Full_Name: Rein Tollevik
Version: CVS head + rein-serverID.patch
OS: linux and solaris
URL: ftp://ftp.openldap.org/incoming/rein-syncprov.patch
Submission from: (NULL) (81.93.160.250)
Submitted by: rein
At startup syncprov searches for any entries with an entryCSN value newer than
the newest contextCSN it read from the db and replaces the newest contextCSN
value with the newest it finds. But the newest entryCSN could have a different
sid field, which would result in the server losing one valid contextCSN and
instead introducing two contextCSNs with the same sid field. It could also
introduce a defaulted contextCSN with sid=0, which would never be updated unless
there exists a server with that sid, ref my previous ITS.
A patch that fixes this is at the referenced URL. It only updates the
contextCSN from entryCSN values matching the serverID of this server.
My initial thought was that all the contextCSNs that have newer entryCSN values
with the same sid field should be updated. But I'm afraid that could cause
syncrepl to miss some entries if it picks up the updated contextCSN values, as
there may be entries from remote servers with entryCSN values newer than the
contextCSN received from that server. The exception is delta-syncrepl where a
similar update of all the contextCSN values should probably be done at startup.
But that belongs in syncrepl.c if needed, as it is required whether syncprov is
used or not.
Rein Tollevik
Basefarm AS
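As an added illustration (not code from the report or from OpenLDAP itself), the following Python mimics the two startup behaviours contrasted above: the naive "newest entryCSN replaces the newest contextCSN" update, and the patch's rule that only entryCSNs carrying this server's own serverID may advance its contextCSN. CSNs use OpenLDAP's textual layout; the sample CSNs, server IDs and function names are constructed for the example.

```python
"""Startup contextCSN maintenance as described in the report (constructed example).

CSNs use OpenLDAP's textual layout, YYYYmmddHHMMSS.uuuuuuZ#count#sid#modcount.
Every field is fixed width, so plain string comparison orders CSNs correctly.
"""


def csn_sid(csn: str) -> int:
    """Return the serverID (sid) field of a CSN: the third '#'-separated field, hex."""
    return int(csn.split("#")[2], 16)


def make_csn(timestamp: str, sid: int, count: int = 0) -> str:
    """Build a CSN for the constructed sample data below."""
    return f"{timestamp}.000000Z#{count:06x}#{sid:03x}#000000"


def naive_startup_update(context_csns, entry_csns):
    """Behaviour the report describes as buggy: the newest entryCSN, whatever
    its sid, replaces the newest contextCSN."""
    ctx = list(context_csns)
    newest_entry, newest_ctx = max(entry_csns), max(ctx)
    if newest_entry > newest_ctx:
        ctx[ctx.index(newest_ctx)] = newest_entry
    return ctx


def sid_aware_startup_update(context_csns, entry_csns, server_id):
    """Behaviour the patch describes: only entryCSNs carrying this server's own
    serverID may advance (or create) the contextCSN for that sid."""
    ctx = {csn_sid(c): c for c in context_csns}
    for e in entry_csns:
        if csn_sid(e) != server_id:
            continue  # a remote server's change; syncrepl reconciles it later
        if server_id not in ctx or e > ctx[server_id]:
            ctx[server_id] = e
    return sorted(ctx.values(), key=csn_sid)


def contextcsn_sids(context_csns):
    """The sid of each contextCSN, in order; a valid set has no duplicate sids."""
    return [csn_sid(c) for c in context_csns]


# Constructed scenario: this server is sid 1 and replicates with sid 2.
CONTEXT = [make_csn("20080527100000", 1), make_csn("20080527090000", 2)]
ENTRIES = [make_csn("20080527110000", 1),  # local change after the last contextCSN write
           make_csn("20080527120000", 2)]  # newer change received from sid 2

if __name__ == "__main__":
    print("naive    :", contextcsn_sids(naive_startup_update(CONTEXT, ENTRIES)))
    print("sid-aware:", contextcsn_sids(sid_aware_startup_update(CONTEXT, ENTRIES, 1)))
```

The naive variant ends up with two contextCSNs for sid 2 and none for sid 1, which is exactly the loss the report describes; the sid-aware variant leaves sid 2's contextCSN for syncrepl to advance.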
rein(a)OpenLDAP.org wrote:
> Full_Name: Rein Tollevik
> Version: CVS head
> OS: linux and solaris
> URL: ftp://ftp.openldap.org/incoming/rein-serverID.patch
> Submission from: (NULL) (81.93.160.250)
> Submitted by: rein
>
>
> Syncrepl includes the serverID in the syncCookie in multi-master mode only, but
> there are other configurations that would benefit from it as well.
>
> A case I have is where a consumer replicates a glue'ed database, with the
> exception of one subordinate backend where the consumer is the master. The
> subordinate backend is replicated back to the master of the glue'ed database.
> With the current code the master would send the content of the subordinate db
> back to its master.
Understood. In fact, having multiple sources of data in a glued tree is really
a form of multi-master. (The separate glued branches cannot cause
inconsistencies with each other, but still their contextCSNs must be managed
individually.)
> A patch that fixes this is at the referenced URL. As I am not sure of the
> consequences if a defaulted serverID=0 value was included in the syncCookie the
> patch changes the internal default slap_serverID value to -1 to make it possible
> to differentiate between a configured and defaulted serverID=0.
> Btw, there are potential problems with using serverID=0, so it would be best if
> that value was reserved for the default unconfigured case. I.e., a default
> serverID=0 value could be chosen by slapadd when the two-argument form of
> serverID is used in the config, as resolving the URL needs the listener argument
> to slapd to succeed.
You mean the three-argument form? The two-argument form only allows a single
serverID to be configured anyway, so there is no ambiguity there. But you're
right, in tool mode when multiple serverIDs are configured, there's no way for
it to choose the right serverID. That's a problem regardless of whether the
default is 0 or -1 though.
For now I think this is a doc issue; we could simply recommend that slapadd
always be performed on the node with ID 0, and you manually change the
serverID config if you need to slapadd on some other node.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Full_Name: Rein Tollevik
Version: CVS head
OS: linux and solaris
URL: ftp://ftp.openldap.org/incoming/rein-serverID.patch
Submission from: (NULL) (81.93.160.250)
Submitted by: rein
Syncrepl includes the serverID in the syncCookie in multi-master mode only, but
there are other configurations that would benefit from it as well.
A case I have is where a consumer replicates a glue'ed database, with the
exception of one subordinate backend where the consumer is the master. The
subordinate backend is replicated back to the master of the glue'ed database.
With the current code the master would send the content of the subordinate db
back to its master.
I currently solve this problem with acl rules on the glue'ed master that
prevent the slave from reading the subordinate db it is master for. Different
rootdn's on the glue and subordinate db on the slave prevent syncrepl from
succeeding in its attempts to remove the content of the subordinate db during
the present phase. But it felt like I got a minor heartache the first time I
saw the log of delete messages scroll by before I realized they were all error
messages...
A patch that fixes this is at the referenced URL. As I am not sure of the
consequences if a defaulted serverID=0 value was included in the syncCookie the
patch changes the internal default slap_serverID value to -1 to make it possible
to differentiate between a configured and defaulted serverID=0.
Btw, there are potential problems with using serverID=0, so it would be best if
that value was reserved for the default unconfigured case. I.e., a default
serverID=0 value could be chosen by slapadd when the two-argument form of
serverID is used in the config, as resolving the URL needs the listener argument
to slapd to succeed. Enforcing serverID>0 could require changes in existing
configurations, but indicating it in the doc could be a first step?
Rein Tollevik
Basefarm AS
--On Tuesday, May 27, 2008 10:10 AM +0000 hai.zhao(a)gmail.com wrote:
> Full_Name: Zhao Hai
> Version: 2.3.41
> OS: Linux 2.4.21 arm
> URL: ftp://ftp.openldap.org/incoming/zhaohai-080527.patch
> Submission from: (NULL) (205.209.140.4)
>
>
> Problem:
> A race condition produces an incorrect timestamp in the replogfile, causing
> certain modifications of entries not to replicate to slurp slaves.
>
> replica: 180.0.10.2:1234
> replica: 180.0.10.3:1234
> time: 1211855467
> ^^^^^^^^^^ this timestamp
>
> How to reproduce the problem:
> 1) run under very slow machines (my environ: arm 266MHz)
> 2) slapd is configured to generate a replogfile
> 3) ldapadd about 5 entries, then ldapmodify 2 entries without delay.
This is fixed in RE23. If there is ever a 2.3.43 release, it will be in
that. In the meantime, I'd advise using 2.3.42 + your patch.
Regards,
Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Andrew Bartlett wrote:
> On Tue, 2008-05-27 at 18:43 -0700, Howard Chu wrote:
>> Andrew Bartlett wrote:
>>> On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
>>>>> This needs to occur even between databases on the server, but I won't ask that
>>>>> it occur outside the known trees.
>>>> It's already possible for operations in one database to reference entries in a
>>>> different database, so that aspect of validation should be fine. However, as
>>>> noted before, "validation" is generally bogus to begin with. In particular,
>>>> how do you create entries with circular references? If you disallow references
>>>> to nonexistent entries, you can't set the references until after all of the
>>>> entries have been created. This means that you cannot backup a database that
>>>> has these references and then later reload it in a single pass.
>>> An interesting point, but I need to match the windows runtime
>>> behaviour.
>> Only when it has a visible impact on other clients. What software will break
>> if the directory allows you to add new entries that contain dangling
>> references? What will break if the directory allows you to modify a reference
>> attribute to point to a nonexistent entry?
>
> Sure, I'm not asking for a change to default behaviours. I'm listing
> the things that our testsuite finds are differences, and looking for
> solutions.
I don't believe your proposed solution will ever be satisfactory. Entries with
circular references will also break syncrepl Refresh if the constraint you're
asking for is enforced. That will clearly have visible impact in many
deployments. If the only thing that complains with the current behavior is
your testsuite and not any real world clients, I suggest you just note the
difference and move on.
>> There's a lot of Windows behavior that is clearly wrong, by any number of
>> metrics. You need to be a bit more selective in prioritizing the list of
>> things to chase down.
>
> This is currently the top priority for an LDAP Backend for Samba4.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Full_Name: Guillaume Rousse
Version: 2.4.8
OS: linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.55.250.67)
smbk5pwd uses two private heimdal functions:
_kadm5_set_keys
_kadm5_free_keys
As of heimdal 1.1, those functions are not exported anymore. As a consequence,
openldap crashes as soon as I try to change a password when the overlay is
activated.
According to heimdal maintainers, smbk5pwd should rather use
hdb_generate_key_set_password and hdb_free_keys to generate the key data. I
tried to produce a patch myself (available at
http://www.zarb.org/~guillomovitch/openldap-smbk5pwd-2.4.8-dont-use-interna…)
by inlining the _kadm5_set_keys function directly in smbk5pwd, but I don't know
how to deal with members of the private kadm_context structure.
On Tue, 2008-05-27 at 18:43 -0700, Howard Chu wrote:
> Andrew Bartlett wrote:
> > On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
>
> >>> This needs to occur even between databases on the server, but I won't ask that
> >>> it occur outside the known trees.
> >> It's already possible for operations in one database to reference entries in a
> >> different database, so that aspect of validation should be fine. However, as
> >> noted before, "validation" is generally bogus to begin with. In particular,
> >> how do you create entries with circular references? If you disallow references
> >> to nonexistent entries, you can't set the references until after all of the
> >> entries have been created. This means that you cannot backup a database that
> >> has these references and then later reload it in a single pass.
> >
> > An interesting point, but I need to match the windows runtime
> > behaviour.
>
> Only when it has a visible impact on other clients. What software will break
> if the directory allows you to add new entries that contain dangling
> references? What will break if the directory allows you to modify a reference
> attribute to point to a nonexistent entry?
Sure, I'm not asking for a change to default behaviours. I'm listing
the things that our testsuite finds are differences, and looking for
solutions.
> There's a lot of Windows behavior that is clearly wrong, by any number of
> metrics. You need to be a bit more selective in prioritizing the list of
> things to chase down.
This is currently the top priority for an LDAP Backend for Samba4.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
Andrew Bartlett wrote:
> On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
>>> This needs to occur even between databases on the server, but I won't ask that
>>> it occur outside the known trees.
>> It's already possible for operations in one database to reference entries in a
>> different database, so that aspect of validation should be fine. However, as
>> noted before, "validation" is generally bogus to begin with. In particular,
>> how do you create entries with circular references? If you disallow references
>> to nonexistent entries, you can't set the references until after all of the
>> entries have been created. This means that you cannot backup a database that
>> has these references and then later reload it in a single pass.
>
> An interesting point, but I need to match the windows runtime
> behaviour.
Only when it has a visible impact on other clients. What software will break
if the directory allows you to add new entries that contain dangling
references? What will break if the directory allows you to modify a reference
attribute to point to a nonexistent entry?
There's a lot of Windows behavior that is clearly wrong, by any number of
metrics. You need to be a bit more selective in prioritizing the list of
things to chase down.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On Tue, 2008-05-27 at 18:22 -0700, Howard Chu wrote:
> abartlet(a)samba.org wrote:
> > Full_Name: Andrew Bartlett
> > Version: CVS HEAD
> > OS: Fedora 9
> > URL: http://www.openldap.org/lists/openldap-technical/200803/msg00101.html
> > Submission from: (NULL) (59.167.251.137)
> >
> >
> > For Samba4, I need a few things, detailed in the attached URL.
>
> The above message thread had some unanswered questions. We may need to have
> each point listed out again.
>
> > This ITS is for internal transactions and validation - the ability to have an
> > openldap overlay roll back all the changes so far, because a precondition is not
> > met.
>
> I think this one is understood, OK. Just a matter of getting the time to do it.
>
> > I need the memberOf and refint modules to ensure that no dangling links ever
> > exist, even over subtree renames and invalid modifies, and that a transaction
> > ensures this is always the case.
>
> I think the proper use of memberOf still needs to be addressed. E.g., it's
> generally a bad idea to search for (memberOf=foo) when you can simply
> enumerate the members inside the "foo" entry. If you give us precise examples
> of the searches and modifications that you'll be using, we may be able to
> narrow the scope of this work.
I'll be passing on any search that a windows client makes, and trying to
return the same result a windows server would return. Bad ideas still
have to be implemented in my world :-(
> > This needs to occur even between databases on the server, but I won't ask that
> > it occur outside the known trees.
>
> It's already possible for operations in one database to reference entries in a
> different database, so that aspect of validation should be fine. However, as
> noted before, "validation" is generally bogus to begin with. In particular,
> how do you create entries with circular references? If you disallow references
> to nonexistent entries, you can't set the references until after all of the
> entries have been created. This means that you cannot backup a database that
> has these references and then later reload it in a single pass.
An interesting point, but I need to match the windows runtime
behaviour.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
abartlet(a)samba.org wrote:
> Full_Name: Andrew Bartlett
> Version: CVS HEAD
> OS: Fedora 9
> URL: http://www.openldap.org/lists/openldap-technical/200803/msg00101.html
> Submission from: (NULL) (59.167.251.137)
>
>
> For Samba4, I need a few things, detailed in the attached URL.
The above message thread had some unanswered questions. We may need to have
each point listed out again.
> This ITS is for internal transactions and validation - the ability to have an
> openldap overlay roll back all the changes so far, because a precondition is not
> met.
I think this one is understood, OK. Just a matter of getting the time to do it.
> I need the memberOf and refint modules to ensure that no dangling links ever
> exist, even over subtree renames and invalid modifies, and that a transaction
> ensures this is always the case.
I think the proper use of memberOf still needs to be addressed. E.g., it's
generally a bad idea to search for (memberOf=foo) when you can simply
enumerate the members inside the "foo" entry. If you give us precise examples
of the searches and modifications that you'll be using, we may be able to
narrow the scope of this work.
> This needs to occur even between databases on the server, but I won't ask that
> it occur outside the known trees.
It's already possible for operations in one database to reference entries in a
different database, so that aspect of validation should be fine. However, as
noted before, "validation" is generally bogus to begin with. In particular,
how do you create entries with circular references? If you disallow references
to nonexistent entries, you can't set the references until after all of the
entries have been created. This means that you cannot backup a database that
has these references and then later reload it in a single pass.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/