On Sun, Jun 29, 2008 at 05:23:57PM -0700, Howard Chu wrote:
> Steve Langasek wrote:
>> Is the correct fix to add
>> this function to the ldap_extra_t struct, as in the attached patch?
> Pretty much. There are a few other functions that need to be added as
> well. All of them are provided in current CVS HEAD, just grab the
> relevant changes from there.
Ok. With the patch from CVS HEAD applied, I'm seeing a segfault in make
test (specifically, the meta backend test):
>>>>> Starting test035-meta ...
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to check that slapd is running...
Using ldapadd to populate the database...
Starting slapd on TCP/IP port 9012...
Using ldapsearch to check that slapd is running...
Using ldapadd to populate the database...
Starting slapd on TCP/IP port 9013...
/home/devel/openldap/build-area/openldap2.3-2.4.10/tests/scripts/test035-meta: line 118: 22990 Segmentation fault $SLAPD -f $CONF3 -h $URI3 -d $LVL /$TIMING > $LOG3 2>&1
Are you seeing this as well, or is this somehow specific to Debian? (It
doesn't seem like it should be related to libltdl in any way, and we don't
have any other patches that touch the meta backend; and I saw this segfault
both with the version of the patch I sent, and the one extracted from CVS.)
Unfortunately, running these tests under gdb seems to be pretty awkward. :/
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek(a)ubuntu.com vorlon(a)debian.org
I've uploaded the patch to http://abartlet.net/memberof.patch
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
I think I've figured out the right way to fix this, handling modify with
0 replacement elements just like a delete.
See attached.
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
Full_Name: Andrew Bartlett
Version: CVS HEAD
OS: Fedora 9
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (59.167.251.137)
The memberOf plugin asserts if I attempt a modify like:
(snippet from our python test script, using ldb, but I hope you get the idea)
ldb.modify_ldif("""
dn: cn=ldaptestgroup2,cn=users,""" + self.base_dn + """
changetype: modify
replace: member
""")
slapd: memberof.c:849: memberof_op_modify: Assertion `ml->sml_mod.sm_nvalues !=
((void *)0)' failed.
I think this just needs to be handled like the delete case, which our tests
already show pass correctly.
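The semantics at issue in this report, as an added model (not OpenLDAP's memberof.c): per RFC 4511 a modify "replace" that carries no values removes the attribute, so it has to take the same path as a whole-attribute "delete", and the memberOf overlay must then drop memberOf from every former member. The group entry and the LDIF record below are constructed; the LDIF mirrors the ldb snippet in the report.

```python
# Added example for the report above, not OpenLDAP's memberof.c: a model of the
# modify semantics the overlay must honour. RFC 4511 4.6: a "replace" with no
# values removes the attribute, exactly like a whole-attribute "delete".
from typing import Dict, List, Set, Tuple

Entry = Dict[str, Set[str]]
Mod = Tuple[str, str, List[str]]  # (op, attribute, values)

def parse_modify_ldif(text: str) -> Tuple[str, List[Mod]]:
    """Parse one 'changetype: modify' LDIF record into (dn, mods)."""
    lines = [l.rstrip() for l in text.strip().splitlines() if l.strip()]
    if not lines[0].startswith("dn: ") or lines[1].lower() != "changetype: modify":
        raise ValueError("not an LDIF modify record")
    dn, mods, i = lines[0][4:], [], 2
    while i < len(lines):
        op, attr = lines[i].split(": ", 1)
        if op not in ("add", "delete", "replace"):
            raise ValueError(f"bad modify op {op!r}")
        i, values = i + 1, []
        while i < len(lines) and lines[i] != "-":  # values up to the separator
            values.append(lines[i].split(": ", 1)[1])
            i += 1
        mods.append((op, attr, values))  # values == [] for the report's case
        i += 1  # skip "-" (absent at end of record, as in the report)
    return dn, mods

def apply_mod(entry: Entry, op: str, attr: str, values: List[str]) -> Tuple[Set[str], Set[str]]:
    """Apply one modification in place; return (removed, added) values."""
    before = set(entry.get(attr, set()))
    vals = set(values)
    if op == "add":
        after = before | vals
    elif op == "delete":
        after = before - vals if vals else set()  # no values: drop the attribute
    elif op == "replace":
        after = vals  # an empty set here is exactly the delete-everything case
    else:
        raise ValueError(f"unknown modify op {op!r}")
    if after:
        entry[attr] = after
    else:
        entry.pop(attr, None)
    return before - after, after - before

def memberof_maintenance(group_dn: str, entry: Entry, mods: List[Mod]) -> List[Tuple[str, str, str]]:
    """Apply mods to the group; return the memberOf changes due on member entries."""
    changes = []
    for op, attr, values in mods:
        removed, added = apply_mod(entry, op, attr, values)
        if attr.lower() == "member":
            changes += [(m, "delete", group_dn) for m in sorted(removed)]
            changes += [(m, "add", group_dn) for m in sorted(added)]
    return changes

CONSTRUCTED_GROUP: Entry = {  # constructed sample group
    "objectClass": {"groupOfNames"},
    "member": {"cn=alice,cn=users,dc=example,dc=com", "cn=bob,cn=users,dc=example,dc=com"},
}
CONSTRUCTED_LDIF = """
dn: cn=ldaptestgroup2,cn=users,dc=example,dc=com
changetype: modify
replace: member
"""

def demo(ldif: str = CONSTRUCTED_LDIF):
    """Run the report's zero-value replace against a copy of the group."""
    group = dict(CONSTRUCTED_GROUP)
    dn, mods = parse_modify_ldif(ldif)
    return group, memberof_maintenance(dn, group, mods)
```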
Steve Langasek wrote:
> Is the correct fix to add
> this function to the ldap_extra_t struct, as in the attached patch?
Pretty much. There are a few other functions that need to be added as well.
All of them are provided in current CVS HEAD, just grab the relevant changes
from there.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On Thu, 2008-02-28 at 10:15 +0100, Pierangelo Masarati wrote:
> Andrew Bartlett wrote:
> > On Thu, 2008-02-28 at 10:02 +0100, Pierangelo Masarati wrote:
> >> abartlet(a)samba.org wrote:
> >>> Full_Name: Andrew Bartlett
> >>> Version: CVS HEAD
> >>> OS: Fedora 8
> >>> URL: http://abartlet.net/patches/memberof-refint.patch
> >>> Submission from: (NULL) (59.167.251.137)
> >>>
> >>>
> >>> I've added a patch to show that refint and memberof work together.
> >> Your patch seems to be missing some (trivial) modification to
> >> tests/scripts/define.sh (the MEMBEROFREFINTOUT env var).
>
> Thanks. In the meanwhile I figured it out (easy enough ;), and it seems
> to work fine. I'm going to commit it, unless there's any IPR issue
> (which I'd delegate to Howard or Kurt).
Is there anything more that needs to be done here?
If you need an IPR note, then please consider the modifications in this
contribution licensed:
Copyright 2008 Red Hat Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP Public
License.
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
On Sun, Jun 29, 2008 at 11:49:37AM -0700, Howard Chu wrote:
> vorlon(a)debian.org wrote:
>> This bug is marked as fixed in 2.4.8, but I still see the same problem in
>> the test suite in 2.4.10. Trying to start slapd with back-meta gives:
>> /home/devel/openldap/build-area/openldap2.3-2.4.10/debian/build/servers/slapd/.libs/lt-slapd: symbol lookup error: ../servers/slapd/back-meta/.libs/back_meta-2.4.so.2: undefined symbol: slap_idassert_parse_cf
>> Is this a regression since 2.4.8?
> Looks more like an incomplete fix. The functions in question haven't
> changed since 2006. Since we're not using a hacked libltdl the problem
> you're seeing doesn't show up here. I guess you should have tested this
> sooner...
Well, given that back_meta has been broken for an indeterminate period of
time on systems whose libltdl doesn't use the insane RTLD_GLOBAL option :),
the Debian userbase for that backend is roughly nonexistent which means
verifying the fix was not a high priority (except that I would like to be
able to turn on 'make test' during our builds). Is the correct fix to add
this function to the ldap_extra_t struct, as in the attached patch?
Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek(a)ubuntu.com vorlon(a)debian.org
Content-Disposition: attachment; filename=no_backend_inter-linking
Index: trunk/servers/slapd/back-ldap/back-ldap.h
===================================================================
--- trunk.orig/servers/slapd/back-ldap/back-ldap.h
+++ trunk/servers/slapd/back-ldap/back-ldap.h
@@ -428,6 +428,8 @@
int (*proxy_authz_ctrl)( Operation *op, SlapReply *rs, struct berval *bound_ndn,
int version, slap_idassert_t *si, LDAPControl *ctrl );
int (*controls_free)( Operation *op, SlapReply *rs, LDAPControl ***pctrls );
+ int (*idassert_parse_cf)( const char *fname, int lineno, int argc,
+ char *argv[], slap_idassert_t *si );
} ldap_extra_t;
LDAP_END_DECL
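Review bot: the new idassert_parse_cf member is appended after controls_free in ldap_extra_t, and since this table is what back-meta reaches through at run time, member order is an ABI between two separately loaded modules; a comment above the struct stating that members may only be appended, and that every module filling the table must update its initializer (back-ldap/init.c does so in this patch), would make that contract explicit. The pointer signature (const char *fname, int lineno, int argc, char *argv[], slap_idassert_t *si) matches the arguments passed at both call sites in back-meta/config.c, so the type itself looks right.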
Index: trunk/servers/slapd/back-meta/config.c
===================================================================
--- trunk.orig/servers/slapd/back-meta/config.c
+++ trunk/servers/slapd/back-meta/config.c
@@ -1089,7 +1089,7 @@
}
cargv[ 2 ] = binddn;
- rc = slap_idassert_parse_cf( fname, lineno, cargc, cargv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
+ rc = mi->mi_ldap_extra->idassert_parse_cf( fname, lineno, cargc, cargv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
if ( rc == 0 ) {
struct berval bv;
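Review bot: mi->mi_ldap_extra->idassert_parse_cf( ... ) dereferences mi->mi_ldap_extra with no NULL check at config-parse time, so if the module that fills this table has not been loaded when this idassert directive is parsed, slapd dies on a NULL dereference instead of reporting a configuration error. Either confirm mi_ldap_extra is guaranteed non-NULL before any target configuration is parsed, or guard it along the lines of "if ( mi->mi_ldap_extra == NULL ) { Debug( ... ); return 1; }", matching the "return 1;" error path visible in the next hunk.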
@@ -1159,7 +1159,7 @@
return 1;
}
- return slap_idassert_parse_cf( fname, lineno, argc, argv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
+ return mi->mi_ldap_extra->idassert_parse_cf( fname, lineno, argc, argv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
/* idassert-authzFrom */
} else if ( strcasecmp( argv[ 0 ], "idassert-authzFrom" ) == 0 ) {
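Review bot: this is the second call site spelled out as the same very long mi->mi_ldap_extra->idassert_parse_cf( fname, lineno, ..., &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert ) expression, here returned directly; a small static helper in config.c taking mi, fname, lineno, argc and argv would keep both sites identical, give a single place for a NULL check on the table, and bring the line back to the width of the surrounding code. The replaced slap_idassert_parse_cf line was already over-long, so this is a pre-existing style issue that the extra indirection makes worse rather than a new one.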
Index: trunk/servers/slapd/back-ldap/init.c
===================================================================
--- trunk.orig/servers/slapd/back-ldap/init.c
+++ trunk/servers/slapd/back-ldap/init.c
@@ -34,7 +34,8 @@
static const ldap_extra_t ldap_extra = {
ldap_back_proxy_authz_ctrl,
- ldap_back_controls_free
+ ldap_back_controls_free,
+ slap_idassert_parse_cf
};
int
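Review bot: the initializer is positional, so slap_idassert_parse_cf lands in the right slot only because the header hunk appends idassert_parse_cf as the third member; a trailing comment on each entry naming the member it fills (e.g. "slap_idassert_parse_cf /* idassert_parse_cf */") would keep the two files verifiably in step as the table grows. This is also the line that actually addresses the reported "undefined symbol: slap_idassert_parse_cf": the symbol is now resolved inside back-ldap and handed to back-meta through the table, so back-meta no longer depends on cross-module symbol lookup via RTLD_GLOBAL.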
Pierangelo Masarati <ando(a)sys-net.it> writes:
> Dieter Kluenter wrote:
>> Pierangelo Masarati <ando(a)sys-net.it> writes:
>>
>>> dieter(a)dkluenter.de wrote:
>>>
>>>> Sorry, forgot it,
>>> Should be fixed in HEAD, please test. I infer you're using multiple
>>> instances of slapo-dynlist(5) in your slapd.conf, aren't you?
>> No, just one instance.
>
> Sounds odd, because the error was related to executing slapo-dynlist's
> db_open() function while the static vars holding the dgIdentity (and
> the dgAuthz) attrs being already initialized. Can you test the fix to
> overlays/dynlist.c 1.51->1.52? It is for HEAD, but should apply
> straightforwardly to 2.4.
I just compiled HEAD and slapadd added the ldif file as expected. But
a second error occurred, test failed with test001, but I will check
this tomorrow, same as the dynlist patch.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
michael(a)stroeder.com wrote:
> Full_Name: Michael Ströder
> Version: RE24
> OS: OpenSUSE Linux 10.2
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (84.163.82.89)
>
>
> Please add attribute type 'auditContext' to subschema.
It is registered by slapo-accesslog(5). I can see it when
slapo-accesslog(5) is built.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando(a)sys-net.it
-----------------------------------
Dieter Kluenter wrote:
> Pierangelo Masarati <ando(a)sys-net.it> writes:
>
>> dieter(a)dkluenter.de wrote:
>>
>>> Sorry, forgot it,
>> Should be fixed in HEAD, please test. I infer you're using multiple
>> instances of slapo-dynlist(5) in your slapd.conf, aren't you?
>
> No, just one instance.
Sounds odd, because the error was related to executing slapo-dynlist's
db_open() function while the static vars holding the dgIdentity (and the
dgAuthz) attrs being already initialized. Can you test the fix to
overlays/dynlist.c 1.51->1.52? It is for HEAD, but should apply
straightforwardly to 2.4.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando(a)sys-net.it
-----------------------------------
Pierangelo Masarati <ando(a)sys-net.it> writes:
> dieter(a)dkluenter.de wrote:
>
>> Sorry, forgot it,
>
> Should be fixed in HEAD, please test. I infer you're using multiple
> instances of slapo-dynlist(5) in your slapd.conf, aren't you?
No, just one instance.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
amg1127(a)cefetrs.tche.br wrote:
> I submitted a bug report in Ubuntu's Launchpad. The address is:
>
> https://bugs.launchpad.net/ubuntu/+source/openldap2.3/+bug/243337
>
> The bug refers to 2.4.9, but it is reproducible in OpenLDAP 2.4.10 (I could
> reproduce it, at least).
Your logs show something relatively odd: apparently, slapo-unique(5) is
trying to perform an internal search with a really malformed filter:
==> unique_search ,
str2filter "(&objectClass=posixGroup(|(gidNumber=1000)))"
put_filter: "(&objectClass=posixGroup(|(gidNumber=1000)))"
put_filter: AND
put_filter_list "objectClass=posixGroup(|(gidNumber=1000))"
Can you please try using "(objectClass=posixGroup)" instead of
"objectClass=posixGroup" as the unique_uri filter in your test slapd.conf?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando(a)sys-net.it
-----------------------------------
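The malformed filter in the quoted log, as an added example (not OpenLDAP's unique.c): the composition shape "(&<uri filter>(|(attr=value)...))" is taken from the log lines above, and a small RFC 4515 parser is used to show why a bare "objectClass=posixGroup" uri filter yields an unparsable search filter while the parenthesized form does not, and how a config parser can validate the filter before it is ever combined. Attribute names and values below are constructed from the report.

```python
# Added example for the slapo-unique report above, not OpenLDAP's unique.c. The
# composition shape "(&<uri filter>(|(attr=value)...))" is taken from the quoted
# log; the parser covers the RFC 4515 subset needed to tell a bare "attr=value"
# uri filter from a proper "(attr=value)" one before it is combined.
from typing import List, Tuple

def parse_filter(s: str, pos: int = 0) -> Tuple[tuple, int]:
    """Recursive descent over: '(' ( '&' f+ | '|' f+ | '!' f | attr '=' value ) ')'.
    Returns (ast, offset after the filter); raises ValueError if malformed."""
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(s):
        raise ValueError("unterminated filter")
    op = s[pos]
    if op in "&|!":
        pos, children = pos + 1, []
        while pos < len(s) and s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        # bare text such as "objectClass=posixGroup" right after '&' ends up here
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"operand list of {op!r} is not a filter at offset {pos}")
        node = (op, children)
    else:
        end = s.find(")", pos)  # RFC 4515 escapes ')' in values as \29, so this is safe
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, eq, value = s[pos:end].partition("=")
        if not attr or not eq or not attr.replace("-", "").replace(".", "").isalnum():
            raise ValueError(f"bad filter item {s[pos:end]!r}")
        node, pos = ("item", attr, value), end
    if pos >= len(s) or s[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def is_wellformed_filter(s: str) -> bool:
    """True only if the whole string parses as exactly one filter."""
    try:
        _, end = parse_filter(s)
    except ValueError:
        return False
    return end == len(s)

def escape_value(v: str) -> str:
    """RFC 4515 assertion-value escaping, so entry values cannot change the
    structure of the filter they are embedded in (\\ * ( ) NUL -> \\XX)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in v)

def compose_unique_filter(uri_filter: str, attr: str, values: List[str]) -> str:
    """Build the internal search filter in the shape the quoted log shows."""
    alternatives = "".join(f"({attr}={escape_value(v)})" for v in values)
    return f"(&{uri_filter}(|{alternatives}))"

def normalize_uri_filter(uri_filter: str) -> str:
    """Accept 'objectClass=posixGroup' or '(objectClass=posixGroup)', wrapping the
    bare form; reject anything that still does not parse as a filter."""
    f = uri_filter.strip()
    if not f.startswith("("):
        f = f"({f})"
    if not is_wellformed_filter(f):
        raise ValueError(f"unique_uri filter {uri_filter!r} is malformed")
    return f

# Constructed reproduction of the report's configuration, buggy and corrected.
BUGGY = compose_unique_filter("objectClass=posixGroup", "gidNumber", ["1000"])
FIXED = compose_unique_filter(normalize_uri_filter("objectClass=posixGroup"), "gidNumber", ["1000"])
```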
dieter(a)dkluenter.de wrote:
> Sorry, forgot it,
Should be fixed in HEAD, please test. I infer you're using multiple
instances of slapo-dynlist(5) in your slapd.conf, aren't you?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando(a)sys-net.it
-----------------------------------
Howard Chu <hyc(a)symas.com> writes:
> dieter(a)dkluenter.de wrote:
>> Full_Name: Dieter Kluenter
>> Version: 2.4.10
>> OS: openSUSE
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (84.142.217.87)
[...]
>
> Where is the backtrace?
Sorry, forgot it,
#0 0x00007f07d3c6a5c5 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007f07d3c6a5c5 in raise () from /lib64/libc.so.6
#1 0x00007f07d3c6bbb3 in abort () from /lib64/libc.so.6
#2 0x00007f07d3c631e9 in __assert_fail () from /lib64/libc.so.6
#3 0x00000000004894a1 in slap_bv2ad (bv=0x7fffddbd3c30, ad=0x7f07d2bbc4f0,
text=0x7fffddbd3c70) at ad.c:164
#4 0x00000000004893a3 in slap_str2ad (str=0x7f07d29bad62 "dgIdentity",
ad=0x7f07d2bbc4f0, text=0x7fffddbd3c70) at ad.c:123
#5 0x00007f07d29ba0bc in dynlist_db_open (be=0x7fffddbd3ce0,
cr=0x7fffddbd3f20) at dynlist.c:1560
#6 0x00000000004bae67 in over_db_open (be=0x8b9a90, cr=0x7fffddbd3f20)
at backover.c:153
#7 0x0000000000449819 in backend_startup_one (be=0x8b9a90, cr=0x7fffddbd3f20)
at backend.c:224
#8 0x0000000000449ad2 in backend_startup (be=0x8b9a90) at backend.c:267
#9 0x000000000047366f in slap_startup (be=0x8b9a90) at init.c:225
#10 0x00000000004c1853 in slap_tool_init (progname=0x55a728 "slapadd", tool=1,
argc=10, argv=0x7fffddbe4a08) at slapcommon.c:725
#11 0x00000000004beff0 in slapadd (argc=10, argv=0x7fffddbe4a08)
at slapadd.c:73
#12 0x00000000004190ef in main (argc=10, argv=0x7fffddbe4a08) at main.c:636
(gdb)
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
hyc(a)symas.com wrote:
> vorlon(a)debian.org wrote:
>> This bug is marked as fixed in 2.4.8, but I still see the same problem in
>> the test suite in 2.4.10. Trying to start slapd with back-meta gives:
>>
>> /home/devel/openldap/build-area/openldap2.3-2.4.10/debian/build/servers/slapd/.libs/lt-slapd: symbol lookup error: ../servers/slapd/back-meta/.libs/back_meta-2.4.so.2: undefined symbol: slap_idassert_parse_cf
>>
>> Is this a regression since 2.4.8?
>
> Looks more like an incomplete fix. The functions in question haven't changed
> since 2006. Since we're not using a hacked libltdl the problem you're seeing
> doesn't show up here. I guess you should have tested this sooner...
Additional patches for back-ldap/back-meta are now in HEAD; please test.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
vorlon(a)debian.org wrote:
> This bug is marked as fixed in 2.4.8, but I still see the same problem in
> the test suite in 2.4.10. Trying to start slapd with back-meta gives:
>
> /home/devel/openldap/build-area/openldap2.3-2.4.10/debian/build/servers/slapd/.libs/lt-slapd: symbol lookup error: ../servers/slapd/back-meta/.libs/back_meta-2.4.so.2: undefined symbol: slap_idassert_parse_cf
>
> Is this a regression since 2.4.8?
Looks more like an incomplete fix. The functions in question haven't changed
since 2006. Since we're not using a hacked libltdl the problem you're seeing
doesn't show up here. I guess you should have tested this sooner...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Andrew Findlay wrote:
> Indeed, though draft-behera-ldap-password-policy-xx.txt is a bit unclear
> on the subject of that attribute:
>
> 5.3.3 pwdAccountLockedTime
> The current implementation does allow
> admins to set the value, which appears to be the only way to
> lock/unlock an account without changing the password.
The current implementation allows pretty much anybody to set the attribute.
It's intended that it can only be set when using the Relax Constraints control.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On Sat, Jun 28, 2008 at 07:21:44PM -0700, Howard Chu wrote:
> >pwdFailureTime cannot be modified directly, so I think there is a case for
> >clearing it when pwdAccountLockedTime is cleared explicitly.
>
> Technically, you're not supposed to be able to modify pwdAccountLockedTime
> directly either. The current behavior is a temporary hack. The only
> legitimate way to remove those attributes is by setting a new password. I'm
> rejecting this ITS.
Indeed, though draft-behera-ldap-password-policy-xx.txt is a bit unclear
on the subject of that attribute:
5.3.3 pwdAccountLockedTime
This attribute holds the time that the user's account was locked. A
locked account means that the password may no longer be used to
authenticate. A 000001010000Z value means that the account has been
locked permanently, and that only a password administrator can unlock
the account.
One reading of that clause is that *setting* pwdAccountLockedTime to
000001010000Z is the way to lock an account by administrative action.
There does not appear to be anything in the I-D that would cause the
server to set that value itself. The current implementation does allow
admins to set the value, which appears to be the only way to
lock/unlock an account without changing the password.
I would certainly prefer to have separate attributes for 'admin lock'
and 'auto lock'.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
This bug is marked as fixed in 2.4.8, but I still see the same problem in
the test suite in 2.4.10. Trying to start slapd with back-meta gives:
/home/devel/openldap/build-area/openldap2.3-2.4.10/debian/build/servers/slapd/.libs/lt-slapd: symbol lookup error: ../servers/slapd/back-meta/.libs/back_meta-2.4.so.2: undefined symbol: slap_idassert_parse_cf
Is this a regression since 2.4.8?
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek(a)ubuntu.com vorlon(a)debian.org
Howard Chu wrote:
> unix.gurus(a)gmail.com wrote:
>> If someone wants to accept or comment on what needs fixing in the
>> patch below, that would help me to generate the rest of the patches:
>> ftp://ftp.openldap.org/incoming/sean-burford-monitor-normalize-unified-0806…
>
> In back-monitor/database.c you don't need to normalize the DNs before
> comparing them. The stored values are already Prettied, so all you need is to
> use a case-insensitive compare here.
Duh. Or just compare a->a_vals and be->be_suffix instead.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
andrew.findlay(a)skills-1st.co.uk wrote:
> Full_Name: Andrew Findlay
> Version: 2.4.10
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (88.97.25.132)
>
>
> If an account becomes locked due to excessive failed authentications, its entry
> will contain the attributes pwdFailureTime and pwdAccountLockedTime. If the
> account is subsequently unlocked by setting a new password, all values of those
> attributes are automatically removed. However, if the password is left alone and
> the account is unlocked by removing pwdAccountLockedTime, values remain in
> pwdFailureTime. This means that a single authentication failure will immediately
> lock the account again.
>
> pwdFailureTime cannot be modified directly, so I think there is a case for
> clearing it when pwdAccountLockedTime is cleared explicitly.
Technically, you're not supposed to be able to modify pwdAccountLockedTime
directly either. The current behavior is a temporary hack. The only legitimate
way to remove those attributes is by setting a new password. I'm rejecting
this ITS.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
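The lockout bookkeeping this ITS is about, as an added state model (not OpenLDAP's ppolicy.c): it reproduces the reported sequence, an account locked by repeated failures that is unlocked by deleting only pwdAccountLockedTime and then locks again on the very next failure, beside the password-change path that clears both attributes. pwdMaxFailure is the policy attribute from the draft; the threshold, timestamps and method names are constructed for the example.

```python
# Added example for the ITS above, not OpenLDAP's ppolicy.c: a state model of
# the lockout bookkeeping in pwdFailureTime / pwdAccountLockedTime. It shows why
# unlocking by deleting only pwdAccountLockedTime leaves the account one failed
# bind away from locking again. Timestamps and the pwdMaxFailure value used
# below are constructed; pwdMaxFailure is the policy attribute from the draft.
from typing import List, Optional, Tuple

class PolicyEntry:
    """One user entry plus the policy's pwdMaxFailure, tracked as a model."""

    def __init__(self, pwd_max_failure: int):
        self.pwd_max_failure = pwd_max_failure
        self.pwdFailureTime: List[str] = []          # one GeneralizedTime per failure
        self.pwdAccountLockedTime: Optional[str] = None

    def is_locked(self) -> bool:
        return self.pwdAccountLockedTime is not None

    def bind(self, password_ok: bool, now: str) -> bool:
        """Process a simple bind; returns whether it is accepted."""
        if self.is_locked():
            return False
        if password_ok:
            self.pwdFailureTime.clear()              # success clears the failures
            return True
        self.pwdFailureTime.append(now)
        if len(self.pwdFailureTime) >= self.pwd_max_failure:
            self.pwdAccountLockedTime = now          # automatic lock
        return False

    def change_password(self) -> None:
        """The legitimate unlock named in the thread: a new password clears both."""
        self.pwdFailureTime.clear()
        self.pwdAccountLockedTime = None

    def delete_locked_time_only(self) -> None:
        """The administrative shortcut the ITS describes: failures are kept."""
        self.pwdAccountLockedTime = None

    def delete_locked_time_and_failures(self) -> None:
        """What the ITS asks for: clearing the lock also clears pwdFailureTime."""
        self.pwdFailureTime.clear()
        self.pwdAccountLockedTime = None

    def set_locked_time(self, value: str, relax_constraints: bool = False) -> None:
        """Direct writes are only legitimate under the Relax Constraints control
        (the point made in the reply above); refuse them otherwise."""
        if not relax_constraints:
            raise PermissionError("pwdAccountLockedTime is not directly modifiable")
        self.pwdAccountLockedTime = value

def lock_then_unlock(unlock: str, pwd_max_failure: int = 3) -> Tuple[int, bool]:
    """Lock the account with pwd_max_failure failures, unlock it with the named
    method, fail one more bind; return (failures recorded, locked again?)."""
    e = PolicyEntry(pwd_max_failure)
    for i in range(pwd_max_failure):
        e.bind(False, f"2008062812000{i}Z")          # constructed timestamps
    assert e.is_locked()
    getattr(e, unlock)()
    e.bind(False, "20080628120100Z")
    return len(e.pwdFailureTime), e.is_locked()
```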
unix.gurus(a)gmail.com wrote:
> I've uploaded a patch that adds an equality matching rule to the
> schema for olcRootDN and olcSchemaDN so that the normalization matches
> the schema. These attributes are already normalized wherever they are
> generated, and their normalized values are used in bvmatches, so
> removing the nvals instead of modifying the schema would result extra
> normalization calls later.
> ftp://ftp.openldap.org/incoming/sean-burford-rootdn-080628.patch
Committed, thanks.
> If someone wants to accept or comment on what needs fixing in the
> patch below, that would help me to generate the rest of the patches:
> ftp://ftp.openldap.org/incoming/sean-burford-monitor-normalize-unified-0806…
If it makes life easier, we can add the DN eq rule to monitorContext and
configContext. Since they're OpenLDAP-specific attributes we can make this
change without any repercussions.
IMO, it really needs to be added to namingContexts since that's multivalued.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/