openldap-bugs May 2010

openldap-bugs@openldap.org

28 participants
84 discussions

Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by michael＠stroeder.com 14 May '10

14 May '10

Mark A. Ziesemer wrote: > 2010/5/14 Michael Ströder <michael(a)stroeder.com > <mailto:michael@stroeder.com>> > 'shadowLastChange' is rather a POSIX account attribute which from my > understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be > extended... > > I guess I wouldn't have any objections if all the references to "shadow" > were renamed to "posix". However, the shadowLastChange attribute is > part of the shadowAccount objectClass - with neither of these names > referring to POSIX. I didn't consider to change the name of the attribute. With POSIX account data I rather wanted to point to RFC 2307 where posixAccount and shadowAccount object classes and the accompanying attributes are defined. Don't get me wrong. I support the idea of setting shadowLastChange even if Howard considers it to be deprecated. And I have no objections to a one-sets-all-of-these overlay. But I'd even like to see this overlay available as standard feature. Since in the current state it has build dependencies to Kerberos libs this is not easy. Only building the Samba support is possible and needs some tweaking of the Makefile. > There are many issues posted online with all the password attributes > except shadowLastChange getting updated. This patch should provide a > solution for many of these cases. Yupp. I already thought these problems long ago when implementing the different password change use-cases in web2ldap. Ciao, Michael.

1 0

Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by online＠mark.ziesemer.com 14 May '10

14 May '10

--00504501586f17398e04868dddb7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable 2010/5/14 Michael Str=F6der <michael(a)stroeder.com> > online(a)mark.ziesemer.com wrote: > > Full_Name: Mark A. Ziesemer > > Version: 2.4.21 / HEAD > > OS: Ubuntu Linux > > URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch > > Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148) > > > > Using the PasswordModify Extended Operation (exop) along with the > smbk5pwd slapd > > overlay provides several benefits, but does not currently include the > > shadowLastChange attribute of the shadowAccount class. This means the > > shadowLastChange is missed from update, unless specially done along wit= h > a > > PasswordModify. > > While I agree that this could be useful in general I'd rather argue that > for > Samba 3 'sambaPwdLastSet' should be set. > sambaPwdLastSet is already handled by the "samba" portion of this overlay. 'shadowLastChange' is rather a POSIX account attribute which from my > understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could b= e > extended... > I guess I wouldn't have any objections if all the references to "shadow" were renamed to "posix". However, the shadowLastChange attribute is part o= f the shadowAccount objectClass - with neither of these names referring to POSIX. I had considered a separate overlay. However, in terms of purpose, shared code, functionality, and performance, it seems to make the most sense to include this addition into the smbk5pwd overlay. Both pam_ldap and the Samba client support use of exop password changes. Additionally, pam_ldap doesn't appear to support hashing to SSHA (only MD5, which is also the default) - so setting to "exop" also allows for a stronge= r hash of the password to be stored. With the unpatched overlay, doing an exop password change updates userPassword (used by POSIX), as well as all the Samba attributes: sambaLMPassword, sambaNTPassword, and sambaPwdLastSet . This allows Samba clients to use the updated password as well as seeing when the password was last set, but POSIX clients do not see an updated shadowLastChange. This patch adds support for the otherwise missing shadowLastChange, keeping everything consistent. There are many issues posted online with all the password attributes except shadowLastChange getting updated. This patch should provide a solution for many of these cases. > Ciao, Michael. > -- Mark A. Ziesemer www.ziesemer.com --00504501586f17398e04868dddb7 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable <div class=3D"gmail_quote">2010/5/14 Michael Str=F6der &l= t;<a href=3D"mailto:michael@stroeder.com">michael(a)stroeder.com</a>></spa= n> <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex;= border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> <a href=3D"mailto:online@mark.ziesemer.com">online(a)mark.ziesemer.com</a> wr= ote: > Full_Name: Mark A. Ziesemer > Version: 2.4.21 / HEAD > OS: Ubuntu Linux > URL: <a href=3D"ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patc= h" target=3D"_blank">ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patc= h</a> > Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148) > > Using the PasswordModify Extended Operation (exop) along with the smbk= 5pwd slapd > overlay provides several benefits, but does not currently include the<= br> > shadowLastChange attribute of the shadowAccount class. =A0This means t= he > shadowLastChange is missed from update, unless specially done along wi= th a > PasswordModify. While I agree that this could be useful in general I'd rather argue tha= t for Samba 3 'sambaPwdLastSet' should be set. </blockquote><div> s= ambaPwdLastSet is already handled by the "samba" portion of this = overlay. </div><blockquote class=3D"gmail_quote" style=3D"margin: 0= pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: = 1ex;"> 'shadowLastChange' is rather a POSIX account attribute which from m= y understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be<= br> extended... </blockquote><div> I guess I wouldn't have any object= ions if all the references to "shadow" were renamed to "posi= x".=A0 However, the shadowLastChange attribute is part of the shadowAc= count objectClass - with neither of these names referring to POSIX. I had considered a separate overlay.=A0 However, in terms of purpose, s= hared code, functionality, and performance, it seems to make the most sense= to include this addition into the smbk5pwd overlay. Both pam_ldap a= nd the Samba client support use of exop password=20 changes.=A0 Additionally, pam_ldap doesn't appear to support hashing to= =20 SSHA (only MD5, which is also the default) - so setting to "exop"= also=20 allows for a stronger hash of the password to be stored. With the unpatched overlay, doing an exop password change updates userP= assword (used by POSIX), as well as all the Samba attributes: sambaLMPasswo= rd, sambaNTPassword, and sambaPwdLastSet .=A0 This allows Samba clients to = use the updated password as well as seeing when the password was last set, = but POSIX clients do not see an updated shadowLastChange.=A0 This patch add= s support for the otherwise missing shadowLastChange, keeping everything co= nsistent. =A0 There are many issues posted online with all the password attributes= except shadowLastChange getting updated.=A0 This patch should provide a so= lution for many of these cases. </div><blockquote class=3D"gmail_quo= te" style=3D"margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204= , 204); padding-left: 1ex;"> Ciao, Michael. </blockquote><div>=A0</div></div>-- Mark A. Ziesemer<b= r><a href=3D"http://www.ziesemer.com">www.ziesemer.com</a> --00504501586f17398e04868dddb7--

1 0

Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by hyc＠symas.com 14 May '10

14 May '10

michael(a)stroeder.com wrote: > michael(a)stroeder.com wrote: >> I'd rather argue that for >> Samba 3 'sambaPwdLastSet' should be set. > > Uumpf! This is already set. Sorry for the noise. > >> 'shadowLastChange' is rather a POSIX account attribute which from my >> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be >> extended... > > But still it's the question whether we want to have this functionality for > various password-related attribute all in on overlay or whether there should > be distinct overlays for each account type (posixAccount/shadowAccount, > sambaSAMAccount, Kerberos user). shadowAccount is deprecated. LDAP ppolicy already provides a pwdChangedTime attribute. > Personally I'd like to see this overlay moved from contrib/ into the standard > build. But for Kerberos-related attributes the build and schema dependencies > are an obstacle. => separate overlays at least for KDC/LDAP and Samba-Posix/LDAP. Ultimately both Kerberos and Samba will just be using LDAP ppolicy. But yes, the build dependencies are still annoying. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by michael＠stroeder.com 14 May '10

14 May '10

michael(a)stroeder.com wrote: > I'd rather argue that for > Samba 3 'sambaPwdLastSet' should be set. Uumpf! This is already set. Sorry for the noise. > 'shadowLastChange' is rather a POSIX account attribute which from my > understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be > extended... But still it's the question whether we want to have this functionality for various password-related attribute all in on overlay or whether there should be distinct overlays for each account type (posixAccount/shadowAccount, sambaSAMAccount, Kerberos user). Personally I'd like to see this overlay moved from contrib/ into the standard build. But for Kerberos-related attributes the build and schema dependencies are an obstacle. => separate overlays at least for KDC/LDAP and Samba-Posix/LDAP. Ciao, Michael.

1 0

Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by michael＠stroeder.com 14 May '10

14 May '10

online(a)mark.ziesemer.com wrote: > Full_Name: Mark A. Ziesemer > Version: 2.4.21 / HEAD > OS: Ubuntu Linux > URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch > Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148) > > Using the PasswordModify Extended Operation (exop) along with the smbk5pwd slapd > overlay provides several benefits, but does not currently include the > shadowLastChange attribute of the shadowAccount class. This means the > shadowLastChange is missed from update, unless specially done along with a > PasswordModify. While I agree that this could be useful in general I'd rather argue that for Samba 3 'sambaPwdLastSet' should be set. 'shadowLastChange' is rather a POSIX account attribute which from my understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be extended... Ciao, Michael.

1 0

(ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by online＠mark.ziesemer.com 13 May '10

13 May '10

Full_Name: Mark A. Ziesemer Version: 2.4.21 / HEAD OS: Ubuntu Linux URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148) Using the PasswordModify Extended Operation (exop) along with the smbk5pwd slapd overlay provides several benefits, but does not currently include the shadowLastChange attribute of the shadowAccount class. This means the shadowLastChange is missed from update, unless specially done along with a PasswordModify. This patch adds support for updating shadowLastChange into the smbk5pwd overlay for slapd. An added benefit is that once the updated overlay is in effect, write access to the shadowLastChange attribute can optionally be restricted by configuration, preventing users from updating shadowLastChange without actually updating their password. The SHA-1 hash of the provided patch (smbk5pwd-shadow-b.patch) is c29ff518ea4fe03a4c5ee87d07a3af0082256950 . (Please discard "smbk5pwd-shadow.patch".) Patch was generated against HEAD just now, but also applies cleanly to 2.4.21. I am currently using the patched overlay in my current environment without noticeable issue. However, C is not current primary language, so please give appropriate attention to review. This patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch were developed by Mark A. Ziesemer <online(a)mark.ziesemer.com>. I have not assigned rights and/or interest in this work to any party. I, Mark A. Ziesemer, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

1 0

Re: (ITS#6545) delta-syncrepl rejects modification master accepted
by masarati＠aero.polimi.it 13 May '10

13 May '10

I checked with HEAD and re24 (basically, 2.4.22 from CVS) and I couldn't reproduce the issue. Can you provide the configuration and an example LDIF that triggers the issue? I simply ran test043, restart both servers, and perform a modification similar to yours, and it went through with no problems. p. > Full_Name: Francis Swasey > Version: 2.4.22 > OS: Red Hat Enterprise Linux 5 update 5 64-bit > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (132.198.107.64) > > > Platform: Red Hat Enterprise Linux 5, update 5, 64-bit > OpenLDAP: 2.4.22 (locally compiled), configured with delta-syncrepl. > > The following modify ldif successfully applies to the master: > > dn: uid=fcswasey,ou=People,dc=uvm,dc=edu > changetype: modify > replace: sn > sn: Swasey > - > replace: sn > sn: Swasey > - > > In OpenLDAP 2.3 -- this modify ldif deck failed because the "sn" > attribute is presented twice. In OpenLDAP 2.4 -- it works, but the > delta-syncrepl replica pukes on it with this error: > > syncrepl_message_to_op: rid=100 mods check (sn: value #0 provided more > than once) > > >

1 0

Re: (ITS#6545) delta-syncrepl rejects modification master accepted
by quanah＠zimbra.com 13 May '10

13 May '10

--On May 12, 2010 1:06:53 PM +0000 Frank.Swasey(a)uvm.edu wrote: > This is an OpenPGP/MIME signed message (RFC 2440 and 3156) > --------------enig666A26622E67D44DE6AFFA9C > Content-Type: text/plain; charset=ISO-8859-1 > Content-Transfer-Encoding: quoted-printable > > I see someone has tagged this as unreproducable in head/re24.=20 > > Ok.... Are you saying that 2.4.23 will not have this bug or that I did > something wrong in compiling 2.4.22???? Pierangelo made that note, but failed to follow up with the ITS in any way. Maybe he will be willing to provide more information, since RE24 and 2.4.22 are identical. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#6549) test043 hasSubordinates attribute inconsistencies
by mhardin＠symas.com 12 May '10

12 May '10

Full_Name: Matt Hardin Version: 2.4.22 OS: Red Hat AS 4 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (74.38.117.141) In test043 the test database defines a root entry of dc=example,dc=com. For this entry, the results of the ldapsearch do not include the hasSubordinates attribute at all, in spite of the fact that the entry does have subordinates. Test043 passes, due to the fact that this attribute is missing from the root entry in both the provider and the consumer. Other entries with subordinates do include this attribute and its value is correct in all the cases I examined. Here is the snippet from tests/testrun/server1.flt: dn: dc=example,dc=com dc: example objectClass: organization objectClass: domainRelatedObject objectClass: dcObject l: Anytown, Michigan st: Michigan o: Example, Inc. o: EX o: Ex. description: The Example, Inc. at Anytown postalAddress: Example, Inc. $ 535 W. William St. $ Anytown, MI 48109 $ US telephoneNumber: +1 313 555 1817 associatedDomain: example.com structuralObjectClass: organization entryUUID: e2d47ecc-f24a-102e-90fb-9f641f00f9d2 creatorsName: cn=Manager,dc=example,dc=com createTimestamp: 20100512194705Z entryCSN: 20100512194705.076849Z#000000#000#000000 modifiersName: cn=Manager,dc=example,dc=com modifyTimestamp: 20100512194705Z contextCSN: 20100512194748.621773Z#000000#000#000000 entryDN: dc=example,dc=com subschemaSubentry: cn=Subschema The version of BDB in use here is 4.8.30, although I note this happens with earlier releases of BDB as well. Also of interest is the fact that this test fails on some platforms (e.g. Windows), because the provider slapd correctly reports hasSubordinates=TRUE, while the consumer omits the attribute entirely, in spite of the fact that subordinate entries do exist on the consumer. -Matt

1 0

Re: (ITS#6548) Many "connection_read(): no connection!" warnings when using ldapi:/// and a bind DN (no external authentication)
by online＠mark.ziesemer.com 12 May '10

12 May '10

--00c09f76b87ebad978048667feb6 Content-Type: text/plain; charset=ISO-8859-1 On Wed, May 12, 2010 at 10:05 AM, Howard Chu <hyc(a)symas.com> wrote: > online(a)mark.ziesemer.com wrote: > >> Full_Name: Mark A. Ziesemer >> Version: 2.4.21 >> OS: Ubuntu Linux 10.04 >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (2001:470:1f11:3ae:4d6d:3d3e:faa6:ee3d) >> >> >> Many "connection_read(): no connection!" warnings are written to >> /var/log/debug >> and /var/log/syslog by slapd. As stated at >> http://www.openldap.org/lists/openldap-software/200811/msg00079.html , >> this is >> apparently not a problem with slapd, but a client that is disconnecting >> without >> first unbinding. >> > > This also happens when the connection manager queues up a thread to handle > a "socket is readable" event on a socket that's in the process of closing. > Pretty much unavoidable, when a lot of threads are active. I don't see this > as a high enough priority to warrant fixing. > This was not happening under a high load, but with only 1-2 connections active. I might not have focused on it enough in the original report, but isn't this looking like it is probably an issue with the libldap client library (provided by OpenLDAP), rather than the slapd daemon? Looking at the provided logs, it appears that no do_unbind request is received (not sent by the client) when using ldapi:/// with a bind DN. If it can't / won't be fixed, can the logging of the "connection_read(): no connection!" event in slapd at least be demoted to a lower level so that it doesn't fill the default logging output, without having to change the overall configured logging level and potentially missing other logged events that do require attention? > This appears to be an issue with the libldap client library provided by >> OpenLDAP >> itself (2.4.21), and not the slapd daemon. >> >> Issue is reproducible even by just using "ldapsearch -H ldapi:///", but >> only if >> a bind DN is specified (-D) and external authentication is not used. >> >> Running slapd with logging enabled (-d 8) shows the following 3 sequences >> - >> ldapsearch command followed by the slapd logs. Note that the >> "connection_read(): no connection!" is only visible on the middle pair. >> >> >> $ ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "" >> SASL/EXTERNAL authentication started >> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth >> SASL SSF: 0 >> No such object (32) >> >> slap_listener_activate(9): >> >>> slap_listener(ldapi:///) >>>>> >>>> connection_get(14): got connid=1000 >> connection_read(14): checking for input on id=1000 >> ber_get_next >> ber_get_next: tag 0x30 len 24 contents: >> op tag 0x60, time 1273546410 >> ber_get_next >> conn=1000 op=0 do_bind >> ber_scanf fmt ({imt) ber: >> ber_scanf fmt ({m) ber: >> ber_scanf fmt (m) ber: >> ber_scanf fmt (}}) ber: >> >>> dnPrettyNormal:<> >>>>> >>>> <<< dnPrettyNormal:<>,<> >> do_bind: dn () SASL mech EXTERNAL >> ==>slap_sasl2dn: converting SASL name >> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN >> <==slap_sasl2dn: Converted SASL name to<nothing> >> SASL Authorize [conn=1000]: proxy authorization allowed authzDN="" >> send_ldap_sasl: err=0 len=-1 >> do_bind: SASL/EXTERNAL bind: >> dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0 >> send_ldap_response: msgid=1 tag=97 err=0 >> ber_flush2: 14 bytes to sd 14 >> <== slap_sasl_bind: rc=0 >> connection_get(14): got connid=1000 >> connection_read(14): checking for input on id=1000 >> ber_get_next >> ber_get_next: tag 0x30 len 37 contents: >> op tag 0x63, time 1273546410 >> ber_get_next >> conn=1000 op=1 do_search >> ber_scanf fmt ({miiiib) ber: >> >>> dnPrettyNormal:<> >>>>> >>>> <<< dnPrettyNormal:<>,<> >> ber_scanf fmt (m) ber: >> ber_scanf fmt ({M}}) ber: >> send_ldap_result: conn=1000 op=1 p=3 >> send_ldap_response: msgid=2 tag=101 err=32 >> ber_flush2: 14 bytes to sd 14 >> connection_get(14): got connid=1000 >> connection_read(14): checking for input on id=1000 >> ber_get_next >> ber_get_next: tag 0x30 len 5 contents: >> op tag 0x42, time 1273546410 >> ber_get_next >> conn=1000 op=2 do_unbind >> connection_close: conn=1000 sd=14 >> >> $ ldapsearch -H ldapi:/// -D "cn=admin,dc=example,dc=com" -b "" -W >> Enter LDAP Password: >> ldap_bind: Invalid credentials (49) >> >> slap_listener_activate(9): >> >>> slap_listener(ldapi:///) >>>>> >>>> connection_get(14): got connid=1001 >> connection_read(14): checking for input on id=1001 >> ber_get_next >> ber_get_next: tag 0x30 len 44 contents: >> op tag 0x60, time 1273546420 >> ber_get_next >> conn=1001 op=0 do_bind >> ber_scanf fmt ({imt) ber: >> ber_scanf fmt (m}) ber: >> >>> dnPrettyNormal:<cn=admin,dc=example,dc=com> >>>>> >>>> <<< >> dnPrettyNormal:<cn=admin,dc=example,dc=com>,<cn=admin,dc=example,dc=com> >> do_bind: version=3 dn="cn=admin,dc=example,dc=com" method=128 >> send_ldap_result: conn=1001 op=0 p=3 >> send_ldap_response: msgid=1 tag=97 err=49 >> ber_flush2: 14 bytes to sd 14 >> connection_get(14): got connid=1001 >> connection_read(14): checking for input on id=1001 >> ber_get_next >> ber_get_next on fd 14 failed errno=0 (Success) >> connection_close: conn=1001 sd=14 >> connection_read(14): no connection! >> connection_read(14): no connection! >> >> $ ldapsearch -H ldap:/// -D "cn=admin,dc=example,dc=com" -b "" -W >> Enter LDAP Password: >> ldap_bind: Invalid credentials (49) >> >> slap_listener_activate(8): >> >>> slap_listener(ldap:///) >>>>> >>>> connection_get(14): got connid=1002 >> connection_read(14): checking for input on id=1002 >> ber_get_next >> ber_get_next: tag 0x30 len 44 contents: >> op tag 0x60, time 1273546425 >> ber_get_next >> conn=1002 op=0 do_bind >> ber_scanf fmt ({imt) ber: >> ber_scanf fmt (m}) ber: >> >>> dnPrettyNormal:<cn=admin,dc=example,dc=com> >>>>> >>>> <<< >> dnPrettyNormal:<cn=admin,dc=example,dc=com>,<cn=admin,dc=example,dc=com> >> do_bind: version=3 dn="cn=admin,dc=example,dc=com" method=128 >> send_ldap_result: conn=1002 op=0 p=3 >> send_ldap_response: msgid=1 tag=97 err=49 >> ber_flush2: 14 bytes to sd 14 >> connection_get(14): got connid=1002 >> connection_read(14): checking for input on id=1002 >> ber_get_next >> ber_get_next on fd 14 failed errno=0 (Success) >> connection_close: conn=1002 sd=14 >> >> >> > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > -- Mark A. Ziesemer www.ziesemer.com --00c09f76b87ebad978048667feb6 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable <div class=3D"gmail_quote">On Wed, May 12, 2010 at 10:05 AM, Howard Chu <sp= an dir=3D"ltr"><<a href=3D"mailto:hyc@symas.com">hyc(a)symas.com</a>></= span> wrote: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt = 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> <a href=3D"mailto:online@mark.ziesemer.com" target=3D"_blank">online(a)mark.z= iesemer.com</a> wrote: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> Full_Name: Mark A. Ziesemer Version: 2.4.21 OS: Ubuntu Linux 10.04 URL: <a href=3D"ftp://ftp.openldap.org/incoming/" target=3D"_blank">ftp://f= tp.openldap.org/incoming/</a> Submission from: (NULL) (2001:470:1f11:3ae:4d6d:3d3e:faa6:ee3d) Many "connection_read(): no connection!" warnings are written to = /var/log/debug and /var/log/syslog by slapd. =A0As stated at <a href=3D"http://www.openldap.org/lists/openldap-software/200811/msg00079.= html" target=3D"_blank">http://www.openldap.org/lists/openldap-software/200= 811/msg00079.html</a> , this is apparently not a problem with slapd, but a client that is disconnecting wit= hout first unbinding. </blockquote> This also happens when the connection manager queues up a thread to handle = a "socket is readable" event on a socket that's in the proces= s of closing. Pretty much unavoidable, when a lot of threads are active. I = don't see this as a high enough priority to warrant fixing. </blockquote><div> This was not happening under a high load, but with on= ly 1-2 connections active. I might not have focused on it enough in = the original report, but isn't this looking like it is probably an issu= e with the libldap client library (provided by OpenLDAP), rather than the s= lapd daemon?=A0 Looking at the provided logs, it appears that no do_unbind = request is received (not sent by the client) when using ldapi:/// with a bi= nd DN. If it can't / won't be fixed, can the logging of the "conn= ection_read(): no connection!" event in slapd at least be demoted to a= lower level so that it doesn't fill the default logging output, withou= t having to change the overall configured logging level and potentially mis= sing other logged events that do require attention? =A0 </div><blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex;= border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><blockquote= class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; border-left: 1px= solid rgb(204, 204, 204); padding-left: 1ex;"> This appears to be an issue with the libldap client library provided by Ope= nLDAP itself (2.4.21), and not the slapd daemon. Issue is reproducible even by just using "ldapsearch -H ldapi:///&quot= ;, but only if a bind DN is specified (-D) and external authentication is not used. Running slapd with logging enabled (-d 8) shows the following 3 sequences -= ldapsearch command followed by the slapd logs. =A0Note that the "connection_read(): no connection!" is only visible on the middle= pair. $ ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "" SASL/EXTERNAL authentication started SASL username: gidNumber=3D0+uidNumber=3D0,cn=3Dpeercred,cn=3Dexternal,cn= =3Dauth SASL SSF: 0 No such object (32) slap_listener_activate(9): <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><blockquote class= =3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid= rgb(204, 204, 204); padding-left: 1ex;"> <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> slap_listener(ldapi:///) </blockquote></blockquote></blockquote> connection_get(14): got connid=3D1000 connection_read(14): checking for input on id=3D1000 ber_get_next ber_get_next: tag 0x30 len 24 contents: op tag 0x60, time 1273546410 ber_get_next conn=3D1000 op=3D0 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt ({m) ber: ber_scanf fmt (m) ber: ber_scanf fmt (}}) ber: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><blockquote class= =3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid= rgb(204, 204, 204); padding-left: 1ex;"> <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> dnPrettyNormal:<> </blockquote></blockquote></blockquote> <<< =A0dnPrettyNormal:<>,<> do_bind: dn () SASL mech EXTERNAL =3D=3D>slap_sasl2dn: converting SASL name gidNumber=3D0+uidNumber=3D0,cn=3Dpeercred,cn=3Dexternal,cn=3Dauth to a DN<b= r> <=3D=3Dslap_sasl2dn: Converted SASL name to<nothing> SASL Authorize [conn=3D1000]: =A0proxy authorization allowed authzDN=3D&quo= t;" send_ldap_sasl: err=3D0 len=3D-1 do_bind: SASL/EXTERNAL bind: dn=3D"gidNumber=3D0+uidNumber=3D0,cn=3Dpeercred,cn=3Dexternal,cn=3Daut= h" sasl_ssf=3D0 send_ldap_response: msgid=3D1 tag=3D97 err=3D0 ber_flush2: 14 bytes to sd 14 <=3D=3D slap_sasl_bind: rc=3D0 connection_get(14): got connid=3D1000 connection_read(14): checking for input on id=3D1000 ber_get_next ber_get_next: tag 0x30 len 37 contents: op tag 0x63, time 1273546410 ber_get_next conn=3D1000 op=3D1 do_search ber_scanf fmt ({miiiib) ber: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><blockquote class= =3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid= rgb(204, 204, 204); padding-left: 1ex;"> <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> dnPrettyNormal:<> </blockquote></blockquote></blockquote> <<< =A0dnPrettyNormal:<>,<> ber_scanf fmt (m) ber: ber_scanf fmt ({M}}) ber: send_ldap_result: conn=3D1000 op=3D1 p=3D3 send_ldap_response: msgid=3D2 tag=3D101 err=3D32 ber_flush2: 14 bytes to sd 14 connection_get(14): got connid=3D1000 connection_read(14): checking for input on id=3D1000 ber_get_next ber_get_next: tag 0x30 len 5 contents: op tag 0x42, time 1273546410 ber_get_next conn=3D1000 op=3D2 do_unbind connection_close: conn=3D1000 sd=3D14 $ ldapsearch -H ldapi:/// -D "cn=3Dadmin,dc=3Dexample,dc=3Dcom" -= b "" -W Enter LDAP Password: ldap_bind: Invalid credentials (49) slap_listener_activate(9): <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><blockquote class= =3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid= rgb(204, 204, 204); padding-left: 1ex;"> <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> slap_listener(ldapi:///) </blockquote></blockquote></blockquote> connection_get(14): got connid=3D1001 connection_read(14): checking for input on id=3D1001 ber_get_next ber_get_next: tag 0x30 len 44 contents: op tag 0x60, time 1273546420 ber_get_next conn=3D1001 op=3D0 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><blockquote class= =3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid= rgb(204, 204, 204); padding-left: 1ex;"> <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> dnPrettyNormal:<cn=3Dadmin,dc=3Dexample,dc=3Dcom> </blockquote></blockquote></blockquote> <<< =A0dnPrettyNormal:<cn=3Dadmin,dc=3Dexample,dc=3Dcom>,&lt= ;cn=3Dadmin,dc=3Dexample,dc=3Dcom> do_bind: version=3D3 dn=3D"cn=3Dadmin,dc=3Dexample,dc=3Dcom" meth= od=3D128 send_ldap_result: conn=3D1001 op=3D0 p=3D3 send_ldap_response: msgid=3D1 tag=3D97 err=3D49 ber_flush2: 14 bytes to sd 14 connection_get(14): got connid=3D1001 connection_read(14): checking for input on id=3D1001 ber_get_next ber_get_next on fd 14 failed errno=3D0 (Success) connection_close: conn=3D1001 sd=3D14 connection_read(14): no connection! connection_read(14): no connection! $ ldapsearch -H ldap:/// -D "cn=3Dadmin,dc=3Dexample,dc=3Dcom" -b= "" -W Enter LDAP Password: ldap_bind: Invalid credentials (49) slap_listener_activate(8): <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><blockquote class= =3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid= rgb(204, 204, 204); padding-left: 1ex;"> <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> slap_listener(ldap:///) </blockquote></blockquote></blockquote> connection_get(14): got connid=3D1002 connection_read(14): checking for input on id=3D1002 ber_get_next ber_get_next: tag 0x30 len 44 contents: op tag 0x60, time 1273546425 ber_get_next conn=3D1002 op=3D0 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber: <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><blockquote class= =3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid= rgb(204, 204, 204); padding-left: 1ex;"> <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0.8ex; borde= r-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> dnPrettyNormal:<cn=3Dadmin,dc=3Dexample,dc=3Dcom> </blockquote></blockquote></blockquote> <<< =A0dnPrettyNormal:<cn=3Dadmin,dc=3Dexample,dc=3Dcom>,&lt= ;cn=3Dadmin,dc=3Dexample,dc=3Dcom> do_bind: version=3D3 dn=3D"cn=3Dadmin,dc=3Dexample,dc=3Dcom" meth= od=3D128 send_ldap_result: conn=3D1002 op=3D0 p=3D3 send_ldap_response: msgid=3D1 tag=3D97 err=3D49 ber_flush2: 14 bytes to sd 14 connection_get(14): got connid=3D1002 connection_read(14): checking for input on id=3D1002 ber_get_next ber_get_next on fd 14 failed errno=3D0 (Success) connection_close: conn=3D1002 sd=3D14 </blockquote> -- =A0-- Howard Chu =A0CTO, Symas Corp. =A0 =A0 =A0 =A0 =A0 <a href=3D"http://www.symas.com" t= arget=3D"_blank">http://www.symas.com</a> =A0Director, Highland Sun =A0 =A0 <a href=3D"http://highlandsun.com/hyc/" = target=3D"_blank">http://highlandsun.com/hyc/</a> =A0Chief Architect, OpenLDAP =A0<a href=3D"http://www.openldap.org/project= /" target=3D"_blank">http://www.openldap.org/project/</a> </blockquote></div> -- Mark A. Ziesemer <a href=3D"http://www.zies= emer.com">www.ziesemer.com</a> --00c09f76b87ebad978048667feb6--

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2010