openldap-bugs

openldap-bugs@openldap.org

1 participants
20963 discussions

Re: (ITS#5854) Double send response in meta backend
by ando＠sys-net.it 12 Dec '08

12 Dec '08

jorge.perez(a)adaptia.net wrote: > Full_Name: Jorge Perez Burgos > Version: 2.4.11 > OS: SLES 10 > URL: ftp://ftp.openldap.org/incoming/back-meta_changes.diff.gz > Submission from: (NULL) (194.237.142.20) > > > Meta backend send two response codes when trying to reconnect to other slapd. > > Steps to reproduce: > Configure two slapds, slapd_A and slapd_B. slapd_A connects to slapd_B trough > meta backend. Do some traffic operations. Restart slapd_B and do some modify, > delete or add operation, response code 52 is received although the operation is > sucessful. Using a tcpdump you can see two response codes for the request. > > I attach a possible patch for this issue. Thanks. I've committed an alternative fix to this issue, in line with the analogous code in back-ldap. It makes use of the specific bit of the ldap_back_send_t mask instead of an additional argument. Please test. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

Re: (ITS#5768) [enhancement] add support for Dereference Control
by ando＠sys-net.it 11 Dec '08

11 Dec '08

Andrew Bartlett wrote: > On Thu, 2008-12-11 at 23:17 +0100, Pierangelo Masarati wrote: >> Andrew Bartlett wrote: >>> On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote: >>>> A tentative implementation is in HEAD, please test. You need to: >>> Thankyou very much. I downloaded CVS HEAD and tested it out (finally - >>> the Samba4 side of the implementation took far longer than I expected). >>> >>>> - configure as --enable-deref >>>> >>>> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't >>>> work as global overlay yet, sorry). >>> This is something Samba4 will need, as many of our links are >>> cross-database. But fixing this for a single DB is a big help in any >>> case. >>> >>>> - run searches like >>>> >>>> $ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID' >>>> >>>> you'll see results like >>> When using Samba4's client, it seems to work, but it is as if it extends >>> the control to the full expected length, but not the data. Ie, attached >>> this is the control response I got back from the 'make testenv' >>> environment in Samba4. I've also attached the full LDAP request. >>> >>> The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4 >>> parsing bug). >> I've found the bug (erroneous manipulation of octet strings containing >> '\0' octets). The objectSid is octet string-valued. Should be fixed >> now; please test. > > While I'm mostly at sea on ASN.1, I don't think the OpenLDAP's > implementation matches your IETF draft (if not, an education on subtle > details of ASN.1 will be appreciated) > > draft-masarati-ldap-deref-00 > > >> 2.3. Control Response >> >> >> The control type is deref-oid (IANA assigned; see Section 6). The >> specification of the Dereference Control response is: >> >> controlValue ::= SEQUENCE OF derefRes DerefRes >> >> DerefRes ::= SEQUENCE { >> derefAttr AttributeDescription, >> derefVal LDAPDN, >> attrVals [0] PartialAttributeList OPTIONAL } >> >> PartialAttributeList ::= SEQUENCE OF >> partialAttribute PartialAttribute >> >> PartialAttribute is defined in [RFC4511]; the definition is reported >> here for clarity: >> >> PartialAttribute ::= SEQUENCE { >> type AttributeDescription, >> vals SET OF value AttributeValue } >> > > the output of dumpasn1 on the control: > >> 0 983: SEQUENCE { >> 4 168: SEQUENCE { >> 7 8: OCTET STRING 'memberOf' >> 17 56: OCTET STRING >> : 'cn=Enterprise Admins,cn=Users,dc=samba,dc=exampl' >> : 'e,dc=com' >> 75 98: [0] { >> 77 51: SEQUENCE { > > Shouldn't there be another SEQUENCE { here? Well, that was my intention when I ber_printf("{{OOt{{O[W]}{O[W]}}}}"), which, AFAIK, means: "{" SEQUENCE "{" SEQUENCE "OO" derefAttr, derefVal "t" [0] "{" SEQUENCE "{O[W]}" SEQUENCE, type, SET OF vals Am I missing anything? Couldn't "[0] {" be a shortcut in dumpasn1 to indicate SEQUENCE OF and the presence of a context+constructed tag? Looking at the raw data of an example, I see a sequence 240 126 060 063 004 011 which means: 240 context + constructed 126 (the length, 86 octets) 060 sequence 063 (the length, 51 octets) 004 octet string 011 (the length, 9 octets: "entryUUID") I'm not an expert in ASN.1, but from what I infer by looking at LDAP specs and at OpenLDAP implementation, this is consistent with the way similar cases are dealt with (e.g. the "Controls" at the end of a request message). p. > >> 79 9: OCTET STRING 'entryUUID' >> 90 38: SET { >> 92 36: OCTET STRING >> '24476f18-5c24-102d-9945-7320c1040f54' >> : } >> : } >> 130 43: SEQUENCE { >> 132 9: OCTET STRING 'objectSid' >> 143 30: SET { >> 145 28: OCTET STRING >> : 01 05 00 00 00 00 00 05 15 00 00 00 AB BE DB 7B >> : 16 72 AE E6 53 BE 65 6F 07 02 00 00 >> : } >> : } >> : } >> : } >> > > Thanks, > > Andrew Bartlett > Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

Re: (ITS#5854) Double send response in meta backend
by ando＠sys-net.it 11 Dec '08

11 Dec '08

hyc(a)symas.com wrote: > Thanks for your report. Sounds a lot like ITS#4782... Howard, the proposed fix is fine, but I think the issue is better addressed in back-ldap by means of the ldap_back_send_t mask without the need of an additional argument. I'm testing a different fix. p. > On Thu, Dec 11, 2008 at 10:14:23AM +0000, jorge.perez(a)adaptia.net wrote: >> Full_Name: Jorge Perez Burgos >> Version: 2.4.11 >> OS: SLES 10 >> URL: ftp://ftp.openldap.org/incoming/back-meta_changes.diff.gz >> Submission from: (NULL) (194.237.142.20) >> >> >> Meta backend send two response codes when trying to reconnect to other slapd. >> >> Steps to reproduce: >> Configure two slapds, slapd_A and slapd_B. slapd_A connects to slapd_B trough >> meta backend. Do some traffic operations. Restart slapd_B and do some modify, >> delete or add operation, response code 52 is received although the operation is >> sucessful. Using a tcpdump you can see two response codes for the request. >> >> I attach a possible patch for this issue. >> >> > > Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

Re: (ITS#5854) Double send response in meta backend
by hyc＠symas.com 11 Dec '08

11 Dec '08

Thanks for your report. Sounds a lot like ITS#4782... On Thu, Dec 11, 2008 at 10:14:23AM +0000, jorge.perez(a)adaptia.net wrote: > Full_Name: Jorge Perez Burgos > Version: 2.4.11 > OS: SLES 10 > URL: ftp://ftp.openldap.org/incoming/back-meta_changes.diff.gz > Submission from: (NULL) (194.237.142.20) > > > Meta backend send two response codes when trying to reconnect to other slapd. > > Steps to reproduce: > Configure two slapds, slapd_A and slapd_B. slapd_A connects to slapd_B trough > meta backend. Do some traffic operations. Restart slapd_B and do some modify, > delete or add operation, response code 52 is received although the operation is > sucessful. Using a tcpdump you can see two response codes for the request. > > I attach a possible patch for this issue. > >

1 0

Re: (ITS#5768) [enhancement] add support for Dereference Control
by abartlet＠samba.org 11 Dec '08

11 Dec '08

--=-3TUJtt6yg+CvD9VzraMk Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Thu, 2008-12-11 at 23:22 +0100, Pierangelo Masarati wrote: > Andrew Bartlett wrote: > > On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote: > >> A tentative implementation is in HEAD, please test. You need to: > >=20 > > Thankyou very much. I downloaded CVS HEAD and tested it out (finally - > > the Samba4 side of the implementation took far longer than I expected). > >=20 > >> - configure as --enable-deref > >> > >> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't > >> work as global overlay yet, sorry). > >=20 > > This is something Samba4 will need, as many of our links are > > cross-database. But fixing this for a single DB is a big help in any > > case. >=20 > Apparently this was fixed during the overlay's shakedown, as it seems to=20 > work as expected when only instantiated as global. In fact, nothing was=20 > preventing it from working this way by design, it only didn't work at=20 > some point of its evolution. Please test. Indeed, it works well as a global. Thanks! My only issue remaining is the clarification over the ASN.1 encoding of the control. Andrew Bartlett --=20 Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. --=-3TUJtt6yg+CvD9VzraMk Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQBJQdk5z4A8Wyi0NrsRAiiOAKCUywnlFS2RIZlclADU/woC7id7OwCfbfwD fh4vPeyWTWqBYACEYVFgdZA= =UdNB -----END PGP SIGNATURE----- --=-3TUJtt6yg+CvD9VzraMk--

1 0

Re: (ITS#5768) [enhancement] add support for Dereference Control
by abartlet＠samba.org 11 Dec '08

11 Dec '08

--=-WGywWWDfCXc78PSX7dDA Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Thu, 2008-12-11 at 23:17 +0100, Pierangelo Masarati wrote: > Andrew Bartlett wrote: > > On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote: > >> A tentative implementation is in HEAD, please test. You need to: > >=20 > > Thankyou very much. I downloaded CVS HEAD and tested it out (finally - > > the Samba4 side of the implementation took far longer than I expected). > >=20 > >> - configure as --enable-deref > >> > >> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't > >> work as global overlay yet, sorry). > >=20 > > This is something Samba4 will need, as many of our links are > > cross-database. But fixing this for a single DB is a big help in any > > case. > >=20 > >> - run searches like > >> > >> $ ldapsearch -x -b dc=3Dexample,dc=3Dcom -E 'deref=3Dmember:entryUUID' > >> > >> you'll see results like > >=20 > > When using Samba4's client, it seems to work, but it is as if it extend= s > > the control to the full expected length, but not the data. Ie, attache= d > > this is the control response I got back from the 'make testenv' > > environment in Samba4. I've also attached the full LDAP request. > >=20 > > The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4 > > parsing bug). >=20 > I've found the bug (erroneous manipulation of octet strings containing=20 > '\0' octets). The objectSid is octet string-valued. Should be fixed=20 > now; please test. While I'm mostly at sea on ASN.1, I don't think the OpenLDAP's implementation matches your IETF draft (if not, an education on subtle details of ASN.1 will be appreciated) draft-masarati-ldap-deref-00 > 2.3. Control Response >=20 >=20 > The control type is deref-oid (IANA assigned; see Section 6). The > specification of the Dereference Control response is: >=20 > controlValue ::=3D SEQUENCE OF derefRes DerefRes >=20 > DerefRes ::=3D SEQUENCE { > derefAttr AttributeDescription, > derefVal LDAPDN, > attrVals [0] PartialAttributeList OPTIONAL } >=20 > PartialAttributeList ::=3D SEQUENCE OF > partialAttribute PartialAttribute >=20 > PartialAttribute is defined in [RFC4511]; the definition is reported > here for clarity: >=20 > PartialAttribute ::=3D SEQUENCE { > type AttributeDescription, > vals SET OF value AttributeValue } >=20 the output of dumpasn1 on the control: > 0 983: SEQUENCE { > 4 168: SEQUENCE { > 7 8: OCTET STRING 'memberOf' > 17 56: OCTET STRING > : 'cn=3DEnterprise Admins,cn=3DUsers,dc=3Dsamba,dc=3Dexamp= l' > : 'e,dc=3Dcom' > 75 98: [0] { > 77 51: SEQUENCE { Shouldn't there be another SEQUENCE { here? > 79 9: OCTET STRING 'entryUUID' > 90 38: SET { > 92 36: OCTET STRING > '24476f18-5c24-102d-9945-7320c1040f54' > : } > : } > 130 43: SEQUENCE { > 132 9: OCTET STRING 'objectSid' > 143 30: SET { > 145 28: OCTET STRING > : 01 05 00 00 00 00 00 05 15 00 00 00 AB BE DB 7B > : 16 72 AE E6 53 BE 65 6F 07 02 00 00 > : } > : } > : } > : } >=20 Thanks, Andrew Bartlett --=20 Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. --=-WGywWWDfCXc78PSX7dDA Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQBJQa1Nz4A8Wyi0NrsRAtyAAJ9Dqzqn3DknKqThzy7KML5Z+i/h2wCfZ2nM d8HdE9UXPLaN2DZRwIseCk0= =HFZS -----END PGP SIGNATURE----- --=-WGywWWDfCXc78PSX7dDA--

1 0

Re: (ITS#5768) [enhancement] add support for Dereference Control
by ando＠sys-net.it 11 Dec '08

11 Dec '08

Andrew Bartlett wrote: > On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote: >> A tentative implementation is in HEAD, please test. You need to: > > Thankyou very much. I downloaded CVS HEAD and tested it out (finally - > the Samba4 side of the implementation took far longer than I expected). > >> - configure as --enable-deref >> >> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't >> work as global overlay yet, sorry). > > This is something Samba4 will need, as many of our links are > cross-database. But fixing this for a single DB is a big help in any > case. Apparently this was fixed during the overlay's shakedown, as it seems to work as expected when only instantiated as global. In fact, nothing was preventing it from working this way by design, it only didn't work at some point of its evolution. Please test. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

Re: (ITS#5768) [enhancement] add support for Dereference Control
by ando＠sys-net.it 11 Dec '08

11 Dec '08

Andrew Bartlett wrote: > On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote: >> A tentative implementation is in HEAD, please test. You need to: > > Thankyou very much. I downloaded CVS HEAD and tested it out (finally - > the Samba4 side of the implementation took far longer than I expected). > >> - configure as --enable-deref >> >> - enable the "deref" overlay in slapd, with "overlay deref" (doesn't >> work as global overlay yet, sorry). > > This is something Samba4 will need, as many of our links are > cross-database. But fixing this for a single DB is a big help in any > case. > >> - run searches like >> >> $ ldapsearch -x -b dc=example,dc=com -E 'deref=member:entryUUID' >> >> you'll see results like > > When using Samba4's client, it seems to work, but it is as if it extends > the control to the full expected length, but not the data. Ie, attached > this is the control response I got back from the 'make testenv' > environment in Samba4. I've also attached the full LDAP request. > > The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4 > parsing bug). I've found the bug (erroneous manipulation of octet strings containing '\0' octets). The objectSid is octet string-valued. Should be fixed now; please test. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

1 0

(ITS#5854) Double send response in meta backend
by jorge.perez＠adaptia.net 11 Dec '08

11 Dec '08

Full_Name: Jorge Perez Burgos Version: 2.4.11 OS: SLES 10 URL: ftp://ftp.openldap.org/incoming/back-meta_changes.diff.gz Submission from: (NULL) (194.237.142.20) Meta backend send two response codes when trying to reconnect to other slapd. Steps to reproduce: Configure two slapds, slapd_A and slapd_B. slapd_A connects to slapd_B trough meta backend. Do some traffic operations. Restart slapd_B and do some modify, delete or add operation, response code 52 is received although the operation is sucessful. Using a tcpdump you can see two response codes for the request. I attach a possible patch for this issue.

1 0

Re: (ITS#5768) [enhancement] add support for Dereference Control
by abartlet＠samba.org 10 Dec '08

10 Dec '08

--=-svDYOuAyXlEqIDWU48Ko Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Thu, 2008-12-11 at 12:22 +1100, Andrew Bartlett wrote: > On Thu, 2008-10-23 at 00:15 +0200, Pierangelo Masarati wrote: > > A tentative implementation is in HEAD, please test. You need to: >=20 > Thankyou very much. I downloaded CVS HEAD and tested it out (finally - > the Samba4 side of the implementation took far longer than I expected). >=20 > > - configure as --enable-deref > >=20 > > - enable the "deref" overlay in slapd, with "overlay deref" (doesn't > > work as global overlay yet, sorry). >=20 > This is something Samba4 will need, as many of our links are > cross-database. But fixing this for a single DB is a big help in any > case. >=20 > > - run searches like > > > > $ ldapsearch -x -b dc=3Dexample,dc=3Dcom -E 'deref=3Dmember:entryUUID' > >=20 > > you'll see results like >=20 > When using Samba4's client, it seems to work, but it is as if it extends > the control to the full expected length, but not the data. Ie, attached > this is the control response I got back from the 'make testenv' > environment in Samba4. I've also attached the full LDAP request. >=20 > The extra zeros also appear in the OpenLDAP logs (so it's not a Samba4 > parsing bug). >=20 > I can make the Samba4 tree that reproduces this available as a GIT > repository if you like. =20 To reproduce: In a checkout from git://git.samba.org/abartlet/samba.git master run: OPENLDAP_ROOT=3D/usr/local/ TEST_LDAP=3Dyes make testenv Then in the xterm that pops up, run: bin/ldbsearch -H ldap://localdc1 cn=3Dadministrator --controls=3Dextended_dn:1:1 This will not return the extended DN (compare with TEST_LDAP=3Dno), because it fails to parse the returned control in libcli/ldap/ldap_controls.c (I suspect my parser also needs work) Thanks, Andrew Bartlett --=20 Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. --=-svDYOuAyXlEqIDWU48Ko Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQBJQJosz4A8Wyi0NrsRAuLgAJwIYEfeK/rj9xXw+/2KiVhDPw6bvwCeJwaj Q/I64Xu6suP53nnqNT6Bkv0= =GSzF -----END PGP SIGNATURE----- --=-svDYOuAyXlEqIDWU48Ko--

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs