openldap-bugs November 2017

openldap-bugs@openldap.org

15 participants
32 discussions

(ITS#8772) Build fail: thr_posix.c:329:16: error: only weak aliases are supported on darwin
by minfrin＠sharp.fm 15 Nov '17

15 Nov '17

Full_Name: Graham Leggett Version: git master OS: MacOS Sierra URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (5.56.169.82) Hi all, I am seeing a build failure when trying to build openldap master on MacOS Sierra: cc -g -O2 -I../../include -I../../include -DLDAP_R_COMPILE -I./../libldap -DLDAP_LIBRARY -c thr_posix.c -fno-common -DPIC -o .libs/thr_posix.o thr_posix.c:329:16: error: only weak aliases are supported on darwin LDAP_GCCATTR((alias("ldap_pvt_thread_mutex_destroy"))); ^ thr_posix.c:331:16: error: only weak aliases are supported on darwin LDAP_GCCATTR((alias("ldap_pvt_thread_mutex_lock"))); ^ thr_posix.c:333:16: error: only weak aliases are supported on darwin LDAP_GCCATTR((alias("ldap_pvt_thread_mutex_trylock"))); ^ thr_posix.c:335:16: error: only weak aliases are supported on darwin LDAP_GCCATTR((alias("ldap_pvt_thread_mutex_unlock"))); ^ 4 errors generated. make[2]: *** [thr_posix.lo] Error 1 make[1]: *** [all-common] Error 1 make: *** [all-common] Error 1 Regards, Graham --

1 0

Re: (ITS#8767) Binddn issue with a comma in the DN
by clement.oudot＠savoirfairelinux.com 12 Nov '17

12 Nov '17

Le 02/11/2017 =C3=A0 07:26, clement.oudot(a)savoirfairelinux.com a =C3=A9cr= it : > Le 31/10/2017 =3DC3=3DA0 17:39, michael(a)stroeder.com a =3DC3=3DA9crit : >> The ITS is only for reporting bugs. >> This is not a bug. It's a usage question. >> >> You should post such questions to openldap-technical mailing list afte= r >> subscribing to it: >> >> https://www.openldap.org/lists/mm/listinfo/openldap-technical >> >> A short hint about escaping, e.g. a comma in DN string representation: >> >> https://tools.ietf.org/html/rfc4514#section-2.4 >> >> Note that depending on your client config system more escaping might b= e >> needed because of the config syntax. > > > > Hello Michael, > > it seems to be a bug, as if I escape the comma in slapd.conf, I still=3D= 20 > have the error. > > =3D3D=3D3D slapd.conf =3D3D=3D3D > idassert-bind bindmethod=3D3D"simple" binddn=3D3D"cn=3D3DLastname\,=3D2= 0 > Firstname,ou=3D3Dusers,dc=3D3Dexample,dc=3D3Dcom" credentials=3D3D"secr= et" mode=3D3D=3D > "legacy"=3D20 > flags=3D3D"non-prescriptive" > > =3D3D=3D3D slaptest -f slapd.conf =3D3D=3D3D > 59faba5e invalid bind config value binddn=3D3Dcn=3D3DLastname,=3D20 > Firstname,ou=3D3Dusers,dc=3D3Dexample,dc=3D3Dcom > 59faba5e slapd.conf: line 31: "idassert-bind <args>": unable to parse=3D= 20 > field "binddn=3D3Dcn=3D3DLastname, Firstname,ou=3D3Dusers,dc=3D3Dexampl= e,dc=3D3Dcom=3D > ". > slaptest: bad configuration file! > > > Seems the escaping is not taken into account. Hello, can someone confirm this is not a bug? In this case; how should we=20 escape the value? I tried several things, without success. Cl=C3=A9ment.

1 0

(ITS#8771) slapd.backends(5) needs updating
by quanah＠openldap.org 08 Nov '17

08 Nov '17

Full_Name: Quanah Gibson-Mount Version: 2.4.45 OS: N/A URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) The man page for slapd.backends(5) says that back-hdb is the "recommended primary backend". This needs to be updated to note that back-mdb is the "recommended primary backend" and the text for the bdb & hdb backends updated along the same lines.

1 0

Re: (ITS#8461) Unable to import LDIF from back-hdb DB to back-mdb db
by quanah＠symas.com 08 Nov '17

08 Nov '17

--On Friday, July 08, 2016 5:33 PM +0000 quanah(a)openldap.org wrote: > In moving off of back-hdb, encountered a scenario where importing the = LDIF > exported via slapcat failed when loading into back-mdb via slapadd. > There is nothing technically wrong with the entry. Will provide the > problematic entry elsewhere, as it contains PII. To note, the problematic entry has an RDN value > 512 characters.=20 Anonymizing the problem DN, we have: dn=3D"zimbraSignatureName=3Dxxxxx xxxxxxxxxxxxx xxxxxx xx xxxx x xxxx! = ..xxxxxx=20 xx xxxxxxxx xxx'x xxxx xxxxx xxxxx xxxxxx=E2=80=A6 & xxxx xx x xxxxx xx xx = xxxx=20 xxxx xxxxx!?! =E2=80=A6x xxxx xxxxx xx xxxxxxxxxx xxxxxxxxx xxxxxxxxx = xxxxxxx:=20 xxxxxx & xxxxxxxx & xxxxxx xxxxx x xxxxxx xx xxx xxxxxx=20 xxxxxxx.,uid=3Dxxxxxxxxxxxx,ou=3Dpeople,dc=3Dxxxx,dc=3Dxx" = (line=3D89392876):=20 txn_aborted! MDB_BAD_VALSIZE: Too big key/data, key is empty, or wrong=20 DUPFIXED size (-30781) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8753) Public key pinning support in libldap
by ondra＠mistotebe.net 07 Nov '17

07 Nov '17

On Tue, Oct 10, 2017 at 10:43:42AM +0000, ondra(a)openldap.org wrote: > URL: https://github.com/mistotebe/openldap/tree/its8753 > > A new libldap option LDAP_OPT_X_TLS_PEERKEY_HASH that accepts a string > 'hashname/base64_hash_of_public_key'. If a TLS session is already present on the > main connection, it is also checked immediately. > > It introduces a dependency on liblutil by depending on the symbol > lutil_b64_pton. Somehow, this breaks the build for the ldap* tools, not sure why > or how to fix that yet. A new version is now at the same place (see above), it moves the ldif.c in-place base64 decoding into a separate function and reuses that. Other changes: - pin hash algorithm separator changes to ':' - pin can now be set from the environment - can now better deal with connection freeing and/or changes to the global ldap options -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

Re: (ITS#8770) dsaschema seg faults
by michael＠stroeder.com 06 Nov '17

06 Nov '17

Canned config available: https://stroeder.com/temp/openldap-testbed-its8770.tar.gz Seg faults with 2.4.45 and current RE24 branch: $ cd openldap-testbed-its8770 $ ./start-slapd.sh [..] 5a009864 slapd.conf: line 19 (moduleload back_mdb) 5a009864 loaded module back_mdb 5a009864 mdb_back_initialize: initialize MDB backend 5a009864 mdb_back_initialize: LMDB 0.9.21: (June 1, 2017) 5a009864 module back_mdb: null module registered 5a009864 slapd.conf: line 22 (moduleload dsaschema.so schema/oath-ldap-dsa.schema) 5a009864 loaded module dsaschema.so ./start-slapd.sh: line 11: 29304 Segmentation fault (core dumped) ${OPENLDAP_PREFIX}/lib64/slapd -d config,stats,stats2,acl,args,trace,sync -h "ldap://0.0.0.0:2071 ldapi://slapd1-socket" -n slapd-its8770 -f slapd.conf

1 0

(ITS#8770) dsaschema seg faults
by michael＠stroeder.com 06 Nov '17

06 Nov '17

Full_Name: Version: RE24 OS: URL: Submission from: (NULL) (213.240.182.108) This leads to a seg fault: moduleload dsaschema.so /home/michael/Proj/oath-ldap/oath-ldap-dsa.schema More information to come...

1 0

(ITS#8769) Docs: Fix oid search extension syntax
by lukas.juhrich＠agdsn.de 03 Nov '17

03 Nov '17

Full_Name: Lukas Juhrich Version: 2.4.45 OS: Arch Linux, Debian Stretch URL: http://agdsn.me/~lukasjuhrich/openldap/ Submission from: (NULL) (141.76.119.134) This is a small syntax fix to adapt the documentation to how the code actually parses `-E <oid>` options. Quicklink to the code responsible for parsing: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=clients/to… I was not sure whether patches should also follow the naming convention, so I provided the same patch using two different names, the original one and the one adhering to the naming convention.

1 0

Re: (ITS#8768) Syncprov shouldn't send a new cookie at the end of delete phase
by ondra＠mistotebe.net 02 Nov '17

02 Nov '17

On Thu, Nov 02, 2017 at 03:55:02PM +0000, ondra(a)mistotebe.net wrote: > On Tue, Oct 31, 2017 at 05:34:05PM +0000, ondra(a)openldap.org wrote: > > If sessionlog data is available and found useful, syncprov will send a cookie at > > the end of delete phase, itself followed by the entries modified since time > > recorded in the client's original cookie. > > > > Some of those entries might have been last modified before the new cookie's > > recorded time and if the connection is severed before this is communicated, they > > would not be re-sent under the new cookie. > > There are other problems with this. I have always assumed that CSN of > each write is globally unique in a well-configured system and that this > is preserved across replication, since MMR needs that to function > properly. This assumption is clearly invalid if UUIDs are sent in a > delete SyncInfo message (consumer that needs to determine CSNs that > apply can only pick a single CSN for all of the deletes). > > So this is a problem in MMR situations where the cookie carries semantic > information between MMR nodes. > > An MMR member receiving such a message has to pick a CSN to apply here: > - either the cookie (if present at all) - leads to problems described > above > - or some other CSN - the deletes could be lost or propagate to other > masters as a fresh mod, either smells of replication problems down the > line Even assuming we never send a batch delete, sessionlog is a problem in the MMR case: - to end up in the sessionlog, we need a CSN for the delete to be transmitted - if we send all deletes first, then modified entries, we can't use the cookie to send the information that's needed to create a sessionlog entry - we can't reasonably send all entries in CSN order with the deletes interspersed at the relevant place in the stream, that would require holding onto the (UUID, CSN) list for a very long time, not to mention that we'd need the backend to guarantee search entry ordering in the first place Maybe if we track more information in the cookie MMR nodes might have what they needed to populate sessionlog and standards compliant syncrepl clients would keep working as well? Maybe storing progress of the delete phase (optional) and general replication progress (CSN as usual) in the cookie might do it. Question is whether that is enough, doesn't introduce new problems and doesn't make the code even more complex and harder to maintain? That, even if workable wouldn't get it into 2.4, so an upgrade would have to be a lock-step affair for at least the masters/nodes with syncprov running. > This shouldn't affect deltaMMR environments, though, AFAIK they never use > sessionlog in any way, so batched deletes don't get sent over the wire > at all. Quanah mentions that deltaMMR can hit this issue if we have to fall-back to plain syncrepl in the case of a conflict (and we don't want a full present phase to happen at that point). -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

Re: (ITS#8768) Syncprov shouldn't send a new cookie at the end of delete phase
by ondra＠mistotebe.net 02 Nov '17

02 Nov '17

On Tue, Oct 31, 2017 at 05:34:05PM +0000, ondra(a)openldap.org wrote: > If sessionlog data is available and found useful, syncprov will send a cookie at > the end of delete phase, itself followed by the entries modified since time > recorded in the client's original cookie. > > Some of those entries might have been last modified before the new cookie's > recorded time and if the connection is severed before this is communicated, they > would not be re-sent under the new cookie. There are other problems with this. I have always assumed that CSN of each write is globally unique in a well-configured system and that this is preserved across replication, since MMR needs that to function properly. This assumption is clearly invalid if UUIDs are sent in a delete SyncInfo message (consumer that needs to determine CSNs that apply can only pick a single CSN for all of the deletes). So this is a problem in MMR situations where the cookie carries semantic information between MMR nodes. An MMR member receiving such a message has to pick a CSN to apply here: - either the cookie (if present at all) - leads to problems described above - or some other CSN - the deletes could be lost or propagate to other masters as a fresh mod, either smells of replication problems down the line This shouldn't affect deltaMMR environments, though, AFAIK they never use sessionlog in any way, so batched deletes don't get sent over the wire at all. -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs November 2017