openldap-bugs December 2011

openldap-bugs@openldap.org

20 participants
34 discussions

Re: (ITS#7117) Documentation typo
by hyc＠symas.com 27 Dec '11

27 Dec '11

hydrapolic(a)gmail.com wrote: > Full_Name: hydra > Version: 2.4 > OS: Any > URL: http://www.openldap.org/doc/admin24/slapdconf2.html > Submission from: (NULL) (195.91.56.62) > > > Table 5.1: Debugging Levels > trace function callss Thanks, fixed now in git master. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7116) pwdAccountLockedTime not honoured by PAM
by hyc＠symas.com 27 Dec '11

27 Dec '11

rajnesh.siwal(a)gmail.com wrote: > Full_Name: Rajnesh Siwal > Version: 2.4.21-0ubuntu5.6 > OS: Ubuntu 10.4 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (122.180.141.110) > > > The user account has been locked by the parameter "pwdAccountLockedTime" and > still we are able to login into the linux servers (LDAP clients) using the LDAP > credentials. > Please suggest what the reason could be. The ITS is for actual bug reports, not help requests. Please post your question to the openldap-technical mailing list. This ITS will be closed. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7118) [PATCH] Improve SASL plugin handling
by thomas＠koeller.dyndns.org 26 Dec '11

26 Dec '11

Full_Name: Thomas Koeller Version: 2.4.28 OS: Linux x86_64 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (80.171.14.55) I had a problem with slapd always segfaulting. A little debugging revealed that slapd allocated the thread-safe version of 'struct ldapoptions', since it is linked with libldap_r.so. However, the destructor function ldap_int_destroy_global_options() invoked during cleanup seemed to be the non-threadsafe version which assumes a different layout of 'struct ldapoptions' (the ldo_mutex field is missing). I noticed that that SASL loaded all its plugins, including the 'ldapdb' module which is present in my SASL installation, and that ldapdb.so was linked against the non-threadsafe libldap.so. I still do not quite understand the exact reason why this confusion arose, because AFAIK theoretically both libraries should be able to co-exist. However, I did not investigate that problem any further, because I think that loading all sasl plugins is just wrong, because slapd only uses its own internal auxprop module and does not need any of them. I tried the proposed method of excluding ldapdb by having a slapd.conf file containing 'pwcheck_method: auxprop' and 'auxprop_plugin: slapd',but that did not improve anything. I therefore changed slapd to no longer load any sasl plugins whatsoever. With this change, everything works fine. Btw., my SASL installation is cyrus-sasl-2.1.25. Here is the patch I created, along with the required legalese: The inlined patch below is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Thomas Koeller <thomas(a)koeller.dyndns.org>. I have not assigned rights and/or interest in this work to any party. I, Thomas Koeller, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. diff -brpu openldap-2.4.28-orig/servers/slapd/sasl.c openldap-2.4.28/servers/slapd/sasl.c --- openldap-2.4.28-orig/servers/slapd/sasl.c 2011-11-25 19:52:29.000000000 +0100 +++ openldap-2.4.28/servers/slapd/sasl.c 2011-12-26 15:40:14.000000000 +0100 @@ -67,6 +67,16 @@ char *slap_sasl_auxprops; #ifdef HAVE_CYRUS_SASL +/* Do not load any plugin modules, only use internal auxprop */ +static int +slap_sasl_verifyfile( + void *context, + const char *file, + sasl_verify_type_t type) +{ + return type == SASL_VRFY_PLUGIN ? SASL_CONTINUE : SASL_OK; +} + /* Just use our internal auxprop by default */ static int slap_sasl_getopt( @@ -1111,6 +1121,7 @@ int slap_sasl_init( void ) static sasl_callback_t server_callbacks[] = { { SASL_CB_LOG, &slap_sasl_log, NULL }, { SASL_CB_GETOPT, &slap_sasl_getopt, NULL }, + { SASL_CB_VERIFYFILE, &slap_sasl_verifyfile, NULL }, { SASL_CB_LIST_END, NULL, NULL } }; #endif

1 0

(ITS#7117) Documentation typo
by hydrapolic＠gmail.com 26 Dec '11

26 Dec '11

Full_Name: hydra Version: 2.4 OS: Any URL: http://www.openldap.org/doc/admin24/slapdconf2.html Submission from: (NULL) (195.91.56.62) Table 5.1: Debugging Levels trace function callss

1 0

(ITS#7116) pwdAccountLockedTime not honoured by PAM
by rajnesh.siwal＠gmail.com 26 Dec '11

26 Dec '11

Full_Name: Rajnesh Siwal Version: 2.4.21-0ubuntu5.6 OS: Ubuntu 10.4 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (122.180.141.110) The user account has been locked by the parameter "pwdAccountLockedTime" and still we are able to login into the linux servers (LDAP clients) using the LDAP credentials. Please suggest what the reason could be.

1 0

Re: (ITS#7045) "ldapsearch -Z" should continue using TLS one cert mis-match
by bgmilne＠staff.telkomsa.net 21 Dec '11

21 Dec '11

On Monday, 19 September 2011 02:41:30 Jason_Haar(a)trimble.com wrote: > > (I'm using ldapsearch to dump Active Directory LDAP data via the DNS > round-robin entry for the domain name: as such the LDAP host *never* > matches the hostname DNS round-robin gives back - and I don't care - I > just don't want the network group sniffing my password ;-) Then your 'Active Directory' servers should have subjectAltName extensions for the DNS round-robin hostname ...

1 0

Re: (ITS#7114) Password synchronization is not working
by quanah＠zimbra.com 20 Dec '11

20 Dec '11

--On Tuesday, December 20, 2011 4:02 PM +0000 venkata.udumula(a)yahoo.co.in wrote: > Full_Name: venkata reddy > Version: 2.4.26 > OS: Windows server 2008 R2 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (170.252.70.4) The ITS System is for bug reports, not help with how to use openldap. The proper forum for your question is to use the openldap-technical(a)openldap.org mailing list. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#7114) Password synchronization is not working
by venkata.udumula＠yahoo.co.in 20 Dec '11

20 Dec '11

Full_Name: venkata reddy Version: 2.4.26 OS: Windows server 2008 R2 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (170.252.70.4) Hi, I am setting up a Forefront Identity Manager (FIM) infrastructure. I installed the FIM software. Our Active Directory is already exists. And I have to use another LDAP system for testing the my FIM setup. I chose OpenLDAP for Windows, as i am comfortable with only windows applications. I am assuming that your Tech support team would have some idea of what FIM does. I have setup the management agents on the FIM synchronize server to FIM, AD and OpenLDAP. For FIM and AD management agents are available by default in the FIM synchronization server. But for OpenLDAP i used OpenLDAP XMA management agent provided by sourceforge. With the management agents I am able to move the user and group objects between all the systems successfully. When a new user is created the password is moved to the OpenLDAP system successfully. But when I change the password in the FIM portal, it should automatically update it in all the systems. It is updating in the FIM and AD. But not in OpenLDAP. I am not aware of any configuration settings I have to change to make it work in OpenLDAP. Could you please help me resolving this issue? At the time of installation instead of using the default port numbers I used 50000 for LDAP and 50001 for LDAPS. Is it a problem? Thanks,

1 0

Re: (ITS#7107) cn=config syncrepl fails with "controls require LDAPv3" on bound v3 connection
by hume-ol＠bofh.ca 19 Dec '11

19 Dec '11

On 12/15/11 11:14 PM, Howard Chu wrote: > > A fix for this is in git master, please test. > Built and deployed, I've allowed to run for 72h and problem has yet to show. I believe this particular bug has been squashed.

1 0

(ITS#7113) broken read-only replica results in assertion failure and crash on master slapd process
by kacarstensen＠csupomona.edu 19 Dec '11

19 Dec '11

Full_Name: Kevan Carstensen Version: 2.4.28 OS: gentoo linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (134.71.248.23) During a heavy update load, replication from our master to one of our read-only ldap replicas started failing due to locking errors on the replica. Dec 14 04:01:08 pip-dev slapd[12645]: bdb(dc=csupomona,dc=edu): Lock table is out of available lock entries Dec 14 04:01:08 pip-dev slapd[12645]: => bdb_idl_delete_key: c_get failed: Cannot allocate memory (12) Dec 14 04:01:08 pip-dev slapd[12645]: conn=-1 op=0: attribute "memberUid" index delete failure Dec 14 04:01:08 pip-dev slapd[12645]: null_callback : error code 0x50 Dec 14 04:01:08 pip-dev slapd[12645]: syncrepl_entry: rid=001 be_modify failed (80) Dec 14 04:01:08 pip-dev slapd[12645]: do_syncrepl: rid=001 rc 80 retrying (these are due to an incorrect DB_CONFIG on the replica and are not related to this issue; I include them in case their impact on how/when the replica connects to the master are important) After about ten minutes of the replica trying and failing to start its syncrepl again, the master slapd crashed. Nothing in the master slapd logs specifically references the crash or indicates why it happened. Shortly after the replica broke, some unusual messages started showing up in the logs on the master: Dec 14 03:50:11 fosse slapd[22596]: connection_read(65): no connection! Dec 14 03:50:22 fosse slapd[22596]: send_search_entry: conn 7535053 ber write failed. Dec 14 03:50:32 fosse slapd[22596]: send_search_entry: conn 7535061 ber write failed. Dec 14 03:50:42 fosse slapd[22596]: send_search_entry: conn 7535065 ber write failed. Dec 14 03:50:56 fosse slapd[22596]: send_search_entry: conn 7535068 ber write failed. Dec 14 03:51:06 fosse slapd[22596]: connection_read(65): no connection! Dec 14 03:51:06 fosse slapd[22596]: connection_read(65): no connection! These continued until the crash, persisted after the master slapd was successfully restarted, and went away when I turned the broken replica off. I found similar behavior in a development setup similar to our production setup. There is one master, and there are two read-only replicas configured to replicate from the master with the following syncrepl stanza: syncrepl rid=1 provider=ldaps://master-2.ldap.csupomona.edu/ type=refreshAndPersist retry="10 10 60 +" searchbase="dc=csupomona,dc=edu" bindmethod=simple binddn=cn=slapd-syncrepl,ou=user,ou=service,dc=csupomona,dc=edu credentials=__PASSWORD__ (there are two replicas because I couldn't reliably produce a crash with one replica) The replicas have a DB_CONFIG that causes their replication attempts to fail with the same error as we saw in our production setup. The master database is initialized so that the replicas have a lot of changes to catch up on, as was the case when our production setup failed. Even with loglevel -1, there's nothing specifically referencing the crash in the master slapd's logs. There's an assertion failure in the backtrace: slapd: daemon.c:942: slapd_clr_write: Assertion `((slap_daemon[id].sd_index[(s)]) != -1)' failed. Program received signal SIGABRT, Aborted. [Switching to Thread 0x7fffea863700 (LWP 27623)] 0x00007ffff6a95175 in raise () from /lib64/libc.so.6 (gdb) bt full #0 0x00007ffff6a95175 in raise () from /lib64/libc.so.6 No symbol table info available. #1 0x00007ffff6a96590 in abort () from /lib64/libc.so.6 No symbol table info available. #2 0x00007ffff6a8e201 in __assert_fail () from /lib64/libc.so.6 No symbol table info available. #3 0x000000000042ec9b in slapd_clr_write (s=<value optimized out>, wake=0) at daemon.c:942 id = 0 __PRETTY_FUNCTION__ = "slapd_clr_write" #4 0x000000000043419b in connection_write (s=17) at connection.c:1896 c = <value optimized out> op = <value optimized out> __PRETTY_FUNCTION__ = "connection_write" #5 0x000000000043006a in slapd_daemon_task (ptr=<value optimized out>) at daemon.c:2782 rc = 1 fd = 17 w = 6 ns = 1 at = 0 revents = <value optimized out> tvp = <value optimized out> cat = {tv_sec = 1324320980, tv_usec = 0} i = 0 now = <value optimized out> tv = {tv_sec = 1135, tv_usec = 0} rtask = <value optimized out> l = <value optimized out> last_idle_check = 1324317380 ebadf = 0 tid = <value optimized out> #6 0x00007ffff71ed914 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #7 0x00007ffff6b347dd in clone () from /lib64/libc.so.6 No symbol table info available. The master and replicas in my development setup all run 2.4.28. The production master runs 2.4.26. I successfully reproduced the issue on both 2.4.26 and 2.4.28, but only have a backtrace for 2.4.28. If you want a backtrace for 2.4.26, I can get one. Thanks.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs December 2011