openldap-bugs October 2018

openldap-bugs@openldap.org

16 participants
44 discussions

(ITS#8929) syncrepl retry parameter ignored
by openldap-its＠plumbe.de 24 Oct '18

24 Oct '18

Full_Name: Markus Joosten Version: 2.4.44-15.el7 OS: CentOS 7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (62.8.242.42) Hello, I'm running 2 OpenLDAP servers on CentOS 7 using the cn=config backend. My main database dc=example,dc=com is replicated using syncrepl, however the retry parameter is completely ignored. I'm seeing the following log message every time I recreate the replication: syncrepl rid=001 searchbase="dc=example,dc=com": no retry defined, using default Steps to reproduce: - setup two OpenLDAP servers - create replication with the retry parameter specified - retry parameter will be ignored Regards, Markus

1 0

Re: (ITS#8322) mdb_env_set_mapsize default size mismatch
by myk＠mykzilla.org 19 Oct '18

19 Oct '18

This is a multi-part message in MIME format. --------------D22E8F79C8A3AF5F4EEDBDD5 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Here's a patch (in git-format-patch format, per the Guidelines for Contributing) that changes the code comment on mdb_env_set_mapsize to be consistent with the value of DEFAULT_MAPSIZE. https://github.com/LMDB/lmdb/compare/mdb.master...mykmelez:default-mapsize.… (I haven't provided a Notice of Origin nor Rights Statement, as, per the Guidelines for Contributing, this patch doesn't represent "significant blocks of new code (10 lines or greater)." It's a one-line change.) -myk --------------D22E8F79C8A3AF5F4EEDBDD5 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 7bit <html><head> <meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body text="#000000" bgcolor="#FFFFFF"> Here's a patch (in git-format-patch format, per the Guidelines for Contributing) that changes the code comment on mdb_env_set_mapsize to be consistent with the value of DEFAULT_MAPSIZE. <a class="moz-txt-link-freetext" href="https://github.com/LMDB/lmdb/compare/mdb.master...mykmelez:default-mapsize.…">https://github.com/LMDB/lmdb/compare/mdb.master...mykmelez:default-mapsize.…</a> (I haven't provided a Notice of Origin nor Rights Statement, as, per the Guidelines for Contributing, this patch doesn't represent "significant blocks of new code (10 lines or greater)." It's a one-line change.) -myk </body> </html> --------------D22E8F79C8A3AF5F4EEDBDD5--

1 0

Re: (ITS#8925) Please remove the entry for mirror.switch.ch from the Download page
by thomas.lenggenhager＠switch.ch 18 Oct '18

18 Oct '18

Hello Quanah Many thanks for your action and answer. In the mean time I noticed that in this file ftp://ftp.openldap.org/pub/OpenLDAP/MIRRORS the mirrors are still listed. Could you please update that as well? Kind regards Thomas > Hi Thomas, > > --On Thursday, October 11, 2018 12:08 PM +0000 switchmirror(a)switch.ch wrote: > >> I already sent twice a message to info(a)openldap.org, but no action or >> answer received. > > The ITS system is the correct spot for this request. ;) > >> So I try it on this channel. >> >> Please drop the reference to SWITCH (Switzerland, mirror.switch.ch) on the >> Download web page: >> http://www.openldap.org/software/download/ > > Done. > >> BTW: I noticed that the Austrian mirror on gd.tuwien.ac.at has completely >> disappeared, there is no DNS entry for it anymore. > > Thanks, I removed that one as well. > > Warm regards, > Quanah -- SWITCH Thomas Lenggenhager, Trust & Identity Werdstrasse 2, P.O. Box, 8021 Zurich, SWITZERLAND phone +41 44 268 1505 direct +41 44 268 1541 https://www.switch.ch

1 0

Re: (ITS#8373) replica with multiple providers hits errors
by quanah＠symas.com 18 Oct '18

18 Oct '18

--On Friday, February 19, 2016 1:33 AM +0000 quanah(a)zimbra.com wrote: Played around with this again today, and the issue no longer occurs. It seems one of the many replication related fixes since I reported this ITS has solved the problem. Closing the ITS. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

(ITS#8928) Reproducibility: Remove user, hostname, pwd from version string
by douglas.royds＠taitradio.com 17 Oct '18

17 Oct '18

Full_Name: Douglas Royds Version: HEAD OS: Ubuntu 16.04 URL: ftp://ftp.openldap.org/incoming/douglas-royds-181017.patch Submission from: (NULL) (202.37.96.2) To achieve binary-reproducible builds across different build hosts, build paths, and users, we need to set the WHOWHERE value with something fixed. In this patch I set it to the SOURCE_DATE_EPOCH if set (see https://reproducible-builds.org/specs/source-date-epoch/). If you're not trying to do a reproducible build, it won't be set, so the existing WHOWHERE string will apply. Debian have set this string to their own Debian-specific value: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833179 WHOWHERE="$(dpkg-vendor --query vendor) package version $(dpkg-parsechangelog -SVersion)" Tait Communications Ltd hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

1 0

Re: (ITS#8925) Please remove the entry for mirror.switch.ch from the Download page
by quanah＠symas.com 17 Oct '18

17 Oct '18

Hi Thomas, --On Thursday, October 11, 2018 12:08 PM +0000 switchmirror(a)switch.ch wrote: > I already sent twice a message to info(a)openldap.org, but no action or > answer received. The ITS system is the correct spot for this request. ;) > So I try it on this channel. > > Please drop the reference to SWITCH (Switzerland, mirror.switch.ch) on the > Download web page: > http://www.openldap.org/software/download/ Done. > BTW: I noticed that the Austrian mirror on gd.tuwien.ac.at has completely > disappeared, there is no DNS entry for it anymore. Thanks, I removed that one as well. Warm regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re:Re: (ITS#8924) Installed openldap2.4.46 and openssl1.1.1, the client and server still used TLS1.2 to negotiated
by quanah＠symas.com 17 Oct '18

17 Oct '18

--On Sunday, October 14, 2018 10:03 PM +0800 =E8=8E=AB=E4=BA=9A=E7=94=B7 = <nanmor(a)126.com>=20 wrote: > Run ' ldd /usr/local/openldap.2.4.46/bin/ldapsearch' in Redhat, result: > linux-vdso.so.1 =3D> (0x00007ffd959d6000) > libsasl2.so.3 =3D> /lib64/libsasl2.so.3 (0x00007fae80012000) > libssl.so.10 =3D> /lib64/libssl.so.10 (0x00007fae7fd9f000) > libcrypto.so.10 =3D> /lib64/libcrypto.so.10 Your Redhat build is linked to the system OpenSSL 1.0.2k release. This=20 clearly won't support TLS 1.3. lrwxrwxrwx 1 root root 16 Jun 19 14:00 libssl.so.10 -> libssl.so.1.0.2k Closing this ITS as invalid. I suggest fixing your build process on your=20 RedHat box to link to the correct OpenSSL build. It appears you have the=20 RH openssl development package installed, which is why you're encountering=20 various issues. However, none of this is related to OpenLDAP itself, which = as I've already noted, behaves correctly when all sides (client & server)=20 are linked to OpenSSL 1.1.1. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8927) slapo-ppolicy is destructive to delta-sync replication
by quanah＠symas.com 16 Oct '18

16 Oct '18

--On Tuesday, October 16, 2018 1:30 PM +0200 Ond=C5=99ej Kuzn=C3=ADk=20 <ondra(a)mistotebe.net> wrote: >> - test we're a replicated op, not just on shadow > > The patch is available here: > https://github.com/mistotebe/openldap/tree/its8927 I still get err 16 with this patch and the servers fall back to REFRESH. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8927) slapo-ppolicy is destructive to delta-sync replication
by ondra＠mistotebe.net 16 Oct '18

16 Oct '18

On Fri, Oct 12, 2018 at 05:32:52PM +0000, quanah(a)symas.com wrote: > --On Friday, October 12, 2018 5:27 PM +0000 quanah(a)symas.com wrote: > > > So this should succeed, and yet it fails. Need to figure out why. > > I dug into this further with Ondrej, and the issue is that ppolicy was > never updated to work correctly in a delta-sync MMR environment. ppolicy on > the receiving server currently has logic to test if it is a shadow (i.e., > replica) and if so, change its behavior. But there is no similar logic to > handle the case if the receiving server is an MMR node (i.e., a shadow and > a master). > > The following 3 changes to the code base for ppolicy would alleviate this > issue and other potential issues: > > - test we're a replicated op, not just on shadow The patch is available here: https://github.com/mistotebe/openldap/tree/its8927 > - issue MOD_REPLACE (concurrent binds could have cleared that attribute on > the other servers) > - expect MOD_REPLACE as well as MOD_DELETE on replicated ops Maybe not exactly required since ppolicy will actually treat these deletes as soft deletes if needed. -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

Re: (ITS#8125) MMR throws away valid changes causing drift
by ondra＠mistotebe.net 16 Oct '18

16 Oct '18

On Mon, Oct 15, 2018 at 02:54:56PM +0000, hyc(a)symas.com wrote: > Ondřej Kuzník wrote: >> On Mon, Oct 15, 2018 at 01:53:30PM +0000, hyc(a)symas.com wrote: >>> ondra(a)mistotebe.net wrote: >>>> Also, whenever we fall back from deltasync into plain syncrepl, >>>> we should make sure that the accesslog entries we generate from >>>> this are never used for further replication which might be >>>> thought to be a separate issue. >>> >>> That should already be the case, since none of these ops will have a >>> valid CSN. >> >> I faintly remember Quanah seeing these accesslog entries used by >> consumers at some point, but I might be mistaken. >> >> The more general point is making sure its potential syncrepl consumer >> not even try and use the accesslog entries we added before these - the >> refresh has created a strange gap in the middle (or worse, duplicated >> ops if a contextCSN element jumped backwards). But if we enforced that, >> the question is how to get modifications originating from this replica >> replicated elsewhere - unless we decide they can't be salvaged? > > We could set the replica to reject user mods while in refresh phase. > Not sure how friendly that is, whether apps would be smart enough to > retry somewhere else. The concern here is about changes that have happened before we found out we can't replicate from another server. And it is likely some of these changes are the reason we couldn't reconcile with our provider and would cause the same if we decided to push them. >> And should the contextCSN reset terminate not just all inbound syncrepl >> sessions, but the outbound ones as well? > > Need to be careful about race conditions here, or you could end up > with all nodes just terminating each other and everything halting. Yes, that would actually happen... The existing state seems quite destructive though, if you have that same situation now (two masters in present phase from each other at the same time), you lose data. The question is what is the priority here? Currently it seems we want replication to continue at the expense of losing modifications on conflict. We might at least log that happened and allow someone to revert this decision later. -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs October 2018