openldap-bugs July 2015

openldap-bugs@openldap.org

24 participants
75 discussions

Re: (ITS#8181) LMDB page leaks etc when treating DBs as data
by hyc＠symas.com 30 Jul '15

30 Jul '15

juerg.bircher(a)helmedica.com wrote: > --_000_D1E06B6B7E2juergbircherhelmedicacom_ > Content-Type: text/plain; charset="iso-8859-1" > Content-Transfer-Encoding: quoted-printable > > Hi Howard, > > I am new to lmdb. I have been working with lmdb intensively for one month. = > I really appreciate your great work. Good efficient C code is not always fo= > und! > Well I like to follow up on that reported issue. > I am using multiple databases on the same environment. I was a bit confused= > about your statement that most application use never subDBs? I think it is= > a great feature that helps to support multiple indexes. > I ran unintentionally into a related problem as I set the compare function = > for the main db to an integer based one opposite to the literal compare fun= > ction which is the default. Therefore when opening a database by its name t= > he wrong database might be returned as the integer compare function might t= > hink names are equal as only 96 bits (in my function) are compared. So the = > compare function only compares the prefix of the database names! > Maybe the database meta should be kept in a private space. But I also agree= > on your statement to keep things simple. I solved the problem by never usi= > ng the main db so under no circumstances the database meta is corrupted. I = > think the price paid for having only named databases is very cheap as I ope= > n databases at startup and keep the database index (dbi). Thanks for the feedback. Yes, this is the best practice - if you're using named databases, you should not use the main DB. (Or just make sure you don't create name collisions.) -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8181) LMDB page leaks etc when treating DBs as data
by juerg.bircher＠helmedica.com 30 Jul '15

30 Jul '15

Sorry the mail before was not as plain text. Here again... Hi Howard, I am new to lmdb. I have been working with lmdb intensively for one month. I really appreciate your great work. Good efficient C code is not always found! Well I like to follow up on that reported issue. I am using multiple databases on the same environment. I was a bit confused about your statement that most application use never subDBs? I think it is a great feature that helps to support multiple indexes. I ran unintentionally into a related problem as I set the compare function for the main db to an integer based one opposite to the literal compare function which is the default. Therefore when opening a database by its name the wrong database might be returned as the integer compare function might think names are equal as only 96 bits (in my function) are compared. So the compare function only compares the prefix of the database names! Maybe the database meta should be kept in a private space. But I also agree on your statement to keep things simple. I solved the problem by never using the main db so under no circumstances the database meta is corrupted. I think the price paid for having only named databases is very cheap as I open databases at startup and keep the database index (dbi). Regards J=FCrg Rockethealth by Helmedica AG Web: www.rockethealth.ch J=FCrg Bircher Chief Technology Officer Mail: juerg.bircher(a)helmedica.ch

1 0

Re: (ITS#8181) LMDB page leaks etc when treating DBs as data
by juerg.bircher＠helmedica.com 30 Jul '15

30 Jul '15

--_000_D1E06B6B7E2juergbircherhelmedicacom_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi Howard, I am new to lmdb. I have been working with lmdb intensively for one month. = I really appreciate your great work. Good efficient C code is not always fo= und! Well I like to follow up on that reported issue. I am using multiple databases on the same environment. I was a bit confused= about your statement that most application use never subDBs? I think it is= a great feature that helps to support multiple indexes. I ran unintentionally into a related problem as I set the compare function = for the main db to an integer based one opposite to the literal compare fun= ction which is the default. Therefore when opening a database by its name t= he wrong database might be returned as the integer compare function might t= hink names are equal as only 96 bits (in my function) are compared. So the = compare function only compares the prefix of the database names! Maybe the database meta should be kept in a private space. But I also agree= on your statement to keep things simple. I solved the problem by never usi= ng the main db so under no circumstances the database meta is corrupted. I = think the price paid for having only named databases is very cheap as I ope= n databases at startup and keep the database index (dbi). Regards J=FCrg Rockethealth by Helmedica AG Web: www.rockethealth.ch<http://www.rockethealth.ch/> J=FCrg Bircher Chief Technology Officer Mail: juerg.bircher(a)helmedica.ch<mailto:christoph.baumann@helmedica.ch> --_000_D1E06B6B7E2juergbircherhelmedicacom_ Content-Type: text/html; charset="iso-8859-1" Content-ID: <86943131EABB0349A4C3B75E01000508(a)eurprd03.prod.outlook.com> Content-Transfer-Encoding: quoted-printable <html> <head> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-= 1"> </head> <body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-lin= e-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-fami= ly: Calibri, sans-serif;"> <div>Hi Howard,</div> <div><br> </div> <div>I am new to lmdb. I have been working with lmdb intensively for one mo= nth. I really appreciate your great work. Good efficient C code is not alwa= ys found! </div> <div>Well I like to follow up on that reported issue.</div> <div>I am using multiple databases on the same environment. I was a bit con= fused about your statement that most application use never subDBs? I think = it is a great feature that helps to support multiple indexes. </div> <div>I ran unintentionally into a related problem as I set the compare func= tion for the main db to an integer based one opposite to the literal compar= e function which is the default. Therefore when opening a database by its n= ame the wrong database might be returned as the integer compare function might think names are equal as on= ly 96 bits (in my function) are compared. So the compare function only comp= ares the prefix of the database names!</div> <div>Maybe the database meta should be kept in a private space. But I also = agree on your statement to keep things simple. I solved the problem by neve= r using the main db so under no circumstances the database meta is corrupte= d. I think the price paid for having only named databases is very cheap as I open databases at startup and keep= the database index (dbi).</div> <div><br> </div> <div>Regards</div> <div>J=FCrg</div> <div><br> </div> <p class=3D"MsoNormal" style=3D"margin: 0cm 0cm 0.0001pt; font-size: 11pt; = line-height: 11pt;"> <b><span lang=3D"EN-US" style=3D"font-size: 9pt; color: rgb(139, 141, 141);= font-family: 'FS Joey Medium';">Rockethealth by Helmedica AG<o:p></o:p></s= pan></b></p> <p class=3D"MsoNormal" style=3D"margin: 0cm 0cm 0.0001pt; font-size: 11pt;"= ><span lang=3D"EN-US" style=3D"font-size: 9pt; color: gray;">Web</span><spa= n lang=3D"EN-US" style=3D"font-size: 9pt; color: rgb(31, 73, 125);">: = </span><span style=3D"font-size: 9pt; color: rgb(31, 73, 125);"><a href=3D"= http://www.rockethealth.ch/" style=3D"color: rgb(149, 79, 114);"><span lang= =3D"EN-US" style=3D"color: blue;">www.rockethealth.ch</span></a></span><spa= n style=3D"font-size: 9pt; color: rgb(31, 73, 125);"></span><span lang=3D"E= N-US" style=3D"color: rgb(31, 73, 125);"><o:p></o:p></span></p> <p class=3D"MsoNormal" style=3D"margin: 0cm 0cm 0.0001pt; font-size: 11pt;"= ><span lang=3D"EN-US" style=3D"font-size: 9pt; color: gray;">J=FCrg Bircher= </span></p> <p class=3D"MsoNormal" style=3D"margin: 0cm 0cm 0.0001pt; font-size: 11pt;"= ><span style=3D"color: gray; font-size: 9pt;">Chief Technology </span>= <span style=3D"color: rgb(128, 128, 128); font-size: 12px;">Officer</span><= /p> <p class=3D"MsoNormal" style=3D"margin: 0cm 0cm 0.0001pt; font-size: 11pt;"= ><span lang=3D"EN-US" style=3D"font-size: 9pt; color: gray;">Mail: </s= pan><span style=3D"font-size: 9pt; color: rgb(31, 73, 125);"><a href=3D"mai= lto:christoph.baumann@helmedica.ch" style=3D"color: rgb(149, 79, 114);"><sp= an lang=3D"EN-US" style=3D"color: blue;">juerg.bircher(a)helmedica.ch</span><= /a></span><span lang=3D"EN-US" style=3D"color: rgb(31, 73, 125);"><o:p></o:= p></span></p> <p class=3D"MsoNormal" style=3D"margin: 0cm 0cm 0.0001pt; font-size: 11pt;"= ><span style=3D"color: gray; font-size: 11pt;"> </span><span style=3D"= font-size: 14px;"> </span></p> </body> </html> --_000_D1E06B6B7E2juergbircherhelmedicacom_--

1 0

Re: (ITS#8207) ppolicy: pwdMinLength not checked if pwdInHistory == 0
by porjo38＠yahoo.com.au 29 Jul '15

29 Jul '15

Thanks, I will try with 2.4.41 and let you know. I may not get a chance to test until this weekend. Relevant output from slapcat: dn: uid=ian,ou=UserAccounts,o=cwa objectClass: posixAccount objectClass: top objectClass: inetOrgPerson objectClass: ldapPublicKey givenName: Ian displayName: Ian Bishop uid: ian homeDirectory: /home/ian loginShell: /bin/bash cn: Ian Bishop structuralObjectClass: inetOrgPerson entryUUID: 767c952c-c867-1034-933d-53d15af42765 creatorsName: cn=admin,o=cwa createTimestamp: 20150727045535Z gidNumber: 1000 sn: Bishop uidNumber: 10000 userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx pwdChangedTime: 20150729140556Z pwdHistory: 20150729140556Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}xxxxxxxxxx entryCSN: 20150729140556.659729Z#000000#000#000000 modifiersName: cn=admin,o=cwa modifyTimestamp: 20150729140556Z dn: cn=passwordDefault,ou=policies,o=cwa objectClass: pwdPolicy objectClass: person objectClass: top cn: passwordDefault sn: passwordDefault pwdAttribute: userPassword pwdCheckQuality: 0 pwdMinAge: 0 pwdMaxAge: 0 pwdMaxFailure: 3 pwdFailureCountInterval: 0 pwdLockout: TRUE pwdAllowUserChange: TRUE pwdExpireWarning: 0 pwdGraceAuthNLimit: 0 pwdMustChange: FALSE pwdSafeModify: TRUE structuralObjectClass: person entryUUID: 3314dc02-ca3f-1034-825a-9d42205b22be creatorsName: cn=config createTimestamp: 20150729131225Z pwdMinLength: 6 pwdLockoutDuration: 300 pwdInHistory: 1 entryCSN: 20150729135535.164545Z#000000#000#000000 modifiersName: cn=admin,o=cwa modifyTimestamp: 20150729135535Z On 30/07/15 03:01, Michael Ströder wrote: > porjo38(a)yahoo.com.au wrote: >> Using password policy overlay, pwdMinLength is not checked when pwdInHistory == >> 0. > > I tried to reproduce this with my local OpenLDAP 2.4.41 installation. > In one case I thought to see this but I could not reproduce all the time. > Maybe there's another condition for this to happen. > > Could you please also test with release 2.4.41? > > And please also post the entry with the password (and relevant pwd* attrs) and > the pwdPolicy entry used, both as LDIF (minus sensitive data). > > Ciao, Michael. >

1 0

Re: (ITS#8209) Broken MDB_CP_COMPACT threading
by h.b.furuseth＠usit.uio.no 29 Jul '15

29 Jul '15

On 29/07/15 21:25, h.b.furuseth(a)usit.uio.no wrote: > (...)And copythr should set mc_new=0 before exiting also when setting > mc_status. so copyfd1 won't just sit and wait. I forgot it clears mc_new before setting mc_status. It's if it didn't keep the mutex it would have to set mc_new afterwards (after locking the mutex).

1 0

(ITS#8209) Broken MDB_CP_COMPACT threading
by h.b.furuseth＠usit.uio.no 29 Jul '15

29 Jul '15

Full_Name: Hallvard B Furuseth Version: LMDB_0.9.15 OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (81.191.45.5) Submitted by: hallvard mdb_env_copyfd1() and mdb_env_copythr() synchronize via my->mc_new, but incorrectly. copythr() starts before there is any data to consume, and copyfd1() does not tell it (by setting mc_new and signalling) when there is data. Instead it sets mc_new before it has finished producing the data. I suppose copythr just waits for a spurious wakeup, I haven't looked closely. It got it right originally when copyfd1 did not start the new thread until data (metapages) was ready. Or copyfd1 could start with mc_new = 0, and set it and signal when data is ready. copythr holds the mutex while writing. That's not how conds are supposed to be used. Threads are supposed to grab the mutex briefly around code which operates on mc_new. mc_status can be lost. Copyfd1 does not always use it, or it discards it. And copythr should set mc_new=0 before exiting also when setting mc_status. so copyfd1 won't just sit and wait.

1 0

Re: (ITS#8208) ppolicy supportedControl not visible in root DSE
by michael＠stroeder.com 29 Jul '15

29 Jul '15

robert.brooks(a)reporo.com wrote: > with ppolicy overlay loaded (and functioning) the following root DSE is= : > [..] > I would expect to see output similar to... >=20 > http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-= directory-info.html#read-root-dse > D0D > specifilllly line 12 (and maybe line 40). It's a bit hard to follow line number references in a web page. :-/ But I guess you mean the OIDs coming from draft-vchu-ldap-pwd-policy [1].= Note that AFAIK OpenDJ supports old draft-vchu-ldap-pwd-policy which is v= ery outdated and not supported by LDAP servers without Netscape roots. slapo-ppolicy implements draft-behera-ldap-password-policy [2]. > # Search the root DSE for the password policy (works > # with Netscape Directory Server) > pam_lookup_policy yes >=20 > does not make pam_ldap to interact with password policies against when > configured in openldap. Using pam_ldap is NOT recommended nowadays for a bunch of reasons. Use nss-pam-ldapd, sssd or OpenLDAP's slapo-nssov. AFAIK all of them support draft-behera-ldap-password-policy. But such usage discussion belong on the openldap-technical mailing list a= nd not in the ITS. Ciao, Michael. [1] https://tools.ietf.org/html/draft-vchu-ldap-pwd-policy [2] https://tools.ietf.org/html/draft-behera-ldap-password-policy

1 0

Re: (ITS#8208) ppolicy supportedControl not visible in root DSE
by hyc＠symas.com 29 Jul '15

29 Jul '15

robert.brooks(a)reporo.com wrote: > Full_Name: Robert Brooks > Version: openldap-2.4.41 > OS: Ubuntu 14.04 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (38.99.38.134) > > > Hi, > > with ppolicy overlay loaded (and functioning) the following root DSE is: > I believe this is why the following pam_ldap config: > > # Search the root DSE for the password policy (works > # with Netscape Directory Server) > pam_lookup_policy yes > > does not make pam_ldap to interact with password policies against when > configured in openldap. No. That controls compatibility with the obsolete/non-standard Netscape-specific password policy attributes. But pam_ldap itself is also obsolete. Pretty sure Ubuntu ships with nslcd and nss-pam-ldapd now. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#8208) ppolicy supportedControl not visible in root DSE
by robert.brooks＠reporo.com 29 Jul '15

29 Jul '15

Full_Name: Robert Brooks Version: openldap-2.4.41 OS: Ubuntu 14.04 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (38.99.38.134) Hi, with ppolicy overlay loaded (and functioning) the following root DSE is: structuralObjectClass: OpenLDAProotDSE configContext: cn=config namingContexts: dc=ldap,dc=example,dc=org supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 supportedExtension: 1.3.6.1.4.1.1466.20037 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedExtension: 1.3.6.1.1.8 supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 supportedLDAPVersion: 3 supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: NTLM supportedSASLMechanisms: CRAM-MD5 entryDN: subschemaSubentry: cn=Subschema I would expect to see output similar to... http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-dire… D0D specifilllly line 12 (and maybe line 40). I believe this is why the following pam_ldap config: # Search the root DSE for the password policy (works # with Netscape Directory Server) pam_lookup_policy yes does not make pam_ldap to interact with password policies against when configured in openldap. Regards, Rob

1 0

Re: (ITS#8206) ldapsearch incorrectly cannonicalizes dns names for GSSAPI
by michael＠stroeder.com 29 Jul '15

29 Jul '15

Calvin Winkowski wrote: >> Did you already try with -N? > > Nope, a bit embarrassed that I didn't find that on my own. Thanks! It > does work with the -N flag. > > I think there is still argument for making that the default and > providing a flag to canonicalize the hostname, but I don't know enough > about GSSAPI's standard to say for certain. I've only used it with > Kerberos. IIRC there was a long-winding sasl-no-canonicalize debate on the mailing lists a while ago. I'm pretty sure nobody wants to repeat that. Ciao, Michael.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs July 2015