UnknownHostException: xxxxxxxx.es]] xxxxxxxx.es:636 is reachable and another operations over LDAP as create user goes fine. I see that the problem is related to the DNS configuration: the Active Directory server DNS is aaaaa.bbbbb.xxxxxxxx.es but the base search is only xxxxxxxx.es when I do the search i get the exception because it takes xxxxxxxx.es instead of ssss.xxxxxxxx.es to perform the operation. I tried to solve it adding xxxxxxxx.es to hosts and writing the same IP of aaaaa.bbbbb.xxxxxxxx.es , so the bypass works and the connection goes but now i have a new problem, when i execute the search it connects but retrieves a Referral Limit Exception, iŽm thinking because there are jumps or confussion between aaaaa.bbbbb.xxxxxxxx.es and xxxxxxxx.es because of the hosts bypass i did. So my workaround doesnŽt works and i need to know or solve the connection problem for use subdomain DNS and domain in search base. Connection Parameters: everytihg goes right, is interesting the url, using not secure ldap protocol I also get the same error. [url: ldaps://aaaaa.bbbbb.xxxxxxxx.es] java.naming.security.authentication:simple Usuario mypassword(a)bbbbb.xxxxxxxx.es] Password[getLDAPropertiesSSL]:mypassword] keystore[getLDAPropertiesSSL]:/opt/java/jre/lib/security/jssecacerts trustStore[getLDAPropertiesSSL]:/opt/java/jre/lib/security/jssecacerts Especificacion uso SSL[getLDAPPropertiesSSL]java.naming.security.protocol ssl Search details: see that base DC is xxxxxxxx.es [base: OU=YYY,DC=xxxxxxxx,DC=es] [searchFilter: (&(objectClass=group)(cn={0}))] [filterArgs: new String[] {Usuarios}] [searchControls: SUBTREE_SCOPE, Atributes null, returningobjflag true] This Hosts file doesnŽt produce the Communication ERROR aaaaa.bbbbb.xxxxxxxx.es ccc.ccc.ccc.ccc xxxxxxxx.es ccc.ccc.ccc.ccc With this hosts file i get the Communication ERROR aaaaa.bbbbb.xxxxxxxx.es ccc.ccc.ccc.ccc If i try this search directly in the AD server console, it works giving me the results. Thanks in advance, Adolfo

1 0

Re: (ITS#6625) draft-zeilenga-ldap-c-api-concurrency support
by hyc＠symas.com 13 Oct '10

13 Oct '10

doug.leavitt(a)oracle.com wrote: > Part 3 of 3 of this patch > Part #1 delivered as: ITS#6669 remove obsolete SunOS4 LWP support > Part #2 delivered as: ITS#6672 mutex cleanup > > Is now available for review. The full details are located here: > > http://cr.opensolaris.org/~djl/openldap-patch3/ > > This patch is part 3 of 3 of the original ITS #6625 effort. > (aka openldap draft-zeilenga-ldap-c-api-concurrency) (aka CONCURRENCY) > This patch contains the library modifications to implement CONCURRENCY > as discussed previously in ITS #6625, on the openldap-devel mail list. > > This patch uses the new LDAP_MUTEX_[UN]LOCK macros, delivered by patch2. > Regression testing (post conversion) was performed using both 32-bit and > 64-bit x86 > compiles on an OpenSolaris system. In options.c, I'd rather just see "rc = foo; break;" instead of UNLOCK_RETURN() everywhere. (With the final unlock, return rc at the end of the function.) Aside from that things look ok to me. Anyone else have comments? > Additionally regular ongoing Solaris system testing is being performed > using the libraries built with this patch on both Solaris SPARC and > Solaris x86 systems. > > As previously shown in Round 3 codereview, there seems to be no performance > degradation with this patch, and a slight performance improvement with > the LDAP > server when using back-ldap and back-meta features of the server. > > IPR Notice > > This patch file is derived from OpenLDAP Software. All of the > modifications to > OpenLDAP Software represented in the following patch(es) were developed by > Oracle Corporation. Oracle Corporation has not assigned rights and/or > interest > in this work to any party. I, Douglas Leavitt am authorized by Oracle > Corporation, > my employer, to release this work under the following terms. > > Thank you for your consideration, > Doug. > > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6625) draft-zeilenga-ldap-c-api-concurrency support
by doug.leavitt＠oracle.com 13 Oct '10

13 Oct '10

Part 3 of 3 of this patch Part #1 delivered as: ITS#6669 remove obsolete SunOS4 LWP support Part #2 delivered as: ITS#6672 mutex cleanup Is now available for review. The full details are located here: http://cr.opensolaris.org/~djl/openldap-patch3/ This patch is part 3 of 3 of the original ITS #6625 effort. (aka openldap draft-zeilenga-ldap-c-api-concurrency) (aka CONCURRENCY) This patch contains the library modifications to implement CONCURRENCY as discussed previously in ITS #6625, on the openldap-devel mail list. This patch uses the new LDAP_MUTEX_[UN]LOCK macros, delivered by patch2. Regression testing (post conversion) was performed using both 32-bit and 64-bit x86 compiles on an OpenSolaris system. Additionally regular ongoing Solaris system testing is being performed using the libraries built with this patch on both Solaris SPARC and Solaris x86 systems. As previously shown in Round 3 codereview, there seems to be no performance degradation with this patch, and a slight performance improvement with the LDAP server when using back-ldap and back-meta features of the server. IPR Notice This patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Oracle Corporation. Oracle Corporation has not assigned rights and/or interest in this work to any party. I, Douglas Leavitt am authorized by Oracle Corporation, my employer, to release this work under the following terms. Thank you for your consideration, Doug.

1 0

Re: (ITS#6673) ldap_unbind() hangs on unreachable LDAP server when using TLS
by hyc＠symas.com 13 Oct '10

13 Oct '10

Arthur de Jong wrote: > On Wed, 2010-10-13 at 01:05 -0700, Howard Chu wrote: >> arthur(a)arthurdejong.org wrote: >>> If the connection is opened without TLS ldap_unbind() only writes some data on >>> the connection and then closes it but with TLS it expects some response back. >>> Since read() is used this blocks. >> >> Looks like this is a GnuTLS issue. Have you duplicated this with OpenSSL? > > I can confirm that this only happens if libldap is linked with GnuTLS > and not when it is linked against OpenSSL. It seems you can workaround this by changing tls_g.c's invocation of gnutls_bye() to use GNUTLS_SHUT_WR instead of GNUTLS_SHUT_RDWR. However, that strikes me as fundamentally wrong, since libldap is clearly closing both directions when it gets here. I think the bug is in gnutls_bye(), it shouldn't be waiting indefinitely when it tries to read the peer's Close alert. I'm not sure it should even be trying to read that at all; some peers may never send it. Note that because you're breaking the connection without warning, TCP doesn't know that the connection is gone, so there will be no error detected when gnutls attempts to send its own Close alert. In this case, it will probably block for 2*MSL before getting any further. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6673) ldap_unbind() hangs on unreachable LDAP server when using TLS
by arthur＠arthurdejong.org 13 Oct '10

13 Oct '10

--=-r1RmaIBBY6pCvl2u7gnR Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, 2010-10-13 at 01:05 -0700, Howard Chu wrote: > arthur(a)arthurdejong.org wrote: > > If the connection is opened without TLS ldap_unbind() only writes some = data on > > the connection and then closes it but with TLS it expects some response= back. > > Since read() is used this blocks. >=20 > Looks like this is a GnuTLS issue. Have you duplicated this with OpenSSL? I can confirm that this only happens if libldap is linked with GnuTLS and not when it is linked against OpenSSL. --=20 -- arthur - arthur(a)arthurdejong.org - http://arthurdejong.org -- --=-r1RmaIBBY6pCvl2u7gnR Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAABAgAGBQJMthnmAAoJECqLdGgQ4K/BXucP/RnIZ5OWQtivRE94QBQyvb2C hSoQb0U+ToQZucUDxxsIoFO81eEKTfOk5M1RVawzVVDUviq7YVxiE28BEbZQMvix FPiyEYFsUhrsq+ieRMupYS1tsSXE+6fZUjRVJ7JXYMJyMy/sG17zzMJhD/GXfB3Z A2yewks+jl+1i88w55ufwvPAwDgo3TIS1VudvA1K9gJ1wOoDY3jUHCAuUGjDLQ6V kHZ8IYmyRgspD7/pjjCfIewGkoy+ARzguPl28bNcai9xlvnNCmDfg1ECeGoZ5hwD tGTRGTAChhsYX+Aflv0UHRgIk1mPThdFCLgwpda36faiYFsjjWdDKw8u0owqgeLX OUnjkZ+3Q7eetROaqi+VtAqKQ78pRmsMbydsF0O88fERxDOYTGFMqdPItzPtFay5 uFFWBt/SaJruxU/FDNM87lAoL6uOBuQSGJJLoTRa8Sh8cjwakrN/NbIYcEwYBaSJ mNCoeFudWTJLvEa/4Iflu3RXR74599J4/QVyHJUm5GScyLEtfqB+7Vs9FH5Fqni8 qr+OdVVxw1x93WEEFMRv6RRBcsTFhjDFiP3vZ47jez4QLY9lU7iIzAD86I1jT37e CV+oZa2o/vgZR5O8NLsK23c5JM8nGDMBmaNo4c+iTDCxcI+zAUulG2XLVh9u4u7w F/KVk/Tt1bHunrjDWHyF =pUs6 -----END PGP SIGNATURE----- --=-r1RmaIBBY6pCvl2u7gnR--

1 0

Re: (ITS#6674) OpenLDAP 2.4.16 has very high CPU load on Solaris 10, x86
by quanah＠zimbra.com 13 Oct '10

13 Oct '10

--On Wednesday, October 13, 2010 10:11 AM +0000 donal.duane(a)ericsson.com wrote: > Full_Name: Donal Duane > Version: 2.4.16 > OS: Solaris 10 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (95.45.199.134) The current stable release is 2.4.23. Please use the current release. You also should note the size of your database, BDB version (and whether or not it is up to date on patches), and the relevant configuration bits for the database configuration. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#6674) OpenLDAP 2.4.16 has very high CPU load on Solaris 10, x86
by donal.duane＠ericsson.com 13 Oct '10

13 Oct '10

Full_Name: Donal Duane Version: 2.4.16 OS: Solaris 10 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (95.45.199.134) Hi, I would like to know if this is a known issue, and if so, if a fix has been issued. We have only recently started using OpenLDAP 2.4.16 on Solaris 10, x86 HW. (Because of this, we have no previous benchmark for CPU usage for OpenDLAP for comparison - we also have sparc systems, but have not stress tested OpenLDAP on sparc yet). We have noticed that the slapd process is using a huge amount of CPU. There are massive CPU time spikes obvious over a period of time which we monitored, reaching 520 CPU seconds and even 700 CPU seconds at one stage. there are also some completely flat periods. The activities seem to be purely LDAP searches. Processor info: # psrinfo -pv The physical processor has 4 virtual processors (0 4 8 12) x86 (chipid 0x0 GenuineIntel family 6 model 29 step 1 clock 2400 MHz) Intel(r) Xeon(r) CPU E7440 @ 2.40GHz The physical processor has 4 virtual processors (1 5 9 13) x86 (chipid 0x1 GenuineIntel family 6 model 29 step 1 clock 2400 MHz) Intel(r) Xeon(r) CPU E7440 @ 2.40GHz The physical processor has 4 virtual processors (2 6 10 14) x86 (chipid 0x2 GenuineIntel family 6 model 29 step 1 clock 2400 MHz) Intel(r) Xeon(r) CPU E7440 @ 2.40GHz The physical processor has 4 virtual processors (3 7 11 15) x86 (chipid 0x3 GenuineIntel family 6 model 29 step 1 clock 2400 MHz) Intel(r) Xeon(r) CPU E7440 @ 2.40GHz # isainfo -b 64 => (64 bit) # uname -a SunOS atrcxb1226 5.10 Generic_142901-13 i86pc i386 i86pc Any help appreciated. Regards, Dónal

1 0

Re: (ITS#6673) ldap_unbind() hangs on unreachable LDAP server when using TLS
by hyc＠symas.com 13 Oct '10

13 Oct '10

arthur(a)arthurdejong.org wrote: > Full_Name: Arthur de Jong > Version: 2.4.23 > OS: Debian/unstable > URL: > Submission from: (NULL) (2001:888:1613:0:218:8bff:fe55:2c9f) > > > When a network connection to the LDAP server fails (is severed with iptables in > my set-up) the error is detected properly with ldap_result() > (LDAP_OPT_TIMELIMIT, LDAP_OPT_TIMEOUT and LDAP_OPT_NETWORK_TIMEOUT options are > set), however closing the connection with ldap_unbind() hangs indefinitely on a > read() operation (determined by strace) when using a ldaps:// connection. > > If the connection is opened without TLS ldap_unbind() only writes some data on > the connection and then closes it but with TLS it expects some response back. > Since read() is used this blocks. Looks like this is a GnuTLS issue. Have you duplicated this with OpenSSL? > > This is a backtrace of the thread that was hanging: > > #0 0xb7fe2424 in __kernel_vsyscall () > #1 0xb7f5809b in read () at ../sysdeps/unix/syscall-template.S:82 > #2 0xb7e021bb in sb_stream_read (sbiod=0x8064630, buf=0x8083038, len=5) > at /build/buildd-openldap_2.4.23-6-i386-fyqRGs/openldap-2.4.23/libraries/liblber/sockbuf.c:493 > #3 0xb7e0132a in sb_debug_read (sbiod=0x807e250, buf=0x8083038, len=5) > at /build/buildd-openldap_2.4.23-6-i386-fyqRGs/openldap-2.4.23/libraries/liblber/sockbuf.c:827 > #4 0xb7fa0d27 in tlsg_recv (ptr=0x806fb50, buf=0x8083038, len=4294966784) at > tls_g.c:904 > #5 0xb7c65aa2 in ?? () from /usr/lib/libgnutls.so.26 > #6 0xb7c65f77 in ?? () from /usr/lib/libgnutls.so.26 > #7 0xb7c611e7 in _gnutls_recv_int () from /usr/lib/libgnutls.so.26 > #8 0xb7c626b8 in gnutls_bye () from /usr/lib/libgnutls.so.26 > #9 0xb7fa0dc4 in tlsg_sb_close (sbiod=0x807e268) at tls_g.c:970 > #10 0xb7e01831 in ber_int_sb_close (sb=0x80645a8) > at /build/buildd-openldap_2.4.23-6-i386-fyqRGs/openldap-2.4.23/libraries/liblber/sockbuf.c:383 > #11 0xb7f8d1a0 in ldap_free_connection (ld=0x8066418, lc=0x8065b60, force=1, > unbind=1) at request.c:768 > #12 0xb7f83060 in ldap_ld_free (ld=0x8066418, close=1, sctrls=0x0, cctrls=0x0) > at unbind.c:93 > #13 0xb7f83326 in ldap_unbind_ext (ld=0x8066418, sctrls=0x0, cctrls=0x0) at > unbind.c:52 > #14 0xb7f8343f in ldap_unbind (ld=0x8066418) at unbind.c:69 > #15 0x0804cfc0 in ?? () > #16 0x0804e750 in ?? () > #17 0x08057a9f in ?? () > #18 0x0804bb8d in ?? () > #19 0xb7f50955 in start_thread (arg=0xb7b92b70) at pthread_create.c:300 > #20 0xb7ed0e7e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130 > > > More background information is available at [0]. > > As a workaround [1] I've used LDAP_OPT_DESC to get the file descriptor for the > connection and used setsockopt(SO_RCVTIMEO) and setsockopt(SO_SNDTIMEO) on it. > This fixes the problem for me at least but I'm not 100% this has no unwanted > side-effects. > > [0] http://bugs.debian.org/596983 > [1] http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1264 > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Local structure mech in servers/slapd/bind.c assigned to op->orb_mech.
by Grafton Kennedy 13 Oct '10

13 Oct '10

The local structure mech in servers/slapd/bind.c is declared in do_bind as struct berval mech = BER_BVNULL; at about line 44. Further in do_bind, around line 201, mech is assigned to op->orb_mech. As a newbie to slapd, I'm concerned about this assignment. Later, slapd cores in an_find and I see that op->orb_mech.bv_len shares the same address as op->o_request.oq_search.rs_attrs: Program received signal SIGSEGV, Segmentation fault. an_find (a=0x6, s=0x814322c) at ad.c:874 874 for ( ; a->an_name.bv_val; a++ ) { (gdb) up #1 0x0807f865 in slap_attr_flags (an=0x6) at result.c:1659 1659 flags |= an_find( an, slap_bv_all_operational_attrs ) (gdb) up #2 0x08080a54 in slap_send_search_entry (op=0x81e74e0, rs=0xbfffa368) at result.c:821 821 rs->sr_attr_flags = slap_attr_flags( rs->sr_attrs ); (gdb) print &op->o_request.oq_bind.rb_mech $97 = (struct berval *) 0x81e751c (gdb) print &op->o_request.oq_bind.rb_mech.bv_len $98 = (ber_len_t *) 0x81e751c (gdb) print &op->o_request.oq_search.rs_attrs $99 = (AttributeName **) 0x81e751c I am using back-shell and slapd cores when my bind shell script outputs blank lines between data lines. If I remove the blank lines slapd doesn't core. But then it dumps the whole input and complains "expected RESULT" which I know isn't right. Thanks, Grafton

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs October 2010