openldap-bugs November 2010

openldap-bugs@openldap.org

32 participants
103 discussions

Re: (ITS#6684) Patch for autogroup overlay
by ryans＠aweber.com 30 Nov '10

30 Nov '10

I'm not sure if this is still relevant or useful, but included below is a set of steps that will reliably reproduce the issue and a backtrace using autogroup from HEAD and ppolicy, which as noted causes segmentation faults in the slaptools utilities (e.g., slapcat). Note that this backtrace is from a build of 2.4.21, but the issue is present and occurs with 2.4.23 as well, as Norbert has stated. rgs@ldapmaster3:~# ldapmodify -x -h localhost -ZZ -D 'cn=admin,cn=config' -y /etc/ldap.secret dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: ppolicy.la modifying entry "cn=module{0},cn=config" rgs@ldapmaster3:~# ldapadd -x -h localhost -ZZ -D 'cn=admin,cn=config' -y /etc/ldap.secret dn: olcOverlay={3}ppolicy,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {3}ppolicy olcPPolicyHashCleartext: FALSE olcPPolicyForwardUpdates: FALSE olcPPolicyUseLockout: TRUE adding new entry "olcOverlay={3}ppolicy,olcDatabase={1}hdb,cn=config" rgs@ldapmaster3:~# cat /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif dn: cn=module{0} objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap olcModuleLoad: {0}back_hdb.la olcModuleLoad: {1}autogroup.la olcModuleLoad: {2}syncprov.la olcModuleLoad: {3}smbk5pwd.la olcModuleLoad: {4}ppolicy.la structuralObjectClass: olcModuleList creatorsName: cn=config entryUUID: f83e3413-5ba7-4c85-9bf7-ed8728d9fbce createTimestamp: 20091018205311Z entryCSN: 20101129205850.805900Z#000000#001#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20101129205850Z rgs@ldapmaster3:~/ldap/ldifs/ppolicy# gdb --args slapcat -n1 (gdb) run Starting program: /usr/sbin/slapcat -n1 [Thread debugging using libthread_db enabled] Program received signal SIGSEGV, Segmentation fault. 0x00007ffff2228840 in ppolicy_restrict (op=0x7fffffffd700, rs=0x7fffffffd660) at /usr/src/openldap/openldap-2.4.21/servers/slapd/overlays/ppolicy.c:1271 1271 /usr/src/openldap/openldap-2.4.21/servers/slapd/overlays/ppolicy.c: No such file or directory. in /usr/src/openldap/openldap-2.4.21/servers/slapd/overlays/ppolicy.c (gdb) backtrace #0 0x00007ffff2228840 in ppolicy_restrict (op=0x7fffffffd700, rs=0x7fffffffd660) at /usr/src/openldap/openldap-2.4.21/servers/slapd/overlays/ppolicy.c:1271 #1 0x00007ffff7f6ed3a in overlay_op_walk (op=0x7fffffffd700, rs=0x7fffffffd660, which=<value optimized out>, oi=0x7ffff83220c0, on=0x7ffff8341e50) at /usr/src/openldap/openldap-2.4.21/servers/slapd/backover.c:659 #2 0x00007ffff7f6f8ab in over_op_func (op=0x7fffffffd700, rs=0xfffffffffffffff0, which=4294957760) at /usr/src/openldap/openldap-2.4.21/servers/slapd/backover.c:721 #3 0x00007ffff2846141 in autogroup_db_open (be=<value optimized out>, cr=<value optimized out>) at autogroup.c:1754 #4 0x00007ffff7f6e994 in over_db_open (be=<value optimized out>, cr=0x7fffffffdfb0) at /usr/src/openldap/openldap-2.4.21/servers/slapd/backover.c:155 #5 0x00007ffff7f1388c in backend_startup_one (be=0x7ffff8315f80, cr=0x7fffffffdfb0) at /usr/src/openldap/openldap-2.4.21/servers/slapd/backend.c:224 #6 0x00007ffff7f13a83 in backend_startup (be=0x7ffff8315f80) at /usr/src/openldap/openldap-2.4.21/servers/slapd/backend.c:278 #7 0x00007ffff7f742cc in slap_tool_init (progname=<value optimized out>, tool=2, argc=2, argv=0x7fffffffe5a8) at /usr/src/openldap/openldap-2.4.21/servers/slapd/slapcommon.c:780 #8 0x00007ffff7f7335a in slapcat (argc=-9536, argv=<value optimized out>) at /usr/src/openldap/openldap-2.4.21/servers/slapd/slapcat.c:51 #9 0x00007ffff7ee84f5 in main (argc=2, argv=0x7fffffffe5a8) at /usr/src/openldap/openldap-2.4.21/servers/slapd/main.c:657 (gdb) x 0x7fffffffd700 0x7fffffffd700: 0xffffd870 (gdb) x 0x7fffffffd660 0x7fffffffd660: 0x00000000 For reference, line 1271, located within the ppolicy_restrict function, looks like so: if ( op->o_conn && !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) { -Ryan

1 0

(ITS#6729) slapd segfault caused by ldapsearch -Y OTP
by daniel＠pluta.biz 30 Nov '10

30 Nov '10

Full_Name: Daniel Pluta Version: HEAD OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:4ca0:0:f000:223:aeff:feac:1f51) For details and a patch please visit: http://www.openldap.org/its/index.cgi/Development?id=6475;selectid=6475#fol…

1 0

(ITS#6728) libldap TCP/SASL problems
by quanah＠zimbra.com 29 Nov '10

29 Nov '10

Full_Name: Quanah Gibson-Mount Version: 2.4.23 OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (75.111.45.108) As reported at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604122 Hello, During some tests for nslcd[1], I found that if the SASL_SECPROPS in /etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the library: - open a useless TCP connection to the server - check the mechanism and fail - close the TCP connection ===== /etc/ldap/ldap.conf BASE dc=baby-gnu,dc=org URI ldap://192.168.122.4 SASL_MECH DIGEST-MD5 SASL_SECPROPS noactive ===== /etc/ldap/ldap.conf ===== Wireshark capture No. Time Source Destination Protocol Info 3 2.728967 192.168.122.3 192.168.122.4 TCP 51521 > ldap [SYN] Seq=0 [...] 4 2.729699 192.168.122.4 192.168.122.3 TCP ldap > 51521 [SYN, ACK] Seq=0 [...] 5 2.729714 192.168.122.3 192.168.122.4 TCP 51521 > ldap [ACK] Seq=1 [...] 6 2.739576 192.168.122.3 192.168.122.4 TCP 51521 > ldap [FIN, ACK] Seq=1 [...] 7 2.740686 192.168.122.4 192.168.122.3 TCP ldap > 51521 [FIN, ACK] Seq=1 [...] 8 2.740702 192.168.122.3 192.168.122.4 TCP 51521 > ldap [ACK] Seq=2 [...] ===== Wireshark capture ===== ldapsearch ldapsearch -U dad -s base -LLL supportedSASLMechanisms ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found ===== ldapsearch As the problem is found in a software using the libldap, I conclude the problem is in the lib and not in ldapsearc. Regards.

1 0

Re: (ITS#6641) Syncrepl failure with 'overlay unique'
by ondrej.kuznik＠acision.com 29 Nov '10

29 Nov '10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/09/2010 03:50 PM, ondrej.kuznik(a)acision.com wrote: > On 09/07/2010 03:26 PM, andrew.findlay(a)skills-1st.co.uk wrote: >> It would certainly help to keep the apparent promises made by things >> like the uniqueness overlay. Alternatively you could take the view >> that the data will converge eventually and that is all that the LDAP >> standards promise. > > We've hit a similar problem and decided to go this way, i.e. allowing > the replication to bypass the uniqueness constraints. > > [...] > > I have put a preliminary version of patches that modify the unique > overlay here > ftp://ftp.openldap.org/incoming/ondrej-kuznik-20101109-unique_bypass_v1.tgz > > [...] > > Howard and/or others, do you consider this solution valid for this ITS? > If yes, could you help me address the things that should be sorted out? > Hi, I am resurrecting this ITS since there has been no comment on the idea since, nor has it been explicitly rejected by anyone. Does it seem valid to you? If so, could you spare a pointer or two to help me resolve some of the issues with the patch I have pointed out so that I can make it more fit for inclusion? Regards, Ondrej Kuznik -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkzzx1gACgkQ9GWxeeH+cXuhQACcCQVydbRBhQJqhONrgeqwXLQ8 xwwAnj0NBBBY3xkazS+QfBRKB/GVGFHm =ZYQI -----END PGP SIGNATURE----- This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

1 0

Re: RE : (ITS#6720) back-ldap core dump
by masarati＠aero.polimi.it 29 Nov '10

29 Nov '10

olivier.chirossel(a)sfr.com wrote: > Thanks for the report. I've reproduced the bug; it appears to be inside=20 > slapo-rwm(5). The core dump is related to a double free, which I'm=20 > trying to track. Please test the latest commit of overlays/rwm.c (should apply fine to 2.4.23) and report. It fixes the double free. With respect to your problem description, "lastmod off" means that the backend will not *generate* modification-related operational attributes; however they are proxied. Moreover, you can't strip them off with mapping unless the remapping is part of a replication process (i.e. the backend contains syncrepl or "updatedn" is set and the operation is performed with that identity). p.

1 0

RE: RE : (ITS#6720) back-ldap core dump
by olivier.chirossel＠sfr.com 29 Nov '10

29 Nov '10

Thank's for your time, the write can't be stop, i have to reinstall all the replica , and my plann= ing, for the second step, take 3 months ... Regards, Olivier -----Message d'origine----- De=A0: Pierangelo Masarati [mailto:masarati@aero.polimi.it]=20 Envoy=E9=A0: lundi 29 novembre 2010 15:21 =C0=A0: CHIROSSEL, Olivier Cc=A0: openldap-its(a)openldap.org Objet=A0: Re: RE : (ITS#6720) back-ldap core dump olivier.chirossel(a)sfr.com wrote: > Thank's for you reply, >=20 > you can get a tar file containing a simple case which reproduce the probl= em=3D > here ( i don't put rewriting rules in proxy conf, just strip of operati= on=3D > nal attribut ) >=20 > wget http://olivier:its6720@84.103.237.12/its6720.tar >=20 >=20 > the lance.sh inititialise the tests=3D20 > (the slapd suppose to be in /usr/local/libexec) >=20 > and you reproduce it with the command : >=20 > ldapmodify -D "cn=3D3Dmanager,dc=3D3Dneuf,dc=3D3Dfr" -H "ldap://127.0.0.1= :489" -=3D > w secret -f mod >=20 > i try to explain you my need=3D20 >=20 > 1) For the moment i have a master in 2.3.x with many replica in 2.3.x wit= h =3D > slurpd replication >=20 > 2) my goal is to migrate to a mirror mode master infrastructure with sync= re=3D > pl replication >=20 > 3) the first step is to install my mirror mode infrastructure and replica= te=3D > with slurpd from my old master. >=20 > 4) second step re install replica one by one with syncrepl replication to= m=3D > y new mirror mode infrastructure >=20 > 5) third step write directly to my mirror mode infrastructure >=20 > For the first step i put a proxy ldap between my old master and my mirror= m=3D > ode infrastructure to do rewrite rules and strip operationnal attribut (i= n=3D > eed, at the end, have a new clean infrastructure with entryCSN contains = th=3D > e ServerId of my new master, for checks the replcation status between my = ma=3D > ster and between my replica and my mirror mode architcture) > =3D20 > The ldapmodify command reproduce the replication operations which highlig= ht=3D > the problem.. >=20 > PS:=3DA0before strip attribute with rwm-map directives i try to put "last= mod =3D > off" in proxy ldap configuration without success ... Thanks for the report. I've reproduced the bug; it appears to be inside=20 slapo-rwm(5). The core dump is related to a double free, which I'm=20 trying to track. In any case, since as far as I understand the only reason you need=20 slapo-rwm(5) is to modify data during the migration, you should probably=20 do it offline, after exporting your data and before importing in the new=20 system. p.

1 0

Re: RE : (ITS#6720) back-ldap core dump
by masarati＠aero.polimi.it 29 Nov '10

29 Nov '10

olivier.chirossel(a)sfr.com wrote: > Thank's for you reply, > > you can get a tar file containing a simple case which reproduce the problem= > here ( i don't put rewriting rules in proxy conf, just strip of operation= > nal attribut ) > > wget http://olivier:its6720@84.103.237.12/its6720.tar > > > the lance.sh inititialise the tests=20 > (the slapd suppose to be in /usr/local/libexec) > > and you reproduce it with the command : > > ldapmodify -D "cn=3Dmanager,dc=3Dneuf,dc=3Dfr" -H "ldap://127.0.0.1:489" -= > w secret -f mod > > i try to explain you my need=20 > > 1) For the moment i have a master in 2.3.x with many replica in 2.3.x with = > slurpd replication > > 2) my goal is to migrate to a mirror mode master infrastructure with syncre= > pl replication > > 3) the first step is to install my mirror mode infrastructure and replicate= > with slurpd from my old master. > > 4) second step re install replica one by one with syncrepl replication to m= > y new mirror mode infrastructure > > 5) third step write directly to my mirror mode infrastructure > > For the first step i put a proxy ldap between my old master and my mirror m= > ode infrastructure to do rewrite rules and strip operationnal attribut (i n= > eed, at the end, have a new clean infrastructure with entryCSN contains th= > e ServerId of my new master, for checks the replcation status between my ma= > ster and between my replica and my mirror mode architcture) > =20 > The ldapmodify command reproduce the replication operations which highlight= > the problem.. > > PS:=A0before strip attribute with rwm-map directives i try to put "lastmod = > off" in proxy ldap configuration without success ... Thanks for the report. I've reproduced the bug; it appears to be inside slapo-rwm(5). The core dump is related to a double free, which I'm trying to track. In any case, since as far as I understand the only reason you need slapo-rwm(5) is to modify data during the migration, you should probably do it offline, after exporting your data and before importing in the new system. p.

1 0

Re: (ITS#6532) Support for common orderingMatching rules in extensible match filters
by h.b.furuseth＠usit.uio.no 28 Nov '10

28 Nov '10

BTW, it occurred to me that it might be an idea to add comments instead of removing yours. slapd/schema_init.c (rev 1.474) now explains how it works, as far as I understand it. -- Hallvard

1 0

Re: (ITS#6727) ./scripts/test047-ldap: line 599: 26709 Segmentation fault
by michael＠stroeder.com 28 Nov '10

28 Nov '10

Now I got running this test: "WhoAmI failed (34)!" See gdb output below. I could provide content of testrun/ if necessary. $ ./run -b bdb -l 30 test047 Cleaning up test run directory leftover from previous run. Running ./scripts/test047-ldap for bdb... Running 1 of 30 iterations running defines.sh Starting slapd on TCP/IP port 9011... Using ldapsearch to check that slapd is running... Using ldapadd to populate the database... Starting slapd on TCP/IP port 9012... Using ldapsearch to check that slapd is running... Using ldapadd to populate the database... Starting slapd on TCP/IP port 9013... Using ldapsearch to check that slapd is running... Searching base="o=Example,c=US"... Searching base="ou=Meta,o=Example,c=US"... Modifying database "o=Example,c=US"... Searching base="o=Example,c=US"... base="o=Example,c=US"... Searching filter="(seeAlso=cn=all staff,ou=Groups,o=Example,c=US)" attrs="seeAlso" base="o=Example,c=US"... Searching filter="(uid=example)" attrs="uid" base="o=Example,c=US"... Searching filter="(member=cn=Another Added Group,ou=Groups,o=Example,c=US)" attrs="member" base="o=Example,c=US"... Waiting 10 seconds for cached connections to timeout... Searching with a timed out connection... Checking server-enforced size limit... Checking client-requested size limit... Filtering ldapsearch results... Filtering original ldif used to create database... Comparing filter output... Changing password to database "o=Example,c=US"... Binding with newly changed password to database "o=Example,c=US"... Binding as newly added user to database "o=Example,c=US"... WhoAmI failed (34)! (gdb) info threads * 1 Thread 31230 0x00007f9e739109e5 in raise () from /lib64/libc.so.6 (gdb) thread apply all bt Thread 1 (Thread 31230): #0 0x00007f9e739109e5 in raise () from /lib64/libc.so.6 #1 0x00007f9e73911ee6 in abort () from /lib64/libc.so.6 #2 0x00007f9e73909235 in __assert_fail () from /lib64/libc.so.6 #3 0x0000000000475d13 in at_delete_names () at at.c:242 #4 at_destroy () at at.c:323 #5 0x000000000046fef3 in schema_destroy () at schema_init.c:6768 #6 0x000000000040ad0f in main (argc=<value optimized out>, argv=<value optimized out>) at main.c:1037

1 0

Re: (ITS#6727) ./scripts/test047-ldap: line 599: 26709 Segmentation fault
by michael＠stroeder.com 28 Nov '10

28 Nov '10

It seems this only happens occasionally. I'll try to get a stack trace...

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs November 2010