Re: (ITS#7694) cldap fails with IPv6 due to wrong size sockaddr
by stefw@redhat.com
On 10.10.2013 12:59, Howard Chu wrote:
> stefw(a)redhat.com wrote:
>> Full_Name: Stef Walter
>> Version: 2.4.35
>> OS: Fedora 19
>> Submission from: (NULL) (46.5.2.70)
>>
>>
>> Connectionless LDAP (ie: cldap enabled with -DLDAP_CONNECTIONLESS) is
>> broken for
>> IPv6 for current versions of openldap. Tested with version 2.4.35
>>
>> It's not clear if this ever worked properly.
>
> No, clearly not, the code was written and deprecated before IPv6
> existed. Nobody should be using this code today.
Interesting. FWIW, the code is packaged by RHEL and Fedora, and is in
use by several projects.
> Even if it were to be used, the patch would break slapd; your
> getnameinfo patch changes the format of the peername string. The format
> of this string is not arbitrary, it's used in ACLs and the format is
> documented in slapd.access(5).
>
> In the future, write patches that fix one single issue. Don't make
> gratuitous changes, particularly if you haven't researched what you're
> changing.
Sorry bout that. Here's a new patch without the slapd change:
ftp://ftp.openldap.org/incoming/stef-walter-131010.patch
Cheers,
Stef
9 years, 11 months
Re: (ITS#7710) contextCSN values not updated by internal non-replicated ops
by michael@stroeder.com
On Thu, 10 Oct 2013 11:05:28 GMT hyc(a)symas.com wrote
> michael(a)stroeder.com wrote:
> > With current master and re24 which have the fix for this ITS I now see seg
> > faults in test023-refint test057-memberof-refint.
>
> Fixed now in master.
Thanks. These tests are passing now.
@Quanah: Would be nice if this last fix could be also ported to RE24. Thanks in
advance.
Ciao, Michael.
9 years, 11 months
Re: (ITS#7694) cldap fails with IPv6 due to wrong size sockaddr
by hyc@symas.com
stefw(a)redhat.com wrote:
> Full_Name: Stef Walter
> Version: 2.4.35
> OS: Fedora 19
> URL: ftp://ftp.openldap.org/incoming/stef-walter-130912.patch
> Submission from: (NULL) (46.5.2.70)
>
>
> Connectionless LDAP (ie: cldap enabled with -DLDAP_CONNECTIONLESS) is broken for
> IPv6 for current versions of openldap. Tested with version 2.4.35
>
> It's not clear if this ever worked properly.
No, clearly not, the code was written and deprecated before IPv6 existed.
Nobody should be using this code today.
Even if it were to be used, the patch would break slapd; your getnameinfo
patch changes the format of the peername string. The format of this string is
not arbitrary, it's used in ACLs and the format is documented in slapd.access(5).
In the future, write patches that fix one single issue. Don't make gratuitous
changes, particularly if you haven't researched what you're changing.
> Connections immediately fail with:
>
> ldap_search_ext: Can't contact LDAP server (-1)
>
> The reason for this is that the LDAP_CONNECTIONLESS buffers include a prefix
> containing an address in a "struct sockaddr". However, struct sockaddr, is not a
> concrete type. In particular struct sockaddr_in6 is longer than struct
> sockaddr.
>
> Noted here: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=librarie...
>
> So this leads to failures when using IPv6 as the code assumes that the address
> length is equal to sizeof (struct sockaddr). Seen here:
>
> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=librarie...
>
> Example command:
>
> $ ldapsearch -d -1 -LL -H 'cldap://[2620:52:0:2223::1:1]' -b '' -s base
> '(&(DnsDomain=ad.baseos.qe)(NtVer=\06\00\00\00))' NetLogon
>
> Output will contain this:
>
> ldap_write: want=96 error=Invalid argument
>
> Which is the EINVAL resulting from bad value passed to sendto().
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9 years, 11 months
Re: (ITS#7694) cldap fails with IPv6 due to wrong size sockaddr
by hyc@symas.com
quanah(a)zimbra.com wrote:
> --On Thursday, September 12, 2013 4:04 PM +0000 stefw(a)redhat.com wrote:
>
>>> 2.4.35 is not the current version of OpenLDAP, 2.4.36 is. There were
>>> fixes to CLDAP made in 2.4.36. Please test against 2.4.36 and report
>>> back, thanks.
>>
>> This patch is against master.
>>
>> However master cldap support is broken in additional ways, and I'll be
>> filing further bugs/patches.
>
> Hi Stef,
>
> Thanks! In the future then, if it is an issue with the current 2.4 release
> series still, you can just put RE24 as the version. ;) Then I won't spend
> time trying to see if it's a known issue already fixed via the changes log.
The CLDAP code is a remnant from pre-LDAPv3, there was no such thing as IPv6
when it was written, so no, this has never worked with IPv6.
Who still uses CLDAP today? This code has no valid reason to exist any more.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9 years, 11 months
Re: (ITS#7710) contextCSN values not updated by internal non-replicated ops
by michael@stroeder.com
michael(a)stroeder.com wrote:
> On Wed, 09 Oct 2013 08:13:24 -0700 Howard Chu <hyc(a)symas.com> wrote
>> slapd already strips DSA-specific attributes before sending a syncrepl entry.
>> memberOf is not marked in the schema as DSA-specific. This is working as
>> designed.
>
> IIRC attribute 'memberOf' was replicated in former releases. So it was not
> DSA-specific back then.
>
> Then the behaviour was changed in a more recent OpenLDAP release. Nowadays each
> replica has to be configured with slapo-memberof performing *local* operations.
> Therefore I'd argue that 'memberOf' should be marked DSA-specific now since the
> *local* configuration is significant for its content.
> Note that there is no formal specification for attribute 'memberOf' at all.
>
> I have deployments where most users are member of more than 10 groups,
> sometimes more than 20. So not sending 'memberOf' could save quite a lot of
> network traffic.
>
> What are your objections against marking 'memberOf' as DSA-specific?
>
> (I vaguely remember this being discussed before without result though.)
Additionally consider partial replication where only a subset of group entries
is present on a certain consumer. One would not want to have 'memberOf' point
to group entries not really existing on that consumer.
=> 'memberOf' is definitely DSA-specific.
Ciao, Michael.
9 years, 11 months
Re: (ITS#7710) contextCSN values not updated by internal non-replicated ops
by michael@stroeder.com
On Wed, 09 Oct 2013 08:13:24 -0700 Howard Chu <hyc(a)symas.com> wrote
> slapd already strips DSA-specific attributes before sending a syncrepl entry.
> memberOf is not marked in the schema as DSA-specific. This is working as
> designed.
IIRC attribute 'memberOf' was replicated in former releases. So it was not
DSA-specific back then.
Then the behaviour was changed in a more recent OpenLDAP release. Nowadays each
replica has to be configured with slapo-memberof performing *local* operations.
Therefore I'd argue that 'memberOf' should be marked DSA-specific now since the
*local* configuration is significant for its content.
Note that there is no formal specification for attribute 'memberOf' at all.
I have deployments where most users are member of more than 10 groups,
sometimes more than 20. So not sending 'memberOf' could save quite a lot of
network traffic.
What are your objections against marking 'memberOf' as DSA-specific?
(I vaguely remember this being discussed before without result though.)
Ciao, Michael.
9 years, 11 months
Re: (ITS#7710) contextCSN values not updated by internal non-replicated ops
by hyc@symas.com
Michael Ströder wrote:
> On Wed, 9 Oct 2013 14:05:52 GMT hyc(a)symas.com wrote
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> But now I see this during initial refresh phase of second server:
>>>>
>>>> send_ldap_result: err=20 matched="" text="modify/add: memberOf: value #0
>>>> already exists"
>>>>
>>>> Is that expected?
>>>
>>> Not seeing that with your testcase.
>>>
>> Ah, I see it now. Yes, it's normal; memberOf on the provider already added
>> the relevant values. The consumer receives a group entry and performs the
>> same set of memberof updates, which are redundant at that point. It's
>> harmless.
>
> Hmm, wouldn't it be reasonable to strip those attributes marked as
> non-replication attrs when generating syncrepl search results at the provider?
> (Even if consumer asks for attrs=*,+)
slapd already strips DSA-specific attributes before sending a syncrepl entry.
memberOf is not marked in the schema as DSA-specific. This is working as designed.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9 years, 11 months
Re: (ITS#7710) contextCSN values not updated by internal non-replicated ops
by michael@stroeder.com
On Wed, 9 Oct 2013 14:05:52 GMT hyc(a)symas.com wrote
> Howard Chu wrote:
> > Michael Ströder wrote:
> >> But now I see this during initial refresh phase of second server:
> >>
> >> send_ldap_result: err=20 matched="" text="modify/add: memberOf: value #0
> >> already exists"
> >>
> >> Is that expected?
> >
> > Not seeing that with your testcase.
> >
> Ah, I see it now. Yes, it's normal; memberOf on the provider already added
> the relevant values. The consumer receives a group entry and performs the
> same set of memberof updates, which are redundant at that point. It's
> harmless.
Hmm, wouldn't it be reasonable to strip those attributes marked as
non-replication attrs when generating syncrepl search results at the provider?
(Even if consumer asks for attrs=*,+)
Ciao, Michael.
9 years, 11 months