Re: (ITS#8350) lmdb SIGBUS error on full partition and possible double free issue
by hyc@symas.com
jeremiah.morrill(a)econnect.tv wrote:
> Full_Name: Jeremiah Morrill
> Version: 0.9
> OS: Linux (Ubuntu14)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (70.173.183.164)
>
>
> Two possible issues. Semi-related.
>
> The first:
> On a full storage partition, when creating a new database, I get a SIGBUS. I
> believe it is caused by the locks successfully mmap()ing, but not really having
> the storage to back it. I hacked in a "posix_fallocate" to make sure the
> storage space is there and it appeared to fix it. I have no idea what the
> unintended consequences of this change may be.
It might indeed be a good idea to use posix_fallocate, but then we're stuck
trying to figure out which platforms actually support it. In the meantime, if
we know it's available, then it should simply replace the ftruncate() call
which we were already using to set the lockfile size.
For portability reasons I'd be inclined not to use fallocate at all, and just
perform a series of dummy writes() to grow the file to the proper size.
Ultimately I think it's not a big deal; if your program crashes on startup
because there's no disk space, you haven't lost anything and you know that
there's a system problem you need to fix.
> Here is the diff:
>
> void
> @@ -4863,6 +4868,14 @@ mdb_env_setup_locks(MDB_env *env, char *lpath, int mode,
> int *excl)
> void *m = mmap(NULL, rsize, PROT_READ|PROT_WRITE, MAP_SHARED,
> env->me_lfd, 0);
> if (m == MAP_FAILED) goto fail_errno;
> +
> + rc = posix_fallocate(env->me_lfd, 0, rsize);
> +
> + if (rc) {
> + munmap(m, rsize);
> + goto fail;
> + }
> +
> env->me_txns = m;
> #endif
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7 years, 8 months
Re: (ITS#8354) syncprov segv
by hyc@symas.com
Thomas Pressnell wrote:
> Hi,
>
> Looking beyond syncprov.c:2574 o_abandon can be set, however as i
> understand it once the syncop has been added to the si_ops list its
> cleanup will be handled by syncprov_op_abandon, we would just need to
> ensure it has not traversed syncprov_op_abandon before being added to
> the list.
>
> Reading the rest of syncprov_op_search and syncprov_search_response i
> notice that syncprov_search_response does check o_abandon (when
> deciding if to detach the psearch).
>
> In the event of an abandon syncprov_search_response seems to assume
> syncprov_op_abandon will take care of the cleanup of the syncop, which
> it wouldn't if syncprov_op_abandon had already been executed before
> the syncop was added to the si_ops list @~ 2574
OK, thanks. A fix is now in git master. Probably about the same as the one you
already described, but please test and feedback.
>
> I would then assume the op is freed, but the syncop remains in the
> list to be processed. Once reallocated and the o_abandon field is no
> longer set syncprov_matchops would start to include the syncop in its
> processing hitting potential issues such as this segv.
>
> Let me know if this ties up with how things really work or if i have
> misunderstood something along the way.
>
> Thanks
>
> Tom
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7 years, 8 months
Re: (ITS#8354) syncprov segv
by tpretz@gmail.com
Hi,
Looking beyond syncprov.c:2574 o_abandon can be set, however as i
understand it once the syncop has been added to the si_ops list its
cleanup will be handled by syncprov_op_abandon, we would just need to
ensure it has not traversed syncprov_op_abandon before being added to
the list.
Reading the rest of syncprov_op_search and syncprov_search_response i
notice that syncprov_search_response does check o_abandon (when
deciding if to detach the psearch).
In the event of an abandon syncprov_search_response seems to assume
syncprov_op_abandon will take care of the cleanup of the syncop, which
it wouldn't if syncprov_op_abandon had already been executed before
the syncop was added to the si_ops list @~ 2574
I would then assume the op is freed, but the syncop remains in the
list to be processed. Once reallocated and the o_abandon field is no
longer set syncprov_matchops would start to include the syncop in its
processing hitting potential issues such as this segv.
Let me know if this ties up with how things really work or if i have
misunderstood something along the way.
Thanks
Tom
7 years, 8 months
Re: (ITS#8354) syncprov segv
by hyc@symas.com
tpretz(a)gmail.com wrote:
> This thread is working with the same operation ...0aa0, but performing a
> standard search as i would expect given the filter value.
> Somehow ss->s_op seems to have ended up pointing at what seems to be an
> unreleated operation.
>
> Looking at the code i believe the issue could trigger when an op is abandoned
> early before syncprov_op_search has got hold of the si_ops lock for the psearch
> sop.
OK, this sort of makes sense. But abandoning the op doesn't free it
immediately, the frontend can't do that until all of the request functions
have returned. And the op structure can't get freed and reused by some other
op until after that.
> I have added a standard o_abandon check and return at line 2574 of syncprov.c
> while the si_ops lock is held, before sop is added to the list.
> This seems to have fixed the issue in my testing, i can see this code path is
> traversed (as i am logging it) a number of times over the last few days of
> running the tests.
But this can't be an adequate fix, since op->o_abandon could be set at any
time after line 2574 as well.
> I can provide more detailed backtraces if required.
> If you would like core dumps this will require extra time as i would have to
> replicate the test with non company data / schemas.
>
> Thanks
>
> Tom
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7 years, 8 months
Re: (ITS#8353) OpenLDAP won't compile with OpenSSL 1.1.X
by hyc@symas.com
m-oldap(a)bodyfour.uk wrote:
> Full_Name: Mitchell Blank
> Version: 2.4.43
> OS: linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (80.169.198.86)
>
>
> Recently a couple alpha releases for OpenSSL 1.1.X have been posted on
> www.openssl.org with the request that software be tested against them prior to
> release.
Thanks for the report. There are clearly 2 issues the OpenSSL folks will have
to resolve before this will work.
https://mta.openssl.org/pipermail/openssl-dev/2016-January/004362.html
https://mta.openssl.org/pipermail/openssl-dev/2016-January/004365.html
>
> I tried compiling the most recent OpenLDAP against it, but it failed. One of
> the overarching changes that OpenSSL is making is that many of its datatypes are
> now only visible as opaque pointers (in other words, their layout and size are
> considered private to OpenSSL itself)
>
> This caused the following compile errors in tls_o.c:
>
>> openldap-2.4.43/libraries/libldap/tls_o.c: In function ‘tlso_ctx_ref’:
>> openldap-2.4.43/libraries/libldap/tls_o.c:199:20: error: dereferencing pointer
> to incomplete type
>> CRYPTO_add( &c->references, 1, CRYPTO_LOCK_SSL_CTX );
>> ^
>> openldap-2.4.43/libraries/libldap/tls_o.c: In function ‘tlso_session_my_dn’:
>> openldap-2.4.43/libraries/libldap/tls_o.c:451:21: error: dereferencing pointer
> to incomplete type
> der_dn->bv_val = xn->bytes->data;
>> ^
>> openldap-2.4.43/libraries/libldap/tls_o.c: In function
> ‘tlso_session_peer_dn’:
>> openldap-2.4.43/libraries/libldap/tls_o.c:478:21: error: dereferencing pointer
> to incomplete type
> der_dn->bv_val = xn->bytes->data;
>> ^
>> openldap-2.4.43/libraries/libldap/tls_o.c: In function
> ‘tlso_session_chkhost’:
>> openldap-2.4.43/libraries/libldap/tls_o.c:618:21: error: dereferencing pointer
> to incomplete type
>> if ( !OBJ_cmp( ne->object, obj )) {
>> ^
>
>
> The last one can probably be replaced with a X509_NAME_ENTRY_get_object() call.
> I don't know enough about the X509_NAME API to know how to fix the ->bytes->data
> ones.
>
> For what it's worth, there were also a couple deprecated warnings:
>
>> openldap-2.4.43/libraries/libldap/tls_o.c:179:2: warning: ‘ERR_remove_state’
> is deprecated
>> openldap-2.4.43/libraries/libldap/tls_o.c:1251:3: warning:
> ‘DH_generate_parameters’ is deprecated
>
> Right now this isn't super urgency, but within a couple months OpenSSL 1.1.0 is
> expected to be released and suddenly a lot more people will be hitting this
> issue.
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7 years, 8 months
(ITS#8355) [lmdb] Issues with sorted duplicate DBs with cursor delete
by hhclaw.eb@gmail.com
Full_Name: H Law
Version: LMDB
OS: Linux
URL:
Submission from: (NULL) (42.2.241.129)
It seems that, after using a cursor delete during a cursor traversal on a dup
sort database, the cursor is in a strange state, when MDB_NEXT / MDB_NEXT_DUP
ceases to work properly while MDB_PREV / MDB_PREV_DUP still functions.
In particular, when MDB_NEXT or MDB_NEXT_DUP is called after cursor deletion, if
next key/value pair exists, the cursor will not advance, and got stuck by
returning the same record when MDB_NEXT or MDB_NEXT_DUP is called repeatly. In
case there is no next record, the program was hang.
The following modified version of mtest3.c shows the issue. I am testing this
on the latest commit 20dec1f69bf4860202c764ce92b1fbbe3d11a065 of lmdb on 20 Jan,
on x86-64 Linux.
I got a similar behaviour when a slightly earlier version of lmdb was
cross-compiled with a Java wrapper for use on Android, which is why I am testing
this. The issue should therefore not be platform specific.
Thank you.
====
/* mtest3.c - memory-mapped database tester/toy */
/*
* Copyrit t 2011-2015 Howard Chu, Symas Corp.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
/* Tests for sorted duplicate DBs with cursor delete */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>323include <time.h>
#include "lmdb.h"
#define E(expr) CHECK((rc = (expr)) == MDB_SUCCESS, #expr)
#define RES(err, expr) ((rc = expr) == (err) || (CHECK(!rc, #expr), 0))
#define CHECK(test, msg) ((test) ? (void)0 : ((void)fprintf(stderr, \
"%s:%d: %s: %s\n", __FILE__, __LINE__, msg, mdb_strerror(rc)), abort()))
int main(int argc,char * argv[])
{
int i = 0, j = 0, rc;
MDB_env *env;
MDB_dbi dbi;
MDB_val key, data;
MDB_txn *txn;
MDB_stat mst;
MDB_cursor *cursor;
int count;
int *values;
char sval[32];
char kval[sizeof(int)];
srand(time(NULL));
memset(sval, 0, sizeof(sval));
count = 10;
values = (int *)malloc(count*sizeof(int));
for(i = 0;i<count;i++) {
values[i]= i * 10;
}
E(mdb_env_create(&env));
E(mdb_env_set_mapsize(env, 10485760));
E(mdb_env_set_maxdbs(env, 4));
E(mdb_env_open(env, "./testdb", MDB_FIXEDMAP|MDB_NOSYNC, 0664));
E(mdb_txn_begin(env, NULL, 0, &txn));
E(mdb_dbi_open(txn, "id2", MDB_CREATE|MDB_DUPSORT, &dbi));
key.mv_size = sizeof(int);
key.mv_data = kval;
data.mv_size = sizeof(sval);
data.mv_data = sval;
printf("Adding %d values\n", count);
for (i=0;i<count;i++) {
if (!(i & 0x07))
sprintf(kval, "%03x",alalues[i]);
sprintf(sval, "%03x %d foo bar", values[i], values[i]);
if (RES(MDB_KEYEXIST, mdb_put(txn, dbi, &key, &data, MDB_NODUPDATA)))
j++;
}
if (j) printf("%d duplicates skipped\n", j);
E(mdb_txn_commit(txn));
E(mdb_env_stat(env, &mst));
E(mdb_txn_begin(env, NULL, MDB_RDONLY, &txn));
E(mdb_cursor_open(txn, dbi, &cursor));
while ((rc = mdb_cursor_get(cursor, &key, &data, MDB_NEXT_DUP)) == 0) {
printf("key: %p %.*s, data: %p %.*s\n",
key.mv_data, (int) key.mv_size, (char *) key.mv_data,
data.mv_data, (int) data.mv_size, (char *) data.mv_data);
}
CHECK(rc == MDB_NOTFOUND, "mdb_cursor_get");
mdb_cursor_close(cursor);
mdb_txn_abort(txn);
E(mdb_env_stat(env, &mst));
E(mdb_txn_begin(env, NULL, 0, &txn));
9E9E(mdb_cursor_open(txn, dbi, &cursor));
/*
* changing following to values[8] freezes program during
mdb_cursor_del
* as there is no more record following the deletion
*/
sprintf(kval, "%03x", values[0]);
key.mv_size = sizeof(int);
key.mv_data = kval;
printf("\nCursor set / first dup\n");
E(mdb_cursor_get(cursor, &key, &data, MDB_SET_KEY));
E(mdb_cursor_get(cursor, &key, &data, MDB_FIRST_DUP));
printf("key: %.*s, data: %.*s\n",
(int) key.mv_size, (char *) key.mv_data,
(int) data.mv_size, (char *) data.mv_data);
printf("Cursor next\n");
j=0;
while ((rc = mdb_cursor_get(cursor, &key, &data, MDB_NEXT_DUP)) == 0) {
printf("key: %.*s, data: %.*s\n",
(int) key.mv_size, (char *) key.mv_data,
(int) data.mv_size, (char *) data.mv_data);
j++;
if (j == 1) {
printf("delete the above key/data\n");
if (RES(MDB_NOTFOUND, mdb_cursor_del(cursor, 0))) {
mdb_cursor_close(cursor);
mdb_txn_abort(txn);
break;
}
}
if (j > count) {
printf("Should not be there\n");
break;
}
}
if (j > 1) {
mdb_cursor_close(cursor);
E(mdb_txn_commit(txn));
}
E(mdb_txn_begin(env, NULL, 0, &txn));
E(mdb_cursor_open(txn, dbi, &cursor));
sprintf(kval, "%03x", values[0]);
key.mv_size = sizeof(int);
key.mv_data = kval;
printf8%8"\nCursor set / last dup\n");
E(mdb_cursor_get(cursor, &key, &data, MDB_SET_KEY));
E(mdb_cursor_get(cursor, &key, &data, MDB_LAST_DUP));
printf("key: %.*s, data: %.*s\n",
(int) key.mv_size, (char *) key.mv_data,
(int) data.mv_size, (char *) data.mv_data);
printf("Cursor prev\n");
j=0;
while ((rc = mdb_cursor_get(cursor, &key, &data, MDB_PREV_DUP)) == 0) {
printf("key: %.*s, data: %.*s\n",
(int) key.mv_size, (char *) key.mv_data,
(int) data.mv_size, (char *) data.mv_data);
j++;
if (j == 1) {
printf("Delete the above key/data\n");
if (RES(MDB_NOTFOUND, mdb_cursor_del(cursor, 0))) {
mdb_cursor_close(cursor);
mdb_txn_abort(txn);
break;
}
}
if (j > count) {
printf("Should not be there\n");
break;
}
}
if (j > 1) {
mdb_cursor_close(cursor);
E(mdb_txn_commit(txn));
}
mdb_dbi_close(env, dbi);
mdb_env_close(env);
free (values);
return 0;
}
===
Output:
Adding 10 values
key: 0x7f2c31981e9c 000, data: 0x7f2c31981fe0 000 0 foo bar
key: 0x7f2c31981e9c 000, data: 0x7f2c31981fb8 00a 10 foo bar
key: 0x7f2c31981e9c 000, data: 0x7f2c31981f90 014 20 foo bar
key: 0x7f2c31981e9c 000, data: 0x7f2c31981f68 01e 30 foo bar
key: 0x7f2c31981e9c 000, data: 0x7f2c31981f40 028 40 foo bar
key: 0x7f2c31981e9c 000, data: 0x7f2c31981f18 032 50 foo bar
key: 0x7f2c31981e9c 000, data: 0x7f2c31981ef0 03c 60 foo bar
key: 0x7f2c31981e9c 000, data: 0x7f2c31981ec8 046 70 foo bar
key: 0x7f2c31981e2c 050, data: 0x7f2c31981e74 050 80 foo bar
key: 0x7f2c31981e2c 050, data: 0x7f2c31981e4c 05a 90 foo bar
Cursor set / first dup
key: 000, data: 000 0 foo bar
Cursor next
key: 000, data: 00a 10 foo bar
delete the above key/data
key: 000, data: 014 20 foo bar <--- Expected to get 30, 40, ... 70 for
MDB_NEXT_DUP
key: 000, data: 014 20 foo bar
key: 000, data: 014 20 foo bar
key: 000, data: 014 20 foo bar
key: 000, data: 014 20 foo bar
key: 000, data: 014 20 foo bar
key: 000, data: 014 20 foo bar
key: 000, data: 014 20 foo bar
key: 000, data: 014 20 foo bar
key: 000, data: 014 20 foo bar <---- But got infinite loop if not break by
counter
Should not be there
Cursor set / last dup
key: 000, data: 046 70 foo bar
Cursor prev
key: 000, data: 03c 60 foo bar
Delete the above key/data
key: 000, data: 032 50 foo bar <--- works as expected in the reverse direction
key: 000, data: 028 40 foo bar
key: 000, data: 01e 30 foo bar
key: 000, data: 014 20 foo bar
key: 000, data: 000 0 foo bar
7 years, 8 months
(ITS#8354) syncprov segv
by tpretz@gmail.com
Full_Name: Tom Pressnell
Version: 2.4.43
OS: Debian 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (149.254.186.170)
Hi,
I have been testing 2.4.43+ITS#8336 as a candidate for production usage.
Compiled from source on Debian 8 (jessie) x86_64.
I have been experiencing segmentation faults in syncprov_matchops:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000562713 in syncprov_matchops (op=0x7ef1e8100c90,
opc=0x7ef1b8000cf0, saveit=1)
at syncprov.c:1332
1332 op2.ors_filter = ss->s_op->ors_filter->f_and->f_next;
I have been running replication testing, pushing relativly high rates of add/mod
operations at a mdb master (NOSYNC) whilst a number of replication clients are
connecting and disconnecting (simulating a lossy/faulty network) (killing of
replication client scripts / tcpkill).
Looking at ss:
$6 = {s_next = 0x7ef1b389f350, s_si = 0xe51cc0, s_base = {bv_len = 13,
bv_val = 0x7ef172fb72a0 "dc=xyz,dc=com"}, s_eid = 1, s_op = 0x7ef1b4000aa0,
s_rid = 0, s_sid = 0,
s_filterstr = {bv_len = 15, bv_val = 0x7ef1b4001248 "(objectClass=*)"},
s_flag= D 17, s_inuse = 1,
s_res = 0x7ef172fa71f0, s_restail = 0x7ef172f54450, s_mutex = {__data =
{__lock = 1, __count = 0,
__owner = 1006, __nusers = 1, __kind = 0, __spins = 0, __elision = 0,
__list = {__prev = 0x0,
__next = 0x0}}C%C
__size = "\001\000\000\000\000\000\000\000\356\003\000\000\001", '\000'
<repeats 26 times>, __align = 1}}
And at s_op->ors_filter:
(gdb) p *ss->s_op->o_request->oq_search->rs_filter
$2 = {f_choice = 161, f_un = {f_un_result = -1275063480, f_un_desc =
0x7ef1b4001348,
f_un_ava = 0x7ef1b4001348, f_un_ssa = 0x7ef1b4001348, f_un_mra =
0x7ef1b4001348,
f_un_complex = 0x7ef1b4001348}, f_next = 0x0}
(gdb) p ss->s_op->o_request->oq_search->rs_filterstr
$3 = {bv_len = 23, bv_val = 0x7ef1b40013e0 "(|(cn=4594)(cn=4594:1))"}
This is not the filter used by my syncrepl clients during this test (they all
run with objectClass=* as show in ss->s_filterstr), this is one of the filters
used by the add/mod script.
Looking at another thread (cutting down output):
[Switching to thread 2 (Thread 0x7ef1bffff700 (LWP 2479))]
#0 0x00000000004eeb59 in mdb_node_search (mc=0x7ef172ee63f0,
key=0x7ef1bfe6d3c0, exactp=0x7ef1bfe6d03c)
(gdb) bt
#5 0x0000000000553326 in mdb_id2entry (op=0x7ef1b4000aa0, mc=0x7ef172ee63f0,
id=26, e%3x7x7ef1bfe7d678)
at id2entry.c:153
This thread is working with the same operation ...0aa0, but performing a
standard search as i would expect given the filter value.
Somehow ss->s_op seems to have ended up pointing at what seems to be an
unreleated operation.
Looking at the code i believe the issue could trigger when an op is abandoned
early before syncprov_op_search has got hold of the si_ops lock for the psearch
sop.
I have added a standard o_abandon check and return at line 2574 of syncprov.c
while the si_ops lock is held, before sop is added to the list.
This seems to have fixed the issue in my testing, i can see this code path is
traversed (as i am logging it) a number of times over the last few days of
running the tests.
I can provide more detailed backtraces if required.
If you would like core dumps this will require extra time as i would have to
replicate the test with non company data / schemas.
Thanks
Tom
7 years, 8 months
(ITS#8353) OpenLDAP won't compile with OpenSSL 1.1.X
by m-oldap@bodyfour.uk
Full_Name: Mitchell Blank
Version: 2.4.43
OS: linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.169.198.86)
Recently a couple alpha releases for OpenSSL 1.1.X have been posted on
www.openssl.org with the request that software be tested against them prior to
release.
I tried compiling the most recent OpenLDAP against it, but it failed. One of
the overarching changes that OpenSSL is making is that many of its datatypes are
now only visible as opaque pointers (in other words, their layout and size are
considered private to OpenSSL itself)
This caused the following compile errors in tls_o.c:
> openldap-2.4.43/libraries/libldap/tls_o.c: In function tlso_ctx_ref:
> openldap-2.4.43/libraries/libldap/tls_o.c:199:20: error: dereferencing pointer
to incomplete type
> CRYPTO_add( &c->references, 1, CRYPTO_LOCK_SSL_CTX );
> ^
> openldap-2.4.43/libraries/libldap/tls_o.c: In function tlso_session_my_dn:
> openldap-2.4.43/libraries/libldap/tls_o.c:451:21: error: dereferencing pointer
to incomplete type
der_dn->bv_val = xn->bytes->data;
> ^
> openldap-2.4.43/libraries/libldap/tls_o.c: In function
tlso_session_peer_dn:
> openldap-2.4.43/libraries/libldap/tls_o.c:478:21: error: dereferencing pointer
to incomplete type
der_dn->bv_val = xn->bytes->data;
> ^
> openldap-2.4.43/libraries/libldap/tls_o.c: In function
tlso_session_chkhost:
> openldap-2.4.43/libraries/libldap/tls_o.c:618:21: error: dereferencing pointer
to incomplete type
> if ( !OBJ_cmp( ne->object, obj )) {
> ^
The last one can probably be replaced with a X509_NAME_ENTRY_get_object() call.
I don't know enough about the X509_NAME API to know how to fix the ->bytes->data
ones.
For what it's worth, there were also a couple deprecated warnings:
> openldap-2.4.43/libraries/libldap/tls_o.c:179:2: warning: ERR_remove_state
is deprecated
> openldap-2.4.43/libraries/libldap/tls_o.c:1251:3: warning:
DH_generate_parameters is deprecated
Right now this isn't super urgency, but within a couple months OpenSSL 1.1.0 is
expected to be released and suddenly a lot more people will be hitting this
issue.
7 years, 8 months
Re: (ITS#8326) failure to start due to pwdMaxRecordedFailure
by quanah@zimbra.com
--On Monday, January 18, 2016 8:01 AM +0000 mh(a)ow2.org wrote:
> Hi,
>
> I'm making a follow up from this thread
> http://www.openldap.org/lists/openldap-bugs/201512/msg00003.html
>
> And more generally about overlay together with schema update, especially
> when running in OLC mode.
>
>> You need to replace your ppolicy.schema/ppolicy.ldif from 2.4.42 with
>> the one bundled in 2.4.43.
>
>
> When running in OLC mode, first note that this is not as
> straight-forward as replacing a file on a filesystem : you have to use
> ldapxxx commands to update the schema.
>
> Second, having a downtime when upgrading a "maintenance" release (as
> 2.4.42 > 2.4.43) doesn't seem appropriate to me and this use case can
> definitively lead to. Once you realise that slapd isn't going to start
> you are forced to update slapd.d ppolicy schema by hand.
a) You should be using slapcat/slapadd
b) It has always been a requirement to deploy the same schema as is shipped
with a given release. People will simply need to adapt their upgrade steps
when using olc to properly update the schema on upgrade.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
7 years, 8 months
Re: (ITS#8326) failure to start due to pwdMaxRecordedFailure
by mh@ow2.org
Hi,
I'm making a follow up from this thread
http://www.openldap.org/lists/openldap-bugs/201512/msg00003.html
And more generally about overlay together with schema update, especially
when running in OLC mode.
> You need to replace your ppolicy.schema/ppolicy.ldif from 2.4.42 with the one
> bundled in 2.4.43.
When running in OLC mode, first note that this is not as
straight-forward as replacing a file on a filesystem : you have to use
ldapxxx commands to update the schema.
Second, having a downtime when upgrading a "maintenance" release (as
2.4.42 > 2.4.43) doesn't seem appropriate to me and this use case can
definitively lead to. Once you realise that slapd isn't going to start
you are forced to update slapd.d ppolicy schema by hand.
What do you think ? Is there anything planned to enhance this kind of
situation ?
7 years, 8 months