openldap-bugs

openldap-bugs@openldap.org

1 participants
20960 discussions

Re: (ITS#8623) test022-ppolicy can fail due to timing dependency between lockout and expiration tests
by subbarao＠computer.org 22 Mar '17

22 Mar '17

On 03/22/2017 03:19 PM, Quanah Gibson-Mount wrote: > Even better is to use the SLEEP variables instead of hard coded > values. Then they can be overridden in the test environment if > necessary for specific VMs. > > At the moment we have: > > quanah@ub16:~/git/openldap/openldap-head/tests/scripts$ grep SLEEP > defines.sh > SLEEP0=${SLEEP0-1} > SLEEP1=${SLEEP1-7} > SLEEP2=${SLEEP2-15} > > It may be useful to add things like SLEEP10, SLEEP20, etc, and rebase > tests off of that. 1/7/15 seem rather odd increments (no pun intended!). This could well be a very good idea for broader reasons, but it probably would be less desirable as a sole solution for this particular situation, at least for my use case. In this case, I'm backporting 2.4.44 for zesty to 14.04 LTS. Ideally, I want this to be a clean rebuild, without any code changes. I'm especially reluctant to maintain a customized package for something that doesn't affect the behavior of the actual software. So having more variable(s) that need to be tuned, and thus changed from the vanilla Ubuntu package, isn't too appealing :-) Hopefully there's an agreeable solution to this issue that will make it work for everyone out of the box. In any case, I appreciate your and Howard's responses to this! Regards, -Kartik

1 0

Re: (ITS#8623) test022-ppolicy can fail due to timing dependency between lockout and expiration tests
by subbarao＠computer.org 22 Mar '17

22 Mar '17

On 03/22/2017 03:11 PM, Howard Chu wrote: >> A recent 2.4.44 package build failed on a VM due to the following timing >> dependency between the lockout and expiration tests in test022-ppolicy. > > Clocks on VMs are notoriously unstable, which is why we have always > used such large margins in these tests. Shaving things down to "1 > second more than needed" will probably break in multiple build > environments. Just to make sure we're understanding each other clearly -- are you saying that you've seen VMs where "sleep 10" won't sleep for at *least* 10 actual seconds? I haven't come across this, but if you have, then the adaptive solution where line 91 checks to see how many seconds have elapsed since line 67, and then calculates how much more it needs to sleep (perhaps with some more buffer) could be effective. If that doesn't work, then another thought might be to widen the difference between pwdLockoutDuration and pwdMaxAge to enable greater separation between the two tests, and adjust the script accordingly. Regards, -Kartik

1 0

Re: Re: (ITS#8546) "allow bind_anon_cred" in slapd.conf does not work as expected
by yelin＠venustech.com.cn 22 Mar '17

22 Mar '17

This is a multi-part message in MIME format. ------=_001_NextPart714452840021_=---- Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: base64 SGVsbG8gUXVhbmFoDQpJIGFtIGZpbmUgdG8gY2xvc2UgdGhpcyBJVFMuDQoNCkluIHRoaXMgY2Fz ZSwgSSBvd2UgeW91IGEgJ1RoYW5rcycgZm9yIHJlc29sdmluZyB0aGUgaXNzdWUgaW4gbXkgcHJv amVjdC4NCkJ1dCB0aGUgdXNlciBleHBlcmllbmNlIGlzIHBvb3IuDQpGcm9tIHRoZSBjdXN0b21l cidzIHBvaW50IG9mIHZpZXcsIGl0IGlzIGhhcmQgdG8gZGV0ZXJtaW5lIGEgYnVnIG9yIGEgbWlz dW5kZXJzdGFuZGluZyB3aGVuIHRoZSByZXN1bHQgaXMgdW5leHBlY3RlZC4gDQoNCkJlc3RzLA0K DQoNCg0KDQp5ZWxpbkB2ZW51c3RlY2guY29tLmNuDQogDQpGcm9tOiBRdWFuYWggR2lic29uLU1v dW50DQpEYXRlOiAyMDE3LTAzLTIyIDIzOjI2DQpUbzogeWVsaW47IG9wZW5sZGFwLWl0cw0KU3Vi amVjdDogUmU6IChJVFMjODU0NikgImFsbG93IGJpbmRfYW5vbl9jcmVkIiBpbiBzbGFwZC5jb25m IGRvZXMgbm90IHdvcmsgYXMgZXhwZWN0ZWQNCkhlbGxvIFllbGluLA0KIA0KVGhlIElUUyBzeXN0 ZW0gaXMgZm9yIGZpbGluZyBidWcgcmVwb3J0cywgbm90IGZvciBhc2tpbmcgaGVscCB3aXRoIHNs YXBkIA0KY29uZmlndXJhdGlvbi4gIFRoZSBjb3JyZWN0IHJlc291cmNlIGZvciBjb25maWd1cmF0 aW9uIHF1ZXN0aW9ucyBpcyB0aGUgDQpvcGVubGRhcC10ZWNobmljYWwgbGlzdDoNCiANCjxodHRw Oi8vd3d3Lm9wZW5sZGFwLm9yZy9saXN0cy9tbS9saXN0aW5mby9vcGVubGRhcC10ZWNobmljYWw+ DQogDQogDQpZb3VyIHVuZGVyc3RhbmRpbmcgb2YgaG93IHRoaXMgZmVhdHVyZSB3b3JrcyBpcyBp bmNvcnJlY3QuICBBcyBub3RlZCBpbiB0aGUgDQpzbGFwZC5jb25mKDUpIG1hbiBwYWdlOg0KIA0K YmluZF9hbm9uX2NyZWQgYWxsb3dzIGFub255bW91cyBiaW5kIHdoZW4gY3JlZGVudGlhbHMgYXJl IG5vdCBlbXB0eSAoZS5nLiANCndoZW4gRE4gaXMgZW1wdHkpLg0KIA0KVGhlIG9wdGlvbiB5b3Ug YXJlIGxvb2tpbmcgZm9yIGluIHlvdXIgY2FzZSBpczoNCiANCmJpbmRfYW5vbl9kbiAgYWxsb3dz IHVuYXV0aGVudGljYXRlZCAoYW5vbnltb3VzKSBiaW5kIHdoZW4gRE4gaXMgbm90IGVtcHR5Lg0K IA0KVGhpcyBJVFMgd2lsbCBiZSBjbG9zZWQuDQogDQpSZWdhcmRzLA0KUXVhbmFoDQogDQotLQ0K IA0KUXVhbmFoIEdpYnNvbi1Nb3VudA0KUHJvZHVjdCBBcmNoaXRlY3QNClN5bWFzIENvcnBvcmF0 aW9uDQpQYWNrYWdlZCwgY2VydGlmaWVkLCBhbmQgc3VwcG9ydGVkIExEQVAgc29sdXRpb25zIHBv d2VyZWQgYnkgT3BlbkxEQVA6DQo8aHR0cDovL3d3dy5zeW1hcy5jb20+DQogDQo= ------=_001_NextPart714452840021_=---- Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable <html><head><meta http-equiv=3D"content-type" content=3D"text/html; charse= t=3DISO-8859-1"><style>body { line-height: 1.5; }blockquote { margin-top: = 0px; margin-bottom: 0px; margin-left: 0.5em; }body { font-size: 10.5pt; fo= nt-family: ????; color: rgb(0, 0, 0); line-height: 1.5; }</style></head><b= ody>=0A<div><span></span>Hello <span style=3D"font-size: 10.5pt; line= -height: 1.5; background-color: window;">Quanah</span></div><div>I am fine= to close this ITS.</div><div><br></div><div><span style=3D"font-size: 10.= 5pt; line-height: 1.5; background-color: window;">In this case, I owe you = a 'Thanks' for resolving the issue in my project.</span></div><div>But the= user experience is poor.</div><div><span style=3D"font-size: 10.5pt; line= -height: 1.5; background-color: window;">From the customer's point of view= , it is hard to determine a bug or a misunderstanding when the result is u= nexpected. </span></div><div><br></div><div>Bests,</div><div><br></di= v>=0A<div><br></div><hr style=3D"width: 210px; height: 1px;" color=3D"#b5c= 4df" size=3D"1" align=3D"left">=0A<div><span><div style=3D"MARGIN: 10px; F= ONT-FAMILY: verdana; FONT-SIZE: 10pt"><div>yelin(a)venustech.com.cn</div></d= iv></span></div>=0A<blockquote style=3D"margin-top: 0px; margin-bottom: 0p= x; margin-left: 0.5em;"><div> </div><div style=3D"border:none;border-= top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div style=3D"PADDING-R= IGHT: 8px; PADDING-LEFT: 8px; FONT-SIZE: 12px;FONT-FAMILY:tahoma;COLOR:#00= 0000; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px"><div><b>= From:</b> <a href=3D"mailto:quanah@symas.com">Quanah Gibson-Mount</a>= </div><div><b>Date:</b> 2017-03-22 23:26</div><div><b>To:</b>&nb= sp;<a href=3D"mailto:yelin@venustech.com.cn">yelin</a>; <a href=3D"mailto:= openldap-its(a)openldap.org">openldap-its</a></div><div><b>Subject:</b>&nbsp= ;Re: (ITS#8546) "allow bind_anon_cred" in slapd.conf does not work as expe= cted</div></div></div><div><div>Hello Yelin,</div>=0A<div> </div>=0A<= div>The ITS system is for filing bug reports, not for asking help with sla= pd </div>=0A<div>configuration.  The correct resource for configurati= on questions is the </div>=0A<div>openldap-technical list:</div>=0A<div>&n= bsp;</div>=0A<div><http://www.openldap.org/lists/mm/listinfo/openldap-t= echnical></div>=0A<div> </div>=0A<div> </div>=0A<div>Your und= erstanding of how this feature works is incorrect.  As noted in the <= /div>=0A<div>slapd.conf(5) man page:</div>=0A<div> </div>=0A<div>bind= _anon_cred allows anonymous bind when credentials are not empty (e.g. </di= v>=0A<div>when DN is empty).</div>=0A<div> </div>=0A<div>The option y= ou are looking for in your case is:</div>=0A<div> </div>=0A<div>bind_= anon_dn  allows unauthenticated (anonymous) bind when DN is not empty= .</div>=0A<div> </div>=0A<div>This ITS will be closed.</div>=0A<div>&= nbsp;</div>=0A<div>Regards,</div>=0A<div>Quanah</div>=0A<div> </div>= =0A<div>--</div>=0A<div> </div>=0A<div>Quanah Gibson-Mount</div>=0A<d= iv>Product Architect</div>=0A<div>Symas Corporation</div>=0A<div>Packaged,= certified, and supported LDAP solutions powered by OpenLDAP:</div>=0A<div= ><http://www.symas.com></div>=0A<div> </div>=0A</div></blockquo= te>=0A</body></html> ------=_001_NextPart714452840021_=------

1 0

Re: (ITS#8623) test022-ppolicy can fail due to timing dependency between lockout and expiration tests
by quanah＠symas.com 22 Mar '17

22 Mar '17

--On Wednesday, March 22, 2017 8:11 PM +0000 hyc(a)symas.com wrote: > subbarao(a)computer.org wrote: >> Full_Name: Kartik Subbarao >> Version: 2.4.44 >> OS: Linux >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (108.52.86.252) >> >> >> A recent 2.4.44 package build failed on a VM due to the following timing >> dependency between the lockout and expiration tests in test022-ppolicy. > > Clocks on VMs are notoriously unstable, which is why we have always used > such large margins in these tests. Shaving things down to "1 second more > than needed" will probably break in multiple build environments. Even better is to use the SLEEP variables instead of hard coded values. Then they can be overridden in the test environment if necessary for specific VMs. At the moment we have: quanah@ub16:~/git/openldap/openldap-head/tests/scripts$ grep SLEEP defines.sh SLEEP0=${SLEEP0-1} SLEEP1=${SLEEP1-7} SLEEP2=${SLEEP2-15} It may be useful to add things like SLEEP10, SLEEP20, etc, and rebase tests off of that. 1/7/15 seem rather odd increments (no pun intended!). --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8623) test022-ppolicy can fail due to timing dependency between lockout and expiration tests
by hyc＠symas.com 22 Mar '17

22 Mar '17

subbarao(a)computer.org wrote: > Full_Name: Kartik Subbarao > Version: 2.4.44 > OS: Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (108.52.86.252) > > > A recent 2.4.44 package build failed on a VM due to the following timing > dependency between the lockout and expiration tests in test022-ppolicy. Clocks on VMs are notoriously unstable, which is why we have always used such large margins in these tests. Shaving things down to "1 second more than needed" will probably break in multiple build environments. > > The problem is that the password expiration time is 30 seconds, and on slower > VMs, lines 67-91 take more than 30 seconds to execute. This causes the password > to expire by the time the ldapsearch command on line 93 is executed. That > ldapsearch command eats up one of the grace logins that's not supposed to be > consumed until line 106. This causes the grep count on line 124 to be off, > failing the entire script. > > A simple improvement would be to change line 91 to "sleep 10" instead of the > current "sleep 20". This would buy 10 more seconds of leeway on slower VMs, > while guaranteeing sufficient delay between lines 67-90 (e.g. 16 seconds, 1 > second more than the 15 second lockout time) on fast VMs. A more robust > improvement would be to check how much time has actually elapsed between lines > 67-90 and change line 91 to only sleep until 16 total seconds have elapsed since > line 67. > > Another suggestion would be to change the "sleep 20" on line 104 to "sleep 15". > That will shave 5 seconds off the build time for everyone, while still > guaranteeing that 31 seconds (e.g. 1 second more than the 30 second expiration > time) will have elapsed between lines 67-106). > > A further optimization could be implemented, if desired, by revisiting the test > and reducing all lockout times, expiration times, and other delays to the bare > minimum necessary, which would speed up package build times across the board. > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8622) Getting MDB_CORRUPTED when deleting within a DUPSORT database
by h.b.furuseth＠usit.uio.no 22 Mar '17

22 Mar '17

I wrote: > URL: http://www.openldap.org/lists/openldap-technical/201703/msg00043.html malloc (sizeof (KeyDataType) * recordCount); in the test program should be calloc (recordCount, sizeof (KeyDataType)); to avoid writing uninit'ed data. And the test can be a lot smaller and faster: static long size = 50000000; static int recordCount = 600000; static int majorIdCount = 2500; static int minorIdCount = 5000;

1 0

(ITS#8623) test022-ppolicy can fail due to timing dependency between lockout and expiration tests
by subbarao＠computer.org 22 Mar '17

22 Mar '17

Full_Name: Kartik Subbarao Version: 2.4.44 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (108.52.86.252) A recent 2.4.44 package build failed on a VM due to the following timing dependency between the lockout and expiration tests in test022-ppolicy. The problem is that the password expiration time is 30 seconds, and on slower VMs, lines 67-91 take more than 30 seconds to execute. This causes the password to expire by the time the ldapsearch command on line 93 is executed. That ldapsearch command eats up one of the grace logins that's not supposed to be consumed until line 106. This causes the grep count on line 124 to be off, failing the entire script. A simple improvement would be to change line 91 to "sleep 10" instead of the current "sleep 20". This would buy 10 more seconds of leeway on slower VMs, while guaranteeing sufficient delay between lines 67-90 (e.g. 16 seconds, 1 second more than the 15 second lockout time) on fast VMs. A more robust improvement would be to check how much time has actually elapsed between lines 67-90 and change line 91 to only sleep until 16 total seconds have elapsed since line 67. Another suggestion would be to change the "sleep 20" on line 104 to "sleep 15". That will shave 5 seconds off the build time for everyone, while still guaranteeing that 31 seconds (e.g. 1 second more than the 30 second expiration time) will have elapsed between lines 67-106). A further optimization could be implemented, if desired, by revisiting the test and reducing all lockout times, expiration times, and other delays to the bare minimum necessary, which would speed up package build times across the board.

1 0

RE: (ITS#8402) indexing issue
by quanah＠symas.com 22 Mar '17

22 Mar '17

--On Wednesday, April 13, 2016 5:00 PM +0000 escriba(a)cells.es wrote: > Mail system message that raised the alarm: > > Reporting-MTA: dns; mail01.xxxx.xx > X-Postfix-Queue-ID: 24C5526003F > X-Postfix-Sender: rfc822; xxxxx at xxx .xy > Arrival-Date: Wed, 13 Apr 2016 16:30:34 +0200 (CEST) > > Final-Recipient: rfc822; xxxxx @ xxx .xy > Original-Recipient: rfc822; xxxxxx at xxx .xy > Action: failed > Status: 5.1.1 > Remote-MTA: dns; mail02.xxxx.xx > Diagnostic-Code: smtp; 550 5.1.1 <xxxxxxx at xxx .xy >: Recipient address > rejected: User unknown in local recipient table > > >> From my point of view indexing, even if not needed, may never do the >> queries > fail, isn't it? > But seems something weird happened. Hello, I would note that you reported using a very ancient version of OpenLDAP (2.4.23, released June 2010). It's possible you encountered a bug that has long since been fixed. I would advise using a current release of OpenLDAP. If you still encounter the same issue with indices, then please follow up to this ITS. In the meantime, this ITS will be closed. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8451) slapd[27939]: connection_input: conn=1295612 deferring operation: binding
by quanah＠symas.com 22 Mar '17

22 Mar '17

Hello, The ITS system is for reporting bugs with OpenLDAP, rather than help/configuration requests such as what was filed in your report. In the future, please use the OpenLDAP technical mailing list. This ITS will be closed. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8546) "allow bind_anon_cred" in slapd.conf does not work as expected
by quanah＠symas.com 22 Mar '17

22 Mar '17

Hello Yelin, The ITS system is for filing bug reports, not for asking help with slapd configuration. The correct resource for configuration questions is the openldap-technical list: <http://www.openldap.org/lists/mm/listinfo/openldap-technical> Your understanding of how this feature works is incorrect. As noted in the slapd.conf(5) man page: bind_anon_cred allows anonymous bind when credentials are not empty (e.g. when DN is empty). The option you are looking for in your case is: bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty. This ITS will be closed. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs