openldap-bugs February 2011

openldap-bugs@openldap.org

35 participants
158 discussions

Re: (ITS#6845) sortvals oddities - with more information
by hyc＠symas.com 28 Feb '11

28 Feb '11

Andrew Elble wrote: > Howard Chu<hyc(a)symas.com> writes: > >>> It would seem that attr_merge() (in attr.c) should have something like this: >>> >>> if ( *a == NULL ) { >>> *a = attr_alloc( desc ); >>> if (desc->ad_type->sat_flags& SLAP_AT_SORTED_VAL) { >>> (*a)->a_flags |= SLAP_ATTR_SORTED_VALS; >>> } >>> } else { >> >> This is now fixed in HEAD in value.c. > > Tested, bad behavior still persists. The call path I've observed > is as follows: > > T@5 : | | | | |>bdb_modify_internal > T@5 : | | | | | |>modify_add_values > T@5 : | | | | | | |>attr_merge > T@5 : | | | | | | | |>attr_alloc > > ordered_value_add() doesn't seem to be involved (I can provide the > entire trace if necessary) Thanks, my mistake. Fixed now in HEAD attr.c (redundant code removed from add.c) -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#6848) wait timeout for slapd startup
by quanah＠OpenLDAP.org 28 Feb '11

28 Feb '11

Full_Name: Quanah Gibson-Mount Version: 2.4.24 OS: NA URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (75.111.45.108) When LDAP is used as a dependency for other software during the init process (as a kerberos backend, for example), the fact that slapd exits with success prior to it being ready to accept connections can cause problems for the later services that depend on it. It would be useful to have an (optional) flag "-w <seconds>" that if provided, would have slapd wait up until <seconds> amount of time has passed for the daemon to fully initialize. If it fails to initialize and be ready to accept connections by the end of the time period (when specified), slapd should exit with a new unique error code. This would allow for avoiding the startup problem. An example of this (and a terrible solution) can be found in: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589915 Debian implemented a broken solution for this, but it is a general issue for anyone who has dependencies on slapd being ready.

1 0

Re: (ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth
by subbarao＠computer.org 28 Feb '11

28 Feb '11

> On 02/28/2011 04:57 AM, Howard Chu wrote: >> Right, no problem. I've run your updated script against HEAD and see no >> errors, nor is there a duplicate result sent for the Bind operation. > > That's a good datapoint. I'll look into building HEAD on my system and > validate that the duplicate result messages are gone. I was able to build HEAD pretty quickly (much quicker than I've been able to in the past :-) ), and was able to validate that the test succeeds. -Kartik

1 0

Re: (ITS#6845) sortvals oddities - with more information
by aweits＠rit.edu 28 Feb '11

28 Feb '11

Howard Chu <hyc(a)symas.com> writes: >> It would seem that attr_merge() (in attr.c) should have something like this: >> >> if ( *a == NULL ) { >> *a = attr_alloc( desc ); >> if (desc->ad_type->sat_flags& SLAP_AT_SORTED_VAL) { >> (*a)->a_flags |= SLAP_ATTR_SORTED_VALS; >> } >> } else { > > This is now fixed in HEAD in value.c. Tested, bad behavior still persists. The call path I've observed is as follows: T@5 : | | | | | >bdb_modify_internal T@5 : | | | | | | >modify_add_values T@5 : | | | | | | | >attr_merge T@5 : | | | | | | | | >attr_alloc ordered_value_add() doesn't seem to be involved (I can provide the entire trace if necessary) >> Further pursuing the issue, I started to focus on the index deletion >> code that was changed as a part of ITS#5183. Specifically, the >> portion of code within bdb_modify_internal() (in back-bdb/modify.c) >> that is commented: >> >> /* Move deleted values to end of array */ >> >> This code modifies save_attrs, which is actually apparently a pointer >> to memory that resides within the cache. If a deadlock occurs, these >> changes are not reverted, thereby corrupting the entry in the cache. I >> replaced this code with the pre-ITS#5183 code and I am no longer able >> to 'break' the object and insert duplicate member/memberUids. > > This is now fixed in HEAD. Looks good, thanks. -- Andrew W. Elble aweits(a)discipline.rit.edu Infrastructure Engineer, Communications Technical Lead Rochester Institute of Technology PGP: BFAD 8461 4CCF DC95 DA2C B0EB 965B 082E 863E C912 CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.

1 0

Re: (ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth
by subbarao＠computer.org 28 Feb '11

28 Feb '11

On 02/28/2011 04:57 AM, Howard Chu wrote: > Kartik Subbarao wrote: >> I'd like to add one clarification to this message. I named the attached >> test script that illustrates the two RESULT messages problem >> test099-ppolicy-update, per Howard's previous advice not to duplicate >> existing names. But I just realized that this script relies on the same >> data files that I previously submitted (slapd-ppolicy.conf, >> ppolicy.ldif) so when running this script please ensure that those files >> are in place. > > Right, no problem. I've run your updated script against HEAD and see no > errors, nor is there a duplicate result sent for the Bind operation. That's a good datapoint. I'll look into building HEAD on my system and validate that the duplicate result messages are gone. Alternatively, is there an easy way for you to run the script against 2.4.23 on your side? If so, and if you can reproduce the error that I got with 2.4.23, that would be a solid confirmation that the bug has since been fixed. Don't worry about it though if it would be too much of a hassle -- I appreciate all your help with this. Thanks, -Kartik

1 0

Re: (ITS#6817) idassert-bind with SASL issues
by hyc＠symas.com 28 Feb '11

28 Feb '11

masarati(a)aero.polimi.it wrote: > Full_Name: Pierangelo Masarati > Version: HEAD/re24 > OS: irrelevant > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (2.40.14.92) > Submitted by: ando > > > When idassert-bind is configured to use SASL bind, an "authcID" needs to be > provided, while the "binddn" is not needed. However, if a "binddn" is not > provided as well, in some cases the proxiedAuthz control may be used > incorrectly. The need to configure the "binddn" is not documented, so this ITS > is minimally addressed by documenting this requirement. I tripped over this change while investigating #6711. Adding this requirement is certainly not the right solution; SASL Binds ordinarily don't require a BindDN and requiring it here just makes things confusing. Also with the fixes that I made for #6711 I don't believe the issue exists any more. Please describe the conditions where the problem occurs. > If the "binddn" is provided, everything works as expected, with the only minor > issue that the DN of the user as it is known to back-meta may not match the > actual identity the "authcID" assumed on the remote server. The "right" way to > address this problem consists in performing a "WhoAmI" (RFC 4532) right after > the bind, or better use a "authorization identity control" (RFC 3829) along with > the bind operation. Both approaches should be implemented, but they should not > be used unless explicitly requested. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth
by hyc＠symas.com 28 Feb '11

28 Feb '11

Kartik Subbarao wrote: > I'd like to add one clarification to this message. I named the attached > test script that illustrates the two RESULT messages problem > test099-ppolicy-update, per Howard's previous advice not to duplicate > existing names. But I just realized that this script relies on the same > data files that I previously submitted (slapd-ppolicy.conf, > ppolicy.ldif) so when running this script please ensure that those files > are in place. Right, no problem. I've run your updated script against HEAD and see no errors, nor is there a duplicate result sent for the Bind operation. There's a config error because back-ldap in HEAD now always requires the binddn to be set in the idassert-bind directive. I have a feeling that this new requirement is bogus, and I just patched your script to set binddn="" to get around it for the moment. > Thanks, > > -Kartik > > On 02/02/2011 11:50 AM, Kartik Subbarao wrote: >>>> Another problem is that bind operations to the consumer server start to >> >> return two result messages -- one with the error code of the chained >> >> operation, and one with the error code of the bind operation. >> >> I'm continuing to see this problem, even after I fix the acl-bind and >> the 'manage' ACL configuration. See the attached for an updated test >> script that illustrates the problem -- I've added a bind with an >> incorrect password which should return 49, but instead is returning 0 to >> the client. >> >> The last line of output from the test script is: >> >> ldap bind operation returned 0, expected 49 >> >> For the relevant operation in slapd.2.log, I see the following: >> >> conn=1003 op=0 RESULT tag=103 err=0 text= >> [...] >> conn=1003 op=0 RESULT tag=97 err=49 text= >> >> slapd is returning two RESULT messages for the BIND operation. Error 0 >> seems to be from the successful chained modification of the >> pwdFailureTime attribute, and Error 49 seems to be for the incorrect >> password. >> >> -Kartik > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6847) slapd segmentation fault
by Howard Chu 28 Feb '11

28 Feb '11

The information you provided is useless. Please read http://www.openldap.org/faq/data/cache/59.html

1 0

Re: (ITS#6845) sortvals oddities - with more information
by hyc＠symas.com 28 Feb '11

28 Feb '11

aweits(a)rit.edu wrote: > Full_Name: Andrew Elble > Version: 2.4.24 / CVS Head > OS: Solaris / MacOS > URL: > Submission from: (NULL) (129.21.6.207) > Thanks for the detailed report. > > We are using sortvals on both member and memberUid. We have been > seeing duplicate member/memberUid attributes on some objects that have > been modified (as well as a lack of sorting on those attributes). It > seemed that there was a correlation between modifies to objects that > experienced deadlocks and the objects that had duplicate > member/memberUid attributes on them. We put the seqmod overlay in > place - and this reduced the number of occurrences of the issue but > did not eliminate them. > > Upon further investigation, I discovered that it was possible to > bypass the sorting behavior if the object was not created with an > instance of the attribute with sorting enabled as a part of it. > > It would seem that attr_merge() (in attr.c) should have something like this: > > if ( *a == NULL ) { > *a = attr_alloc( desc ); > if (desc->ad_type->sat_flags& SLAP_AT_SORTED_VAL) { > (*a)->a_flags |= SLAP_ATTR_SORTED_VALS; > } > } else { This is now fixed in HEAD in value.c. > Further pursuing the issue, I started to focus on the index deletion > code that was changed as a part of ITS#5183. Specifically, the > portion of code within bdb_modify_internal() (in back-bdb/modify.c) > that is commented: > > /* Move deleted values to end of array */ > > This code modifies save_attrs, which is actually apparently a pointer > to memory that resides within the cache. If a deadlock occurs, these > changes are not reverted, thereby corrupting the entry in the cache. I > replaced this code with the pre-ITS#5183 code and I am no longer able > to 'break' the object and insert duplicate member/memberUids. This is now fixed in HEAD. > I also found it surprising that the call to bdb_idl_cache_del() in > bdb_idl_delete_key() in back-bdb/idl.c occurred prior to any calls to > the database? I see what you mean. I don't think this causes any harm though. > I can answer any questions about the specifics of the environment > in which where we are seeing this - it is a somewhat difficult problem to > reproduce outside of our production environment. I'm not terribly > familiar with the code - I'm looking to see if I have collected enough > data here to open an ITS to have this fixed. (or if I'm just way off base) > > > Thanks, > > Andy > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#6847) slapd segmentation fault
by dkastens＠uos.de 28 Feb '11

28 Feb '11

Full_Name: Dirk Kastens Version: 2.4.24 OS: Red Hat Enterprise Linux Server release 5.6 (kernel 2.6.18-238.1.1.el5xen) URL: Submission from: (NULL) (2001:638:508:3d0:74e8:28f7:184a:4cdf) I updated our openldap master and two replica servers to 2.4.24 (self-compiled) last week. Saturday morning, both replicas crashed at the same time with a segementation fault: kernel: slapd[2150]: segfault at 0000000000000059 rip 00000000004fb9e7 rsp 0000000042f9e630 error 4 kernel: slapd[9451]: segfault at 0000000000000059 rip 00000000004fb9e7 rsp 000000004563f630 error 4 Running slapd with valgrind --tool=memcheck --leak-check=full gives: ==31485== LEAK SUMMARY: ==31485== definitely lost: 0 bytes in 0 blocks ==31485== indirectly lost: 0 bytes in 0 blocks ==31485== possibly lost: 110,162 bytes in 4,698 blocks ==31485== still reachable: 6,942,591 bytes in 26,974 blocks ==31485== suppressed: 0 bytes in 0 blocks ==31485== Reachable blocks (those to which a pointer was found) are not shown. ==31485== To see them, rerun with: --leak-check=full --show-reachable=yes ==31485== ==31485== For counts of detected and suppressed errors, rerun with: -v ==31485== ERROR SUMMARY: 256 errors from 256 contexts (suppressed: 16 from 7) ==31485== Warning: set address range perms: large range [0xba78000, 0x1fa7a000) (defined) ==31485== Warning: set address range perms: large range [0xba78000, 0x1fa7a000) (noaccess) ==31485== Warning: invalid file descriptor -1 in syscall read()

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs February 2011