openldap-bugs January 2011

openldap-bugs@openldap.org

36 participants
177 discussions

Re: (ITS#6810) slapd crashes writing to bdb backend
by quanah＠zimbra.com 31 Jan '11

31 Jan '11

--On Friday, January 28, 2011 9:47 AM +0000 bruno_haleblian(a)carrefour.com wrote: > Full_Name: Bruno HALEBLIAN > Version: 2.4.23 > OS: RHEL 5.5/64 bits > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (92.243.12.111) > > > Hello, > I'm stuck with "random" slapd crashes, my slapd has been tested > successfully in read mode but since I run updates, I get several crashes > a day, with no BDB corruption (recover and restart OK) but I can't let > this go to production stage. > > Here's the first core stack I caught, I'll send more if I meet different > ones. > > Thanks for your help. Hi Bruno, What type of filesystem is BDB located on? I.e., NFS, ext3, SAN, etc. Also, what version of BDB are you using from Oracle? Can you provide your configuration file/cn=config directory (minus any passwords)? Thanks, Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: (ITS#6816) Patch - Mozilla NSS - documentation changes
by quanah＠zimbra.com 31 Jan '11

31 Jan '11

--On Monday, January 31, 2011 9:04 PM +0000 hyc(a)symas.com wrote: > rmeggins(a)redhat.com wrote: >> Full_Name: Rich Megginson >> Version: 2.4.23 (current CVS HEAD) >> OS: RHEL6 >> URL: >> ftp://ftp.openldap.org/incoming/openldap-2.4.23-add-moznss-to-docs-20110 >> 130.patch Submission from: (NULL) (76.113.111.209) >> >> >> This adds documentation for Mozilla NSS. Man page TLS settings and >> directives, and Admin Guide. I tested the man pages, but I wasn't sure >> how to generate the docs from the .sdf files - hopefully they will work >> ok without extensive changes. > > Thanks, just needed some minor touch up. With this in place I've decided > we're ready to advertise support for Mozilla NSS now, so I've rolled in > the configure.in patch (from ITS#5698) into RE24. technically, ITS#5696, if anyone is tracking this bug. :P --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: (ITS#6816) Patch - Mozilla NSS - documentation changes
by hyc＠symas.com 31 Jan '11

31 Jan '11

rmeggins(a)redhat.com wrote: > Full_Name: Rich Megginson > Version: 2.4.23 (current CVS HEAD) > OS: RHEL6 > URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-add-moznss-to-docs-20110130… > Submission from: (NULL) (76.113.111.209) > > > This adds documentation for Mozilla NSS. Man page TLS settings and directives, > and Admin Guide. I tested the man pages, but I wasn't sure how to generate the > docs from the .sdf files - hopefully they will work ok without extensive > changes. Thanks, just needed some minor touch up. With this in place I've decided we're ready to advertise support for Mozilla NSS now, so I've rolled in the configure.in patch (from ITS#5698) into RE24. > These patch files are derived from OpenLDAP Software. All of the > modifications to OpenLDAP Software represented in the following > patch(es) were developed by Red Hat. Red Hat has not assigned rights > and/or interest in this work to any party. I, Rich Megginson am > authorized by Red Hat, my employer, to release this work under the > following terms. > > Red Hat hereby place the following modifications to OpenLDAP Software > (and only these modifications) into the public domain. Hence, these > modifications may be freely used and/or redistributed for any purpose > with or without attribution and/or other notice. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#6818) back-meta: do not denormalize attrs without equality rule
by masarati＠aero.polimi.it 31 Jan '11

31 Jan '11

Full_Name: Pierangelo Masarati Version: HEAD/re24 OS: irrelevant URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2.40.14.92) Submitted by: ando A fix is coming. p.

1 0

(ITS#6817) idassert-bind with SASL issues
by masarati＠aero.polimi.it 31 Jan '11

31 Jan '11

Full_Name: Pierangelo Masarati Version: HEAD/re24 OS: irrelevant URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2.40.14.92) Submitted by: ando When idassert-bind is configured to use SASL bind, an "authcID" needs to be provided, while the "binddn" is not needed. However, if a "binddn" is not provided as well, in some cases the proxiedAuthz control may be used incorrectly. The need to configure the "binddn" is not documented, so this ITS is minimally addressed by documenting this requirement. If the "binddn" is provided, everything works as expected, with the only minor issue that the DN of the user as it is known to back-meta may not match the actual identity the "authcID" assumed on the remote server. The "right" way to address this problem consists in performing a "WhoAmI" (RFC 4532) right after the bind, or better use a "authorization identity control" (RFC 3829) along with the bind operation. Both approaches should be implemented, but they should not be used unless explicitly requested. p.

1 0

(ITS#6816) Patch - Mozilla NSS - documentation changes
by rmeggins＠redhat.com 31 Jan '11

31 Jan '11

Full_Name: Rich Megginson Version: 2.4.23 (current CVS HEAD) OS: RHEL6 URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-add-moznss-to-docs-20110130… Submission from: (NULL) (76.113.111.209) This adds documentation for Mozilla NSS. Man page TLS settings and directives, and Admin Guide. I tested the man pages, but I wasn't sure how to generate the docs from the .sdf files - hopefully they will work ok without extensive changes. These patch files are derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat. Red Hat has not assigned rights and/or interest in this work to any party. I, Rich Megginson am authorized by Red Hat, my employer, to release this work under the following terms. Red Hat hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

1 0

Re: (ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth
by subbarao＠computer.org 31 Jan '11

31 Jan '11

This is a multi-part message in MIME format. --------------090509020601080703090604 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit On 01/28/2011 08:27 PM, Howard Chu wrote: >> I'm running into multiple problems here. The core problem seems to be >> that enabling ppolicy_forward_updates breaks the chaining overlay such that >> it binds anonymously instead of with SASL EXTERNAL. > > That's because your authz-regexp is wrong. You mapped "cn=localhost" but > when using SASL EXTERNAL, the user's DN is the complete certificate DN. > In your case, "cn=localhost,o=OpenLDAP,st=Some-State,c=US" > > The reason this didn't break replication is because in this test, > everything has anonymous read access so the consumer was able to pull > what it needed. Hmm, I'm not quite seeing what you're saying here. For example, in slapd.1.log, *before* ppolicy_forward_updates (olcPPolicyForwardUpdates) is enabled, I can see the certificate being mapped exactly as I expect it: ===== ==> rewrite_context_apply [depth=1] res={0,'cn=localhost,dc=example,dc=com'} [rw] authid: "cn=localhost,o=openldap,st=some-state,c=us" -> "cn=localhost,dc=example,dc=com" [...] <==slap_sasl2dn: Converted SASL name to cn=localhost,dc=example,dc=com slap_sasl_getdn: dn:id converted to cn=localhost,dc=example,dc=com SASL Canonicalize [conn=1004]: slapAuthcDN="cn=localhost,dc=example,dc=com" SASL proxy authorize [conn=1004]: authcid="cn=localhost,o=openldap,st=some-state,c=us" authzid="cn=localhost,o=openldap,st=some-state,c=us" conn=1004 op=1 BIND authcid="cn=localhost,o=openldap,st=some-state,c=us" authzid="cn=localhost,o=openldap,st=some-state,c=us" SASL Authorize [conn=1004]: proxy authorization allowed authzDN="" send_ldap_sasl: err=0 len=-1 conn=1004 op=1 BIND dn="cn=localhost,dc=example,dc=com" mech=EXTERNAL sasl_ssf=0 ssf=256 do_bind: SASL/EXTERNAL bind: dn="cn=localhost,dc=example,dc=com" sasl_ssf=0 ===== Based on this, I'm assuming that my authz-regexp is behaving as I'm intending -- looking for a certificate with "cn=localhost" anywhere in the subject DN, and mapping that to the DN cn=localhost,dc=example,dc=com in the directory. It's only *after* olcPPolicyForwardUpdates is enabled that the SASL EXTERNAL authentication stops working. Can you help me understand the disconnect between what I'm seeing and what you're saying? > I didn't get this far because your test certificate is now expired. I > guess I can substitute some other certs and look at it again, but I > think the core issue is your misconfigured authz-regexp. I have updated the expiration date on the certificate and have attached it to this message. > Better to rename your scripts when you modify one of our existing ones. > E.g. test999-xxxxxx and just create new data files instead of modifying > ours. Ok, will keep this in mind. Thanks, -Kartik --------------090509020601080703090604 Content-Type: text/plain; name="localhost.crt" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="localhost.crt" -----BEGIN CERTIFICATE----- MIICCTCCAXICCQC1gKCIQ2we4DANBgkqhkiG9w0BAQUFADBJMQswCQYDVQQGEwJV UzETMBEGA1UECBMKU29tZS1TdGF0ZTERMA8GA1UEChMIT3BlbkxEQVAxEjAQBgNV BAMTCWxvY2FsaG9zdDAeFw0xMTAxMzExNjE1NTdaFw0xMjAxMzExNjE1NTdaMEkx CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMREwDwYDVQQKEwhPcGVu TERBUDESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB iQKBgQCqZU3fA/o/y5gHXxm0JpdMoV64LAOIPgcZTHv4+OkVjoW2gMHT8AMerJzk Cr07y1JjfeqV1c7sZl6+aqC3H+HLs0cCtXFKPFY9FmoehO9KBksDaH5o2f7h104r s/xg2cNTDy1dFFJUzMWQIc8TU7+GpjS3gP0/9gNlIyiLdio9LwIDAQABMA0GCSqG SIb3DQEBBQUAA4GBAGFeVSjX4ZjLmrU7oob4CyoWO2ekeVyldWLjVOUCyeSMae3n I1/kQ5AbGrJdtQQeLyRhIQKUM2a1AqjPLW1QKPXHnHnbsnzuWmC2C9fIw1C3o0yZ UBsxlqoA7K486qeyAb6bUO5X2JD2rOng+HL/pgKlo9h8dW23tWj4CEUMepOh -----END CERTIFICATE----- --------------090509020601080703090604--

1 0

Re: (ITS#6806) Invalid ldapadd crashes openldap with ndb backend
by anderson＠vailsys.com 31 Jan '11

31 Jan '11

I thought I had attached the backtrace when I opened this, sorry. Here is the backtrack from 2.4.23. Compile Options: ./configure --enable-ndb --enable-passwd --enable-modules --enable-slp --enable-crypt --enable-overlays --enable-dynamic --enable-syslog --enable-debug --enable-auditlog --disable-cleartext --enable-wrappers --enable-ppolicy mysql-cluster-gpl-7.1.9a binary distribution from oracle. Line 339 in NdbTransaction.cpp didn't refer to a file that I saw. Let me know if anything else is needed. #0 NdbTransaction::execute (this=0x7fa1ae235659, aTypeOfExec=NdbTransaction::Rollback, abortOption=NdbOperation::DefaultAbortOption, forceSend=0) at NdbTransaction.cpp:339 339 NdbTransaction.cpp: No such file or directory. in NdbTransaction.cpp (gdb) bt #0 NdbTransaction::execute (this=0x7fa1ae235659, aTypeOfExec=NdbTransaction::Rollback, abortOption=NdbOperation::DefaultAbortOption, forceSend=0) at NdbTransaction.cpp:339 #1 0x00000000004f8608 in ndb_back_add () #2 0x000000000043ce34 in fe_op_add () #3 0x000000000043d695 in do_add () #4 0x0000000000435dd9 in ?? () #5 0x000000000043662d in ?? () #6 0x00007fa1b0f43538 in ldap_int_thread_pool_wrapper (xpool=<value optimized out>) at tpool.c:685 #7 0x00007fa1af7729ca in start_thread () from /lib/libpthread.so.0 #8 0x00007fa1ae27a70d in clone () from /lib/libc.so.6 #9 0x0000000000000000 in ?? () > As always, when you get a core dump, post the gdb backtrace of the dump. Use > the most recent release version, and make sure you use a non-optimized debug > build with all debug symbols intact. All of these instructions are written on > the page where you submit new Issues. >

1 0

Re: (ITS#6684) Patch for autogroup overlay
by moenoel＠informatik.uni-bremen.de 31 Jan '11

31 Jan '11

Am 29.01.2011 21:10, schrieb hyc(a)symas.com: > moenoel(a)informatik.uni-bremen.de wrote: >>> 1) it should simply be comparing the AttributeDescription pointers >>> 2) since the "memberof" attribute is actually configurable in the memberof >>> overlay, there's no guarantee that this is the correct attribute to be looking >>> for. It should also be configurable in your patch. >>> >>> You're using strcasecmp, but your inputs are already normalized values. You >>> should just use ber_bvcmp. >>> >> >> Since I am also interested in this, I took some time to make a new >> patch. I took Norberts original patch, applied it to a current checkout >> from HEAD and tried to fix the issues mentioned by Howard. My initial >> tests are looking good. >> >> My C skills are rather mediocre, though, so I hope I didn't slaughter >> the thing :-) >> >> http://www.informatik.uni-bremen.de/~moenoel/ldap/christian-manal-autogroup… > > This patch looks pretty good. There are only one or two minor issues with it, > which I will clean up. (E.g., config actions require no mutexes; slapd is > always single-threaded when processing config changes.) > Great, thanks!

1 0

ITS#6815
by masarati＠aero.polimi.it 30 Jan '11

30 Jan '11

> This request is spotted by some ldap clients that I have that every > 30seconds do a dummy ldap search only to keep alive their connection > to the ldap server. These searches are frequent and I have many of > these clients in my deploy, so my accesslog become full of not > significant entries. For this specific purpose, your clients could perform an operation that is not logged; for example, search the rootDSE. p.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs January 2011