openldap-bugs May 2012

openldap-bugs@openldap.org

23 participants
78 discussions

Re: (ITS#7277) Slapadd segfaults if binddn contains ou or dc statements
by o.loch＠gmx.net 21 May '12

21 May '12

--Apple-Mail=_E91EDB34-885C-4527-B3A7-0CF927EAA88D Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=iso-8859-1 Hello, thanks for the reply. I followed your advice and played a bit with it = and now it's working. It's interesting that you always have to include the core.schema even if = you use a replicated config. Sorry for the wrong bug report and thanks again! KR, Oliver=20 Am 21.05.2012 um 01:46 schrieb Howard Chu: >> I played with it a bit and as soon as one adds "ou=3D..." or "dc=3D..."= to the >> binddn it raises an error. In this example config and in the "real = world". >>=20 >> Imho there aren't any limitations to the binddn option? >=20 > No, there are no limitations on binddn. Your example is invalid since = you have not loaded any schema to define the "ou" or "dc" attributes. = The error message from slapadd is correct. >=20 > --=20 > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ >=20 >=20 --Apple-Mail=_E91EDB34-885C-4527-B3A7-0CF927EAA88D Content-Disposition: attachment; filename=smime.p7s Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIINRDCCBjQw ggQcoAMCAQICAR4wDQYJKoZIhvcNAQEFBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0 Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAn BgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA3MTAyNDIxMDE1NVoX DTE3MTAyNDIxMDE1NVowgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSsw KQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFy dENvbSBDbGFzcyAxIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMcJg8zOLdgasSmkLhOrlr6KMoOMpohBllVHrdRvEg/q6r8jR+EK 75xCGhR8ToREoqe7zM9/UnC6TS2y9UKTpT1v7RSMzR0t6ndl0TWBuUr/UXBhPk+Kmy7bI4yW4urC +y7P3/1/X7U8ocb8VpH/Clt+4iq7nirMcNh6qJR+xjOhV+VHzQMALuGYn5KZmc1NbJQYclsGkDxD z2UbFqE2+6vIZoL+jb9x4Pa5gNf1TwSDkOkikZB1xtB4ZqtXThaABSONdfmv/Z1pua3FYxnCFmdr /+N2JLKutIxMYqQOJebr/f/h5t95m4JgrM3Y/w7YX9d7YAL9jvN4SydHsU6n65cCAwEAAaOCAa0w ggGpMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRTcu2SnODaywFc fH6WNU7y1LhRgjAfBgNVHSMEGDAWgBROC+8apEBbpRdphzDKNGhD0EGu8jBmBggrBgEFBQcBAQRa MFgwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9jYTAtBggrBgEFBQcwAoYh aHR0cDovL3d3dy5zdGFydHNzbC5jb20vc2ZzY2EuY3J0MFsGA1UdHwRUMFIwJ6AloCOGIWh0dHA6 Ly93d3cuc3RhcnRzc2wuY29tL3Nmc2NhLmNybDAnoCWgI4YhaHR0cDovL2NybC5zdGFydHNzbC5j b20vc2ZzY2EuY3JsMIGABgNVHSAEeTB3MHUGCysGAQQBgbU3AQIBMGYwLgYIKwYBBQUHAgEWImh0 dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cu c3RhcnRzc2wuY29tL2ludGVybWVkaWF0ZS5wZGYwDQYJKoZIhvcNAQEFBQADggIBAAqDCH14qywG XLhjjF6uHLkjd02hcdh9hrw+VUsv+q1eeQWB21jWj3kJ96AUlPCoEGZ/ynJNScWy6QMVQjbbMXlt UfO4n4bGGdKo3awPWp61tjAFgraLJgDk+DsSvUD6EowjMTNx25GQgyYJ5RPIzKKR9tQW8gGK+2+R HxkUCTbYFnL6kl8Ch507rUdPPipJ9CgJFws3kDS3gOS5WFMxcjO5DwKfKSETEPrHh7p5shuuNktv sv6hxHTLhiMKX893gxdT3XLS9OKmCv87vkINQcNEcIIoFWbP9HORz9v3vQwR4e3ksLc2JZOAFK+s sS5XMEoznzpihEP0PLc4dCBYjbvSD7kxgDwZ+Aj8Q9PkbvE9sIPP7ON0fz095HdThKjiVJe6vofq +n6b1NBc8XdrQvBmunwxD5nvtTW4vtN6VY7mUCmxsCieuoBJ9OlqmsVWQvifIYf40dJPZkk9YgGT zWLpXDSfLSplbY2LL9C9U0ptvjcDjefLTvqSFc7tw1sEhF0n/qpA2r0GpvkLRDmcSwVyPvmjFBGq Up/pNy8ZuPGQmHwFi2/14+xeSUDG2bwnsYJQG2EdJCB6luQ57GEnTA/yKZSTKI8dDQa8Sd3zfXb1 9mOgSF0bBdXbuKhEpuP9wirslFe6fQ1t5j5R0xi72MZ8ikMu1RQZKCyDbMwazlHiMIIHCDCCBfCg AwIBAgIDA6CuMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRD b20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYG A1UEAxMvU3RhcnRDb20gQ2xhc3MgMSBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0EwHhcN MTIwMTI5MTQ0MTM3WhcNMTMwMTI5MjE0MTE4WjBTMRkwFwYDVQQNExB6N0V1VjY4Q0xvemRSRHkx MRcwFQYDVQQDDA5vLmxvY2hAZ214Lm5ldDEdMBsGCSqGSIb3DQEJARYOby5sb2NoQGdteC5uZXQw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmfq20gcAUPUePSPavAqfHQTuq75yNv9dj TkYkP1kWeohKxHnznc1so0WuaMo1Azt/01Z1zdMZ3m5Ix3Q1UxuVRh+ciRockHJZ36uWWesMLdwh /cdvgEeR+wqfceYuuW4Du8MDh9/+z4NCBJ6kvYQUXKZibthLaLssazBoHmvVDiwvmvDk2bLim+sC ywRelWWFAnlVDGFTsHN9DKe1jXljLDnNwcHRzJroSx01Dh4AhMMkz8ZUQtx3GInhZLjErRCdZ3Oj HDmZ8U2ABo1W7Hccux1U/70y6fOVOrQW7hkv1jPpGp1+713ONg4wc8PiGOHZHnIENBGBKOCGjd70 7zU9AgMBAAGjggOpMIIDpTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNVHSUEFjAUBggrBgEF BQcDAgYIKwYBBQUHAwQwHQYDVR0OBBYEFBF4b2lWP7cPi3uyf1fhXOfHBuA7MB8GA1UdIwQYMBaA FFNy7ZKc4NrLAVx8fpY1TvLUuFGCMBkGA1UdEQQSMBCBDm8ubG9jaEBnbXgubmV0MIICIQYDVR0g BIICGDCCAhQwggIQBgsrBgEEAYG1NwECAjCCAf8wLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3Rh cnRzc2wuY29tL3BvbGljeS5wZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuc3RhcnRzc2wuY29t L2ludGVybWVkaWF0ZS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0Q29tIENlcnRpZmljYXRp b24gQXV0aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmljYXRlIHdhcyBpc3N1ZWQgYWNjb3JkaW5n IHRvIHRoZSBDbGFzcyAxIFZhbGlkYXRpb24gcmVxdWlyZW1lbnRzIG9mIHRoZSBTdGFydENvbSBD QSBwb2xpY3ksIHJlbGlhbmNlIG9ubHkgZm9yIHRoZSBpbnRlbmRlZCBwdXJwb3NlIGluIGNvbXBs aWFuY2Ugb2YgdGhlIHJlbHlpbmcgcGFydHkgb2JsaWdhdGlvbnMuMIGcBggrBgEFBQcCAjCBjzAn FiBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTADAgECGmRMaWFiaWxpdHkgYW5kIHdh cnJhbnRpZXMgYXJlIGxpbWl0ZWQhIFNlZSBzZWN0aW9uICJMZWdhbCBhbmQgTGltaXRhdGlvbnMi IG9mIHRoZSBTdGFydENvbSBDQSBwb2xpY3kuMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwu c3RhcnRzc2wuY29tL2NydHUxLWNybC5jcmwwgY4GCCsGAQUFBwEBBIGBMH8wOQYIKwYBBQUHMAGG LWh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9zdWIvY2xhc3MxL2NsaWVudC9jYTBCBggrBgEFBQcw AoY2aHR0cDovL2FpYS5zdGFydHNzbC5jb20vY2VydHMvc3ViLmNsYXNzMS5jbGllbnQuY2EuY3J0 MCMGA1UdEgQcMBqGGGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tLzANBgkqhkiG9w0BAQUFAAOCAQEA aFgkPDQLgfzA2OCcUUaavf3yBb0JX83kkHtqpPJPs8AM7MEHgSwPtvDPfrArLZRVleQ5rE42QDrl UJQ1FBrSaRaGERjihOvbXy3UglGk23zZfpV+tG3FM/K6r3aoOTghqldly/nnXptgUiV+Xc8GVZgZ 3v9M8bqx4ypL4VTxZ9FrIKQ6IoLyuxCFRUutk/UaN9bT4bVjLrlC3E5jltmtdjFPcQOGsZ3B5IeC A8wWWiUrClvj1WJvBvgJ7o48F6mjdJYWZqzAQkQVkA0GmPsEb9YdWEyqygCnb1/oHmPYLzd7GZMS 8Yr0BFbSWB4vFdCI+eQg+xwBLD+bp8s4M+DodTGCA28wggNrAgEBMIGUMIGMMQswCQYDVQQGEwJJ TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlm aWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMSBQcmltYXJ5IEludGVybWVk aWF0ZSBDbGllbnQgQ0ECAwOgrjAJBgUrDgMCGgUAoIIBrzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN AQcBMBwGCSqGSIb3DQEJBTEPFw0xMjA1MjExNzI3MDFaMCMGCSqGSIb3DQEJBDEWBBR7+zXEwhx2 T0J+cWFbzao725HBOjCBpQYJKwYBBAGCNxAEMYGXMIGUMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UE ChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2ln bmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMSBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGll bnQgQ0ECAwOgrjCBpwYLKoZIhvcNAQkQAgsxgZeggZQwgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQK Ew1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWdu aW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAxIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVu dCBDQQIDA6CuMA0GCSqGSIb3DQEBAQUABIIBACE6nneTvZzl9cCgd7q/2Ee65O3vXs3BzLCeXlCC iS1yOOvo9udFSZlwY8tpSo8fKX6YDHAmRVliE/X+dUOPtIboyYJPIx+pJM66sULMDya194rYd9He VeHA0//o0hTeGBzVBoWto3+qH3fmQKNCrHd1mZOhfVgkWAn0W9K2YayJGV0sFDJaTYQ+2jlgrZHM AC1vhQltCcdOh5qF1X6YaOueFupm86bVo3YKuwY42VxkCAl9fAanwKR61pmXcH0wvACPgjO0d81w oUwhlNJ7aTJ2/yMrAh13qn06nwLMxjjUE1HzYH78zHLLoSZVmo0p49ykzLYVVRQzZVMtBpmMy7UA AAAAAAA= --Apple-Mail=_E91EDB34-885C-4527-B3A7-0CF927EAA88D--

1 0

Re: (ITS#7248) Cast to string in back-sql when upper_needs_cast is declared in slapd.conf
by rene.snajder＠i-med.ac.at 21 May '12

21 May '12

Dear OpenLDAP Devs, I would like to ask if there is anything else I can do to speed up the inclusion of my patch?

1 0

Re: (ITS#7277) Slapadd segfaults if binddn contains ou or dc statements
by hyc＠symas.com 20 May '12

20 May '12

> I played with it a bit and as soon as one adds "ou=..." or "dc=..." to the > binddn it raises an error. In this example config and in the "real world". > > Imho there aren't any limitations to the binddn option? No, there are no limitations on binddn. Your example is invalid since you have not loaded any schema to define the "ou" or "dc" attributes. The error message from slapadd is correct. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#7277) Slapadd segfaults if binddn contains ou or dc statements
by o.loch＠gmx.net 19 May '12

19 May '12

Full_Name: Oliver Loch Version: 2.4.31 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (88.134.36.68) Hello, first of all some basic information: OpenLDAP Version: [root@ls1 slapd.d]# slapd -V @(#) $OpenLDAP: slapd 2.4.31 (Apr 24 2012 01:06:25) $ nobody@ovide:/build/src/openldap-2.4.31/servers/slapd [root@ls1 slapd.d]# OS: Linux ls1 3.3.6-1-ARCH #1 SMP PREEMPT Sun May 13 10:52:32 CEST 2012 x86_64 GNU/Linux Distribution: ArchLinux What I'm doing: I have a Master/Master setup with actually two masters. To roll out the second master I created a small configuration that is added to the OpenLDAP database via slapadd. The config: ======>8========SNIP======================== dn: cn=config objectClass: olcGlobal cn: config olcServerID: 1 ldap://server1.foo.bar olcServerID: 2 ldap://server2.foo.bar dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModuleLoad: {0}back_bdb.la olcModuleLoad: {1}back_hdb.la olcModuleLoad: {2}accesslog olcModuleLoad: {3}memberof olcModuleLoad: {4}refint olcModuleLoad: {5}unique olcModuleLoad: {6}syncprov olcModulePath: /usr/lib/openldap dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootDN: cn=master,cn=config olcRootPW: {SSHA}5e/wtWWZVQPCNf+92o8jYiO56wvh5cRQ olcSyncrepl: rid=001 provider=ldap://server1.foo.bar bindmethod=simple timeout=0 network-timeout=0 binddn="cn=syncer1,ou=users,cn=foo,cn=bar" credentials="supersecret" keepalive=0:0:0 starttls=no searchbase="cn=config" scope=sub schemachecking=off type=refreshAndPersist retry="5 +" olcMirrorMode: TRUE dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov ===========SNAP========8<==================== When adding the configuration to the - empty - slapd.d configuration directory via: slapadd -F /etc/openldap/slapd.d -n 0 -l /root/base.ldif "slapadd" segfaults as soon as the "binddn" parameter inside the olcSyncrepl attribute contains things like "ou" or "dc". So using "cn=syncer1,ou=users,dc=foo,dc=bar" as binddn is not possible: =========SNIP=======>8======================= [root@ls1 slapd.d]# slapadd -F /etc/openldap/slapd.d/ -n 0 -l /root/base.ldif 4fb89a89 invalid bind config value binddn=cn=syncer1,ou=users,dc=foo,dc=bar 4fb89a89 olcSyncrepl: value #0: Error: parse_syncrepl_line: unable to parse "binddn=cn=syncer1,ou=users,dc=foo,dc=bar" . 4fb89a89 failed to add syncinfo slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=19): _################# 86.13% eta none elapsed none spd 313.2 k/s Closing DB...Segmentation fault [root@ls1 slapd.d]# ===========SNAP========8<==================== But using "cn=syncer1,cn=users,cn=foo,cn=bar" is: ========>8==================SNIP============== [root@ls1 slapd.d]# slapadd -F /etc/openldap/slapd.d/ -n 0 -l /root/base.ldif _#################### 100.00% eta none elapsed none fast! Closing DB... [root@ls1 slapd.d]# ======SNAP================8<================= I played with it a bit and as soon as one adds "ou=..." or "dc=..." to the binddn it raises an error. In this example config and in the "real world". Imho there aren't any limitations to the binddn option? If you need further information feel free to contact me. Thanks! Kr, Oliver Loch

1 0

(ITS#7276) [PATCH] MozNSS: allow CA certdb together with PEM CA bundle file
by jvcelak＠redhat.com 18 May '12

18 May '12

Full_Name: Jan Vcelak Version: master OS: Linux URL: ftp://ftp.openldap.org/incoming/jvcelak-20120518-update-nss-allow-ca-certdb… Submission from: (NULL) (209.132.186.34) With Mozilla NSS crypto backend: Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate database and TLS_CACERT was set to a PEM bundle file with CA certificates, the PEM file content was not loaded. With this patch and the same settings, OpenLDAP can verify certificates which are signed by CAs stored both in certdb and PEM bundle file. This problem was found with FreeIPA which is setting CA PEM bundle using ldap_set_option(&ld, LDAP_OPT_X_TLS_CACERTFILE, ...), while TLS_CACERTDIR with certdb is set in system ldap.conf file. The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat. Red Hat has not assigned rights and/or interest in this work to any party. I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under the following terms. Red Hat hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

1 0

Re: (ITS#7274) delta-syncrepl MMR infinite loop
by quanah＠zimbra.com 17 May '12

17 May '12

--On Wednesday, May 16, 2012 10:27 PM +0000 quanah(a)OpenLDAP.org wrote: > Full_Name: Quanah Gibson-Mount > Version: 2.4.31 > OS: Linux 2.6 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (75.108.184.39) We can see that the script turning it into a master ran here: Thu May 17 16:05:46 2012 *** Running as zimbra user: /opt/zimbra/libexec/zmldapenable-mmr -s 2 -m ldap://zre-ldap002.eng.vmware.com:389/ so 16:05:46 In the accesslog, we see: dn: cn=accesslog objectClass: auditContainer cn: accesslog structuralObjectClass: auditContainer contextCSN: 20120517225152.913667Z#000000#000#000000 contextCSN: 20120517230823.615364Z#000000#001#000000 contextCSN: 20120517230546.409118Z#000000#002#000000 dn: reqStart=20120517230546.000019Z,cn=accesslog objectClass: auditAdd structuralObjectClass: auditAdd reqStart: 20120517230546.000019Z reqEnd: 20120517230546.000020Z reqType: add reqSession: 100 reqAuthzID: cn=config reqDN: cn=zimbra reqResult: 0 reqMod: objectClass:+ organizationalRole reqMod: description:+ Zimbra Systems Application Data reqMod: cn:+ zimbra reqMod: structuralObjectClass:+ organizationalRole reqMod: entryUUID:+ 40f78bea-34be-1031-8a5d-e1466f667e19 reqMod: creatorsName:+ cn=config reqMod: createTimestamp:+ 20120517224907Z reqMod: entryCSN:+ 20120517224907.221672Z#000000#000#000000 reqMod: modifiersName:+ cn=config reqMod: modifyTimestamp:+ 20120517224907Z reqEntryUUID: 40f78bea-34be-1031-8a5d-e1466f667e19 entryUUID: 948929e2-34c0-1031-9a14-c93bd10ff0f2 creatorsName: cn=config createTimestamp: 20120517224907Z entryCSN: 20120517224907.221672Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20120517224907Z so it is tracking "000" as a third master? This seems to be why the original server (which was 000 before being promoted to 001) replicates these entries back to itself. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: (ITS#7133) slapd dies with SIGSEGV on SIGHUP
by openldap＠stormcloud9.net 16 May '12

16 May '12

I too am experiencing this issue. I attempted to apply the patch from commit 7ff18967d7d2e49baa9d80f1b9408b276f3982e0, but it wont apply cleanly to 2.4.31. I was going to apply it by hand, but it appears the last 2 chunks have had a lot of changes in that area of the code. Is there any chance of getting the patch re-based for 2.4.31? Thanks

1 0

(ITS#7274) delta-syncrepl MMR infinite loop
by quanah＠OpenLDAP.org 16 May '12

16 May '12

Full_Name: Quanah Gibson-Mount Version: 2.4.31 OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (75.108.184.39) The following problem did not occur for me in previous OpenLDAP releases. However, I can reproduce it 100% of the time with OpenLDAP 2.4.31. Basic configuration scenario is as follows: Set up a stand alone OpenLDAP server -- Just cn=config and primary DB. Basic database for the server is created (note all entries now have SID value 0) Update the server to be delta-sync MMR -- Set sid=1, Mirror Mode, and add accesslog DB. Add syncrepl stanza for a second server Install second server as a delta-sycnrepl MMR pair -- cn=config, accesslog DB, primary DB, SID=2 Servers now go into infinite loops due to the SID=0 entries. Server SID=1 logs: May 16 14:33:24 zre-ldap002 slapd[17422]: do_syncrep2: rid=100 cookie=rid=100,sid=002,csn=20120516212017.543213Z#000000#000#000000 May 16 14:33:24 zre-ldap002 slapd[17422]: slap_queue_csn: queing 0x58d2ced 20120516212017.543213Z#000000#000#000000 May 16 14:33:24 zre-ldap002 slapd[17422]: slap_graduate_commit_csn: removing 0x4699f50 20120516212017.543213Z#000000#000#000000 May 16 14:33:24 zre-ldap002 slapd[17422]: syncrepl_message_to_op: rid=100 be_add cn=zimbra (68) May 16 14:33:24 zre-ldap002 slapd[17422]: do_syncrep2: rid=100 delta-sync lost sync on (reqStart=20120516213237.000019Z,cn=accesslog), switching to REFRESH May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_message_to_entry: rid=100 DN: cn=zimbra, UUID: add167b2-33e8-1031-8f62-f1c6fd57f8b3 May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 inserted UUID add167b2-33e8-1031-8f62-f1c6fd57f8b3 May 16 14:33:25 zre-ldap002 slapd[17422]: dn_callback : entries have identical CSN cn=zimbra 20120516212017.543213Z#000000#000#000000 May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 be_search (0) May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 cn=zimbra May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 entry unchanged, ignored (cn=zimbra) May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_message_to_entry: rid=100 DN: cn=admins,cn=zimbra, UUID: add18ab2-33e8-1031-8f63-f1c6fd57f8b3 May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 inserted UUID add18ab2-33e8-1031-8f63-f1c6fd57f8b3 May 16 14:33:25 zre-ldap002 slapd[17422]: dn_callback : entries have identical CSN cn=admins,cn=zimbra 20120516212017.544170Z#000000#000#000000 May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 be_search (0) May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 cn=admins,cn=zimbra May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 entry unchanged, ignored (cn=admins,cn=zimbra) (etc, going through all 000 SID entries). Once it finishes, it starts over: May 16 14:33:25 zre-ldap002 slapd[17422]: dn_callback : entries have identical CSN cn=com_zimbra_click2call_mitel,cn=zimlets,cn=zimbra 20120516212615.543144Z#000000#000#000000 May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 be_search (0) May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 cn=com_zimbra_click2call_mitel,cn=zimlets,cn=zimbra May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 entry unchanged, ignored (cn=com_zimbra_click2call_mitel,cn=zimlets,cn=zimbra) May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_message_to_entry: rid=100 DN: cn=zre-ldap003.eng.vmware.com,cn=servers,cn=zimbra, UUID: 5a64830a-33ea-1031-8fbb-f1c6fd57f8b3 May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 inserted UUID 5a64830a-33ea-1031-8fbb-f1c6fd57f8b3 May 16 14:33:25 zre-ldap002 slapd[17422]: dn_callback : entries have identical CSN cn=zre-ldap003.eng.vmware.com,cn=servers,cn=zimbra 20120516213323.905859Z#000000#001#000000 May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 be_search (0) May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 cn=zre-ldap003.eng.vmware.com,cn=servers,cn=zimbra May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 entry unchanged, ignored (cn=zre-ldap003.eng.vmware.com,cn=servers,cn=zimbra) May 16 14:33:25 zre-ldap002 slapd[17422]: do_syncrep2: rid=100 LDAP_RES_SEARCH_RESULT May 16 14:33:25 zre-ldap002 slapd[17422]: do_syncrep2: rid=100 cookie=rid=100,sid=002,csn=20120516213323.905859Z#000000#001#000000;20120516213237.680889Z#000000#002#000000 May 16 14:33:25 zre-ldap002 slapd[17422]: slap_queue_csn: queing 0x5805da0 20120516213237.680889Z#000000#002#000000 May 16 14:33:25 zre-ldap002 slapd[17422]: slap_graduate_commit_csn: removing 0x5805620 20120516213237.680889Z#000000#002#000000 May 16 14:33:25 zre-ldap002 slapd[17422]: do_syncrep2: rid=100 cookie=rid=000,sid=002,csn=20120516212017.543213Z#000000#000#000000 May 16 14:33:25 zre-ldap002 slapd[17422]: slap_queue_csn: queing 0x58d2ced 20120516212017.543213Z#000000#000#000000 May 16 14:33:25 zre-ldap002 slapd[17422]: slap_graduate_commit_csn: removing 0x5805bc0 20120516212017.543213Z#000000#000#000000 May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_message_to_op: rid=100 be_add cn=zimbra (68) May 16 14:33:25 zre-ldap002 slapd[17422]: do_syncrep2: rid=100 delta-sync lost sync on (reqStart=20120516213237.000019Z,cn=accesslog), switching to REFRESH May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_message_to_entry: rid=100 DN: cn=zimbra, UUID: add167b2-33e8-1031-8f62-f1c6fd57f8b3 May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 inserted UUID add167b2-33e8-1031-8f62-f1c6fd57f8b3 May 16 14:33:25 zre-ldap002 slapd[17422]: dn_callback : entries have identical CSN cn=zimbra 20120516212017.543213Z#000000#000#000000 May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 be_search (0) May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 cn=zimbra May 16 14:33:25 zre-ldap002 slapd[17422]: syncrepl_entry: rid=100 entry unchanged, ignored (cn=zimbra) On the second MMR master server, it logs: May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138856 SRCH attr=* + May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138856 SEARCH RESULT tag=101 err=0 nentries=0 text= May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138857 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))" May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138857 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN May 16 14:36:15 zre-ldap003 slapd[26137]: syncprov_search_response: cookie=rid=100,sid=002,csn=20120516212644.426510Z#000000#000#000000;20120516213448.200519Z#000000#001#000000;20120516213237.680085Z#000000#002#000000 May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138858 ABANDON msg=138858 May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138859 SRCH base="" scope=2 deref=0 filter="(objectClass=*)" May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138859 SRCH attr=* + May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138859 SEARCH RESULT tag=101 err=0 nentries=0 text= May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138860 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))" May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138860 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138861 ABANDON msg=138861 May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138862 SRCH base="" scope=2 deref=0 filter="(objectClass=*)" May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138862 SRCH attr=* + May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138862 SEARCH RESULT tag=101 err=0 nentries=0 text= May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138863 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))" May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138863 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138864 ABANDON msg=138864 May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138865 SRCH base="" scope=2 deref=0 filter="(objectClass=*)" May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138865 SRCH attr=* + May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138865 SEARCH RESULT tag=101 err=0 nentries=0 text= May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138866 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))" May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138866 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN May 16 14:36:15 zre-ldap003 slapd[26137]: syncprov_search_response: cookie=rid=100,sid=002,csn=20120516212644.426510Z#000000#000#000000;20120516213448.200519Z#000000#001#000000;20120516213237.680085Z#000000#002#000000 May 16 14:36:15 zre-ldap003 slapd[26137]: conn=1002 op=138867 ABANDON msg=138867 However, I can get a working delta-sync MMR pair if I do the following: Set up a stand alone OpenLDAP server -- Just cn=config and primary DB. Basic database for the server is created (note all entries now have SID value 0) Update the server to be delta-sync master: add accesslog DB. Install second server as a replica. Update first server to be delta-sync MMR: Set sid=1, mirrormode=true on primary DB, add syncrepl stanza for second server Update second server to be delta-sync MMR: Set sid=2, mirrormode=true on primary DB, add accesslog DB, add syncprel stanza for first server In this scenario everything works as expected. The issue seems to be caused in the first scenario by server 2 replicating the DB with SID=0 bits from the primary server, and that looping back to the first server endlessly, instead of being permanently ignored. --Quanah

1 0

(ITS#7273) Sig abort crash in slapd using GSSAPI auth in slap_listener at daemon.c:1891
by stefan.wold＠su.se 15 May '12

15 May '12

Full_Name: Stefan Wold Version: 2.4.31 OS: Ubuntu and Lunar Linux URL: Submission from: (NULL) (77.238.32.111) I can reproduce a sig abort crash in both Ubuntu and Lunar Linux using OpenLDAP 2.4.31. This crash only seem occur when I run ~20 concurrent ldap searches using -YGSSAPI for authentication, using simple bind (-x) I can't reproduce the crash. Usually slapd crash within a couple of hours using GSSAPI. My test case is quite simple, I start 20 threads that loop the following command: ldapsearch -h server -YGSSAPI uid=user In Ubuntu openldap is linked against cyrus-sasl which links to MIT kerberos. In Lunar Linux cyrus-sasl is linked against heimdal. In this case it doesn't seem to matter which kerberos implementation is used. Here's a brief gdb backtrace: Core was generated by `/usr/lib/slapd -d 0 -h ldap:/// ldaps:/// -f /etc/openldap/slapd.conf'. Program terminated with signal 6, Aborted. #0 0x00007f70313293c5 in raise () from /lib/libc.so.6 (gdb) bt #0 0x00007f70313293c5 in raise () from /lib/libc.so.6 #1 0x00007f703132a83b in abort () from /lib/libc.so.6 #2 0x00007f703132226e in __assert_fail_base () from /lib/libc.so.6 #3 0x00007f7031322312 in __assert_fail () from /lib/libc.so.6 #4 0x00000000004310e7 in slap_listener (sl=0x15c30d0) at daemon.c:1891 #5 0x0000000000431109 in slap_listener_thread (ctx=<optimized out>, ptr=<optimized out>) at daemon.c:2093 #6 0x00007f7032e7dcda in ldap_int_thread_pool_wrapper (xpool=0x15ff920) at tpool.c:688 #7 0x00007f703165cce0 in start_thread () from /lib/libpthread.so.0 #8 0x00007f70313c7abd in clone () from /lib/libc.so.6 For a full backtrace: https://gist.github.com/a82d5b3dfdac7abc8e27 -- Sincerely Stefan Wold IT services, Stockholm University Sweden

1 0

Re: (ITS#7272) Implement hasSubordinates in back-ldif
by h.b.furuseth＠usit.uio.no 14 May '12

14 May '12

michael(a)stroeder.com wrote: > It would be handy to have operational attribute 'hasSubordinates' > returned for entries under cn=config. If so, that can hopefully be done in back-config. It'd be a bit costly in back-ldif - one stat() per read_entry, plus an attempted rmdir(parent dir) in delete/modifyDN so that read_entry can assume there are subordinates if the dir exists. Hallvard

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2012