openldap-bugs

openldap-bugs@openldap.org

1 participants
21065 discussions

Re: slapo-unique man page misleading (ITS#5908)
by ando＠sys-net.it 29 Jan '09

29 Jan '09

quanah(a)zimbra.com wrote: > --On January 28, 2009 10:39:41 PM +0000 Magne.Land(a)citrix.com wrote: > >> Hi, >> Please see this thread for background info: >> http://www.openldap.org/lists/openldap-software/200901/msg00112.html >> >> To me, something is either guaranteed or not. And I think "enforce" means >> something that is guaranteed. In this case, the uniqueness is not >> guaranteed, therefore it is not enforced. > > Set up slapo-accesslog on your master. Then uniqueness is guaranteed. Are you sure about this? I didn't look in detail to the code, so I can't tell whether serializing writes that way will cause the desired behavior, since slapo-unique is using internal writes. As Gavin says,. if this is the case then it should be at least documented, and not only in slapo-unique, but also for any overlay/module that does internal writes. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

Re: slapo-unique man page misleading (ITS#5908)
by ghenry＠suretecsystems.com 29 Jan '09

29 Jan '09

----- quanah(a)zimbra.com wrote: > --On January 28, 2009 10:39:41 PM +0000 Magne.Land(a)citrix.com wrote: > > > Hi, > > Please see this thread for background info: > > > http://www.openldap.org/lists/openldap-software/200901/msg00112.html > > > > To me, something is either guaranteed or not. And I think "enforce" > means > > something that is guaranteed. In this case, the uniqueness is not > > guaranteed, therefore it is not enforced. > > Set up slapo-accesslog on your master. Then uniqueness is > guaranteed. We don't document this requirement in slapo-unique.5 though. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

1 0

Re: (ITS#5909) stack overflow in tavl_delete (libraries/liblutil/tavl.c)?
by ulrich.windl＠rz.uni-regensburg.de 29 Jan '09

29 Jan '09

On 29 Jan 2009 at 2:21, Howard Chu wrote: > Hardcoding arbitrary limits in portable code is stupid. ("No one will ever > need more than 640K...") What may seem (im)practical to you today may be > commonplace tomorrow. This code will be maintenance-free no matter what class > of machine it's built on, forever. That's *excellent* programming. Howard, my proposals were related to the virtual address space, and the specific value for 64 bit was assuming that no more than 800GB of tree nodes are allocated. Your settings relate the depth of the tree to the width of a pointer multiplied by a hardcoded value without further explanation. > > There is no bug here, this ITS is closed. To make a long discussion short, you cold add a comment regarding the use of "8". Regards, Ulrich > > Ulrich Windl wrote: > > On 28 Jan 2009 at 13:06, Howard Chu wrote: > > > >> Ulrich.Windl(a)rz.uni-regensburg.de wrote: > >>> Full_Name: Ulrich Windl > >>> Version: 2.4.11 > >>> OS: Linux > >>> URL: ftp://ftp.openldap.org/incoming/ > >>> Submission from: (NULL) (132.199.156.178) > >>> > >>> > >>> Looking for a threaded AVL tree implementation that is supposed to work, I found > >>> libraries/liblutil/tavl.c in openLDAP. I'm no expert on threaded AVL trees, but > >>> there's thing that worries me: > >>> tavl_delete uses two stacks (pptr, pdir) with a size of 8 elements on the > >>> routine' stack. While locating the element to delete, it pushes the parent node > >>> onto the stack. > >> You're misreading the code. The stack is 8*sizeof(void *) which means 32 > >> elements deep on a 32 bit machine, and 64 deep on a 64 bit machine. There is > >> no possibility of overflow now or for several years to come. > > > > OK! I was confused by the terrible programming style at that point: as the array > > elements are of the proper type (and not bytes), there is no need for a sizeof > > here: I see no reason why the depth of the tree to be allowed should depend on the > > length of a pointer, maning: If you want 32, why don't you write 32? So the worst > > case stack depth would be something like "log2(2^32/(sizeof(void *) * 5))" ("5" > > being 2 links + 2 threading marks + 1 data pointer), something near 32-5 == 27 > > (for 32-bit machines) and 64-6 == 58. Practically the latter could be safely > > reduced to a value around 42 IMHO. > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5909) stack overflow in tavl_delete (libraries/liblutil/tavl.c)?
by hyc＠symas.com 29 Jan '09

29 Jan '09

Hardcoding arbitrary limits in portable code is stupid. ("No one will ever need more than 640K...") What may seem (im)practical to you today may be commonplace tomorrow. This code will be maintenance-free no matter what class of machine it's built on, forever. That's *excellent* programming. There is no bug here, this ITS is closed. Ulrich Windl wrote: > On 28 Jan 2009 at 13:06, Howard Chu wrote: > >> Ulrich.Windl(a)rz.uni-regensburg.de wrote: >>> Full_Name: Ulrich Windl >>> Version: 2.4.11 >>> OS: Linux >>> URL: ftp://ftp.openldap.org/incoming/ >>> Submission from: (NULL) (132.199.156.178) >>> >>> >>> Looking for a threaded AVL tree implementation that is supposed to work, I found >>> libraries/liblutil/tavl.c in openLDAP. I'm no expert on threaded AVL trees, but >>> there's thing that worries me: >>> tavl_delete uses two stacks (pptr, pdir) with a size of 8 elements on the >>> routine' stack. While locating the element to delete, it pushes the parent node >>> onto the stack. >> You're misreading the code. The stack is 8*sizeof(void *) which means 32 >> elements deep on a 32 bit machine, and 64 deep on a 64 bit machine. There is >> no possibility of overflow now or for several years to come. > > OK! I was confused by the terrible programming style at that point: as the array > elements are of the proper type (and not bytes), there is no need for a sizeof > here: I see no reason why the depth of the tree to be allowed should depend on the > length of a pointer, maning: If you want 32, why don't you write 32? So the worst > case stack depth would be something like "log2(2^32/(sizeof(void *) * 5))" ("5" > being 2 links + 2 threading marks + 1 data pointer), something near 32-5 == 27 > (for 32-bit machines) and 64-6 == 58. Practically the latter could be safely > reduced to a value around 42 IMHO. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5909) stack overflow in tavl_delete (libraries/liblutil/tavl.c)?
by ulrich.windl＠rz.uni-regensburg.de 29 Jan '09

29 Jan '09

On 28 Jan 2009 at 13:06, Howard Chu wrote: > Ulrich.Windl(a)rz.uni-regensburg.de wrote: > > Full_Name: Ulrich Windl > > Version: 2.4.11 > > OS: Linux > > URL: ftp://ftp.openldap.org/incoming/ > > Submission from: (NULL) (132.199.156.178) > > > > > > Looking for a threaded AVL tree implementation that is supposed to work, I found > > libraries/liblutil/tavl.c in openLDAP. I'm no expert on threaded AVL trees, but > > there's thing that worries me: > > tavl_delete uses two stacks (pptr, pdir) with a size of 8 elements on the > > routine' stack. While locating the element to delete, it pushes the parent node > > onto the stack. > > You're misreading the code. The stack is 8*sizeof(void *) which means 32 > elements deep on a 32 bit machine, and 64 deep on a 64 bit machine. There is > no possibility of overflow now or for several years to come. OK! I was confused by the terrible programming style at that point: as the array elements are of the proper type (and not bytes), there is no need for a sizeof here: I see no reason why the depth of the tree to be allowed should depend on the length of a pointer, maning: If you want 32, why don't you write 32? So the worst case stack depth would be something like "log2(2^32/(sizeof(void *) * 5))" ("5" being 2 links + 2 threading marks + 1 data pointer), something near 32-5 == 27 (for 32-bit machines) and 64-6 == 58. Practically the latter could be safely reduced to a value around 42 IMHO. > > > So from my knowledge this means that for a perfectly filled balanced tree, the > > stack will overflow when the tree consists of 2^8 (2^0 + 2^1 + 2^2 + ... + 2^7) > > or more nodes, and you are locating a leaf node. Maybe even with fewer nodes. > > As the algorithm also pushes an other element onto the stack, the problem could > > appear even before 128 nodes. > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: slapo-unique man page misleading (ITS#5908)
by quanah＠zimbra.com 29 Jan '09

29 Jan '09

--On January 28, 2009 10:39:41 PM +0000 Magne.Land(a)citrix.com wrote: > Hi, > Please see this thread for background info: > http://www.openldap.org/lists/openldap-software/200901/msg00112.html > > To me, something is either guaranteed or not. And I think "enforce" means > something that is guaranteed. In this case, the uniqueness is not > guaranteed, therefore it is not enforced. Set up slapo-accesslog on your master. Then uniqueness is guaranteed. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#5911) password policy - alternate lockout mechanism
by aravind＠freeshell.org 28 Jan '09

28 Jan '09

Full_Name: Aravind Gottipati Version: 2.4.13 OS: Linux - RHEL5 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (63.245.220.241) I'd like to propose a change to how the password lockouts work. The current system does not differentiate between multiple bind attempts with a single (or even a few) incorrect password(s) vs. multiple bind attempts with different incorrect passwords. In our case, this results in a ton of false positives when folks change their password, but don't propagate their password change to all the applications/machines that use it. This causes a bunch of un-necessary lockouts. A real crack attempt on the other hand would most likely try a bunch of passwords (none of which repeat). I have posted the same on the openldap-software mailing lists and Jeff Clowser proposed a scheme that should work to solve the problem. Record each failed bind attempt as a (hash,timestamp) pair. If there is another failed attempt, check the password against these (hash, timestamp) pairs and update the timestamp if the hash is found. If its a new password that hasn't been attempted before, then create a new (hash,timestamp) pair. Lock the account out if there are more than pwdMaxFailure hashes stored. http://www.openldap.org/lists/openldap-software/200901/msg00147.html

1 0

Re: slapo-unique man page misleading (ITS#5908)
by Magne.Land＠citrix.com 28 Jan '09

28 Jan '09

Hi, Please see this thread for background info: http://www.openldap.org/lists/openldap-software/200901/msg00112.html To me, something is either guaranteed or not. And I think "enforce" means something that is guaranteed. In this case, the uniqueness is not guaranteed, therefore it is not enforced. Regards, Magne Land On 1/28/09 2:33 PM, "Gavin Henry" <openldap-its(a)OpenLDAP.org> wrote: > Full_Name: Magne Land > Version: 2.3.43 > OS: RHEL 5.1 64-bit > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (72.37.244.20) > > > Currently the man page of slapo-unique says "enforce uniqueness", which I find > misleading. > Would it be possible to change it to say "makes the best effort to enforce > uniqueness" or something to that effect? > > It would need more words than that to comment on what exactly happens i.e. why it is a "best effort".

1 0

Re: (ITS#5909) stack overflow in tavl_delete (libraries/liblutil/tavl.c)?
by hyc＠symas.com 28 Jan '09

28 Jan '09

Ulrich.Windl(a)rz.uni-regensburg.de wrote: > Full_Name: Ulrich Windl > Version: 2.4.11 > OS: Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (132.199.156.178) > > > Looking for a threaded AVL tree implementation that is supposed to work, I found > libraries/liblutil/tavl.c in openLDAP. I'm no expert on threaded AVL trees, but > there's thing that worries me: > tavl_delete uses two stacks (pptr, pdir) with a size of 8 elements on the > routine' stack. While locating the element to delete, it pushes the parent node > onto the stack. You're misreading the code. The stack is 8*sizeof(void *) which means 32 elements deep on a 32 bit machine, and 64 deep on a 64 bit machine. There is no possibility of overflow now or for several years to come. > So from my knowledge this means that for a perfectly filled balanced tree, the > stack will overflow when the tree consists of 2^8 (2^0 + 2^1 + 2^2 + ... + 2^7) > or more nodes, and you are locating a leaf node. Maybe even with fewer nodes. > As the algorithm also pushes an other element onto the stack, the problem could > appear even before 128 nodes. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#5910) Minor fixes to test scripts
by rein＠OpenLDAP.org 28 Jan '09

28 Jan '09

Full_Name: Rein Tollevik Version: CVS HEAD OS: Irrelevant URL: Submission from: (NULL) (81.93.160.250) Submitted by: rein test006 truncates its log file instead of appending to it. test048 substitutes pathnames wrong if it happens to be run from a directory which includes ".2." in the path. Fixes are coming.. Rein Tollevik Basefarm AS

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs