Re: (ITS#8181) LMDB page leaks etc when treating DBs as data
by hyc@symas.com
juerg.bircher(a)helmedica.com wrote:
> Hi Howard,
>
> I am new to lmdb. I have been working with lmdb intensively for one month.
> I really appreciate your great work. Good efficient C code is not always
> found!
> Well I like to follow up on that reported issue.
> I am using multiple databases on the same environment. I was a bit
> confused about your statement that most application use never subDBs? I
> think it is a great feature that helps to support multiple indexes.
> I ran unintentionally into a related problem as I set the compare function
> for the main db to an integer based one opposite to the literal compare
> function which is the default. Therefore when opening a database by its
> name the wrong database might be returned as the integer compare function
> might think names are equal as only 96 bits (in my function) are compared.
> So the compare function only compares the prefix of the database names!
> Maybe the database meta should be kept in a private space. But I also
> agree on your statement to keep things simple. I solved the problem by
> never using the main db so under no circumstances the database meta is
> corrupted. I think the price paid for having only named databases is very
> cheap as I open databases at startup and keep the database index (dbi).
Thanks for the feedback. Yes, this is the best practice - if you're using
named databases, you should not use the main DB. (Or just make sure you don't
create name collisions.)
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
8 years, 1 month
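Added example (not part of the original thread and not LMDB code): a startup check for the name collisions discussed above, run over the set of named databases before a custom comparator is put on the main DB. Assumptions: val_t stands in for LMDB's MDB_val, cmp_96bit is a hypothetical comparator of the kind described (only the first 12 bytes are compared), cmp_lexical stands in for the default literal comparison, and the database names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for LMDB's MDB_val so the example builds without lmdb.h. */
typedef struct { size_t mv_size; const void *mv_data; } val_t;
typedef int (*cmp_fn)(const val_t *a, const val_t *b);

/* Byte-wise compare with length tie-break: full names are distinguished. */
static int cmp_lexical(const val_t *a, const val_t *b) {
    size_t n = a->mv_size < b->mv_size ? a->mv_size : b->mv_size;
    int r = memcmp(a->mv_data, b->mv_data, n);
    if (r) return r;
    return (a->mv_size > b->mv_size) - (a->mv_size < b->mv_size);
}

/* Hypothetical 96-bit integer comparator: looks at three 32-bit words only. */
static int cmp_96bit(const val_t *a, const val_t *b) {
    uint32_t x[3] = {0}, y[3] = {0};
    memcpy(x, a->mv_data, a->mv_size < 12 ? a->mv_size : 12);
    memcpy(y, b->mv_data, b->mv_size < 12 ? b->mv_size : 12);
    for (int i = 0; i < 3; i++)
        if (x[i] != y[i]) return x[i] < y[i] ? -1 : 1;
    return 0;
}

/* Count pairs of distinct names that the comparator treats as equal. */
static int count_name_collisions(cmp_fn cmp, const char *const *names, size_t n) {
    int collisions = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++) {
            val_t a = { strlen(names[i]), names[i] };
            val_t b = { strlen(names[j]), names[j] };
            if (strcmp(names[i], names[j]) != 0 && cmp(&a, &b) == 0)
                collisions++;
        }
    return collisions;
}

/* Constructed sample: two names share the 12-byte prefix "index_users_". */
static const char *const SAMPLE_NAMES[] = {
    "index_users_by_id", "index_users_by_mail", "audit_log"
};
#define SAMPLE_COUNT (sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0])

int main(void) {
    /* Exit 0 when the lexical comparator is collision-free and the
       96-bit one collides on the shared prefix. */
    return !(count_name_collisions(cmp_lexical, SAMPLE_NAMES, SAMPLE_COUNT) == 0 &&
             count_name_collisions(cmp_96bit, SAMPLE_NAMES, SAMPLE_COUNT) == 1);
}
```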
Re: (ITS#8181) LMDB page leaks etc when treating DBs as data
by juerg.bircher@helmedica.com
Sorry the mail before was not as plain text. Here again...
Hi Howard,
I am new to lmdb. I have been working with lmdb intensively for one month.
I really appreciate your great work. Good efficient C code is not always
found!
Well I like to follow up on that reported issue.
I am using multiple databases on the same environment. I was a bit
confused about your statement that most application use never subDBs? I
think it is a great feature that helps to support multiple indexes.
I ran unintentionally into a related problem as I set the compare function
for the main db to an integer based one opposite to the literal compare
function which is the default. Therefore when opening a database by its
name the wrong database might be returned as the integer compare function
might think names are equal as only 96 bits (in my function) are compared.
So the compare function only compares the prefix of the database names!
Maybe the database meta should be kept in a private space. But I also
agree on your statement to keep things simple. I solved the problem by
never using the main db so under no circumstances the database meta is
corrupted. I think the price paid for having only named databases is very
cheap as I open databases at startup and keep the database index (dbi).
Regards
Jürg
Rockethealth by Helmedica AG
Web: www.rockethealth.ch
Jürg Bircher
Chief Technology Officer
Mail: juerg.bircher(a)helmedica.ch
8 years, 1 month
Re: (ITS#8181) LMDB page leaks etc when treating DBs as data
by juerg.bircher@helmedica.com
Hi Howard,
I am new to lmdb. I have been working with lmdb intensively for one month.
I really appreciate your great work. Good efficient C code is not always
found!
Well I like to follow up on that reported issue.
I am using multiple databases on the same environment. I was a bit
confused about your statement that most application use never subDBs? I
think it is a great feature that helps to support multiple indexes.
I ran unintentionally into a related problem as I set the compare function
for the main db to an integer based one opposite to the literal compare
function which is the default. Therefore when opening a database by its
name the wrong database might be returned as the integer compare function
might think names are equal as only 96 bits (in my function) are compared.
So the compare function only compares the prefix of the database names!
Maybe the database meta should be kept in a private space. But I also
agree on your statement to keep things simple. I solved the problem by
never using the main db so under no circumstances the database meta is
corrupted. I think the price paid for having only named databases is very
cheap as I open databases at startup and keep the database index (dbi).
Regards
Jürg
Rockethealth by Helmedica AG
Web: www.rockethealth.ch
Jürg Bircher
Chief Technology Officer
Mail: juerg.bircher(a)helmedica.ch
8 years, 1 month
Re: (ITS#8207) ppolicy: pwdMinLength not checked if pwdInHistory == 0
by porjo38@yahoo.com.au
Thanks, I will try with 2.4.41 and let you know. I may not get a chance
to test until this weekend.
Relevant output from slapcat:
dn: uid=ian,ou=UserAccounts,o=cwa
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: ldapPublicKey
givenName: Ian
displayName: Ian Bishop
uid: ian
homeDirectory: /home/ian
loginShell: /bin/bash
cn: Ian Bishop
structuralObjectClass: inetOrgPerson
entryUUID: 767c952c-c867-1034-933d-53d15af42765
creatorsName: cn=admin,o=cwa
createTimestamp: 20150727045535Z
gidNumber: 1000
sn: Bishop
uidNumber: 10000
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
pwdChangedTime: 20150729140556Z
pwdHistory: 20150729140556Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}xxxxxxxxxx
entryCSN: 20150729140556.659729Z#000000#000#000000
modifiersName: cn=admin,o=cwa
modifyTimestamp: 20150729140556Z

dn: cn=passwordDefault,ou=policies,o=cwa
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 0
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: TRUE
structuralObjectClass: person
entryUUID: 3314dc02-ca3f-1034-825a-9d42205b22be
creatorsName: cn=config
createTimestamp: 20150729131225Z
pwdMinLength: 6
pwdLockoutDuration: 300
pwdInHistory: 1
entryCSN: 20150729135535.164545Z#000000#000#000000
modifiersName: cn=admin,o=cwa
modifyTimestamp: 20150729135535Z
On 30/07/15 03:01, Michael Ströder wrote:
> porjo38(a)yahoo.com.au wrote:
>> Using password policy overlay, pwdMinLength is not checked when pwdInHistory ==
>> 0.
>
> I tried to reproduce this with my local OpenLDAP 2.4.41 installation.
> In one case I thought to see this but I could not reproduce all the time.
> Maybe there's another condition for this to happen.
>
> Could you please also test with release 2.4.41?
>
> And please also post the entry with the password (and relevant pwd* attrs) and
> the pwdPolicy entry used, both as LDIF (minus sensitive data).
>
> Ciao, Michael.
>
8 years, 1 month
Re: (ITS#8209) Broken MDB_CP_COMPACT threading
by h.b.furuseth@usit.uio.no
On 29/07/15 21:25, h.b.furuseth(a)usit.uio.no wrote:
> (...)And copythr should set mc_new=0 before exiting also when setting
> mc_status, so copyfd1 won't just sit and wait.
I forgot it clears mc_new before setting mc_status. It's if it didn't
keep the mutex it would have to set mc_new afterwards (after locking
the mutex).
8 years, 1 month
(ITS#8209) Broken MDB_CP_COMPACT threading
by h.b.furuseth@usit.uio.no
Full_Name: Hallvard B Furuseth
Version: LMDB_0.9.15
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (81.191.45.5)
Submitted by: hallvard
mdb_env_copyfd1() and mdb_env_copythr() synchronize via my->mc_new,
but incorrectly.
copythr() starts before there is any data to consume, and copyfd1()
does not tell it (by setting mc_new and signalling) when there is
data. Instead it sets mc_new before it has finished producing the
data. I suppose copythr just waits for a spurious wakeup, I haven't
looked closely. It got it right originally when copyfd1 did not start
the new thread until data (metapages) was ready. Or copyfd1 could
start with mc_new = 0, and set it and signal when data is ready.
copythr holds the mutex while writing. That's not how conds are
supposed to be used. Threads are supposed to grab the mutex briefly
around code which operates on mc_new.
mc_status can be lost. Copyfd1 does not always use it, or it discards
it. And copythr should set mc_new=0 before exiting also when setting
mc_status, so copyfd1 won't just sit and wait.
8 years, 1 month
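Added example (not part of the original report and not LMDB's code): a two-thread hand-off that follows the three points raised in the report above. The flag starts at 0 and is set only once the data is complete, the mutex is held only around code that touches the flag, and the consumer clears the flag on its error path so the producer is not left waiting and the status is returned. All names (handoff_t, pending, status, run_copy) are hypothetical, and a negative payload simulates a failed write.

```c
#include <pthread.h>
#include <stddef.h>

/* Hypothetical state: pending/status stand in for mc_new/mc_status. */
typedef struct {
    pthread_mutex_t mu;
    pthread_cond_t cv;
    int pending;   /* 0 = nothing to write, 1 = buffer ready, -1 = stop */
    int status;    /* first write error, 0 if none */
    int buf;       /* constructed payload; a negative value "fails" */
    long written;  /* sum of payloads written successfully */
} handoff_t;

static void *consumer(void *arg) {
    handoff_t *h = arg;
    pthread_mutex_lock(&h->mu);
    for (;;) {
        while (h->pending == 0)          /* loop guards spurious wakeups */
            pthread_cond_wait(&h->cv, &h->mu);
        if (h->pending < 0) break;
        int data = h->buf;
        pthread_mutex_unlock(&h->mu);    /* slow write happens unlocked */
        int err = data < 0 ? 5 : 0;      /* simulated write() result */
        pthread_mutex_lock(&h->mu);
        if (err) h->status = err; else h->written += data;
        h->pending = 0;                  /* cleared on the error path too */
        pthread_cond_signal(&h->cv);
        if (err) break;
    }
    pthread_mutex_unlock(&h->mu);
    return NULL;
}

/* Producer: hands over n payloads and returns the consumer's status. */
static int run_copy(const int *items, size_t n, long *written) {
    handoff_t h = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER };
    pthread_t t;
    if (pthread_create(&t, NULL, consumer, &h)) return -1;
    pthread_mutex_lock(&h.mu);
    for (size_t i = 0; i <= n; i++) {
        while (h.pending != 0)           /* previous buffer still in use */
            pthread_cond_wait(&h.cv, &h.mu);
        if (h.status) break;             /* consumer failed and exited */
        if (i < n) h.buf = items[i];     /* data is complete ... */
        h.pending = (i < n) ? 1 : -1;    /* ... before the flag is set */
        pthread_cond_signal(&h.cv);
    }
    pthread_mutex_unlock(&h.mu);
    pthread_join(t, NULL);
    *written = h.written;
    return h.status;
}
```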
Re: (ITS#8208) ppolicy supportedControl not visible in root DSE
by michael@stroeder.com
robert.brooks(a)reporo.com wrote:
> with ppolicy overlay loaded (and functioning) the following root DSE is:
> [..]
> I would expect to see output similar to...
>
> http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-directory-info.html#read-root-dse
> specifically line 12 (and maybe line 40).
It's a bit hard to follow line number references in a web page. :-/
But I guess you mean the OIDs coming from draft-vchu-ldap-pwd-policy [1].
Note that AFAIK OpenDJ supports old draft-vchu-ldap-pwd-policy which is very
outdated and not supported by LDAP servers without Netscape roots.
slapo-ppolicy implements draft-behera-ldap-password-policy [2].
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> pam_lookup_policy yes
>
> does not make pam_ldap to interact with password policies against when
> configured in openldap.
Using pam_ldap is NOT recommended nowadays for a bunch of reasons. Use
nss-pam-ldapd, sssd or OpenLDAP's slapo-nssov. AFAIK all of them support
draft-behera-ldap-password-policy.
But such usage discussions belong on the openldap-technical mailing list and
not in the ITS.
Ciao, Michael.
[1] https://tools.ietf.org/html/draft-vchu-ldap-pwd-policy
[2] https://tools.ietf.org/html/draft-behera-ldap-password-policy
8 years, 1 month
Re: (ITS#8208) ppolicy supportedControl not visible in root DSE
by hyc@symas.com
robert.brooks(a)reporo.com wrote:
> Full_Name: Robert Brooks
> Version: openldap-2.4.41
> OS: Ubuntu 14.04
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (38.99.38.134)
>
>
> Hi,
>
> with ppolicy overlay loaded (and functioning) the following root DSE is:
> I believe this is why the following pam_ldap config:
>
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> pam_lookup_policy yes
>
> does not make pam_ldap to interact with password policies against when
> configured in openldap.
No. That controls compatibility with the obsolete/non-standard
Netscape-specific password policy attributes.
But pam_ldap itself is also obsolete. Pretty sure Ubuntu ships with nslcd and
nss-pam-ldapd now.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
8 years, 1 month
(ITS#8208) ppolicy supportedControl not visible in root DSE
by robert.brooks@reporo.com
Full_Name: Robert Brooks
Version: openldap-2.4.41
OS: Ubuntu 14.04
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (38.99.38.134)
Hi,
with ppolicy overlay loaded (and functioning) the following root DSE is:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ldap,dc=example,dc=org
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
entryDN:
subschemaSubentry: cn=Subschema
I would expect to see output similar to...
http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-di...
specifically line 12 (and maybe line 40).
I believe this is why the following pam_ldap config:
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
pam_lookup_policy yes
does not make pam_ldap to interact with password policies against when
configured in openldap.
Regards,
Rob
8 years, 1 month
Re: (ITS#8206) ldapsearch incorrectly canonicalizes dns names for GSSAPI
by michael@stroeder.com
Calvin Winkowski wrote:
>> Did you already try with -N?
>
> Nope, a bit embarrassed that I didn't find that on my own. Thanks! It
> does work with the -N flag.
>
> I think there is still argument for making that the default and
> providing a flag to canonicalize the hostname, but I don't know enough
> about GSSAPI's standard to say for certain. I've only used it with
> Kerberos.
IIRC there was a long-winding sasl-no-canonicalize debate on the mailing lists
a while ago. I'm pretty sure nobody wants to repeat that.
Ciao, Michael.
8 years, 1 month