Re: (ITS#6540) test022-ppolicy is flawed, masks serious stability issue
by ryans@aweber.com
The other thing I should note is initially, everything seemed to work, but became prevalent the very first time I
restarted slapd after adding the chaining configurations from test022-ppolicy. That's when all the errors started with
slapcat. The second time I restarted it (to try and fix the issue), slapd would not start at all, as described above.
13 years, 7 months
ITS#6540
by masarati@aero.polimi.it
Please do not report issues related to old releases. Current is 2.4.22.
Please test and report whether the issue persists.
p.
13 years, 7 months
Re: (ITS#6540) test022-ppolicy is flawed, masks serious stability issue
by ryans@aweber.com
I should also note that a slapcat of the config database fails too in the exact same manner.
I'm guessing this is somehow related to the fact that the chain module/overlay is located within the back_ldap module,
but I'm not sure how to work around the issue yet, so at this time slapd will not start on the slave server on which
slapd was stopped after adding the chaining configuration as is documented in test022-ppolicy.
13 years, 7 months
(ITS#6540) test022-ppolicy is flawed, masks serious stability issue
by ryans@aweber.com
Full_Name: Ryan Steele
Version: 2.4.18
OS: Ubuntu Server
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (207.106.239.81)
When the chaining configuration for cn=config is added, as is done in
test022-ppolicy, the process of adding the module and overlay succeeds, but
subsequent slapcat operations will fail with:
root@nebula:~# slapcat -n1
slapd-chain: first underlying database
"olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config"
cannot contain attribute "olcDbURI".
config error processing
olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config:
slapcat: bad configuration file!
Additionally, if slapd is stopped after adding the configuration in
test022-ppolicy, the server will not start again, and on the foreground shows:
slapd-chain: first underlying database
"olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config"
cannot contain attribute "olcDbURI".
: config_add_internal:
DN="olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config"
no structural objectClass add function
config error processing
olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config:
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=65 matched="" text=""
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
The reason test022-ppolicy does not catch this is because an ldapsearch will
still work. In fact, the chaining operations still succeed (writes are ferried
off to the upstream server). But, this is a very grave problem, as it can cause
the slapd server to stop functioning completely.
13 years, 7 months
RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
by masarati@aero.polimi.it
> Hi,
>
> I upgraded the version to openldap 2.4.22 and now I could add the ldif
> file with the arl in with slapcat command
>
> Previously the same was not working, so I guess the bug in 2.4.21 is fixed
> in 2.4.22 version
>
> You may treat the call as closed and thanks for your prompt response
Probably a dup of ITS#6466. Closed, thanks. p.
13 years, 7 months
RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
by mmishra@isabel.eu
Hi,
I upgraded the version to openldap 2.4.22 and now I could add the ldif file
with the arl in with slapcat command
Previously the same was not working, so I guess the bug in 2.4.21 is fixed
in 2.4.22 version
You may treat the call as closed and thanks for your prompt response
Regards
Mayashankar Mishra
-----Original Message-----
From: masarati(a)aero.polimi.it [mailto:masarati@aero.polimi.it]
Sent: 2010-04-27 18:13
To: Mayashankar Mishra
Cc: openldap-its(a)openldap.org
Subject: RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
One of us is clearly doing something wrong. Can you please check if the
issue also appears with 2.4.22? I can't rebuild 2.4.21 right now, and
since 2.4.22 works for me, it would be pointless to track any issue that
was fixed since 2.4.21.
p.
> See the error when I try to add
>
>
> [root@ldap ~]# ldapadd -x -H ldap://:389 -D <Manager DN > -W -f aaa.ldif
> Enter LDAP Password:
> adding new entry "cn=ca,l=isabel,l=be"
> ldap_add: Invalid syntax (21)
> additional info: authorityRevocationList;binary: value #0 invalid
> per syntax
>
> [root@ldap ~]# cat aaa.ldif
> dn: cn=ca,l=isabel,l=be
> changetype: add
> objectClass: cRLDistributionPoint
> authorityRevocationList;binary:: MIIBwTCBqgIBATANBgkqhkiG9w0BAQUFADBUM
>
> Mayashankar Mishra
> Consultant
> E-mail : mmishra(a)isabel.eu
> Tel : +32 (0)2 403.18.84
> Fax : +32
>
> Isabel NV/S.A.
> Keizerinlaan 13-15 Boulevard de l'Impératrice 1000 Brussels - Belgium
> RPR Bruxelles / RPM Brussel: BE 0455 530 509
> http://www.isabel.eu/ http://www.zoomit.eu/
>
> Zoomit is a Registered Trademark of Isabel NV/S.A.
> Disclaimer : http://www.isabel.eu/gps/en/disclaimer/mailing.php
>
> -----Original Message-----
> From: masarati(a)aero.polimi.it [mailto:masarati@aero.polimi.it]
> Sent: 2010-04-27 17:41
> To: Mayashankar Mishra
> Cc: openldap-its(a)openldap.org
> Subject: RE: (ITS#6537) arl[authority revocation list] issue during
> opneldap upgrade
>
>> uploaded the arl on ftp server
>
> I could load it without any problem. LDIF:
>
> dn: cn=test,dc=example,dc=com
> changetype: add
> objectClass: cRLDistributionPoint
> authorityRevocationList;binary:: MIIBwTCBqgIBATANBgkqhkiG9w0BAQUFADBUM
>
> command:
>
> ldapadd -x -H ldap://:9011 -D <manager DN> -w <password> -f <LDIF file>
>
> using HEAD and re24 (basically, 2.4.22).
>
> I think this ITS should definitely be closed, and you should
> eventually discuss your issue on the openldap-software mailing list,
> as there appears to be no software bug.
>
> p.
13 years, 7 months
RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
by masarati@aero.polimi.it
One of us is clearly doing something wrong. Can you please check if the
issue also appears with 2.4.22? I can't rebuild 2.4.21 right now, and
since 2.4.22 works for me, it would be pointless to track any issue that
was fixed since 2.4.21.
p.
> See the error when I try to add
>
>
> [root@ldap ~]# ldapadd -x -H ldap://:389 -D <Manager DN > -W -f aaa.ldif
> Enter LDAP Password:
> adding new entry "cn=ca,l=isabel,l=be"
> ldap_add: Invalid syntax (21)
> additional info: authorityRevocationList;binary: value #0 invalid
> per syntax
>
> [root@ldap ~]# cat aaa.ldif
> dn: cn=ca,l=isabel,l=be
> changetype: add
> objectClass: cRLDistributionPoint
> authorityRevocationList;binary:: MIIBwTCBqgIBATANBgkqhkiG9w0BAQUFADBUM
>
> Mayashankar Mishra
>
> -----Original Message-----
> From: masarati(a)aero.polimi.it [mailto:masarati@aero.polimi.it]
> Sent: 2010-04-27 17:41
> To: Mayashankar Mishra
> Cc: openldap-its(a)openldap.org
> Subject: RE: (ITS#6537) arl[authority revocation list] issue during
> opneldap upgrade
>
>> uploaded the arl on ftp server
>
> I could load it without any problem. LDIF:
>
> dn: cn=test,dc=example,dc=com
> changetype: add
> objectClass: cRLDistributionPoint
> authorityRevocationList;binary:: MIIBwTCBqgIBATANBgkqhkiG9w0BAQUFADBUM
>
> command:
>
> ldapadd -x -H ldap://:9011 -D <manager DN> -w <password> -f <LDIF file>
>
> using HEAD and re24 (basically, 2.4.22).
>
> I think this ITS should definitely be closed, and you should eventually
> discuss your issue on the openldap-software mailing list, as there appears
> to be no software bug.
>
> p.
13 years, 7 months
RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
by mmishra@isabel.eu
See the error when I try to add
[root@ldap ~]# ldapadd -x -H ldap://:389 -D <Manager DN > -W -f aaa.ldif
Enter LDAP Password:
adding new entry "cn=ca,l=isabel,l=be"
ldap_add: Invalid syntax (21)
additional info: authorityRevocationList;binary: value #0 invalid per syntax
[root@ldap ~]# cat aaa.ldif
dn: cn=ca,l=isabel,l=be
changetype: add
objectClass: cRLDistributionPoint
authorityRevocationList;binary:: MIIBwTCBqgIBATANBgkqhkiG9w0BAQUFADBUM
Mayashankar Mishra
-----Original Message-----
From: masarati(a)aero.polimi.it [mailto:masarati@aero.polimi.it]
Sent: 2010-04-27 17:41
To: Mayashankar Mishra
Cc: openldap-its(a)openldap.org
Subject: RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
> uploaded the arl on ftp server
I could load it without any problem. LDIF:
dn: cn=test,dc=example,dc=com
changetype: add
objectClass: cRLDistributionPoint
authorityRevocationList;binary:: MIIBwTCBqgIBATANBgkqhkiG9w0BAQUFADBUM
command:
ldapadd -x -H ldap://:9011 -D <manager DN> -w <password> -f <LDIF file>
using HEAD and re24 (basically, 2.4.22).
I think this ITS should definitely be closed, and you should eventually
discuss your issue on the openldap-software mailing list, as there appears
to be no software bug.
p.
13 years, 7 months
RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
by masarati@aero.polimi.it
> uploaded the arl on ftp server
I could load it without any problem. LDIF:
dn: cn=test,dc=example,dc=com
changetype: add
objectClass: cRLDistributionPoint
authorityRevocationList;binary:: MIIBwTCBqgIBATANBgkqhkiG9w0BAQUFADBUM
QswCQYDVQQGEwJCZTEPMA0GA1UEBxMGSXNhYmVsMQswCQYDVQQKEwJDYTEnMCUGA1UEAx
MeSXNhYmVsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw0wNTEyMDIwNDAwNTRaFw0wNTE
yMDMwNDAwMDBaMACgIDAeMA8GA1UdIwQIMAaABENBMDIwCwYDVR0UBAQCAgzSMA0GCSqG
SIb3DQEBBQUAA4IBAQALWRmn79TNllOD+oOqv7r64NSFdBGo/8fCQAykbjcNMJHRjTOSq
fU0amv2hS509I68/VhwfwHw9NzNsnPEevWkb1oFWSLvZ6FuWXTNOV5n9aY/bMqJX5gPtw
lNWez/ATv99M5WbUUKPjDxpc90bd2xjMoKBhlsrykMg0DXaRkiYYREl3lXF0wr4F/FsfO
7QS+fzkifmI09Z7zCIc2043xl2RpXvRostzrq8ncQdjBh5UdHj3qW0HQfkCaNxiIy3eZY
4JKyCqW97nTyh9v5As1X2mvujbTtKW5i5lnXeHDtjOdufva86TbZvSyQyikxLRlpQle+Y
i5x6NWdDN7Sz9LO
command:
ldapadd -x -H ldap://:9011 -D <manager DN> -w <password> -f <LDIF file>
using HEAD and re24 (basically, 2.4.22).
I think this ITS should definitely be closed, and you should eventually
discuss your issue on the openldap-software mailing list, as there appears
to be no software bug.
p.
13 years, 7 months
RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
by mmishra@isabel.eu
uploaded the arl on ftp server
Mayashankar Mishra
-----Original Message-----
From: Mayashankar Mishra
Sent: 2010-04-27 17:28
To: openldap-its(a)openldap.org
Cc: 'masarati(a)aero.polimi.it'
Subject: RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
-----Original Message-----
From: masarati(a)aero.polimi.it [mailto:masarati@aero.polimi.it]
Sent: 2010-04-27 17:19
To: Mayashankar Mishra
Cc: openldap-its(a)openldap.org
Subject: RE: (ITS#6537) arl[authority revocation list] issue during opneldap upgrade
Please reply to openldap-its; the "T" stands for "Tracking", if you don't
post there, tracking becomes impossible.
>
>
> Hi,
>
> But same arl work in openldap 2.2.26
In 2.2.26 certificate list was something like
int
certificateListValidate()
{
return LDAP_SUCCESS;
}
I would be surprised it failed.
> I could treat with openssl command to
> convert to various format
That's another point. If openssl tools can operate on that CL, then it might
not strictly comply with X509 but be somehow tolerated. We need to inspect
the certificate in order to find out why it fails.
Unless its disclosure violates any confidentiality you're bound to, please
upload it to ftp.openldap.org *in binary form* following these instructions
<http://www.openldap.org/devel/contributing.html#submitting>,
then post a message to the ITS with the URL of the file you uploaded.
If you're not allowed to upload the offending CL, you'll have to inspect it
yourself. Run slapd under gdb; find out where the failure occurs (running
with "-d stats,trace,args" should suffice); place a breakpoint at the
offending call (should be either certificateListValidate() or
certificateListExactNormalize()), step through the function and see where it
fails. We might need to request you to print specific values of variables
inside those functions.
> But then whats wrong I maens what it means binary value # 0
This sentence is definitely obscure to me. Please clarify.
p.
13 years, 7 months
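Added example, not part of the thread and not OpenLDAP's code: a structural pre-check for an `authorityRevocationList;binary::` value before it is sent with ldapadd, in contrast to the 2.2.26 behaviour described above, where validation always returned success. It unfolds the LDIF value, decodes it, and checks only that the DER is a SEQUENCE of SEQUENCE, SEQUENCE, BIT STRING (the X.509 CertificateList outline); all function names and the sample data are assumptions made for illustration.

```python
import base64

def ldif_binary_values(ldif_text, attr):
    """Return decoded values of `attr:: <base64>` lines, undoing LDIF line folding."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # continuation: drop the single leading space
        else:
            unfolded.append(line)
    prefix = attr.lower() + "::"
    return [base64.b64decode(l[len(prefix):].strip(), validate=True)
            for l in unfolded if l.lower().startswith(prefix)]

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                    # short-form length
    else:
        n = first & 0x7F                  # long form: n length octets follow
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of value")
    return tag, pos, pos + length

def looks_like_certificate_list(der):
    """Outline check only: SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }, no trailing bytes."""
    try:
        tag, start, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False
        tags = []
        while start < end:                # walk the top-level children
            t, _, start = read_tlv(der[:end], start)
            tags.append(t)
        return tags == [0x30, 0x30, 0x03]
    except ValueError:
        return False

# Constructed sample (not the CRL from the thread): an empty CertificateList skeleton.
SAMPLE_DER = bytes.fromhex("300730003000030100")
SAMPLE_LDIF = "dn: cn=test,dc=example,dc=com\nauthorityRevocationList;binary:: MAcwADAA\n AwEA\n"
```

A value that passes this outline check can still be rejected by the server, which inspects the contents of the list as well.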