openldap-bugs

openldap-bugs@openldap.org

1 participants
20961 discussions

Re: (ITS#8724) slapo-pcache truncates remote results
by quanah＠symas.com 07 Sep '17

07 Sep '17

--On Wednesday, September 06, 2017 7:06 PM -0500 Adam Heath <adam(a)brainfood.com> wrote: > Well, then since you are confirming the bug, I would say this ticket > should *not* be closed. I already reopened it. ;) > I might just have to patch this to make it work. Make sure you follow the contribution guidelines: <https://www.openldap.org/devel/contributing.html> Thanks, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8724) slapo-pcache truncates remote results
by adam＠brainfood.com 07 Sep '17

07 Sep '17

I just cloned the source, and found where it removes the paging control. == /* NOTE: this is a quick workaround to let pcache minimally interact * with pagedResults. A more articulated solutions would be to * perform the remote query without control and cache all results, * performing the pagedResults search only within the client * and the proxy. This requires pcache to understand pagedResults. */ static int pcache_chk_controls( Operation *op, SlapReply *rs ) == Well, then since you are confirming the bug, I would say this ticket should *not* be closed. I might just have to patch this to make it work. The client software I'm actually working with is nextcloud, and it is *very* *very* *very* ldap chatty. And with 2900+ objectclass=group, and 3300 objectclass=person, it runs super dog slow. Their suggestion is to install a local ldap instance configured as a caching proxy, which has led us to here. I've already fixed several issues in nextcloud locally(the first one I ran into was $limit=400 hard-coded in the group search function). This kind of paged result handling needs to be dealt the same way an http proxy would deal with partial content caches. On Wed, Sep 6, 2017 at 4:22 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > Hi Adam, > > I would note that pcache is not back-ldap, so their behavior is not the > same. > > slapo-pcache strips out the paged results control, and has since 2005 > (ec532ce88590c5454025cbc030d9df65d2df634f). So in the 12 years since then, > you're the first to have an issue with the behavior. If you'd like to see a > change in relation to this, patches welcome. > > --Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

1 0

Re: (ITS#8724) slapo-pcache truncates remote results (fwd)
by quanah＠symas.com 06 Sep '17

06 Sep '17

Hi Adam, I would note that pcache is not back-ldap, so their behavior is not the same. slapo-pcache strips out the paged results control, and has since 2005 (ec532ce88590c5454025cbc030d9df65d2df634f). So in the 12 years since then, you're the first to have an issue with the behavior. If you'd like to see a change in relation to this, patches welcome. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com> -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8717) Connection delete callback registreed with LDAP_OPT_CONNECT_CB is not called on TLS failure
by hyc＠symas.com 06 Sep '17

06 Sep '17

ipuleston(a)SonicWALL.com wrote: > I have uploaded the patch to ftp.openldap.org/incoming as ian-puleston-1708= > 25.patch, and included it below. > > The code that it adds is pretty much copied from ldap_free_connection: Thanks for the report, added in master. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8719) slapd_crypt() become slow when many ldap cliant connections occur.
by hyc＠symas.com 06 Sep '17

06 Sep '17

yos-nishino(a)ys.jp.nec.com wrote: > Dear Howard-san, > >> That comment only applies when using LDAP_MEMORY_DEBUG and is irrelevant. > > I saw memory.c again.=20 > As you told, I confirmed the comment was available only when LDAP_MEMORY_DE= > BUG was used(from line 27 to line 119). > > I am sorry to bother you, and I am grateful for your help. > I am going to use "case2" patch, which I expect slapd_crypt() becomes much = > faster. Thanks for the patch, now in git master. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8724) slapo-pcache truncates remote results
by adam＠brainfood.com 06 Sep '17

06 Sep '17

I'll say it another way. ldapsearch is asking for 200 items at a time. But it gets 2000 from the local slapd, when pcache is enabled. What the local client is asking of slapd should be separate from how it talks to the back-ldap. If the back-ldap returns more results then the requested page size, then slapd should handle that. On Wed, Sep 6, 2017 at 12:59 PM, Adam Heath <adam(a)brainfood.com> wrote: > No, it's a pcache bug. > > 10.10.55.128(remote active directory) works > localhost(without pcache) works > localhost(with pcache) breaks. > > Paging of the results *does* work with AD. And works with back-ldap, > pointed at AD. It's only when pcache is added that the paging options > are ignored. > > On Wed, Sep 6, 2017 at 12:48 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: >> --On Wednesday, September 06, 2017 6:15 PM +0000 adam(a)brainfood.com wrote: >> >>> Full_Name: Adam Heath >>> Version: 2.4.44 >>> OS: debian stretch >>> URL: ftp://ftp.openldap.org/incoming/ >>> Submission from: (NULL) (99.146.168.62) >>> >>> >>> I have configured slapd to proxy to a remote server. >>> >>> Using ldapsearch, I can talk directly to that remote server, and using the >>> pr=200/noprompt option, I get back 2900 results. >>> >>> Pointing ldapsearch at localhost, *without* pcache, I get the same set of >>> results(pages, and the final count is correct). >>> >>> When I enabled slapo-pcache, with *no* attribute sets, then the paging >>> options are removed, and I get only 2000 results(the max-size from the >>> remote server). >> >> >> Hi Adam, >> >> slapo-pcahce is acting in the correct fashion. It would appear that your >> remote system is Active Directory, which in typical Microsoft fashion, >> deliberately mis-implements paged results so that it incorrectly ignores the >> maxsize setting when paged results are in use (contrary to specifications). >> I would generally suggest talking to the AD administrator so that the bind >> identity of the pcache database is not subject to the maxsize limitation. >> >> This ITS will be closed. >> >> Regards, >> Quanah >> >> >> -- >> >> Quanah Gibson-Mount >> Product Architect >> Symas Corporation >> Packaged, certified, and supported LDAP solutions powered by OpenLDAP: >> <http://www.symas.com> >>

1 0

Re: (ITS#8724) slapo-pcache truncates remote results
by adam＠brainfood.com 06 Sep '17

06 Sep '17

No, it's a pcache bug. 10.10.55.128(remote active directory) works localhost(without pcache) works localhost(with pcache) breaks. Paging of the results *does* work with AD. And works with back-ldap, pointed at AD. It's only when pcache is added that the paging options are ignored. On Wed, Sep 6, 2017 at 12:48 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Wednesday, September 06, 2017 6:15 PM +0000 adam(a)brainfood.com wrote: > >> Full_Name: Adam Heath >> Version: 2.4.44 >> OS: debian stretch >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (99.146.168.62) >> >> >> I have configured slapd to proxy to a remote server. >> >> Using ldapsearch, I can talk directly to that remote server, and using the >> pr=200/noprompt option, I get back 2900 results. >> >> Pointing ldapsearch at localhost, *without* pcache, I get the same set of >> results(pages, and the final count is correct). >> >> When I enabled slapo-pcache, with *no* attribute sets, then the paging >> options are removed, and I get only 2000 results(the max-size from the >> remote server). > > > Hi Adam, > > slapo-pcahce is acting in the correct fashion. It would appear that your > remote system is Active Directory, which in typical Microsoft fashion, > deliberately mis-implements paged results so that it incorrectly ignores the > maxsize setting when paged results are in use (contrary to specifications). > I would generally suggest talking to the AD administrator so that the bind > identity of the pcache database is not subject to the maxsize limitation. > > This ITS will be closed. > > Regards, > Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

1 0

Re: (ITS#8724) slapo-pcache truncates remote results
by quanah＠symas.com 06 Sep '17

06 Sep '17

--On Wednesday, September 06, 2017 6:15 PM +0000 adam(a)brainfood.com wrote: > Full_Name: Adam Heath > Version: 2.4.44 > OS: debian stretch > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (99.146.168.62) > > > I have configured slapd to proxy to a remote server. > > Using ldapsearch, I can talk directly to that remote server, and using the > pr=200/noprompt option, I get back 2900 results. > > Pointing ldapsearch at localhost, *without* pcache, I get the same set of > results(pages, and the final count is correct). > > When I enabled slapo-pcache, with *no* attribute sets, then the paging > options are removed, and I get only 2000 results(the max-size from the > remote server). Hi Adam, slapo-pcahce is acting in the correct fashion. It would appear that your remote system is Active Directory, which in typical Microsoft fashion, deliberately mis-implements paged results so that it incorrectly ignores the maxsize setting when paged results are in use (contrary to specifications). I would generally suggest talking to the AD administrator so that the bind identity of the pcache database is not subject to the maxsize limitation. This ITS will be closed. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

(ITS#8724) slapo-pcache truncates remote results
by adam＠brainfood.com 06 Sep '17

06 Sep '17

Full_Name: Adam Heath Version: 2.4.44 OS: debian stretch URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (99.146.168.62) I have configured slapd to proxy to a remote server. Using ldapsearch, I can talk directly to that remote server, and using the pr=200/noprompt option, I get back 2900 results. Pointing ldapsearch at localhost, *without* pcache, I get the same set of results(pages, and the final count is correct). When I enabled slapo-pcache, with *no* attribute sets, then the paging options are removed, and I get only 2000 results(the max-size from the remote server). Command: docker exec -ti caching-ad ldapsearch -E pr=200/noprompt -o ldif-wrap=no -z none -w 'XXXX' -b 'XXXX' -D 'XXXX' '(objectclass=group)' dn -h localhost|grep -A 5 '# search result' slapd.conf: == egrep -v '^(#|$)' ../app-hosting/brainfood-docker-image-recipes/openldap/files/caching-slapd.conf include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel none modulepath /usr/lib/ldap moduleload back_ldap.la moduleload back_hdb.la moduleload back_bdb.la moduleload rwm moduleload pcache.la moduleload memberof.la sizelimit 5000 tool-threads 1 backend ldap readonly yes database ldap protocol-version 3 rebind-as-user norefs yes chase-referrals no uri "ldap://192.168.178.2:389" suffix "dc=ldap01,dc=com" rootdn "cn=admin,dc=ldap01,dc=com" rootpw "foobar" overlay memberof overlay pcache proxyCache hdb 100000 3 1000 100 pcachePersist TRUE cachesize 200 directory /var/lib/ldap == I expect pcache to not truncate the results from the remote server.

1 0

Re: (ITS#8703) slapd should create its PID file before dropping privileges
by hyc＠symas.com 06 Sep '17

06 Sep '17

michael(a)orlitzky.com wrote: > On 09/06/2017 09:29 AM, Howard Chu wrote: >> >> Learn something about Unix, please. >> >> Use the ps command to verify that the process at least has the correct name. >> The init script should know it's looking for a process named slapd, not init. >> > > Supposing we want to copy/paste two or more "ps" calls into every slapd > init script, this still lets a hacker prevent his own hacked process > from being killed by writing junk into the file. > > If the standard practice was to write the PID file as an unprivileged > user, we would need to not only copy/paste those "ps" calls into every > slapd init script, but literally every init script for every daemon. > Apparently my predecessors didn't want to do that, so the standard > practice is to write the PID file as root. Do with that information what > you will. Apparently your predecessors also didn't understand that PIDs get recycled. If your init scripts are just blindly trusting the contents of PID files they're all broken already. But none of that is of any concern of the OpenLDAP Project. Closing this ITS as Invalid. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs