openldap-bugs February 2010

openldap-bugs@openldap.org

28 participants
69 discussions

Re: (ITS#6479) olcAccess filter does not work
by masarati＠aero.polimi.it 19 Feb '10

19 Feb '10

> Full_Name: hellweiss > Version: 2.4.20 > OS: openSuSE > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (82.135.6.106) > > > olcAccess {3}to dn.subtree="dc=site" filter=(objectclass=*) > attrs=cn,email,entry,objectClass,uid by * read > > works ok, changing the olcAccess filter to e.g. person > > olcAccess {3}to dn.subtree="dc=site" filter=(objectclass=person) > attrs=cn,email,entry,objectClass,uid by * read > > gives no results Given that this is specifically tested by test006, and this test routinely passes, and considering how incomplete your report is, I recommend you provide a means to easily reproduce the issue (e.g. detailed slapd.conf, LDIF data and details about the unsuccessful operation) in order to have this issue report processed further. p.

1 0

(ITS#6479) olcAccess filter does not work
by hellweiss＠gmx.de 19 Feb '10

19 Feb '10

Full_Name: hellweiss Version: 2.4.20 OS: openSuSE URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (82.135.6.106) olcAccess {3}to dn.subtree="dc=site" filter=(objectclass=*) attrs=cn,email,entry,objectClass,uid by * read works ok, changing the olcAccess filter to e.g. person olcAccess {3}to dn.subtree="dc=site" filter=(objectclass=person) attrs=cn,email,entry,objectClass,uid by * read gives no results

1 0

Re: (ITS#6478) slapd crashes with segfault
by quanah＠zimbra.com 19 Feb '10

19 Feb '10

--On Friday, February 19, 2010 2:18 PM +0000 wolfgang.hummel(a)hp.com wrote: > Full_Name: Wolfgang Hummel > Version: 2.4.21 > OS: RedHat Linux 5.1 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (15.203.233.80) Please provide a backtrace from a version of slapd compiled with full debugging symbols (CFLAGS="-g"). Your report is too vague to provide any help. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: (ITS#6478) slapd crashes with segfault
by masarati＠aero.polimi.it 19 Feb '10

19 Feb '10

wolfgang.hummel(a)hp.com wrote: > Full_Name: Wolfgang Hummel > Version: 2.4.21 > OS: RedHat Linux 5.1 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (15.203.233.80) > > > OpenLdap crashes occasionally with a segfault error, e.g. > [root@ts2mstsv010 Ldap]# dmesg|grep slapd > slapd[8783]: segfault at 00000000000000f0 rip 0000000000459b72 rsp > 000000004286e990 error 4 > [root@ts2mstsv010 Ldap]# > After the crash, stale lock files exist, slapd_db_recover has to be run > The server is HP D380 G5 with Intel Quadcore CPU @ 2 GHz > 32 GB memory > OS is Linux Redhat 64bit 5.1 > Oracle Berkeley DB is 4.7 > The server has 5 DBs. The whole setup has a second master in identical config > with multi-master replication and 2 slaves. > The 2 main DBs have 30 Mio. entries each, the other dbs are very small. > <http://www.openldap.org/faq/data/cache/59.html> p.

1 0

(ITS#6478) slapd crashes with segfault
by wolfgang.hummel＠hp.com 19 Feb '10

19 Feb '10

Full_Name: Wolfgang Hummel Version: 2.4.21 OS: RedHat Linux 5.1 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (15.203.233.80) OpenLdap crashes occasionally with a segfault error, e.g. [root@ts2mstsv010 Ldap]# dmesg|grep slapd slapd[8783]: segfault at 00000000000000f0 rip 0000000000459b72 rsp 000000004286e990 error 4 [root@ts2mstsv010 Ldap]# After the crash, stale lock files exist, slapd_db_recover has to be run The server is HP D380 G5 with Intel Quadcore CPU @ 2 GHz 32 GB memory OS is Linux Redhat 64bit 5.1 Oracle Berkeley DB is 4.7 The server has 5 DBs. The whole setup has a second master in identical config with multi-master replication and 2 slaves. The 2 main DBs have 30 Mio. entries each, the other dbs are very small.

1 0

(ITS#6477) Clarify ambiguous TLS/SSL Errors in libldap/tls2c.
by bseklecki＠noc.cfi.pgh.pa.us 18 Feb '10

18 Feb '10

Full_Name: Brian A. Seklecki Version: 2.4.21 OS: FreeBSD, Linux, Plan 9, CP/M, Bubble Memory URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2607:f000:10:202:21a:a0ff:fec2:7a6c) I'll try not to be ambiguous in my bug report. We received a support request escalation regarding an ambiguous error printed by slapd(8) at init. After review, we found that SSL library calls in OpenLDAP are not properly reporting back to the user fopen() problems when TLSCert* configuration objects are unreadable by the effective POSIX user. E.g., when a private key/cert/intermediary cert chain has POSIX permissions restricting read access by "-u $USER", the following error is printed: User Steve Polyack reports a similar error here: http://www.openldap.org/lists/openldap-software/201002/msg00025.html Also Google says: Results 1-10 of about 1,730 for "main: TLS init def ctx failed: -1". Some of these result all the back to early 2003 If you look at mailing list archives, similar error reports appear thousands of times from confused users who thought they were being diligent in by setting restrictive permissions only to receive an ambiguous error that indicates nothing about excessively restrictive permissions. The problem is that this error gets printed with "-1" under too many conditions in libraries/libldap/tls2.c::ldap_pvt_tls_set_option() ...which in turn sets rc= in servers/slapd/main.c: Which prints: 2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug] slapd[6261]: main: TLS init def ctx failed: -1 So unless you've browsed through the OpenSSL API guide, you wouldn't even know what the CTX data structure is or how it relates to this. They do a pretty shitty job of explaining it even, so why bother mentioning it? Anyway, until we can implement OpenSSL's err(3) framework, we should refer to the user to ssl.h for RC values from ldap_pvt_tls_set_option() greater than 0. For errors, greater than 1, ldap_pvt_tls_set_option() can return that in about 15 different locations. It _could also_ pass on a -1 return code from ldap_int_tls_init_ctx () at: return ldap_int_tls_init_ctx( lo, *(int *)arg ); There are no shortage of places where where -1 could be returned to user in our code, so we should make -1 return codes other negative values to nudge the user along. Additional Debug() statements would be useful, but I don't want to get greedy. ~BAS ----------------- These patches compile-test. I'll push them into our pre-production environment: $ diff -u servers/slapd/main.c-orig servers/slapd/main.c --- servers/slapd/main.c-orig 2010-02-18 16:52:37.000000000 -0500 +++ servers/slapd/main.c 2010-02-18 16:57:30.000000000 -0500 @@ -843,8 +843,16 @@ load_extop( &slap_EXOP_START_TLS, 0, starttls_extop ); } else if ( rc != LDAP_NOT_SUPPORTED ) { Debug( LDAP_DEBUG_ANY, - "main: TLS init def ctx failed: %d\n", + "main: TLS initialization of def SSL/TLS CTX object failed with err: %d\n", rc, 0, 0 ); + + if (rc < 0) { + Debug( LDAP_DEBUG_ANY, "main: something has gone terribly wrong in creation of the SSL data structure. Check filesystem permissions, ownership bits, ACLs, configuration file paths. Resort to strace(1)/ktrace(1) debugging.\n", rc, 0, 0); + } + if (rc > 0) { + Debug( LDAP_DEBUG_ANY, "main: something has gone wrong in creation of the SSL socket data structure. Please check the OpenSSL error code above against: /usr/include/openssl/ssl until we add err(3) support.\n", rc, 0, 0); + } + rc = 1; SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 ); goto destroy; $ diff -u ./libraries/libldap/tls2.c-orig ./libraries/libldap/tls2.c --- ./libraries/libldap/tls2.c-orig 2010-02-18 17:14:59.000000000 -0500 +++ ./libraries/libldap/tls2.c 2010-02-18 17:16:25.000000000 -0500 @@ -704,7 +704,7 @@ switch( option ) { case LDAP_OPT_X_TLS: - if ( !arg ) return -1; + if ( !arg ) return -2; switch( *(int *) arg ) { case LDAP_OPT_X_TLS_NEVER: @@ -718,7 +718,7 @@ return 0; } - return -1; + return -3; case LDAP_OPT_X_TLS_CTX: if ( lo->ldo_tls_ctx ) @@ -757,7 +757,7 @@ lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; return 0; case LDAP_OPT_X_TLS_REQUIRE_CERT: - if ( !arg ) return -1; + if ( !arg ) return -3; switch( *(int *) arg ) { case LDAP_OPT_X_TLS_NEVER: case LDAP_OPT_X_TLS_DEMAND: @@ -767,10 +767,10 @@ lo->ldo_tls_require_cert = * (int *) arg; return 0; } - return -1; + return -4; #ifdef HAVE_OPENSSL_CRL case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ - if ( !arg ) return -1; + if ( !arg ) return -5; switch( *(int *) arg ) { case LDAP_OPT_X_TLS_CRL_NONE: case LDAP_OPT_X_TLS_CRL_PEER: @@ -778,7 +778,7 @@ lo->ldo_tls_crlcheck = * (int *) arg; return 0; } - return -1; + return -6; #endif case LDAP_OPT_X_TLS_CIPHER_SUITE: if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite ); @@ -786,17 +786,17 @@ return 0; case LDAP_OPT_X_TLS_PROTOCOL_MIN: - if ( !arg ) return -1; + if ( !arg ) return -7; lo->ldo_tls_protocol_min = *(int *)arg; return 0; case LDAP_OPT_X_TLS_RANDOM_FILE: if ( ld != NULL ) - return -1; + return -8; if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile ); lo->ldo_tls_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; break; case LDAP_OPT_X_TLS_NEWCTX: - if ( !arg ) return -1; + if ( !arg ) return -9; if ( lo->ldo_tls_ctx ) ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx ); lo->ldo_tls_ctx = NULL;

1 0

Re: (ITS#6464) Buffer overflow
by rhafer＠suse.de 17 Feb '10

17 Feb '10

Am Mittwoch 17 Februar 2010 11:57:27 schrieb csdr(a)lthd.com: > Well .. it worked. > > Here are that stack traces if you need them anymore (I thought strace > did that) ... > > http://www.lthd.com/thread_apply_all_bt.txt > and > http://www.lthd.com/bt_full.txt > > Thank you. > > PS: I am surprised that none has encountered that bug which comes from > version 2.4.19 (AFAIK) This problem only appears when using pretty recent gcc Versions and when building with -D_FORTIFY_SOURCE=2 (At least for me). -- Ralf

1 0

(ITS#6476) Failure to delete entry with multi-master replication
by worganc＠avaya.com 17 Feb '10

17 Feb '10

Full_Name: Craig Worgan Version: 2.4.21 OS: RedHat Enterprise Linux 5 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.11.182.86) As per Kyle Blaney's post to the bugs mailing list (Kyle is n vacation so I am submitting this ITS on his behalf): I have encountered a situation with multi-master replication in OpenLDAP 2.4.21 where an entry deleted on one server is not deleted from its peer. I'm using Redhat Enterprise Linux 5. Here's what I did: 1. Configure Network Time Protocol with server A as the NTP master and server B as the NTP slave. 2. Configure multi-master replication between server A (server ID=1) and server B (server ID=2). 3. Start OpenLDAP service on servers A and B. 4. Add an entry to server A and ensure it's replicated to server B. 5. Add an entry to server B and ensure it's replicated to server A. 6. Stop OpenLDAP service on server A. 7. Delete an entry on server B. 8. Start OpenLDAP service on server A with sync debugging enabled (-d sync). At this point, I expected that the entry deleted from server B would be deleted from server A. Instead, the entry remained on server A and slapd displayed the following (with the entry's DN X'ed out): slapd starting do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE Entry XXXXXX CSN 20100209193028.621799Z#000000#001#000000 older or equal to ctx 20100209193028.621799Z#000000#001#000000 syncprov_search_response: cookie=rid=001,sid=001,csn=20100202210831.101462Z#000000#000#000000;2010 0209193028.621799Z#000000#001#000000;20100209193118.342038Z#000000#002#0 00000 Why wouldn't the entry deleted on server B also deleted from server A? Is the failure to delete the entry related to the "entry CSN older or equal to context CSN" message? Unfortunately, I have been unable to reproduce the failure since I first saw it. All subsequent tests have shown that the entry deleted from server B is deleted from server A when the OpenLDAP service on server A is restarted. Kyle Blaney ------------------------------------------------------------------------- There is also this follow up post: I can now reliably reproduce this problem in 2.4.21 and 2.4.20 on a multi-master setup that only has five entries: 1. Stop service on server A. 2. Delete one entry on server B. 3. Start service on server A. After step 3, the entry is never deleted from server A. I have changed many aspects of configuration (replication with and without TLS, syncprov-sessionlog enabled and disabled, syncprov-checkpoint enabled and disabled, syncprov-nopresent TRUE and FALSE, syncprov-reloadhint TRUE and FALSE) and the problem still occurs. Is this problem the same one outlined in "test 058 failure" at http://www.openldap.org/lists/openldap-software/201002/msg00031.html? Kyle ---------------------------------------------------------------------- Thanks, Craig Worgan

1 0

Re: (ITS#6464) Buffer overflow
by csdr＠lthd.com 17 Feb '10

17 Feb '10

Well .. it worked. Here are that stack traces if you need them anymore (I thought strace did that) ... http://www.lthd.com/thread_apply_all_bt.txt and http://www.lthd.com/bt_full.txt Thank you. PS: I am surprised that none has encountered that bug which comes from version 2.4.19 (AFAIK)

1 0

Re: (ITS#6464) Buffer overflow
by Ralf Haferkamp 17 Feb '10

17 Feb '10

> Sorry. > I hope this helps: http://lthd.com/slapd.out Hm, that's not a stack backtrace (http://www.openldap.org/faq/index.cgi?file=59), but not apart from that, it looks like you are hit by ITS#6474. Please test again with current HEAD. Or apply the changes between 1.168 and 1.169 of servers/slapd/back-bdb/dn2id.c from CVS to your 2.4.21 release: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-bdb/dn2id.c.dif… r1=1.168&r2=1.169&hideattic=1&sortbydate=0&f=h -- Ralf

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs February 2010