Re: (ITS#6810) slapd crashes writing to bdb backend
by quanah@zimbra.com
--On Friday, January 28, 2011 9:47 AM +0000 bruno_haleblian(a)carrefour.com
wrote:
> Full_Name: Bruno HALEBLIAN
> Version: 2.4.23
> OS: RHEL 5.5/64 bits
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (92.243.12.111)
>
>
> Hello,
> I'm stuck with "random" slapd crashes, my slapd has been tested
> successfully in read mode but since I run updates, I get several crashes
> a day, with no BDB corruption (recover and restart OK) but I can't let
> this go to production stage.
>
> Here's the first core stack I caught, I'll send more if I meet different
> ones.
>
> Thanks for your help.
Hi Bruno,
What type of filesystem is BDB located on? I.e., NFS, ext3, SAN, etc.
Also, what version of BDB are you using from Oracle? Can you provide your
configuration file/cn=config directory (minus any passwords)?
Thanks,
Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: (ITS#6816) Patch - Mozilla NSS - documentation changes
by quanah@zimbra.com
--On Monday, January 31, 2011 9:04 PM +0000 hyc(a)symas.com wrote:
> rmeggins(a)redhat.com wrote:
>> Full_Name: Rich Megginson
>> Version: 2.4.23 (current CVS HEAD)
>> OS: RHEL6
>> URL:
>> ftp://ftp.openldap.org/incoming/openldap-2.4.23-add-moznss-to-docs-20110130.patch
>> Submission from: (NULL) (76.113.111.209)
>>
>>
>> This adds documentation for Mozilla NSS. Man page TLS settings and
>> directives, and Admin Guide. I tested the man pages, but I wasn't sure
>> how to generate the docs from the .sdf files - hopefully they will work
>> ok without extensive changes.
>
> Thanks, just needed some minor touch up. With this in place I've decided
> we're ready to advertise support for Mozilla NSS now, so I've rolled in
> the configure.in patch (from ITS#5698) into RE24.
technically, ITS#5696, if anyone is tracking this bug. :P
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: (ITS#6816) Patch - Mozilla NSS - documentation changes
by hyc@symas.com
rmeggins(a)redhat.com wrote:
> Full_Name: Rich Megginson
> Version: 2.4.23 (current CVS HEAD)
> OS: RHEL6
> URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-add-moznss-to-docs-201101...
> Submission from: (NULL) (76.113.111.209)
>
>
> This adds documentation for Mozilla NSS. Man page TLS settings and directives,
> and Admin Guide. I tested the man pages, but I wasn't sure how to generate the
> docs from the .sdf files - hopefully they will work ok without extensive
> changes.
Thanks, just needed some minor touch up. With this in place I've decided we're
ready to advertise support for Mozilla NSS now, so I've rolled in the
configure.in patch (from ITS#5698) into RE24.
> These patch files are derived from OpenLDAP Software. All of the
> modifications to OpenLDAP Software represented in the following
> patch(es) were developed by Red Hat. Red Hat has not assigned rights
> and/or interest in this work to any party. I, Rich Megginson am
> authorized by Red Hat, my employer, to release this work under the
> following terms.
>
> Red Hat hereby places the following modifications to OpenLDAP Software
> (and only these modifications) into the public domain. Hence, these
> modifications may be freely used and/or redistributed for any purpose
> with or without attribution and/or other notice.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
(ITS#6817) idassert-bind with SASL issues
by masarati@aero.polimi.it
Full_Name: Pierangelo Masarati
Version: HEAD/re24
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2.40.14.92)
Submitted by: ando
When idassert-bind is configured to use SASL bind, an "authcID" needs to be
provided, while the "binddn" is not needed. However, if a "binddn" is not
provided as well, in some cases the proxiedAuthz control may be used
incorrectly. The need to configure the "binddn" is not documented, so this ITS
is minimally addressed by documenting this requirement.
If the "binddn" is provided, everything works as expected, with the only minor
issue that the DN of the user as it is known to back-meta may not match the
actual identity the "authcID" assumed on the remote server. The "right" way to
address this problem consists in performing a "WhoAmI" (RFC 4532) right after
the bind, or better use a "authorization identity control" (RFC 3829) along with
the bind operation. Both approaches should be implemented, but they should not
be used unless explicitly requested.
p.
(ITS#6816) Patch - Mozilla NSS - documentation changes
by rmeggins@redhat.com
Full_Name: Rich Megginson
Version: 2.4.23 (current CVS HEAD)
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-add-moznss-to-docs-201101...
Submission from: (NULL) (76.113.111.209)
This adds documentation for Mozilla NSS. Man page TLS settings and directives,
and Admin Guide. I tested the man pages, but I wasn't sure how to generate the
docs from the .sdf files - hopefully they will work ok without extensive
changes.
These patch files are derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the following
patch(es) were developed by Red Hat. Red Hat has not assigned rights
and/or interest in this work to any party. I, Rich Megginson am
authorized by Red Hat, my employer, to release this work under the
following terms.
Red Hat hereby places the following modifications to OpenLDAP Software
(and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose
with or without attribution and/or other notice.
Re: (ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth
by subbarao@computer.org
On 01/28/2011 08:27 PM, Howard Chu wrote:
>> I'm running into multiple problems here. The core problem seems to be
>> that enabling ppolicy_forward_updates breaks the chaining overlay such that
>> it binds anonymously instead of with SASL EXTERNAL.
>
> That's because your authz-regexp is wrong. You mapped "cn=localhost" but
> when using SASL EXTERNAL, the user's DN is the complete certificate DN.
> In your case, "cn=localhost,o=OpenLDAP,st=Some-State,c=US"
>
> The reason this didn't break replication is because in this test,
> everything has anonymous read access so the consumer was able to pull
> what it needed.
Hmm, I'm not quite seeing what you're saying here. For example, in
slapd.1.log, *before* ppolicy_forward_updates (olcPPolicyForwardUpdates)
is enabled, I can see the certificate being mapped exactly as I expect it:
=====
==> rewrite_context_apply [depth=1] res={0,'cn=localhost,dc=example,dc=com'}
[rw] authid: "cn=localhost,o=openldap,st=some-state,c=us" ->
"cn=localhost,dc=example,dc=com"
[...]
<==slap_sasl2dn: Converted SASL name to cn=localhost,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=localhost,dc=example,dc=com
SASL Canonicalize [conn=1004]: slapAuthcDN="cn=localhost,dc=example,dc=com"
SASL proxy authorize [conn=1004]:
authcid="cn=localhost,o=openldap,st=some-state,c=us"
authzid="cn=localhost,o=openldap,st=some-state,c=us"
conn=1004 op=1 BIND authcid="cn=localhost,o=openldap,st=some-state,c=us"
authzid="cn=localhost,o=openldap,st=some-state,c=us"
SASL Authorize [conn=1004]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
conn=1004 op=1 BIND dn="cn=localhost,dc=example,dc=com" mech=EXTERNAL
sasl_ssf=0 ssf=256
do_bind: SASL/EXTERNAL bind: dn="cn=localhost,dc=example,dc=com" sasl_ssf=0
=====
Based on this, I'm assuming that my authz-regexp is behaving as I'm
intending -- looking for a certificate with "cn=localhost" anywhere in
the subject DN, and mapping that to the DN
cn=localhost,dc=example,dc=com in the directory.
It's only *after* olcPPolicyForwardUpdates is enabled that the SASL
EXTERNAL authentication stops working.
Can you help me understand the disconnect between what I'm seeing and
what you're saying?
> I didn't get this far because your test certificate is now expired. I
> guess I can substitute some other certs and look at it again, but I
> think the core issue is your misconfigured authz-regexp.
I have updated the expiration date on the certificate and have attached
it to this message.
> Better to rename your scripts when you modify one of our existing ones.
> E.g. test999-xxxxxx and just create new data files instead of modifying
> ours.
Ok, will keep this in mind.
Thanks,
-Kartik
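As an added illustration (not code from this thread or from OpenLDAP), the following Python emulates how an authz-regexp rule rewrites the SASL EXTERNAL authcid shown in the log excerpt above, and runs a simple check over BIND log lines that flags connections which ended up bound anonymously, the symptom Kartik describes. The rules and the second log line are constructed for the example.

```python
import re

# Constructed authz-regexp rules in slapd's form: a regex over the normalized
# SASL authcid and a replacement using $N back-references.  The first rule
# matches the complete certificate DN seen in the log; the second matches any
# cn=... subject and is only here to show how a broader rule behaves.
RULES = [
    (r"^cn=localhost,o=openldap,st=some-state,c=us$",
     "cn=localhost,dc=example,dc=com"),
    (r"^cn=([^,]+),.*$", "cn=$1,dc=example,dc=com"),
]

def authz_map(rules, authcid):
    """Emulate authz-regexp: first matching rule wins; None if nothing matches."""
    for pattern, template in rules:
        m = re.match(pattern, authcid, re.IGNORECASE)
        if m:
            # slapd writes $1, $2 ...; Python's re.expand wants \1, \2 ...
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", template))
    return None

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"(?: mech=(\S+))?')

def anonymous_binds(lines):
    """Return the conn ids whose BIND resolved to an empty (anonymous) DN."""
    found = []
    for line in lines:
        m = BIND_RE.search(line)
        if m and m.group(2) == "":
            found.append(m.group(1))
    return found

# Constructed sample: the first line is the successful EXTERNAL bind from the
# log excerpt above; the second is an invented anonymous simple bind.
SAMPLE_LOG = [
    'conn=1004 op=1 BIND dn="cn=localhost,dc=example,dc=com" mech=EXTERNAL sasl_ssf=0 ssf=256',
    'conn=1005 op=0 BIND dn="" method=128',
]

if __name__ == "__main__":
    print(authz_map(RULES, "cn=localhost,o=openldap,st=some-state,c=us"))
    print(anonymous_binds(SAMPLE_LOG))
```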
Re: (ITS#6806) Invalid ldapadd crashes openldap with ndb backend
by anderson@vailsys.com
I thought I had attached the backtrace when I opened this, sorry. Here
is the backtrace from 2.4.23.
Compile Options: ./configure --enable-ndb --enable-passwd
--enable-modules --enable-slp --enable-crypt --enable-overlays
--enable-dynamic --enable-syslog --enable-debug --enable-auditlog
--disable-cleartext --enable-wrappers --enable-ppolicy
mysql-cluster-gpl-7.1.9a binary distribution from oracle.
Line 339 in NdbTransaction.cpp didn't refer to a file that I saw. Let me
know if anything else is needed.
#0 NdbTransaction::execute (this=0x7fa1ae235659,
aTypeOfExec=NdbTransaction::Rollback,
abortOption=NdbOperation::DefaultAbortOption, forceSend=0)
at NdbTransaction.cpp:339
339 NdbTransaction.cpp: No such file or directory.
in NdbTransaction.cpp
(gdb) bt
#0 NdbTransaction::execute (this=0x7fa1ae235659,
aTypeOfExec=NdbTransaction::Rollback,
abortOption=NdbOperation::DefaultAbortOption, forceSend=0)
at NdbTransaction.cpp:339
#1 0x00000000004f8608 in ndb_back_add ()
#2 0x000000000043ce34 in fe_op_add ()
#3 0x000000000043d695 in do_add ()
#4 0x0000000000435dd9 in ?? ()
#5 0x000000000043662d in ?? ()
#6 0x00007fa1b0f43538 in ldap_int_thread_pool_wrapper (xpool=<value
optimized out>) at tpool.c:685
#7 0x00007fa1af7729ca in start_thread () from /lib/libpthread.so.0
#8 0x00007fa1ae27a70d in clone () from /lib/libc.so.6
#9 0x0000000000000000 in ?? ()
> As always, when you get a core dump, post the gdb backtrace of the dump. Use
> the most recent release version, and make sure you use a non-optimized debug
> build with all debug symbols intact. All of these instructions are written on
> the page where you submit new Issues.
>
Re: (ITS#6684) Patch for autogroup overlay
by moenoel@informatik.uni-bremen.de
Am 29.01.2011 21:10, schrieb hyc(a)symas.com:
> moenoel(a)informatik.uni-bremen.de wrote:
>>> 1) it should simply be comparing the AttributeDescription pointers
>>> 2) since the "memberof" attribute is actually configurable in the memberof
>>> overlay, there's no guarantee that this is the correct attribute to be looking
>>> for. It should also be configurable in your patch.
>>>
>>> You're using strcasecmp, but your inputs are already normalized values. You
>>> should just use ber_bvcmp.
>>>
>>
>> Since I am also interested in this, I took some time to make a new
>> patch. I took Norberts original patch, applied it to a current checkout
>> from HEAD and tried to fix the issues mentioned by Howard. My initial
>> tests are looking good.
>>
>> My C skills are rather mediocre, though, so I hope I didn't slaughter
>> the thing :-)
>>
>> http://www.informatik.uni-bremen.de/~moenoel/ldap/christian-manal-autogro...
>
> This patch looks pretty good. There are only one or two minor issues with it,
> which I will clean up. (E.g., config actions require no mutexes; slapd is
> always single-threaded when processing config changes.)
>
Great, thanks!
ITS#6815
by masarati@aero.polimi.it
> This request is spotted by some ldap clients that I have that every
> 30seconds do a dummy ldap search only to keep alive their connection
> to the ldap server. These searches are frequent and I have many of
> these clients in my deploy, so my accesslog become full of not
> significant entries.
For this specific purpose, your clients could perform an operation that is
not logged; for example, search the rootDSE.
p.