openldap-bugs December 2012

openldap-bugs@openldap.org

17 participants
50 discussions

Re: (ITS#7466) syncreplication causes massive explosion in database size
by hyc＠symas.com 09 Dec '12

09 Dec '12

andrew.findlay(a)skills-1st.co.uk wrote: > On Fri, Dec 07, 2012 at 08:29:59PM +0000, quanah(a)zimbra.com wrote: > >> Subject: Re: (ITS#7466) syncreplication causes massive explosion in >> database size > >> Closing. Issue was actually triggered by the core dump in ITS#7465, which >> left a read txn lock on the primary database, causing the freelist to not >> be able to compact. Rebuilding the database cleared the lock and things >> went back to normal. > > Would it be possible for slapd to recover from such a case > automatically on startup? If so, then I think it should. > If not, then I think it is worth mentioning this in the > documentation or an FAQ. The library is designed to clean up automatically. The outstanding bugs (#7465) prevent that from working at the moment in RE24. This is not going to be an issue in the released code. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7466) syncreplication causes massive explosion in database size
by andrew.findlay＠skills-1st.co.uk 09 Dec '12

09 Dec '12

On Fri, Dec 07, 2012 at 08:29:59PM +0000, quanah(a)zimbra.com wrote: > Subject: Re: (ITS#7466) syncreplication causes massive explosion in > database size > Closing. Issue was actually triggered by the core dump in ITS#7465, which > left a read txn lock on the primary database, causing the freelist to not > be able to compact. Rebuilding the database cleared the lock and things > went back to normal. Would it be possible for slapd to recover from such a case automatically on startup? If so, then I think it should. If not, then I think it is worth mentioning this in the documentation or an FAQ. Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

1 0

(ITS#7468) ppolicy and rwm/relay segfaulting
by tim.j.watts＠kcl.ac.uk 08 Dec '12

08 Dec '12

Full_Name: Tim Watts Version: 2.4.23 OS: Debian 6/amd64 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (81.2.78.46) Hi, We load slapd up with actual entries for the dc=new,dc=example,dc=com domain. slapd is configured to map all records with rwm/relay to dc=old,dc=example,dc=com so clients with the old config still work. ie we load a real record: 1) dn: uid=testuser,ou=people,dc=new,dc=example,dc=com and we want clients asking about 2) dn: uid=testuser,ou=people,dc=old,dc=example,dc=com will be served from (1) ======== OK here's an example ================ === Server ==== Running debian 6 server with debian slapd 2.4.23-7.2 /usr/sbin/slapd -d 4 -h "ldap:/// ldaps:/// ldapi:///" -g openldap -u openldap -f /etc/ldap/slapd.conf === Test client === Running test against the "old" realm: ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com # Enter the wrong password and it fails correctly and server runs OK. # Enter the right password and the client says: ldap_result: Can't contact LDAP server (-1) Server says (last few lines from slapd): [rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=old,dc=example,dc=com" [rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=new,dc=example,dc=com" => ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com,0) <= ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0 => bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com" => bdb_entry_get: oc: "(null)", at: "(null)" => bdb_entry_get: ndn: "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com" => bdb_entry_get: oc: "(null)", at: "(null)" ==> hdb_bind: dn: uid=testuser,ou=people,dc=new,dc=example,dc=com send_ldap_result: err=0 matched="" text="" => bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com" => bdb_entry_get: oc: "(null)", at: "(null)" Segmentation fault However, queries against the "new" domain work: ldapwhoami -x -W -D uid=testuser,ou=people,dc=new,dc=example,dc=com Enter LDAP Password: dn:uid=testuser,ou=people,dc=new,dc=example,dc=com If I disable ppolicy in slapd.conf, queries agains the "old" domain work: root@ldaptest1:/etc# ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com Enter LDAP Password: dn:uid=testuser,ou=people,dc=new,dc=example,dc=com (the rewrite is not perfect - but that may not matter for my clients). Almost certainly I have done something stupid - and it seems clear that ppolicy is being upset by the relay mappings. Any ideas how to fix would be *very* welcome - I have been all over Google and the man pages. All the best! Tim OK - boring stuff: slapd.conf ########################################### ####################################################################### # Global Directives: # Features to permit allow bind_anon_cred bind_anon_dn update_anon # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/ppolicy.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel sync stats sizelimit 5000 tool-threads 1 modulepath /usr/lib/ldap moduleload back_hdb moduleload back_relay moduleload rwm moduleload ppolicy overlay rwm rwm-rewriteEngine on backend hdb ####################################################################### # Global ACLs # # Ensure read access to the base for things like # supportedSASLMechanisms. access to dn.base="" by * read # The userPassword by default can be changed # by the entry owning it if they are authenticated. # This ACL must be first or password leakage will happen!!! access to attrs=userPassword,shadowLastChange by peername.path="/var/run/slapd/ldapi" manage by dn="cn=admin,dc=new,dc=example,dc=com" manage by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write by self write by * auth # The admin dn has full write access, everyone else # can read everything. Local unix domain socket (root only) # Can do everything access to * by peername.path="/var/run/slapd/ldapi" manage by dn="cn=admin,dc=new,dc=example,dc=com" manage by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write by * read ####################################################################### # Main new.example.com authoritative database # database hdb suffix dc=new,dc=example,dc=com rootdn "cn=admin,dc=new,dc=example,dc=com" rootpw "{SSHA}NoNoNooo..." directory "/var/lib/ldap" dbconfig set_cachesize 0 134217728 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on checkpoint 512 30 ####################################################################### # # Password Policy # # overlay ppolicy ppolicy_default "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com" ppolicy_use_lockout ppolicy_hash_cleartext ####################################################################### # Virtual maps - compatibility with old.example.com only # # map dc=old to dc=new # database relay suffix "dc=old,dc=example,dc=com" relay "dc=new,dc=example,dc=com" overlay rwm rwm-suffixmassage "dc=new,dc=example,dc=com" ########################################### Initial database loaded with slapadd from this ldif: ########################################### dn: dc=new,dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: new.example.com dc: new dn: cn=admin,dc=new,dc=example,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: NoNoNoooo... dn: ou=people,dc=new,dc=example,dc=com objectClass: organizationalUnit ou: people dn: ou=groups,dc=new,dc=example,dc=com objectClass: organizationalUnit ou: groups dn: ou=pwpolicies,dc=new,dc=example,dc=com objectClass: organizationalUnit ou: pwpolicies # # # Standard policy for normal people # dn: cn=default,ou=pwpolicies,dc=new,dc=example,dc=com objectClass: device objectClass: pwdPolicy cn: default pwdAttribute: userPassword pwdMinAge: 0 pwdMaxAge: 15811200 pwdExpireWarning: 1814400 pwdGraceAuthnLimit: 3 pwdInHistory: 6 pwdCheckQuality: 2 pwdMaxFailure: 5 pwdMinLength: 8 pwdLockout: TRUE pwdLockoutDuration: 300 pwdFailureCountInterval: 300 pwdMustChange: TRUE pwdAllowUserChange: TRUE pwdSafeModify: FALSE dn: uid=testuser,ou=people,dc=new,dc=example,dc=com objectClass: top objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount cn: Test User employeeType: Staff gecos: Test User gidNumber: 1000 givenName: Test homeDirectory: /homes/testuser loginShell: /bin/bash mail: testuser(a)new.example.com sn: User uid: testuser uidNumber: 1000 userPassword: {SSHA}NoNoNoooo... dn: cn=ddh-staff,ou=groups,dc=new,dc=example,dc=com objectClass: top objectClass: posixGroup cn: ddh-staff description: Test Group gidNumber: 1000 memberUid: testuser dn: cn=sysadmin,ou=groups,dc=new,dc=example,dc=com objectClass: top objectClass: posixGroup cn: sysadmin description: Staff: System Admin Group gidNumber: 1001 memberUid: testuser ###########################################

1 0

(ITS#7467) mdb_stat improvements
by quanah＠OpenLDAP.org 07 Dec '12

07 Dec '12

Full_Name: Quanah Gibson-Mount Version: master OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (74.196.25.250) It would be helpful to expand the functionality of mdb_stat: a) Merge in mfree b) Show the reader table c) Add option to zero out dead locker entries without interrupting anything

1 0

Re: (ITS#7466) syncreplication causes massive explosion in database size
by quanah＠zimbra.com 07 Dec '12

07 Dec '12

--On Friday, December 07, 2012 7:56 PM +0000 quanah(a)OpenLDAP.org wrote: > Full_Name: Quanah Gibson-Mount > Version: RE24 12/7/2012 > OS: Linux 2.6 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (74.196.25.250) Closing. Issue was actually triggered by the core dump in ITS#7465, which left a read txn lock on the primary database, causing the freelist to not be able to compact. Rebuilding the database cleared the lock and things went back to normal. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#7466) syncreplication causes massive explosion in database size
by quanah＠OpenLDAP.org 07 Dec '12

07 Dec '12

Full_Name: Quanah Gibson-Mount Version: RE24 12/7/2012 OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (74.196.25.250) In a master/replica environment, sync replication causes a massive explosion in database size on the replica. For example, with a 25MB database, the size on disk grew from 25MB to 50MB in the space of an hour (and it shows no signs of slowing down). Entries in the freelist grows without reducing: [zimbra@ldap02-zcs ~]$ mdb_stat -f data/ldap/mdb/db Freelist Status Tree depth: 2 Branch pages: 1 Leaf pages: 43 Overflow pages: 0 Entries: 987 Free pages: 7441 In monitoring, it appears every change adds about 6 entries and 40+ free pages. id2e database looks the same as on the master.

1 0

(ITS#7465) mdb_stat core dumps when used with -a -s
by quanah＠OpenLDAP.org 07 Dec '12

07 Dec '12

Full_Name: Quanah Gibson-Mount Version: RE24 12/7/2012 OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (74.196.25.250) I believe the mdb_stat options "-a" and "-s <db>" are supposed to be mutually exclusive. However, if they are used in conjunction with one another, mdb_stat core dumps: [zimbra@ldap02-zcs ~]$ mdb_stat -a -e data/ldap/mdb/db -s id2e Environment Info Map address: (nil) Map size: 85899345920 Page size: 4096 Max pages: 20971520 Number of pages used: 6309 Last transaction ID: 434 Max readers: 126 Number of readers used: 7 Status of id2e Tree depth: 3 Branch pages: 6 Leaf pages: 678 Overflow pages: 1957 Entries: 2963 mdb_stat: mdb.c:4297: mdb_cursor_set: Assertion `key->mv_size > 0' failed. Aborted (core dumped)

1 0

Re: (ITS#7464) ldap_back_dobind_int breaking binded user
by prune＠lecentre.net 07 Dec '12

07 Dec '12

--20cf307811d03117ef04d043e582 Content-Type: text/plain; charset=ISO-8859-1 Setting the timeout to 4294967294 should to the trick for now... but this is really a sort of bug to me as back-ldap should not behave this way when he have no credentials to use... Surely, closing the connexion with the client may be the best solution... 2012/12/6 Pierangelo Masarati <masarati(a)aero.polimi.it> > > > --20cf307811d0eb756704d0342092 > > Content-Type: text/plain; charset=ISO-8859-1 > > > > Actualy I had this before and that did not change anything. I don't think > > this directive is used for this kind of "timeouts"... > > > > I also tried : > > > > *chase-referrals yes (this is default)* > > *rebind-as-user yes (as suggested here)** > > * > > *single-conn yes (default to NO)** > > * > > * > > * > > I also tried some combinings of idassert-bind options with no luck (as > the > > backend does not support identity assertion). > > By backend do you mean the remote server you're trying to proxy? > > I see your problem. Indeed, when a connection is pruned (in your case > because it timed out), information about client's credentials is lost. > Back-ldap is working incorrectly, since it falls back to trying to rebind > anonymously. However, the only other reasonable option could only be to > return a meaningful error (or dropping the connection with the client). > > Things work fine with identity assertion, because in that case the > client's credentials are no longer needed, what counts is that the > client's connection is alive and authenticated, so the client's identity > can be asserted. > > You'd need to do something like > > idassert-bind bindmethod=simple > binddn="<authorizing dn>" > credentials="<authorizing credentials>" > mode=self > flags=override > > (tested, works fine). However, I understood from what you wrote above > that this is not an option. > > I see one quick solution: bail out when the connection is lost and > idassert is not going to take place. This requires a minimal patch. > > An alternative could be to find a decent manner to store the client's > credentials in the frontend's connection with the client (as much as we do > for the client's identity in c_authz). This will live as long as the > client's connection stays alive (something like what we do for paged > results). > > [disclaimer: I'll look into this time permitting; I can't commit to fixing > it any soon] > > p. > > -- > Pierangelo Masarati > Associate Professor > Dipartimento di Ingegneria Aerospaziale > Politecnico di Milano > > --20cf307811d03117ef04d043e582 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Setting the timeout to=A0<span style=3D"color:rgb(80,0,80);font-family:aria= l,sans-serif;font-size:13px">4294967294 should to the trick for now... but = this is really a sort of bug to me as back-ldap should not behave this way = when he have no credentials to use...</span><div> <span style=3D"color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13= px">Surely, closing the connexion =A0with the client may be the best soluti= on...</span></div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_qu= ote"> 2012/12/6 Pierangelo Masarati <span dir=3D"ltr"><<a href=3D"mailto:masar= ati(a)aero.polimi.it" target=3D"_blank">masarati(a)aero.polimi.it</a>></span= ><br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-le= ft:1px #ccc solid;padding-left:1ex"> <br> > --20cf307811d0eb756704d0342092<br> > Content-Type: text/plain; charset=3DISO-8859-1<br> <div class=3D"im">><br> > Actualy I had this before and that did not change anything. I don'= t think<br> > this directive is used for this kind of "timeouts"...<br> ><br> > I also tried :<br> ><br> </div>> *chase-referrals yes (this is default)*<br> > *rebind-as-user yes (as suggested here)**<br> > *<br> > *single-conn yes (default to NO)**<br> > *<br> > *<br> <div class=3D"im">> *<br> > I also tried some combinings of idassert-bind options with no luck (as= the<br> > backend does not support identity assertion).<br> <br> </div>By backend do you mean the remote server you're trying to proxy?<= br> <br> I see your problem. =A0Indeed, when a connection is pruned (in your case<br= > because it timed out), information about client's credentials is lost.<= br> Back-ldap is working incorrectly, since it falls back to trying to rebind<b= r> anonymously. =A0However, the only other reasonable option could only be to<= br> return a meaningful error (or dropping the connection with the client).<br> <br> Things work fine with identity assertion, because in that case the<br> client's credentials are no longer needed, what counts is that the<br> client's connection is alive and authenticated, so the client's ide= ntity<br> can be asserted.<br> <br> You'd need to do something like<br> <br> idassert-bind bindmethod=3Dsimple<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 binddn=3D"<authorizing dn>"<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 credentials=3D"<authorizing credentials= >"<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 mode=3Dself<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 flags=3Doverride<br> <br> (tested, works fine). =A0However, I understood from what you wrote above<br= > that this is not an option.<br> <br> I see one quick solution: bail out when the connection is lost and<br> idassert is not going to take place. =A0This requires a minimal patch.<br> <br> An alternative could be to find a decent manner to store the client's<b= r> credentials in the frontend's connection with the client (as much as we= do<br> for the client's identity in c_authz). =A0This will live as long as the= <br> client's connection stays alive (something like what we do for paged<br= > results).<br> <br> [disclaimer: I'll look into this time permitting; I can't commit to= fixing<br> it any soon]<br> <div class=3D"HOEnZb"><div class=3D"h5"><br> p.<br> <br> --<br> Pierangelo Masarati<br> Associate Professor<br> Dipartimento di Ingegneria Aerospaziale<br> Politecnico di Milano<br> <br> </div></div></blockquote></div><br></div> --20cf307811d03117ef04d043e582--

1 0

Re: (ITS#7464) ldap_back_dobind_int breaking binded user
by masarati＠aero.polimi.it 06 Dec '12

06 Dec '12

> --20cf307811d0eb756704d0342092 > Content-Type: text/plain; charset=ISO-8859-1 > > Actualy I had this before and that did not change anything. I don't think > this directive is used for this kind of "timeouts"... > > I also tried : > > *chase-referrals yes (this is default)* > *rebind-as-user yes (as suggested here)** > * > *single-conn yes (default to NO)** > * > * > * > I also tried some combinings of idassert-bind options with no luck (as the > backend does not support identity assertion). By backend do you mean the remote server you're trying to proxy? I see your problem. Indeed, when a connection is pruned (in your case because it timed out), information about client's credentials is lost. Back-ldap is working incorrectly, since it falls back to trying to rebind anonymously. However, the only other reasonable option could only be to return a meaningful error (or dropping the connection with the client). Things work fine with identity assertion, because in that case the client's credentials are no longer needed, what counts is that the client's connection is alive and authenticated, so the client's identity can be asserted. You'd need to do something like idassert-bind bindmethod=simple binddn="<authorizing dn>" credentials="<authorizing credentials>" mode=self flags=override (tested, works fine). However, I understood from what you wrote above that this is not an option. I see one quick solution: bail out when the connection is lost and idassert is not going to take place. This requires a minimal patch. An alternative could be to find a decent manner to store the client's credentials in the frontend's connection with the client (as much as we do for the client's identity in c_authz). This will live as long as the client's connection stays alive (something like what we do for paged results). [disclaimer: I'll look into this time permitting; I can't commit to fixing it any soon] p. -- Pierangelo Masarati Associate Professor Dipartimento di Ingegneria Aerospaziale Politecnico di Milano

1 0

Re: (ITS#7464) ldap_back_dobind_int breaking binded user
by prune＠lecentre.net 06 Dec '12

06 Dec '12

--20cf307d04d2686d3904d0343c02 Content-Type: text/plain; charset=ISO-8859-1 Here is a quick python script that can be used to query a LDAP proxy. Running it while the proxy is configured with conn-ttl = 5 will trigget the error after 5 seconds: import ldap, sys, pprint, time ldap_server = "localhost" dn="cn=ldapintbind,o=corp" pw="your password here" con = ldap.initialize('ldap://' + ldap_server) try: #l.start_tls_s() con.simple_bind_s(dn, pw) con.set_option(ldap.OPT_DEREF,3) scope = ldap.SCOPE_SUBTREE base = "o=corp" filter ="(&(objectClass=*)(uid=dln))" retrieve_attributes = ["uid"] result_data = [] result_set = [] timeout = 0 essai=0 while 1: print(str(essai) + ".") essai+=1 result_id = con.search_s(base, scope, filter, retrieve_attributes) #pprint.pprint(result_id) time.sleep(1) except ldap.LDAPError, e: print e.message['info'] if type(e.message) == dict and e.message.has_key('desc'): print e.message['desc'] else: print e sys.exit() 2012/12/6 Sebastien Thomas <prune(a)lecentre.net> > Actualy I had this before and that did not change anything. I don't think > this directive is used for this kind of "timeouts"... > > I also tried : > > *chase-referrals yes (this is default)* > *rebind-as-user yes (as suggested here)** > * > *single-conn yes (default to NO)** > * > * > * > I also tried some combinings of idassert-bind options with no luck (as > the backend does not support identity assertion). > > > 2012/12/6 Pierangelo Masarati <masarati(a)aero.polimi.it> > >> >> > --20cf307811d0d379c404d032d6ee >> > Content-Type: text/plain; charset=ISO-8859-1 >> > >> > Config is basic (with special timeout tests commented out) : >> > >> > database ldap >> > suffix "o=corp" >> > uri ldaps://10.100.120.153 >> > >> > # close connection after a timeout >> > #idletimeout 100 >> > # causes a cached connection to be dropped an recreated after a given >> ttl >> > #conn-ttl 4294967294 >> > # close connection after a timeout for ldap backend >> > #idle-timeout 4294967294 >> > # Discards current cached connection when the client rebinds - default >> to >> > No >> > #single-conn no >> >> >> Try adding a "rebind-as-user" here. This forces back-ldap to store >> client's credentials in order to rebind when needed (e.g. because a >> persistent connection timed out). >> >> p. >> >> > overlay rwm >> > rwm-suffixmassage "o=corp" "o=int" >> > >> > >> > 2012/12/6 Pierangelo Masarati <masarati(a)aero.polimi.it> >> > >> >> >> >> > Full_Name: Sebastien Prune THOMAS >> >> > Version: slapd 2.4.31 >> >> > OS: Linux CentOS >> >> > URL: ftp://ftp.openldap.org/incoming/ >> >> > Submission from: (NULL) (206.167.157.64) >> >> > >> >> > >> >> > I use OpenLdap to proxy (with the module back-ldap) to a eDirectory >> >> LDAP >> >> > server. >> >> > Every once and a while I have long lasting connections re-binding as >> >> > anonymous, >> >> > breaking the actual bind. >> >> > This usualy happen after hitting either the idle-timeout or the >> >> conn-ttl >> >> > limit. >> >> > I wasn't able to find out what these values are when not set... but >> >> > setting them >> >> > low can help reproduce the problem : >> >> >> >> What is the configuration of back-ldap? Can you post it (after >> >> sanitizing >> >> sensitive info)? >> >> >> >> p. >> >> >> >> -- >> >> Pierangelo Masarati >> >> Associate Professor >> >> Dipartimento di Ingegneria Aerospaziale >> >> Politecnico di Milano >> >> >> >> >> > >> > --20cf307811d0d379c404d032d6ee >> > Content-Type: text/html; charset=ISO-8859-1 >> > Content-Transfer-Encoding: quoted-printable >> > >> > <div style=3D"font-family:Tahoma;font-size:13px">Config is basic (with >> > spec= >> > ial timeout tests commented out) :</div><div >> > style=3D"font-family:Tahoma;fo= >> > nt-size:13px">=A0</div><div >> > style=3D"font-family:Tahoma;font-size:13px">dat= >> > abase =A0 =A0 =A0ldap<br> >> > suffix =A0 =A0 =A0 =A0 =A0 >> > =A0"o=3Dcorp"<br>uri=A0=A0=A0=A0=A0=A0= >> > =A0=A0=A0=A0=A0=A0=A0 =A0 =A0<a>ldaps://10.100.120.153</a></div><div >> > style= >> > =3D"font-family:Tahoma;font-size:13px">=A0</div><div >> > style=3D"font-family:T= >> > ahoma;font-size:13px"># close connection after a timeout<br> >> > #idletimeout=A0=A0=A0=A0 100<br># causes a cached connection to be >> dropped >> > = >> > an recreated after a given ttl<br>#conn-ttl=A0=A0=A0=A0=A0=A0=A0 >> > 4294967294= >> > <br># close connection after a timeout for ldap >> > backend<br>#idle-timeout=A0= >> > =A0=A0 4294967294<br># Discards current cached connection when the >> client >> > r= >> > ebinds - default to No<br> >> > #single-conn=A0=A0=A0=A0 no</div><div >> > style=3D"font-family:Tahoma;font-size= >> > :13px"><br>overlay=A0=A0=A0=A0=A0=A0=A0=A0 rwm<br>rwm-suffixmassage >> > "o= >> > =3Dcorp" "o=3Dint"</div><div >> > class=3D"gmail_extra"><br><br><= >> > div class=3D"gmail_quote">2012/12/6 Pierangelo Masarati <span >> > dir=3D"ltr">&= >> > lt;<a href=3D"mailto:masarati@aero.polimi.it" >> > target=3D"_blank">masarati@ae= >> > ro.polimi.it</a>></span><br> >> > <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 >> > .8ex;border-left:1p= >> > x #ccc solid;padding-left:1ex"><br> >> > > Full_Name: Sebastien Prune THOMAS<br> >> > > Version: slapd 2.4.31<br> >> > > OS: Linux CentOS<br> >> > > URL: <a href=3D"ftp://ftp.openldap.org/incoming/" >> > target=3D"_blank">ft= >> > p://ftp.openldap.org/incoming/</a><br> >> > > Submission from: (NULL) (206.167.157.64)<br> >> > ><br> >> > ><br> >> > > I use OpenLdap to proxy (with the module back-ldap) to a eDirectory >> > LD= >> > AP<br> >> > > server.<br> >> > > Every once and a while I have long lasting connections re-binding >> > as<b= >> > r> >> > > anonymous,<br> >> > > breaking the actual bind.<br> >> > > This usualy happen after hitting either the idle-timeout or the >> > conn-t= >> > tl<br> >> > > limit.<br> >> > > I wasn't able to find out what these values are when not set... >> > bu= >> > t<br> >> > > setting them<br> >> > > low can help reproduce the problem :<br> >> > <br> >> > What is the configuration of back-ldap? =A0Can you post it (after >> > sanitizin= >> > g<br> >> > sensitive info)?<br> >> > <span class=3D"HOEnZb"><font color=3D"#888888"><br> >> > p.<br> >> > <br> >> > --<br> >> > Pierangelo Masarati<br> >> > Associate Professor<br> >> > Dipartimento di Ingegneria Aerospaziale<br> >> > Politecnico di Milano<br> >> > <br> >> > </font></span></blockquote></div><br></div> >> > >> > --20cf307811d0d379c404d032d6ee-- >> > >> > >> > >> > >> > >> >> >> -- >> Pierangelo Masarati >> Associate Professor >> Dipartimento di Ingegneria Aerospaziale >> Politecnico di Milano >> >> > --20cf307d04d2686d3904d0343c02 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Here is a quick python script that can be used to query a LDAP proxy. Runni= ng it while the proxy is configured with conn-ttl =3D 5 will trigget the er= ror after 5 seconds:<div><br></div><div><br></div><div><br></div><div><div = style=3D"font-family:Tahoma;font-size:13px"> import ldap, sys, pprint, time</div><div style=3D"font-family:Tahoma;font-s= ize:13px">=A0</div><div style=3D"font-family:Tahoma;font-size:13px">ldap_se= rver =3D "localhost"<br>dn=3D"cn=3Dldapintbind,o=3Dcorp&quot= ;<br>pw=3D"your password here"</div> <div style=3D"font-family:Tahoma;font-size:13px">=A0</div><div style=3D"fon= t-family:Tahoma;font-size:13px">con =3D ldap.initialize('ldap://' += ldap_server)<br>try:<br>=A0=A0=A0 #l.start_tls_s()<br>=A0=A0=A0 con.simple= _bind_s(dn, pw)<br> =A0=A0=A0 con.set_option(ldap.OPT_DEREF,3)<br>=A0 =A0=A0</div><div style=3D= "font-family:Tahoma;font-size:13px">=A0=A0=A0 scope =3D ldap.SCOPE_SUBTREE<= br>=A0=A0=A0 base =3D "o=3Dcorp"<br>=A0=A0=A0 filter =3D"(&a= mp;(objectClass=3D*)(uid=3Ddln))"<br> =A0=A0=A0 retrieve_attributes =3D ["uid"]<br>=A0=A0=A0 result_dat= a =3D []<br>=A0=A0=A0 result_set =3D []<br>=A0=A0=A0 timeout =3D 0</div><di= v style=3D"font-family:Tahoma;font-size:13px">=A0</div><div style=3D"font-f= amily:Tahoma;font-size:13px">=A0=A0=A0 essai=3D0<br> =A0=A0=A0 while 1:<br>=A0=A0=A0=A0=A0=A0=A0 print(str(essai) + ".&quot= ;)<br>=A0=A0=A0=A0=A0=A0=A0 essai+=3D1</div><div style=3D"font-family:Tahom= a;font-size:13px">=A0</div><div style=3D"font-family:Tahoma;font-size:13px"= >=A0=A0=A0=A0=A0=A0=A0 result_id =3D con.search_s(base, scope, filter, retr= ieve_attributes)<br> =A0=A0=A0=A0=A0=A0=A0 #pprint.pprint(result_id)</div><div style=3D"font-fam= ily:Tahoma;font-size:13px">=A0</div><div style=3D"font-family:Tahoma;font-s= ize:13px">=A0 =A0 =A0 =A0 time.sleep(1)<br></div><div style=3D"font-family:= Tahoma;font-size:13px">=A0</div> <div style=3D"font-family:Tahoma;font-size:13px"><br>except ldap.LDAPError,= e:<br>=A0=A0=A0 print e.message['info']<br>=A0=A0=A0 if type(e.mes= sage) =3D=3D dict and e.message.has_key('desc'):<br>=A0=A0=A0=A0=A0= =A0=A0 print e.message['desc']<br> =A0=A0=A0 else:<br>=A0=A0=A0=A0=A0=A0=A0 print e<br>=A0=A0=A0 sys.exit()</d= iv></div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">2012= /12/6 Sebastien Thomas <span dir=3D"ltr"><<a href=3D"mailto:prune@lecent= re.net" target=3D"_blank">prune(a)lecentre.net</a>></span><br> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= x #ccc solid;padding-left:1ex"><span style=3D"font-family:arial,sans-serif;= font-size:13px">Actualy I had this before and that did not change anything.= I don't think this directive is used for this kind of "timeouts&q= uot;...</span><br> <div><span style=3D"font-family:arial,sans-serif;font-size:13px"><br> </span></div><div><span style=3D"font-family:arial,sans-serif;font-size:13p= x">I also tried :</span></div><div><span style=3D"font-family:arial,sans-se= rif;font-size:13px"><br></span></div><div><b style=3D"font-size:13px;font-f= amily:arial,sans-serif">chase-referrals yes (this is default)</b><span styl= e=3D"font-family:arial,sans-serif;font-size:13px"><br> </span></div><div><b style=3D"font-size:13px;font-family:arial,sans-serif">= rebind-as-user yes (as suggested here)</b><b style=3D"font-size:13px;font-f= amily:arial,sans-serif"><br></b></div><div> <b style=3D"font-size:13px;font-family:arial,sans-serif">single-conn yes (d= efault to NO)</b><b style=3D"font-size:13px;font-family:arial,sans-serif"><= br></b></div><div><b style=3D"font-size:13px;font-family:arial,sans-serif">= <br> </b></div><div><span style=3D"font-size:13px;font-family:arial,sans-serif">= I also tried some combinings of=A0</span><span style=3D"font-size:13px;font= -family:arial,sans-serif">idassert-bind options with no luck (as the backen= d does not support identity assertion).</span></div> <div class=3D"HOEnZb"><div class=3D"h5"> <div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">2012/12/6 Pie= rangelo Masarati <span dir=3D"ltr"><<a href=3D"mailto:masarati@aero.poli= mi.it" target=3D"_blank">masarati(a)aero.polimi.it</a>></span><br><blockqu= ote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc s= olid;padding-left:1ex"> <br> > --20cf307811d0d379c404d032d6ee<br> > Content-Type: text/plain; charset=3DISO-8859-1<br> <div>><br> > Config is basic (with special timeout tests commented out) :<br> ><br> > database =A0 =A0 =A0ldap<br> > suffix =A0 =A0 =A0 =A0 =A0 =A0"o=3Dcorp"<br> > uri =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ldaps://<a href=3D"http://10.100.1= 20.153" target=3D"_blank">10.100.120.153</a><br> ><br> > # close connection after a timeout<br> > #idletimeout =A0 =A0 100<br> > # causes a cached connection to be dropped an recreated after a given = ttl<br> > #conn-ttl =A0 =A0 =A0 =A04294967294<br> > # close connection after a timeout for ldap backend<br> > #idle-timeout =A0 =A04294967294<br> > # Discards current cached connection when the client rebinds - default= to<br> > No<br> > #single-conn =A0 =A0 no<br> <br> <br> </div>Try adding a "rebind-as-user" here. =A0This forces back-lda= p to store<br> client's credentials in order to rebind when needed (e.g. because a<br> persistent connection timed out).<br> <br> p.<br> <div><div><br> > overlay =A0 =A0 =A0 =A0 rwm<br> > rwm-suffixmassage "o=3Dcorp" "o=3Dint"<br> ><br> ><br> > 2012/12/6 Pierangelo Masarati <<a href=3D"mailto:masarati@aero.poli= mi.it" target=3D"_blank">masarati(a)aero.polimi.it</a>><br> ><br> >><br> >> > Full_Name: Sebastien Prune THOMAS<br> >> > Version: slapd 2.4.31<br> >> > OS: Linux CentOS<br> >> > URL: <a href=3D"ftp://ftp.openldap.org/incoming/" target=3D"_= blank">ftp://ftp.openldap.org/incoming/</a><br> >> > Submission from: (NULL) (206.167.157.64)<br> >> ><br> >> ><br> >> > I use OpenLdap to proxy (with the module back-ldap) to a eDir= ectory<br> >> LDAP<br> >> > server.<br> >> > Every once and a while I have long lasting connections re-bin= ding as<br> >> > anonymous,<br> >> > breaking the actual bind.<br> >> > This usualy happen after hitting either the idle-timeout or t= he<br> >> conn-ttl<br> >> > limit.<br> >> > I wasn't able to find out what these values are when not = set... but<br> >> > setting them<br> >> > low can help reproduce the problem :<br> >><br> >> What is the configuration of back-ldap? =A0Can you post it (after<= br> >> sanitizing<br> >> sensitive info)?<br> >><br> >> p.<br> >><br> >> --<br> >> Pierangelo Masarati<br> >> Associate Professor<br> >> Dipartimento di Ingegneria Aerospaziale<br> >> Politecnico di Milano<br> >><br> >><br> ><br> </div></div>> --20cf307811d0d379c404d032d6ee<br> > Content-Type: text/html; charset=3DISO-8859-1<br> > Content-Transfer-Encoding: quoted-printable<br> ><br> > <div style=3D3D"font-family:Tahoma;font-size:13px">Con= fig is basic (with<br> > spec=3D<br> > ial timeout tests commented out) :</div><div<br> > style=3D3D"font-family:Tahoma;fo=3D<br> > nt-size:13px">=3DA0</div><div<br> > style=3D3D"font-family:Tahoma;font-size:13px">dat=3D<br> > abase =3DA0 =3DA0 =3DA0ldap<br><br> > suffix =3DA0 =3DA0 =3DA0 =3DA0 =3DA0<br> > =3DA0&quot;o=3D3Dcorp&quot;<br>uri=3DA0=3DA0=3DA0=3DA0= =3DA0=3DA0=3D<br> > =3DA0=3DA0=3DA0=3DA0=3DA0=3DA0=3DA0 =3DA0 =3DA0<a>ldaps://<a hre= f=3D"http://10.100.120.153" target=3D"_blank">10.100.120.153</a></a>&= lt;/div><div<br> > style=3D<br> > =3D3D"font-family:Tahoma;font-size:13px">=3DA0</div&gt= ;<div<br> > style=3D3D"font-family:T=3D<br> > ahoma;font-size:13px"># close connection after a timeout<br= ><br> > #idletimeout=3DA0=3DA0=3DA0=3DA0 100<br># causes a cached connec= tion to be dropped<br> > =3D<br> > an recreated after a given ttl<br>#conn-ttl=3DA0=3DA0=3DA0=3DA0= =3DA0=3DA0=3DA0<br> > 4294967294=3D<br> > <br># close connection after a timeout for ldap<br> > backend<br>#idle-timeout=3DA0=3D<br> > =3DA0=3DA0 4294967294<br># Discards current cached connection wh= en the client<br> > r=3D<br> > ebinds - default to No<br><br> > #single-conn=3DA0=3DA0=3DA0=3DA0 no</div><div<br> > style=3D3D"font-family:Tahoma;font-size=3D<br> > :13px"><br>overlay=3DA0=3DA0=3DA0=3DA0=3DA0=3DA0=3DA0=3D= A0 rwm<br>rwm-suffixmassage<br> > &quot;o=3D<br> > =3D3Dcorp&quot; &quot;o=3D3Dint&quot;</div><div<b= r> > class=3D3D"gmail_extra"><br><br><=3D<br> > div class=3D3D"gmail_quote">2012/12/6 Pierangelo Masarati= <span<br> > dir=3D3D"ltr">&=3D<br> > lt;<a href=3D3D"mailto:<a href=3D"mailto:masarati@aero.polimi.= it" target=3D"_blank">masarati(a)aero.polimi.it</a>"<br> > target=3D3D"_blank">masarati@ae=3D<br> > <a href=3D"http://ro.polimi.it" target=3D"_blank">ro.polimi.it</a><= /a>&gt;</span><br><br> > <blockquote class=3D3D"gmail_quote" style=3D3D"margi= n:0 0 0<br> > .8ex;border-left:1p=3D<br> > x #ccc solid;padding-left:1ex"><br><br> > &gt; Full_Name: Sebastien Prune THOMAS<br><br> > &gt; Version: slapd 2.4.31<br><br> > &gt; OS: Linux CentOS<br><br> > &gt; URL: <a href=3D3D"<a href=3D"ftp://ftp.openldap.org/i= ncoming/" target=3D"_blank">ftp://ftp.openldap.org/incoming/</a>"<br> > target=3D3D"_blank">ft=3D<br> > p://<a href=3D"http://ftp.openldap.org/incoming/" target=3D"_blank">ft= p.openldap.org/incoming/</a></a><br><br> > &gt; Submission from: (NULL) (206.167.157.64)<br><br> > &gt;<br><br> > &gt;<br><br> > &gt; I use OpenLdap to proxy (with the module back-ldap) to a eDir= ectory<br> > LD=3D<br> > AP<br><br> > &gt; server.<br><br> > &gt; Every once and a while I have long lasting connections re-bin= ding<br> > as<b=3D<br> > r><br> > &gt; anonymous,<br><br> > &gt; breaking the actual bind.<br><br> > &gt; This usualy happen after hitting either the idle-timeout or t= he<br> > conn-t=3D<br> > tl<br><br> > &gt; limit.<br><br> > &gt; I wasn&#39;t able to find out what these values are when = not set...<br> > bu=3D<br> > t<br><br> > &gt; setting them<br><br> > &gt; low can help reproduce the problem :<br><br> > <br><br> > What is the configuration of back-ldap? =3DA0Can you post it (after<br= > > sanitizin=3D<br> > g<br><br> > sensitive info)?<br><br> > <span class=3D3D"HOEnZb"><font color=3D3D"#888= 888"><br><br> > p.<br><br> > <br><br> > --<br><br> > Pierangelo Masarati<br><br> > Associate Professor<br><br> > Dipartimento di Ingegneria Aerospaziale<br><br> > Politecnico di Milano<br><br> > <br><br> > </font></span></blockquote></div><br>&lt= ;/div><br> ><br> > --20cf307811d0d379c404d032d6ee--<br> <div><div>><br> ><br> ><br> ><br> ><br> <br> <br> --<br> Pierangelo Masarati<br> Associate Professor<br> Dipartimento di Ingegneria Aerospaziale<br> Politecnico di Milano<br> <br> </div></div></blockquote></div><br></div> </div></div></blockquote></div><br></div> --20cf307d04d2686d3904d0343c02--

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs December 2012