Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by michael@stroeder.com
Mark A. Ziesemer wrote:
> 2010/5/14 Michael Ströder <michael(a)stroeder.com>
> 'shadowLastChange' is rather a POSIX account attribute which from my
> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
> extended...
>
> I guess I wouldn't have any objections if all the references to "shadow"
> were renamed to "posix". However, the shadowLastChange attribute is
> part of the shadowAccount objectClass - with neither of these names
> referring to POSIX.
I didn't consider changing the name of the attribute. With POSIX account data
I rather wanted to point to RFC 2307 where posixAccount and shadowAccount
object classes and the accompanying attributes are defined.
Don't get me wrong. I support the idea of setting shadowLastChange even if
Howard considers it to be deprecated. And I have no objections to a
one-sets-all-of-these overlay.
But I'd even like to see this overlay available as standard feature. Since in
the current state it has build dependencies to Kerberos libs this is not easy.
Only building the Samba support is possible and needs some tweaking of the
Makefile.
> There are many issues posted online with all the password attributes
> except shadowLastChange getting updated. This patch should provide a
> solution for many of these cases.
Yupp. I already thought about these problems long ago when implementing the
different password change use-cases in web2ldap.
Ciao, Michael.
Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by online@mark.ziesemer.com
2010/5/14 Michael Ströder <michael(a)stroeder.com>
> online(a)mark.ziesemer.com wrote:
> > Full_Name: Mark A. Ziesemer
> > Version: 2.4.21 / HEAD
> > OS: Ubuntu Linux
> > URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch
> > Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148)
> >
> > Using the PasswordModify Extended Operation (exop) along with the smbk5pwd slapd
> > overlay provides several benefits, but does not currently include the
> > shadowLastChange attribute of the shadowAccount class. This means the
> > shadowLastChange is missed from update, unless specially done along with a
> > PasswordModify.
>
> While I agree that this could be useful in general I'd rather argue that for
> Samba 3 'sambaPwdLastSet' should be set.
>
sambaPwdLastSet is already handled by the "samba" portion of this overlay.
> 'shadowLastChange' is rather a POSIX account attribute which from my
> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
> extended...
>
I guess I wouldn't have any objections if all the references to "shadow"
were renamed to "posix". However, the shadowLastChange attribute is part of
the shadowAccount objectClass - with neither of these names referring to
POSIX.
I had considered a separate overlay. However, in terms of purpose, shared
code, functionality, and performance, it seems to make the most sense to
include this addition into the smbk5pwd overlay.
Both pam_ldap and the Samba client support use of exop password changes.
Additionally, pam_ldap doesn't appear to support hashing to SSHA (only MD5,
which is also the default) - so setting to "exop" also allows for a stronger
hash of the password to be stored.
With the unpatched overlay, doing an exop password change updates
userPassword (used by POSIX), as well as all the Samba attributes:
sambaLMPassword, sambaNTPassword, and sambaPwdLastSet. This allows Samba
clients to use the updated password as well as seeing when the password was
last set, but POSIX clients do not see an updated shadowLastChange. This
patch adds support for the otherwise missing shadowLastChange, keeping
everything consistent.
There are many issues posted online with all the password attributes except
shadowLastChange getting updated. This patch should provide a solution for
many of these cases.
> Ciao, Michael.
>
--
Mark A. Ziesemer
www.ziesemer.com
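The drift Mark describes above (an exop password change updating userPassword and the Samba attributes but leaving shadowLastChange behind) is easy to detect after the fact, because all the timestamps involved can be reduced to epoch days: sambaPwdLastSet is Unix seconds, shadowLastChange is days since the epoch, and the ppolicy pwdChangedTime that Howard mentions further down the thread is a GeneralizedTime. The following audit script is an added example, not code from the ITS thread or from the smbk5pwd overlay; the entries it checks are constructed sample data, and it assumes the attribute values have already been read out of the directory (e.g. from an ldapsearch export) into plain dictionaries.

```python
"""Audit password-change timestamps across the attribute families in the thread.

Added example, not code from the ITS thread or from the smbk5pwd overlay.
An exop password change through the unpatched overlay updates sambaPwdLastSet
(Unix seconds) but not shadowLastChange (days since the epoch); ppolicy keeps
its own pwdChangedTime (GeneralizedTime).  This script converts all three to
epoch days and reports every account whose shadowLastChange disagrees with
the others, in either direction.  The entries below are constructed sample
data, not exported from any real directory.
"""
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400


def samba_last_set_to_day(value):
    """sambaPwdLastSet holds Unix seconds; return days since the epoch."""
    return int(value) // SECONDS_PER_DAY


def generalized_time_to_day(value):
    """pwdChangedTime is an LDAP GeneralizedTime such as 20100514120000Z."""
    ts = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // SECONDS_PER_DAY


def check_entry(entry):
    """Return a list of (reference_attribute, days_behind) findings.

    days_behind > 0: shadowLastChange lags the reference (the drift the
    patch fixes); days_behind < 0: shadowLastChange was bumped without a
    password change (what the ACL restriction in the report prevents).
    A missing shadowLastChange next to a Samba or ppolicy timestamp is
    reported as ("shadowLastChange", None).  Empty list = consistent.
    """
    references = {}
    if "sambaPwdLastSet" in entry:
        references["sambaPwdLastSet"] = samba_last_set_to_day(entry["sambaPwdLastSet"])
    if "pwdChangedTime" in entry:
        references["pwdChangedTime"] = generalized_time_to_day(entry["pwdChangedTime"])
    if not references:
        return []  # plain POSIX account: nothing to compare against
    if "shadowLastChange" not in entry:
        return [("shadowLastChange", None)]
    shadow_day = int(entry["shadowLastChange"])
    return [(attr, day - shadow_day) for attr, day in references.items() if day != shadow_day]


def audit(entries):
    """Map each inconsistent DN to its findings."""
    result = {}
    for entry in entries:
        findings = check_entry(entry)
        if findings:
            result[entry["dn"]] = findings
    return result


# Constructed sample entries; epoch day 14743 is 2010-05-14 UTC.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com",
     "sambaPwdLastSet": "1273795200", "shadowLastChange": "14743"},      # consistent
    {"dn": "uid=bob,ou=People,dc=example,dc=com",
     "sambaPwdLastSet": "1273795200", "shadowLastChange": "14700"},      # 43 days behind
    {"dn": "uid=carol,ou=People,dc=example,dc=com",
     "pwdChangedTime": "20100514120000Z", "shadowLastChange": "14740"},  # 3 days behind
    {"dn": "uid=dave,ou=People,dc=example,dc=com",
     "sambaPwdLastSet": "1273795200"},                                   # never set
    {"dn": "uid=erin,ou=People,dc=example,dc=com",
     "sambaPwdLastSet": "1273795200", "shadowLastChange": "14750"},      # 7 days ahead
    {"dn": "uid=frank,ou=People,dc=example,dc=com",
     "shadowLastChange": "14000"},                                       # POSIX only
]

if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_ENTRIES).items():
        for attr, days in findings:
            if days is None:
                print(f"{dn}: shadowLastChange missing")
            elif days > 0:
                print(f"{dn}: shadowLastChange is {days} day(s) behind {attr}")
            else:
                print(f"{dn}: shadowLastChange is {-days} day(s) ahead of {attr}")
```

Accounts where shadowLastChange is behind the Samba or ppolicy timestamp are the ones whose password changed through a path that never touched the shadow attribute; accounts where it is ahead are the case the original report's ACL suggestion is meant to prevent, a user bumping shadowLastChange without actually changing the password.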
Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by hyc@symas.com
michael(a)stroeder.com wrote:
> michael(a)stroeder.com wrote:
>> I'd rather argue that for
>> Samba 3 'sambaPwdLastSet' should be set.
>
> Uumpf! This is already set. Sorry for the noise.
>
>> 'shadowLastChange' is rather a POSIX account attribute which from my
>> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
>> extended...
>
> But still it's the question whether we want to have this functionality for
> various password-related attributes all in one overlay or whether there should
> be distinct overlays for each account type (posixAccount/shadowAccount,
> sambaSAMAccount, Kerberos user).
shadowAccount is deprecated. LDAP ppolicy already provides a pwdChangedTime
attribute.
> Personally I'd like to see this overlay moved from contrib/ into the standard
> build. But for Kerberos-related attributes the build and schema dependencies
> are an obstacle. => separate overlays at least for KDC/LDAP and Samba-Posix/LDAP.
Ultimately both Kerberos and Samba will just be using LDAP ppolicy. But yes,
the build dependencies are still annoying.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by michael@stroeder.com
michael(a)stroeder.com wrote:
> I'd rather argue that for
> Samba 3 'sambaPwdLastSet' should be set.
Uumpf! This is already set. Sorry for the noise.
> 'shadowLastChange' is rather a POSIX account attribute which from my
> understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
> extended...
But still it's the question whether we want to have this functionality for
various password-related attributes all in one overlay or whether there should
be distinct overlays for each account type (posixAccount/shadowAccount,
sambaSAMAccount, Kerberos user).
Personally I'd like to see this overlay moved from contrib/ into the standard
build. But for Kerberos-related attributes the build and schema dependencies
are an obstacle. => separate overlays at least for KDC/LDAP and Samba-Posix/LDAP.
Ciao, Michael.
Re: (ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by michael@stroeder.com
online(a)mark.ziesemer.com wrote:
> Full_Name: Mark A. Ziesemer
> Version: 2.4.21 / HEAD
> OS: Ubuntu Linux
> URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch
> Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148)
>
> Using the PasswordModify Extended Operation (exop) along with the smbk5pwd slapd
> overlay provides several benefits, but does not currently include the
> shadowLastChange attribute of the shadowAccount class. This means the
> shadowLastChange is missed from update, unless specially done along with a
> PasswordModify.
While I agree that this could be useful in general I'd rather argue that for
Samba 3 'sambaPwdLastSet' should be set.
'shadowLastChange' is rather a POSIX account attribute which from my
understanding is out-of-scope for slapo-smbk5pwd. Well, the scope could be
extended...
Ciao, Michael.
(ITS#6550) Patch for smbk5pwd slapd overlay to include shadowLastChange
by online@mark.ziesemer.com
Full_Name: Mark A. Ziesemer
Version: 2.4.21 / HEAD
OS: Ubuntu Linux
URL: ftp://ftp.openldap.org/incoming/smbk5pwd-shadow-b.patch
Submission from: (NULL) (2001:470:1f11:3ae:dc54:73ba:be16:148)
Using the PasswordModify Extended Operation (exop) along with the smbk5pwd slapd
overlay provides several benefits, but does not currently include the
shadowLastChange attribute of the shadowAccount class. This means the
shadowLastChange is missed from update, unless specially done along with a
PasswordModify.
This patch adds support for updating shadowLastChange into the smbk5pwd overlay
for slapd.
An added benefit is that once the updated overlay is in effect, write access to
the shadowLastChange attribute can optionally be restricted by configuration,
preventing users from updating shadowLastChange without actually updating their
password.
The SHA-1 hash of the provided patch (smbk5pwd-shadow-b.patch) is
c29ff518ea4fe03a4c5ee87d07a3af0082256950. (Please discard
"smbk5pwd-shadow.patch".)
Patch was generated against HEAD just now, but also applies cleanly to 2.4.21.
I am currently using the patched overlay in my current environment without
noticeable issue. However, C is not my current primary language, so please give
appropriate attention to review.
This patch file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in the following patch were developed by Mark A.
Ziesemer <online(a)mark.ziesemer.com>. I have not assigned rights and/or interest
in this work to any party.
I, Mark A. Ziesemer, hereby place the following modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
Re: (ITS#6545) delta-syncrepl rejects modification master accepted
by masarati@aero.polimi.it
I checked with HEAD and re24 (basically, 2.4.22 from CVS) and I couldn't
reproduce the issue. Can you provide the configuration and an example
LDIF that triggers the issue? I simply ran test043, restarted both servers,
and performed a modification similar to yours, and it went through with no
problems.
p.
> Full_Name: Francis Swasey
> Version: 2.4.22
> OS: Red Hat Enterprise Linux 5 update 5 64-bit
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (132.198.107.64)
>
>
> Platform: Red Hat Enterprise Linux 5, update 5, 64-bit
> OpenLDAP: 2.4.22 (locally compiled), configured with delta-syncrepl.
>
> The following modify ldif successfully applies to the master:
>
> dn: uid=fcswasey,ou=People,dc=uvm,dc=edu
> changetype: modify
> replace: sn
> sn: Swasey
> -
> replace: sn
> sn: Swasey
> -
>
> In OpenLDAP 2.3 -- this modify ldif deck failed because the "sn"
> attribute is presented twice. In OpenLDAP 2.4 -- it works, but the
> delta-syncrepl replica pukes on it with this error:
>
> syncrepl_message_to_op: rid=100 mods check (sn: value #0 provided more
> than once)
>
>
>
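The record quoted in the report replaces the same attribute twice in one modify, which the master accepts but the delta-syncrepl consumer rejects with "value #0 provided more than once". The following parser is an added example, not code from the ITS thread or from OpenLDAP: it reads a changetype: modify record in the same LDIF form and reports attributes that occur in more than one replace block, so that such records can be caught on the way in rather than discovered as a replication failure. The sample record is constructed after the one in the report; base64-encoded ("::") values and line continuations are not handled.

```python
"""Flag LDIF modify records that replace the same attribute more than once.

Added example, not code from the ITS thread or from OpenLDAP.  The thread's
record has two "replace: sn" blocks; the master applies it, the delta-syncrepl
consumer rejects it.  parse_modify() reads one changetype: modify record into
(dn, [(op, attribute, values)]) and repeated_replaces() reports attributes
that appear in more than one replace block.  Base64 values ("::") and
continuation lines are deliberately not supported here.
"""


def parse_modify(ldif_text):
    """Parse one 'changetype: modify' record into (dn, [(op, attr, values)])."""
    dn = None
    mods = []
    current = None  # (op, attr, values) of the block currently being read
    for raw in ldif_text.splitlines():
        line = raw.rstrip("\r")
        if not line or line.startswith("#"):
            continue
        if line == "-":
            # "-" terminates a modification block
            if current is not None:
                mods.append(current)
                current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            if value != "modify":
                raise ValueError("only changetype: modify records are handled")
        elif key in ("add", "delete", "replace") and current is None:
            current = (key, value, [])
        elif current is not None and key.lower() == current[1].lower():
            current[2].append(value)
        else:
            # a new add/delete/replace without a preceding "-", or a stray line
            raise ValueError(f"unexpected line in modify record: {line!r}")
    if current is not None:  # record ended without a trailing "-"
        mods.append(current)
    return dn, mods


def repeated_replaces(mods):
    """Return {attribute: count} for attributes replaced in more than one block."""
    counts = {}
    for op, attr, _ in mods:
        if op == "replace":
            name = attr.lower()
            counts[name] = counts.get(name, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}


# Constructed after the record in the report.
SAMPLE_RECORD = """\
dn: uid=fcswasey,ou=People,dc=uvm,dc=edu
changetype: modify
replace: sn
sn: Swasey
-
replace: sn
sn: Swasey
-
"""

if __name__ == "__main__":
    dn, mods = parse_modify(SAMPLE_RECORD)
    for attr, n in repeated_replaces(mods).items():
        print(f"{dn}: attribute {attr} replaced {n} times in one modify")
```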
Re: (ITS#6545) delta-syncrepl rejects modification master accepted
by quanah@zimbra.com
--On May 12, 2010 1:06:53 PM +0000 Frank.Swasey(a)uvm.edu wrote:
> I see someone has tagged this as unreproducible in head/re24.
>
> Ok.... Are you saying that 2.4.23 will not have this bug or that I did
> something wrong in compiling 2.4.22????
Pierangelo made that note, but failed to follow up with the ITS in any way.
Maybe he will be willing to provide more information, since RE24 and 2.4.22
are identical.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
(ITS#6549) test043 hasSubordinates attribute inconsistencies
by mhardin@symas.com
Full_Name: Matt Hardin
Version: 2.4.22
OS: Red Hat AS 4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (74.38.117.141)
In test043 the test database defines a root entry of dc=example,dc=com. For this
entry, the results of the ldapsearch do not include the hasSubordinates
attribute at all, in spite of the fact that the entry does have subordinates.
Test043 passes, due to the fact that this attribute is missing from the root
entry in both the provider and the consumer.
Other entries with subordinates do include this attribute and its value is
correct in all the cases I examined.
Here is the snippet from tests/testrun/server1.flt:
dn: dc=example,dc=com
dc: example
objectClass: organization
objectClass: domainRelatedObject
objectClass: dcObject
l: Anytown, Michigan
st: Michigan
o: Example, Inc.
o: EX
o: Ex.
description: The Example, Inc. at Anytown
postalAddress: Example, Inc. $ 535 W. William St. $ Anytown, MI 48109 $ US
telephoneNumber: +1 313 555 1817
associatedDomain: example.com
structuralObjectClass: organization
entryUUID: e2d47ecc-f24a-102e-90fb-9f641f00f9d2
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20100512194705Z
entryCSN: 20100512194705.076849Z#000000#000#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20100512194705Z
contextCSN: 20100512194748.621773Z#000000#000#000000
entryDN: dc=example,dc=com
subschemaSubentry: cn=Subschema
The version of BDB in use here is 4.8.30, although I note this happens with
earlier releases of BDB as well.
Also of interest is the fact that this test fails on some platforms (e.g.
Windows), because the provider slapd correctly reports hasSubordinates=TRUE,
while the consumer omits the attribute entirely, in spite of the fact that
subordinate entries do exist on the consumer.
-Matt
Re: (ITS#6548) Many "connection_read(): no connection!" warnings when using ldapi:/// and a bind DN (no external authentication)
by online@mark.ziesemer.com
On Wed, May 12, 2010 at 10:05 AM, Howard Chu <hyc(a)symas.com> wrote:
> online(a)mark.ziesemer.com wrote:
>
>> Full_Name: Mark A. Ziesemer
>> Version: 2.4.21
>> OS: Ubuntu Linux 10.04
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (2001:470:1f11:3ae:4d6d:3d3e:faa6:ee3d)
>>
>>
>> Many "connection_read(): no connection!" warnings are written to /var/log/debug
>> and /var/log/syslog by slapd. As stated at
>> http://www.openldap.org/lists/openldap-software/200811/msg00079.html , this is
>> apparently not a problem with slapd, but a client that is disconnecting without
>> first unbinding.
>>
>
> This also happens when the connection manager queues up a thread to handle
> a "socket is readable" event on a socket that's in the process of closing.
> Pretty much unavoidable, when a lot of threads are active. I don't see this
> as a high enough priority to warrant fixing.
>
This was not happening under a high load, but with only 1-2 connections
active.
I might not have focused on it enough in the original report, but isn't this
looking like it is probably an issue with the libldap client library
(provided by OpenLDAP), rather than the slapd daemon? Looking at the
provided logs, it appears that no do_unbind request is received (not sent by
the client) when using ldapi:/// with a bind DN.
If it can't / won't be fixed, can the logging of the "connection_read(): no
connection!" event in slapd at least be demoted to a lower level so that it
doesn't fill the default logging output, without having to change the
overall configured logging level and potentially missing other logged events
that do require attention?
>> This appears to be an issue with the libldap client library provided by OpenLDAP
>> itself (2.4.21), and not the slapd daemon.
>>
>> Issue is reproducible even by just using "ldapsearch -H ldapi:///", but only if
>> a bind DN is specified (-D) and external authentication is not used.
>>
>> Running slapd with logging enabled (-d 8) shows the following 3 sequences -
>> ldapsearch command followed by the slapd logs. Note that the
>> "connection_read(): no connection!" is only visible on the middle pair.
>>
>>
>> $ ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ""
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> No such object (32)
>>
>> slap_listener_activate(9):
>> >>> slap_listener(ldapi:///)
>> connection_get(14): got connid=1000
>> connection_read(14): checking for input on id=1000
>> ber_get_next
>> ber_get_next: tag 0x30 len 24 contents:
>> op tag 0x60, time 1273546410
>> ber_get_next
>> conn=1000 op=0 do_bind
>> ber_scanf fmt ({imt) ber:
>> ber_scanf fmt ({m) ber:
>> ber_scanf fmt (m) ber:
>> ber_scanf fmt (}}) ber:
>> >>> dnPrettyNormal:<>
>> <<< dnPrettyNormal:<>,<>
>> do_bind: dn () SASL mech EXTERNAL
>> ==>slap_sasl2dn: converting SASL name
>> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
>> <==slap_sasl2dn: Converted SASL name to<nothing>
>> SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
>> send_ldap_sasl: err=0 len=-1
>> do_bind: SASL/EXTERNAL bind:
>> dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
>> send_ldap_response: msgid=1 tag=97 err=0
>> ber_flush2: 14 bytes to sd 14
>> <== slap_sasl_bind: rc=0
>> connection_get(14): got connid=1000
>> connection_read(14): checking for input on id=1000
>> ber_get_next
>> ber_get_next: tag 0x30 len 37 contents:
>> op tag 0x63, time 1273546410
>> ber_get_next
>> conn=1000 op=1 do_search
>> ber_scanf fmt ({miiiib) ber:
>> >>> dnPrettyNormal:<>
>> <<< dnPrettyNormal:<>,<>
>> ber_scanf fmt (m) ber:
>> ber_scanf fmt ({M}}) ber:
>> send_ldap_result: conn=1000 op=1 p=3
>> send_ldap_response: msgid=2 tag=101 err=32
>> ber_flush2: 14 bytes to sd 14
>> connection_get(14): got connid=1000
>> connection_read(14): checking for input on id=1000
>> ber_get_next
>> ber_get_next: tag 0x30 len 5 contents:
>> op tag 0x42, time 1273546410
>> ber_get_next
>> conn=1000 op=2 do_unbind
>> connection_close: conn=1000 sd=14
>>
>> $ ldapsearch -H ldapi:/// -D "cn=admin,dc=example,dc=com" -b "" -W
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>>
>> slap_listener_activate(9):
>> >>> slap_listener(ldapi:///)
>> connection_get(14): got connid=1001
>> connection_read(14): checking for input on id=1001
>> ber_get_next
>> ber_get_next: tag 0x30 len 44 contents:
>> op tag 0x60, time 1273546420
>> ber_get_next
>> conn=1001 op=0 do_bind
>> ber_scanf fmt ({imt) ber:
>> ber_scanf fmt (m}) ber:
>> >>> dnPrettyNormal:<cn=admin,dc=example,dc=com>
>> <<< dnPrettyNormal:<cn=admin,dc=example,dc=com>,<cn=admin,dc=example,dc=com>
>> do_bind: version=3 dn="cn=admin,dc=example,dc=com" method=128
>> send_ldap_result: conn=1001 op=0 p=3
>> send_ldap_response: msgid=1 tag=97 err=49
>> ber_flush2: 14 bytes to sd 14
>> connection_get(14): got connid=1001
>> connection_read(14): checking for input on id=1001
>> ber_get_next
>> ber_get_next on fd 14 failed errno=0 (Success)
>> connection_close: conn=1001 sd=14
>> connection_read(14): no connection!
>> connection_read(14): no connection!
>>
>> $ ldapsearch -H ldap:/// -D "cn=admin,dc=example,dc=com" -b "" -W
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>>
>> slap_listener_activate(8):
>> >>> slap_listener(ldap:///)
>> connection_get(14): got connid=1002
>> connection_read(14): checking for input on id=1002
>> ber_get_next
>> ber_get_next: tag 0x30 len 44 contents:
>> op tag 0x60, time 1273546425
>> ber_get_next
>> conn=1002 op=0 do_bind
>> ber_scanf fmt ({imt) ber:
>> ber_scanf fmt (m}) ber:
>> >>> dnPrettyNormal:<cn=admin,dc=example,dc=com>
>> <<< dnPrettyNormal:<cn=admin,dc=example,dc=com>,<cn=admin,dc=example,dc=com>
>> do_bind: version=3 dn="cn=admin,dc=example,dc=com" method=128
>> send_ldap_result: conn=1002 op=0 p=3
>> send_ldap_response: msgid=1 tag=97 err=49
>> ber_flush2: 14 bytes to sd 14
>> connection_get(14): got connid=1002
>> connection_read(14): checking for input on id=1002
>> ber_get_next
>> ber_get_next on fd 14 failed errno=0 (Success)
>> connection_close: conn=1002 sd=14
>>
>>
>>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
--
Mark A. Ziesemer
www.ziesemer.com
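The three slapd traces above differ in one detail that a plain grep for "no connection!" cannot see: connection 1000 sends do_unbind before the socket closes, connections 1001 and 1002 do not, and only 1001 is followed by the stray reads. The script below is an added example, not code from the ITS thread or from OpenLDAP. It walks slapd debug output of the kind quoted in the report, keeps per-connection state (operations seen, whether an unbind arrived before connection_close, and how many "no connection!" reads hit the same descriptor afterwards) and so lets an operator tell the disconnect-without-unbind case apart from the "socket readable while closing" race Howard describes, instead of lowering the log level for everything. The log lines it parses are constructed after the ones in the report; the regular expressions assume the line formats shown there.

```python
"""Attribute slapd "connection_read(): no connection!" warnings to connections.

Added example, not code from the ITS thread or from OpenLDAP.  Parses slapd
debug output in the form quoted in the report (-d 8 style lines) and, per
connection, records which operations were seen, whether the client sent an
unbind before the socket was closed, and how many stray "no connection!"
reads followed on the same descriptor.  The sample log is constructed after
the three sequences in the report.
"""
import re
from collections import defaultdict

# Line shapes assumed from the report; adjust if your slapd formats differ.
OP_RE = re.compile(r"conn=(\d+) op=\d+ (do_\w+)")
CLOSE_RE = re.compile(r"connection_close: conn=(\d+) sd=(\d+)")
NO_CONN_RE = re.compile(r"connection_read\((\d+)\): no connection!")


def analyse(lines):
    """Return {conn_id: {"ops": [...], "unbound": bool, "stray_reads": int}}."""
    ops = defaultdict(list)
    closed_on_fd = {}  # descriptor -> connection most recently closed on it
    summary = {}
    for line in lines:
        m = OP_RE.search(line)
        if m:
            ops[int(m.group(1))].append(m.group(2))
            continue
        m = CLOSE_RE.search(line)
        if m:
            conn, fd = int(m.group(1)), int(m.group(2))
            closed_on_fd[fd] = conn
            summary[conn] = {
                "ops": list(ops[conn]),
                "unbound": "do_unbind" in ops[conn],  # client unbound before close
                "stray_reads": 0,
            }
            continue
        m = NO_CONN_RE.search(line)
        if m:
            # "no connection!" names only the descriptor; attribute it to the
            # connection that was last closed on that descriptor.
            conn = closed_on_fd.get(int(m.group(1)))
            if conn is not None:
                summary[conn]["stray_reads"] += 1
    return summary


def closed_without_unbind(summary):
    """Connections that were closed without the client sending do_unbind."""
    return sorted(c for c, s in summary.items() if not s["unbound"])


# Constructed sample log modelled on the report's three ldapsearch runs.
SAMPLE_LOG = """\
connection_get(14): got connid=1000
conn=1000 op=0 do_bind
conn=1000 op=1 do_search
send_ldap_result: conn=1000 op=1 p=3
conn=1000 op=2 do_unbind
connection_close: conn=1000 sd=14
connection_get(14): got connid=1001
conn=1001 op=0 do_bind
send_ldap_response: msgid=1 tag=97 err=49
ber_get_next on fd 14 failed errno=0 (Success)
connection_close: conn=1001 sd=14
connection_read(14): no connection!
connection_read(14): no connection!
connection_get(14): got connid=1002
conn=1002 op=0 do_bind
ber_get_next on fd 14 failed errno=0 (Success)
connection_close: conn=1002 sd=14
""".splitlines()

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for conn, s in sorted(report.items()):
        print(f"conn={conn} ops={s['ops']} unbound={s['unbound']} stray_reads={s['stray_reads']}")
    print("closed without unbind:", closed_without_unbind(report))
```

In the constructed data this reproduces the report's observation: only the ldapi:/// bind with a DN (conn 1001) leaves "no connection!" reads behind, even though conn 1002 over ldap:/// also ends without an unbind.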