Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
by michael@stroeder.com
On Tue, 15 Jan 2013 13:37:06 GMT masarati(a)aero.polimi.it wrote
> On 01/15/2013 01:56 PM, hyc(a)symas.com wrote:
> > On Tue, Jan 15, 2013 at 12:18:59PM +0000, michael(a)stroeder.com wrote:
> >> Full_Name:
> >> Version: RE24 6f33e2c
> >> OS:
> >> URL:
> >> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
> >>
> >>
> >> It seems that operational attributes generated by slapo-allowed are
> >> replicated.
> >
> > Works as designed. These attributes are directoryOperation, not
> > DSA-specific.
>
> I see the point; since they're generated by the overlay in response to
> search operations, either they should not be replicated, or replication
> should accept them.
>
> Their value depends on ACLs, so in order to reflect ACLs on a specific
> DSA they should be generated; however, I concur ACLs should not depend
> on the specific DSA of a replication setup.
The values depend on local ACLs *and* current authz-DN.
=> These attributes MUST NOT be replicated.
Ciao, Michael.
10 years, 10 months
Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
by michael@stroeder.com
On Tue, 15 Jan 2013 12:56:35 GMT hyc(a)symas.com wrote
> > It seems that operational attributes generated by slapo-allowed are
> > replicated.
>
> Works as designed. These attributes are directoryOperation, not DSA-specific.
> Closing this ITS.
The fact that slapo-allowed in contrib/ does not declare the attribute types as
DSA-specific does not mean that they are not DSA-specific. I guess MS AD does
not care about subschema DSA-specific or not so we have to apply common sense
here.
The allowed* attr values are supposed to be generated based on the local access
control configuration. Since with OpenLDAP local configuration and therefore
local ACLs can differ on different replicas these attrs MUST NOT be replicated.
Please re-open the ITS.
Ciao, Michael.
10 years, 10 months
Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
by masarati@aero.polimi.it
On 01/15/2013 01:56 PM, hyc(a)symas.com wrote:
> On Tue, Jan 15, 2013 at 12:18:59PM +0000, michael(a)stroeder.com wrote:
>> Full_Name:
>> Version: RE24 6f33e2c
>> OS:
>> URL:
>> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
>>
>>
>> It seems that operational attributes generated by slapo-allowed are replicated.
>
> Works as designed. These attributes are directoryOperation, not DSA-specific.
I see the point; since they're generated by the overlay in response to
search operations, either they should not be replicated, or replication
should accept them.
Their value depends on ACLs, so in order to reflect ACLs on a specific
DSA they should be generated; however, I concur ACLs should not depend
on the specific DSA of a replication setup.
I'm open to suggestions about how to fix this.
p.
--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
10 years, 10 months
Re: (ITS#7493) slapo-allowed: allowed* attrs are replicated
by hyc@symas.com
On Tue, Jan 15, 2013 at 12:18:59PM +0000, michael(a)stroeder.com wrote:
> Full_Name:
> Version: RE24 6f33e2c
> OS:
> URL:
> Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
>
>
> It seems that operational attributes generated by slapo-allowed are replicated.
Works as designed. These attributes are directoryOperation, not DSA-specific.
Closing this ITS.
> Syslog shows:
> mods check (allowedAttributes: value #0 invalid per syntax)
>
10 years, 10 months
(ITS#7493) slapo-allowed: allowed* attrs are replicated
by michael@stroeder.com
Full_Name:
Version: RE24 6f33e2c
OS:
URL:
Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)
It seems that operational attributes generated by slapo-allowed are replicated.
Syslog shows:
mods check (allowedAttributes: value #0 invalid per syntax)
10 years, 10 months
(ITS#7492) add "onerr" to back-ldap
by masarati@aero.polimi.it
Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2.40.21.25)
Submitted by: ando
back-meta supports "onerr" to determine search behavior when an error is
returned by a remote server; a similar behavior may be desirable for back-ldap.
Right now, when an error occurs, back-ldap stops sending entries and returns
success. The "onerr stop" directive makes back-ldap return the error instead;
"onerr continue" produces the current behavior.
10 years, 10 months
Re: (ITS#7491) mdb write bus error before adding 5 million keys
by clayton.stangeland@gmail.com
Thank you. I did not consider the transaction size.
On 1/11/13, Howard Chu <hyc(a)symas.com> wrote:
> clayton.stangeland(a)gmail.com wrote:
>> Full_Name: Clayton Stangeland
>> Version: git mdb.master last commit
>> fed573cb86ed99f37bd062908ec814ee0ca47053
>> OS: Fedora 17 64 bit
>> URL: ftp://ftp.openldap.org/incoming/mtest-big.c
>> Submission from: (NULL) (192.94.73.31)
>>
>>
>> Building and running mdb from git branch mdb.master commit
>> fed573cb86ed99f37bd062908ec814ee0ca47053 on Fedora 17 64 bit I get a bus
>> error.
>
> Thanks for the report. The bus error is now fixed in git mdb.master. We assume
> that most users will not batch so many operations into a single transaction.
>>
>> When running the test below, which is a modification of mtest.c, I get a Bus
>> error. This happens while trying to write the file. gdb reports line 3936 of
>> mdb.c as the erroring line inside mdb_page_search_root: while (IS_BRANCH(mp)) {
>>
>> If I set count to 4 million instead of 5 million it works, and adding back in
>> all the other mtest.c tests works as well then.
>>
>> Here is the code:
>> /* mtest.c - memory-mapped database tester/toy */
>> /*
>> * Copyright 2011 Howard Chu, Symas Corp.
>> * All rights reserved.
>> *
>> * Redistribution and use in source and binary forms, with or without
>> * modification, are permitted only as authorized by the OpenLDAP
>> * Public License.
>> *
>> * A copy of this license is available in the file LICENSE in the
>> * top-level directory of the distribution or, alternatively, at
>> * <http://www.OpenLDAP.org/license.html>.
>> */
>> #define _XOPEN_SOURCE 500 /* srandom(), random() */
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <time.h>
>> #include "lmdb.h"
>>
>> int main(int argc,char * argv[])
>> {
>> int i = 0, j = 0, rc;
>> MDB_env *env;
>> MDB_dbi dbi;
>> MDB_val key, data;
>> MDB_txn *txn;
>> MDB_stat mst;
>> MDB_cursor *cursor;
>> int count;
>> int *values;
>> char sval[32];
>>
>> srandom(time(NULL));
>>
>> count = (5000000) + 64;
>> values = (int *)malloc(count*sizeof(int));
>>
>> for(i = 0;i<count;i++) {
>> values[i] = random()%1000000000;
>> }
>>
>> rc = mdb_env_create(&env);
>> rc = mdb_env_set_mapsize(env, 10485760000);
>> rc = mdb_env_open(env, "./testdb", MDB_FIXEDMAP /*|MDB_NOSYNC*/,
>> 0664);
>> rc = mdb_txn_begin(env, NULL, 0, &txn);
>> rc = mdb_open(txn, NULL, 0, &dbi);
>>
>> key.mv_size = sizeof(sval);
>> key.mv_data = sval;
>> data.mv_size = sizeof(sval);
>> data.mv_data = sval;
>>
>> for (i=0;i<count;i++) {
>> sprintf(sval, "%08x %d foo bar", values[i], values[i]);
>> rc = mdb_put(txn, dbi, &key, &data, MDB_NOOVERWRITE);
>> if (rc) j++;
>> }
>> if (j) printf("%d duplicates skipped\n", j);
>> rc = mdb_txn_commit(txn);
>> rc = mdb_env_stat(env, &mst);
>>
>> free(values);
>> mdb_close(env, dbi);
>> mdb_env_close(env);
>>
>> return 0;
>>
>> }
>>
>>
>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
10 years, 10 months
Re: (ITS#7491) mdb write bus error before adding 5 million keys
by hyc@symas.com
clayton.stangeland(a)gmail.com wrote:
> Full_Name: Clayton Stangeland
> Version: git mdb.master last commit fed573cb86ed99f37bd062908ec814ee0ca47053
> OS: Fedora 17 64 bit
> URL: ftp://ftp.openldap.org/incoming/mtest-big.c
> Submission from: (NULL) (192.94.73.31)
>
>
> Building and running mdb from git branch mdb.master commit
> fed573cb86ed99f37bd062908ec814ee0ca47053 on Fedora 17 64 bit I get a bus error.
Thanks for the report. The bus error is now fixed in git mdb.master. We assume
that most users will not batch so many operations into a single transaction.
>
> When running the test below, which is a modification of mtest.c, I get a Bus
> error. This happens while trying to write the file. gdb reports line 3936 of
> mdb.c as the erroring line inside mdb_page_search_root: while (IS_BRANCH(mp)) {
>
> If I set count to 4 million instead of 5 million it works, and adding back in
> all the other mtest.c tests works as well then.
>
> Here is the code:
> /* mtest.c - memory-mapped database tester/toy */
> /*
> * Copyright 2011 Howard Chu, Symas Corp.
> * All rights reserved.
> *
> * Redistribution and use in source and binary forms, with or without
> * modification, are permitted only as authorized by the OpenLDAP
> * Public License.
> *
> * A copy of this license is available in the file LICENSE in the
> * top-level directory of the distribution or, alternatively, at
> * <http://www.OpenLDAP.org/license.html>.
> */
> #define _XOPEN_SOURCE 500 /* srandom(), random() */
> #include <stdio.h>
> #include <stdlib.h>
> #include <time.h>
> #include "lmdb.h"
>
> int main(int argc,char * argv[])
> {
> int i = 0, j = 0, rc;
> MDB_env *env;
> MDB_dbi dbi;
> MDB_val key, data;
> MDB_txn *txn;
> MDB_stat mst;
> MDB_cursor *cursor;
> int count;
> int *values;
> char sval[32];
>
> srandom(time(NULL));
>
> count = (5000000) + 64;
> values = (int *)malloc(count*sizeof(int));
>
> for(i = 0;i<count;i++) {
> values[i] = random()%1000000000;
> }
>
> rc = mdb_env_create(&env);
> rc = mdb_env_set_mapsize(env, 10485760000);
> rc = mdb_env_open(env, "./testdb", MDB_FIXEDMAP /*|MDB_NOSYNC*/,
> 0664);
> rc = mdb_txn_begin(env, NULL, 0, &txn);
> rc = mdb_open(txn, NULL, 0, &dbi);
>
> key.mv_size = sizeof(sval);
> key.mv_data = sval;
> data.mv_size = sizeof(sval);
> data.mv_data = sval;
>
> for (i=0;i<count;i++) {
> sprintf(sval, "%08x %d foo bar", values[i], values[i]);
> rc = mdb_put(txn, dbi, &key, &data, MDB_NOOVERWRITE);
> if (rc) j++;
> }
> if (j) printf("%d duplicates skipped\n", j);
> rc = mdb_txn_commit(txn);
> rc = mdb_env_stat(env, &mst);
>
> free(values);
> mdb_close(env, dbi);
> mdb_env_close(env);
>
> return 0;
>
> }
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
10 years, 10 months
(ITS#7491) mdb write bus error before adding 5 million keys
by clayton.stangeland@gmail.com
Full_Name: Clayton Stangeland
Version: git mdb.master last commit fed573cb86ed99f37bd062908ec814ee0ca47053
OS: Fedora 17 64 bit
URL: ftp://ftp.openldap.org/incoming/mtest-big.c
Submission from: (NULL) (192.94.73.31)
Building and running mdb from git branch mdb.master commit
fed573cb86ed99f37bd062908ec814ee0ca47053 on Fedora 17 64 bit I get a bus error.
When running the test below, which is a modification of mtest.c, I get a Bus
error. This happens while trying to write the file. gdb reports line 3936 of
mdb.c as the erroring line inside mdb_page_search_root: while (IS_BRANCH(mp)) {
If I set count to 4 million instead of 5 million it works, and adding back in
all the other mtest.c tests works as well then.
Here is the code:
/* mtest.c - memory-mapped database tester/toy */
/*
 * Copyright 2011 Howard Chu, Symas Corp.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */
#define _XOPEN_SOURCE 500 /* srandom(), random() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "lmdb.h"

int main(int argc,char * argv[])
{
	int i = 0, j = 0, rc;
	MDB_env *env;
	MDB_dbi dbi;
	MDB_val key, data;
	MDB_txn *txn;
	MDB_stat mst;
	int count;
	int *values;
	char sval[32];

	srandom(time(NULL));

	/* 5 million keys plus a few; with 4 million the run completes */
	count = (5000000) + 64;
	values = (int *)malloc(count*sizeof(int));
	if (!values) {
		perror("malloc");
		return 1;
	}

	for(i = 0;i<count;i++) {
		values[i] = random()%1000000000;
	}

	rc = mdb_env_create(&env);
	/* map large enough for the whole batch (about 10 GB) */
	rc = mdb_env_set_mapsize(env, 10485760000);
	/* ./testdb must already exist as a directory */
	rc = mdb_env_open(env, "./testdb", MDB_FIXEDMAP /*|MDB_NOSYNC*/, 0664);
	if (rc) {
		fprintf(stderr, "mdb_env_open: %s\n", mdb_strerror(rc));
		return 1;
	}
	/* one write transaction holds every put until the final commit;
	 * this is the pattern that triggers the bus error in mdb_page_search_root */
	rc = mdb_txn_begin(env, NULL, 0, &txn);
	rc = mdb_open(txn, NULL, 0, &dbi);

	/* key and value both point at sval; the whole 32-byte buffer is stored,
	 * so clear it first rather than storing stale stack bytes after the NUL */
	memset(sval, 0, sizeof(sval));
	key.mv_size = sizeof(sval);
	key.mv_data = sval;
	data.mv_size = sizeof(sval);
	data.mv_data = sval;

	for (i=0;i<count;i++) {
		sprintf(sval, "%08x %d foo bar", values[i], values[i]);
		rc = mdb_put(txn, dbi, &key, &data, MDB_NOOVERWRITE);
		if (rc) j++;	/* MDB_KEYEXIST for a repeated random value */
	}
	if (j) printf("%d duplicates skipped\n", j);
	rc = mdb_txn_commit(txn);
	if (rc) {
		fprintf(stderr, "mdb_txn_commit: %s\n", mdb_strerror(rc));
		return 1;
	}
	rc = mdb_env_stat(env, &mst);
	printf("%zu entries stored\n", (size_t)mst.ms_entries);

	free(values);
	mdb_close(env, dbi);
	mdb_env_close(env);

	return 0;
}
10 years, 10 months
(ITS#7490) Security weakness in sha2 password module
by mhardin@symas.com
Full_Name: Matthew Hardin
Version: 2.4.33+
OS: All
URL: ftp://ftp.openldap.org/incoming/sha2.c-diff.txt
Submission from: (NULL) (69.43.206.100)
contrib/slapd-modules/passwd/sha2/sha2.c uses a series of context buffers and
zeros them out in several places using the following macro:
MEMSET_BZERO(context, sizeof(context))
The variable 'context' is a pointer to a context buffer, so sizeof will evaluate
to the size of a pointer for the particular platform. As a result, the context
buffer is only partially zeroed.
The correct invocation is:
MEMSET_BZERO(context, sizeof(*context))
which will zero out the complete context buffer.
The referenced diff details the changes to sha2.c that are necessary to correct
this issue.
Note this also cleans up warnings reported by MacOS's clang compiler.
I, Matthew Hardin, hereby place the following modifications to OpenLDAP Software
(and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
10 years, 10 months
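The defect described in the report, reproduced in isolation as an added example that is not the contrib sha2.c code nor part of the report or its diff. The context struct below is a hypothetical SHA-256-sized stand-in (state words, bit count, block buffer) and the MEMSET_BZERO macro only mirrors the shape of the one the report names; the two functions run the same wipe with `sizeof(context)` and `sizeof(*context)` and count how many bytes of hash state survive each.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a SHA-256 context: 104 bytes with no padding. */
typedef struct {
    uint32_t state[8];
    uint64_t bitcount;
    uint8_t  buffer[64];
} SHA256_CTX;

/* Same shape as the macro the report describes: plain memset to zero. */
#define MEMSET_BZERO(p, l) memset((p), 0, (l))

/* Leave a recognisable pattern behind, as a real digest run leaves
 * message-dependent state in the context. */
static void fill_context(SHA256_CTX *ctx)
{
    memset(ctx, 0xA5, sizeof(*ctx));
}

/* How many bytes of the context are still non-zero after a wipe. */
static size_t nonzero_bytes(const SHA256_CTX *ctx)
{
    const uint8_t *p = (const uint8_t *)ctx;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*ctx); i++)
        if (p[i] != 0) n++;
    return n;
}

/* The invocation as reported: `context` is a pointer, so sizeof(context)
 * is 4 or 8 and only the first few bytes of the state are cleared. */
size_t leftover_after_buggy_wipe(void)
{
    SHA256_CTX c, *context = &c;
    fill_context(context);
    MEMSET_BZERO(context, sizeof(context));
    return nonzero_bytes(context);
}

/* The corrected invocation: sizeof(*context) is the size of the struct. */
size_t leftover_after_fixed_wipe(void)
{
    SHA256_CTX c, *context = &c;
    fill_context(context);
    MEMSET_BZERO(context, sizeof(*context));
    return nonzero_bytes(context);
}

int main(void)
{
    printf("context: %zu bytes, pointer: %zu bytes\n",
           sizeof(SHA256_CTX), sizeof(SHA256_CTX *));
    printf("non-zero bytes after sizeof(context) wipe:  %zu\n", leftover_after_buggy_wipe());
    printf("non-zero bytes after sizeof(*context) wipe: %zu\n", leftover_after_fixed_wipe());
    return 0;
}
```

Both GCC and Clang flag the buggy form with -Wsizeof-pointer-memaccess (the destination and the sizeof operand are the same pointer expression), which is the kind of warning the report says the diff also silences on MacOS. A separate caveat for any such wipe: a memset of a buffer that is never read again can be removed by the optimizer, so a context cleared just before it goes out of scope needs a barrier such as a volatile-qualified store loop or the platform's explicit_bzero to be certain the state is gone.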