openldap-bugs July 2020

openldap-bugs@openldap.org

2 participants
120 discussions

[Issue 9294] New: ppolicy and replication: Multiple values for pwdLockedTime in violation of schema
by openldap-its＠openldap.org 19 Aug '20

19 Aug '20

https://bugs.openldap.org/show_bug.cgi?id=9294 Issue ID: 9294 Summary: ppolicy and replication: Multiple values for pwdLockedTime in violation of schema Product: OpenLDAP Version: 2.4.50 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- If you have the following setup, a replica can end up with user entries in a non-schema compliant state: a) ppolicy is configured on provider(s) and replicas. Replica has schemachecking=off in its syncrepl configuration b) account gets locked on the replica, so pwdAccountLockedTime is set on the replica but not on the provider(s) c) admin does a MOD/ADD op against a provider for the user entry to add a value to pwdAccountLockedTime dn: ... changetype: modify add: pwdAccountLockedTime pwdAccountLockedTime: ... d) provider accepts this modification. e) replica accepts this modification f) account entry on replica now has two values for pwdAccountLockedTime in violation of it being a single valued attribute: "( 1.3.6.1.4.1.42.2.27.8.1.17 " "NAME ( 'pwdAccountLockedTime' ) " "DESC 'The time an user account was locked' " "EQUALITY generalizedTimeMatch " "ORDERING generalizedTimeOrderingMatch " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 " "SINGLE-VALUE " -- You are receiving this mail because: You are on the CC list for the issue.

1 4

[Issue 9289] New: Broken link to dmoz.org
by openldap-its＠openldap.org 19 Aug '20

19 Aug '20

https://bugs.openldap.org/show_bug.cgi?id=9289 Issue ID: 9289 Summary: Broken link to dmoz.org Product: website Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: website Assignee: bugs(a)openldap.org Reporter: cleydyr(a)gmail.com Target Milestone: --- At https://www.openldap.org/doc/admin24/intro.html, there's the following paragraph: --- A web directory, such as provided by the Open Directory Project <http://dmoz.org>, is a good example of a directory service. These services catalog web pages and are specifically designed to support browsing and searching. --- However, the Dmoz site is not at http://dmoz.org anymore. The user is redirected to an error page of a AWS S3 service if they try to access the link. Currently Dmoz has an archived version at https://dmoz-odp.org/ -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9287] New: ldap_create cause 10s delay in some scenario
by openldap-its＠openldap.org 19 Aug '20

19 Aug '20

https://bugs.openldap.org/show_bug.cgi?id=9287 Issue ID: 9287 Summary: ldap_create cause 10s delay in some scenario Product: OpenLDAP Version: 2.4.44 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: libraries Assignee: bugs(a)openldap.org Reporter: happy.mu(a)nokia-sbell.com Target Milestone: --- hi LDAP guys there has some issue in our product when we integrate ipv6. scenario: ipv4 internal + ipv6 external after ldap search finish, we need build ldap message by ldap_create function. some times the ldap_create message will cause 10s delay. for example: the ldap search has 4 ocs, and only the first oc's ldap_create will cause 10s delay, the fellowing ocs is within 0.0001s. we just think it may because the mutext is global and locked by other thread. could you help on this ? LOGs: there has 10s delay, and only execute ldap_create between them. 2020/07/08-16:32:11.942114-[INFO] 13 (DBL) [DBL_LlbSearchResponse:76]LLB replied successfully with [4] entries 2020/07/08-16:32:11.942181- [INFO] 13 (DBL) [DBL_LlbSearchResponse:125]Entry Buffer[0] : l_entryBerBufferPtr="0x64820136xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" 2020/07/08-16:32:21.957488 [INFO] 13 (DBL) [DBL_LlbSearchResponse:138]Successfully created LDAP dummy handle -- You are receiving this mail because: You are on the CC list for the issue.

1 16

[Issue 9285] New: Expose ppolicy control in the rootDSE
by openldap-its＠openldap.org 19 Aug '20

19 Aug '20

https://bugs.openldap.org/show_bug.cgi?id=9285 Issue ID: 9285 Summary: Expose ppolicy control in the rootDSE Product: OpenLDAP Version: 2.4.50 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- Currently the rootDSE does not expose the ppolicy control when ppolicy is instantiated. Generally the project has had a policy of not exposing controls for items that are not on a released RFC/standard. However, at this point, ppolicy is widely used, been around for years, and (eventually) the draft should get finalized. It would be useful to expose the control at this point. -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Issue 9279] New: Support for Netscape password expiry controls
by openldap-its＠openldap.org 19 Aug '20

19 Aug '20

https://bugs.openldap.org/show_bug.cgi?id=9279 Issue ID: 9279 Summary: Support for Netscape password expiry controls Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- Add support for legacy clients expecting the LDAP server to attach these controls on relevant bind responses: - Password Expired Control (2.16.840.1.113730.3.4.4) - Password Expiration Warning Control (2.16.840.1.113730.3.4.5) Decisions as configured by regular password policy. -- You are receiving this mail because: You are on the CC list for the issue.

1 24

[Issue 9275] New: Replace all references to master/slave with appropriate terminology
by openldap-its＠openldap.org 19 Aug '20

19 Aug '20

https://bugs.openldap.org/show_bug.cgi?id=9275 Issue ID: 9275 Summary: Replace all references to master/slave with appropriate terminology Product: OpenLDAP Version: 2.4.51 Hardware: All OS: All Status: UNCONFIRMED Severity: blocker Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- We need to replace all references to master/slave in the documentation, code comments etc. provider, consumer multimaster -> multiprovider -- You are receiving this mail because: You are on the CC list for the issue.

1 6

[Issue 9271] New: ldap_parse_intermediate undocumented
by openldap-its＠openldap.org 19 Aug '20

19 Aug '20

https://bugs.openldap.org/show_bug.cgi?id=9271 Issue ID: 9271 Summary: ldap_parse_intermediate undocumented Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: documentation Assignee: bugs(a)openldap.org Reporter: ondra(a)mistotebe.net Target Milestone: --- ldap_parse_intermediate is missing from manpages, should probably be included in ldap_parse_result.3. -- You are receiving this mail because: You are on the CC list for the issue.

1 5

[Issue 9263] New: test064 fails on FreeBSD
by openldap-its＠openldap.org 19 Aug '20

19 Aug '20

https://bugs.openldap.org/show_bug.cgi?id=9263 Issue ID: 9263 Summary: test064 fails on FreeBSD Product: OpenLDAP Version: 2.4.50 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: build Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- test064 fails when executed on FreeBSD because it tries to use /bin/bash. On FrreeBSD, this is /usr/local/bin/bash -- You are receiving this mail because: You are on the CC list for the issue.

1 3

[Bug 9262] New: Segmentation Fault on ldap_chain_op during Network Issues
by openldap-its＠openldap.org 19 Aug '20

19 Aug '20

https://bugs.openldap.org/show_bug.cgi?id=9262 Bug ID: 9262 Summary: Segmentation Fault on ldap_chain_op during Network Issues Product: OpenLDAP Version: 2.4.49 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: jeremy.diaz(a)rexconsulting.net Target Milestone: --- Created attachment 733 --> https://bugs.openldap.org/attachment.cgi?id=733&action=edit Full backtrace This is a follow up to the following OpenLDAP mailing list post: https://www.openldap.org/lists/openldap-technical/202001/msg00045.html The issue is as follows: Slapd crashes with a segmentation fault periodically and seems to occur most often during periods of high load. The issue seems to be related to the chain overlay. Some background info: This environment was originally made up of 3 producers and 6 consumers all on OpenLdap 2.4.48. Initially the issue did not appear to be caused directly by high load. We noticed that there was an uptick in saslauthd errors around the time when a crash occurred: Dec 11 07:23:20 {REDACTED} saslauthd[2720]: user ldap_search_st() failed: Timed out Dec 11 07:23:30 {REDACTED} saslauthd[2718]: user ldap_search_st() failed: Timed out Dec 11 07:23:40 {REDACTED} saslauthd[2718]: user ldap_search_st() failed: Timed out Dec 11 07:23:56 {REDACTED} saslauthd[2717]: user ldap_search_st() failed: Timed out Dec 11 07:23:57 {REDACTED} saslauthd[2720]: user ldap_search_st() failed: Timed out Dec 11 07:23:57 {REDACTED} saslauthd[2719]: user ldap_search_st() failed: Timed out Dec 11 07:24:05 {REDACTED} saslauthd[2718]: user ldap_search_st() failed: Timed out Dec 11 07:24:06 {REDACTED} saslauthd[2717]: user ldap_search_st() failed: Timed out Dec 11 07:24:54 {REDACTED} saslauthd[2719]: : write failure Dec 11 07:24:54 {REDACTED} saslauthd[2717]: : write failure Dec 11 07:24:54 {REDACTED} saslauthd[2719]: : write: Broken pipe Dec 11 07:24:54 {REDACTED} saslauthd[2717]: : write: Broken pipe Dec 11 07:24:54 {REDACTED} saslauthd[2718]: : write failure Dec 11 07:24:54 {REDACTED} saslauthd[2720]: : write failure Dec 11 07:24:54 {REDACTED} saslauthd[2718]: : write: Broken pipe Dec 11 07:24:54 {REDACTED} saslauthd[2720]: : write: Broken pipe Dec 11 07:25:04 {REDACTED} saslauthd[2721]: : write failure Dec 11 07:25:04 {REDACTED} saslauthd[2721]: : write: Broken pipe This seemed to indicate an issue with either AD, saslauthd or the ldap meta instance. Slapd with log level -1 did not return any obvious error messages. One consumer server was particularly problematic since it was in a data center that had a slower network connection. This server was also dealing with a subset of traffic corresponding to another one of our applications so overall there was more traffic going into this server than some the other servers. After some network improvements the segfault occurences dropped to about 1 every couple of days mostly confined to the problematic server. The environment was eventually updated to 2.4.49 but there was no obvious reduction in the number of segfaults. A while after an incident occurred that caused an increase in the latency of the network connections causing most of the slapd instances to crash constantly every few minutes. The crashing stopped only after the network latency was reduced. Ultimately what seemed to significantly reduce the number of segfaults was adding another 3 consumers to further reduce the load on each server. The following backtrace we captured seems to indicate that there is an issue with the chain overlay: #0 ldap_chain_op (op=op@entry=0x7ffbe41f0870, rs=rs@entry=0x7ffbf09bbb20, op_f=0x4a845e <ldap_back_search>, ref=ref@entry=0x0, depth=depth@entry=0) at chain.c:422 #1 0x00000000004e61da in ldap_chain_response (op=0x7ffbe41f0870, rs=0x7ffbf09bbb20) at chain.c:1090 #2 0x000000000049d323 in over_back_response (op=0x7ffbe41f0870, rs=0x7ffbf09bbb20) at backover.c:237 #3 0x0000000000447c1a in slap_response_play (op=op@entry=0x7ffbe41f0870, rs=rs@entry=0x7ffbf09bbb20) at result.c:508 #4 0x00000000004480f5 in send_ldap_response (op=op@entry=0x7ffbe41f0870, rs=rs@entry=0x7ffbf09bbb20) at result.c:583 The issue ultimately seems to stem from slapd being really sensitive to network latency. The chain overlay appears to be attempting to dereference a value that never gets set due to a timeout mechanism being exceeded because of high load and/or high network latency as chain.c:422 seems to suggest: for ( ; !BER_BVISNULL( ref ); ref++ ) { Attached is the updated full backtrace of all the threads and below is the relevant portions of our olc configuration regarding the chain overlay: dn: olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: {1}chain olcChainCacheURI: FALSE olcChainMaxReferralDepth: 1 olcChainReturnError: TRUE dn: olcDatabase={0}ldap,olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {0}ldap olcDbStartTLS: ldaps starttls=no olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: TRUE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 dn: olcDatabase={1}ldap,olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {1}ldap olcDbURI: “{REDACTED URI 1}“ olcDbStartTLS: ldaps starttls=no tls_cacert=“/{REDACTED}/openldap/tls/ cacerts.cer" tls_reqcert=demand tls_crlcheck=none olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindm ethod=simple timeout=0 network-timeout=0 binddn={REDACTED} credentials={REDACTED} keepalive=0:0:0 olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: TRUE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 dn: olcDatabase={2}ldap,olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {2}ldap olcDbURI: “{REDACTED URI 2}“ olcDbStartTLS: ldaps starttls=no tls_cacert=“/{REDACTED}/openldap/tls/ cacerts.cer" tls_reqcert=demand tls_crlcheck=none olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindm ethod=simple timeout=0 network-timeout=0 binddn={REDACTED} credentials={REDACTED} keepalive=0:0:0 olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: TRUE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 dn: olcDatabase={3}ldap,olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {3}ldap olcDbURI: “{REDACTED URI 3}“ olcDbStartTLS: ldaps starttls=no tls_cacert=“/{REDACTED}/openldap/tls/ cacerts.cer" tls_reqcert=demand tls_crlcheck=none olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindm ethod=simple timeout=0 network-timeout=0 binddn={REDACTED} credentials={REDACTED} keepalive=0:0:0 olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: TRUE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 -- You are receiving this mail because: You are on the CC list for the bug.

1 12

[Bug 9248] New: argon2 Makefile detects prefix incorrectly
by openldap-its＠openldap.org 19 Aug '20

19 Aug '20

https://bugs.openldap.org/show_bug.cgi?id=9248 Bug ID: 9248 Summary: argon2 Makefile detects prefix incorrectly Product: OpenLDAP Version: 2.4.50 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: contrib Assignee: bugs(a)openldap.org Reporter: ryan(a)openldap.org Target Milestone: --- argon2 tries to auto-detect the prefix from the core Makefile, but gets it slightly wrong. $ make DESTDIR=/home/ryan/tmp/sysroot install mkdir -p /home/ryan/tmp/sysroot`grep -e "^prefix =" ../../../../Makefile | cut -d= -f2`/libexec/openldap mkdir: cannot create directory ‘/usr/libexec’: Permission denied make: *** [Makefile:63: install-lib] Error 1 $ grep -e "^prefix =" ../../../../Makefile | cut -d= -f2 /usr $ grep -e "^prefix =" ../../../../Makefile prefix = /usr The problem is the space after the equals sign. I'd probably just remove this auto-detection and default it to prefix=/usr/local, like every other contrib Makefile does, for the sake of simplicity. -- You are receiving this mail because: You are on the CC list for the bug.

1 5

← Newer
1
...
5
6
7
8
9
10
11
12
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs July 2020