openldap-bugs

openldap-bugs@openldap.org

1 participants
21001 discussions

ITS#6712
by masarati＠aero.polimi.it 18 Nov '10

18 Nov '10

Thanks for the report. "hasSubordinates" is generated, not stored in the database; this may explain why multiple values appear despite its "single-valuedness". I'm investigating... p.

1 0

ITS#6713
by masarati＠aero.polimi.it 18 Nov '10

18 Nov '10

Please note that the current release is 2.4.23; since 2.4.16 many issues have been fixed. If the problem persists after upgrading, please make sure you provide useful information, as illustrated here <http://www.openldap.org/faq/data/cache/56.html> and in subordinate links. p.

1 0

(ITS#6713) slad crashing automatically in production server
by devman1624＠yahoo.com 18 Nov '10

18 Nov '10

Full_Name: DevMan Version: 2.4.16 OS: RHEL5.4 64 bit URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (12.191.136.3) Hi All, I am facing issue in my prod server. PLease find the below details: DS: Openldap2.4.16(2 Multimaster with one slave) Database: BDB4.7.25 OS: RHEL5.4 64 bit Number of databases: 2 Number of entries in one database is 9lakhs and in second database is 2000. RAM: 2GB CPU: 2(Model name: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz) Issue: slapd automatically killed once in a day or some time 3 in a day. I have run the below command and found segfault error 4: [root@MYINSGGNSBILDAP2 openldap]# dmesg |grep slapd slapd[30387]: segfault at 0000000000000017 rip 00000000004dca25 rsp 00007fff61425f80 error 4 slapd[32121]: segfault at 0000000000000048 rip 0000003cd8008950 rsp 0000000042554948 error 4 slapd[1013]: segfault at 0000000000000048 rip 0000003cd8008950 rsp 000000004233c948 error 4 slapd[13060]: segfault at 0000000000000000 rip 0000003cd747997a rsp 00000000422408e8 error 4 slapd[24417]: segfault at 0000000000000008 rip 000000000048d6b2 rsp 0000000046333560 error 4 slapd[694]: segfault at 0000000000000008 rip 000000000048d6b2 rsp 0000000043cfa560 error 4 slapd[1068]: segfault at 0000000000000008 rip 000000000048d6b2 rsp 0000000041446560 error 4 slapd[5557]: segfault at 0000000000000008 rip 000000000048d6b2 rsp 0000000041fd2560 error 4 slapd[15633]: segfault at 0000000000000008 rip 000000000048d6b2 rsp 0000000041a9d560 error 4 slapd[31922]: segfault at 0000000000000008 rip 000000000048d6b2 rsp 0000000043312560 error 4 slapd[13961]: segfault at 0000000000000000 rip 0000003cd747997a rsp 000000004230f4e8 error 4 slapd[14807]: segfault at 0000000000000048 rip 0000003cd8008950 rsp 0000000041523948 error 4 Please help me here to resolve this problem. Thx DevMan

1 0

(ITS#6712) dont-use-copy/syncrepl/chain hasSubordinates extra vals
by david.delaharpe.golden＠ichec.ie 17 Nov '10

17 Nov '10

Full_Name: David De La Harpe Golden (ICHEC) Version: 2.4.23 OS: debian/unstable URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (193.1.200.66) I was playing with the experimental "dont-use-copy" ldap control in conjunction with a basic test provider-consumer syncrepl setup and chain overlay back to the provider on the consumer. I realise the control is experimental and the issue is not major, but anyway, better to report these things: Seems that when the control is used in a search request to the consumer, hasSubordinates on the returned value is getting extra values. As hasSubordinates is AFAICS defined as a single-value attribute, that's strange. # e.g. Test using python-ldap import ldap from ldap.controls import LDAPControl class _ExpDontUseCopyControl(LDAPControl): controlType = '1.3.6.1.4.1.4203.666.5.15' provider = ldap.open('localhost', 3389) consumer = ldap.open('localhost', 389) provider.bind('cn=something,dc=example,dc=com', 'somepw') consumer.bind('cn=something,dc=example,dc=com', 'somepw') provider.search_ext_s('cn=foo,dc=example,dc=com', ldap.SCOPE_BASE, '(objectClass=*)', ['hasSubordinates'], serverctrls=[]) => [('cn=foo,dc=example,dc=com', {'hasSubordinates': ['FALSE']})] provider.search_ext_s('cn=foo,dc=example,dc=com', ldap.SCOPE_BASE, '(objectClass=*)', ['hasSubordinates'], serverctrls=[_ExpDontUseCopyControl(True)]) => [('cn=foo,dc=example,dc=com', {'hasSubordinates': ['FALSE']})] consumer.search_ext_s('cn=foo,dc=example,dc=com', ldap.SCOPE_BASE, '(objectClass=*)', ['hasSubordinates'], serverctrls=[]) => [('cn=foo,dc=example,dc=com', {'hasSubordinates': ['FALSE']})] consumer.search_ext_s('cn=foo,dc=example,dc=com', ldap.SCOPE_BASE, '(objectClass=*)', ['hasSubordinates'], serverctrls=[_ExpDontUseCopyControl(True)]) => [('cn=foo,dc=example,dc=com', {'hasSubordinates': ['FALSE', 'FALSE']})]

1 0

(ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth
by subbarao＠computer.org 17 Nov '10

17 Nov '10

Full_Name: Kartik Subbarao Version: 2.4.23 OS: Debian Linux 5.0.5 URL: ftp://ftp.openldap.org/incoming/kartik_subbarao.101116.tgz Submission from: (NULL) (76.99.175.5) I'm trying to get a consumer server to forward ppolicy-related updates to its provider server, and to use certificate-based authentication (SASL EXTERNAL) over STARTTLS when authenticating to the provider. I'm running into multiple problems here. The core problem seems to be that enabling ppolicy_forward_updates breaks the chaining overlay such that it binds anonymously instead of with SASL EXTERNAL. Another problem is that bind operations to the consumer server start to return two result messages -- one with the error code of the chained operation, and one with the error code of the bind operation. To simplify reproducing the problem, I've worked with test022-ppolicy in the openldap test framework. Here, I ran into another issue. I can't seem to be able to configure sasl external/starttls chaining properly with the cn=config style configuration that test022-ppolicy applies. The self-signed cert that I'm using works fine with replication, but it doesn't seem to work with chaining. This may or may not be another issue that needs to be resolved. In any case, with the attached files in the ITS, I hope that what I'm trying to do and the results that I'm getting should be as clear as possible.

1 0

Re: (ITS#6703) Patch - Mozilla NSS - reject non-file key and cert files
by rmeggins＠redhat.com 15 Nov '10

15 Nov '10

On 11/15/2010 01:22 PM, Howard Chu wrote: > rmeggins(a)redhat.com wrote: >> On 11/15/2010 12:39 PM, Howard Chu wrote: >>> rmeggins(a)redhat.com wrote: >>>> Full_Name: Rich Megginson >>>> Version: 2.4.23 (current CVS HEAD) >>>> OS: RHEL5 >>>> URL: >>>> ftp://ftp.openldap.org/incoming/openldap-2.4.23-reject_non_file_key_cert_pe… >>>> >>>> Submission from: (NULL) (76.113.111.209) >>>> >>>> >>>> If you specify a directory instead of a file to TLS_CACERT, or if one >>>> of the >>>> items in the TLS_CACERTDIR is a directory, the NSS PEM reader will >>>> crash. This >>>> patch rejects any item which looks like a directory. >>> >>> It sounds like this is a bug that ought to be patched in the NSS PEM >>> reader instead, no? >>> >> Yes, you are correct. I have filed this bug - >> https://bugzilla.redhat.com/show_bug.cgi?id=653619 >> But the patch to openldap will allow it to bypass this problem. > > OK. I've reviewed and committed all of your patches 6703-6706. > Thanks!

1 0

Re: (ITS#6703) Patch - Mozilla NSS - reject non-file key and cert files
by hyc＠symas.com 15 Nov '10

15 Nov '10

rmeggins(a)redhat.com wrote: > On 11/15/2010 12:39 PM, Howard Chu wrote: >> rmeggins(a)redhat.com wrote: >>> Full_Name: Rich Megginson >>> Version: 2.4.23 (current CVS HEAD) >>> OS: RHEL5 >>> URL: >>> ftp://ftp.openldap.org/incoming/openldap-2.4.23-reject_non_file_key_cert_pe… >>> Submission from: (NULL) (76.113.111.209) >>> >>> >>> If you specify a directory instead of a file to TLS_CACERT, or if one >>> of the >>> items in the TLS_CACERTDIR is a directory, the NSS PEM reader will >>> crash. This >>> patch rejects any item which looks like a directory. >> >> It sounds like this is a bug that ought to be patched in the NSS PEM >> reader instead, no? >> > Yes, you are correct. I have filed this bug - > https://bugzilla.redhat.com/show_bug.cgi?id=653619 > But the patch to openldap will allow it to bypass this problem. OK. I've reviewed and committed all of your patches 6703-6706. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6703) Patch - Mozilla NSS - reject non-file key and cert files
by rmeggins＠redhat.com 15 Nov '10

15 Nov '10

On 11/15/2010 12:39 PM, Howard Chu wrote: > rmeggins(a)redhat.com wrote: >> Full_Name: Rich Megginson >> Version: 2.4.23 (current CVS HEAD) >> OS: RHEL5 >> URL: >> ftp://ftp.openldap.org/incoming/openldap-2.4.23-reject_non_file_key_cert_pe… >> Submission from: (NULL) (76.113.111.209) >> >> >> If you specify a directory instead of a file to TLS_CACERT, or if one >> of the >> items in the TLS_CACERTDIR is a directory, the NSS PEM reader will >> crash. This >> patch rejects any item which looks like a directory. > > It sounds like this is a bug that ought to be patched in the NSS PEM > reader instead, no? > Yes, you are correct. I have filed this bug - https://bugzilla.redhat.com/show_bug.cgi?id=653619 But the patch to openldap will allow it to bypass this problem.

1 0

Re: (ITS#6703) Patch - Mozilla NSS - reject non-file key and cert files
by hyc＠symas.com 15 Nov '10

15 Nov '10

rmeggins(a)redhat.com wrote: > Full_Name: Rich Megginson > Version: 2.4.23 (current CVS HEAD) > OS: RHEL5 > URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-reject_non_file_key_cert_pe… > Submission from: (NULL) (76.113.111.209) > > > If you specify a directory instead of a file to TLS_CACERT, or if one of the > items in the TLS_CACERTDIR is a directory, the NSS PEM reader will crash. This > patch rejects any item which looks like a directory. It sounds like this is a bug that ought to be patched in the NSS PEM reader instead, no? -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#6710) Mods already refreshed on a forwarding server is lost by its consumer
by rein＠OpenLDAP.org 15 Nov '10

15 Nov '10

Full_Name: Rein Tollevik Version: CVS head OS: Irrelevant URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (84.215.59.121) Submitted by: rein New syncprov consumers connecting to a forwarding server and presenting an apperently up-to-date cookie will loose any mods that have already taken place on the forwarding server if it itself is refreshing from its provider. This should not be a problem if the forwarding server have a sufficiently large syncprov log, but a fix for servers without is coming. -- Rein Tollevik Basefarm AS

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs