Full_Name: Henrik Bohnenkamp
Version: >= 2.4.44, HEAD
OS: Ubuntu 18.04, Coreos 7.5
URL: https://github.com/hbo/openldap-mdb-deref-problem
Submission from: (NULL) (77.176.95.241)
This is a followup to
http://www.openldap.org/lists/openldap-technical/201805/msg00065.html
When MDB is used as backend database and with large DITs (O(10^6)) with many
alias entries (O(10^5)), search requests with deref=always and scope=sub will
take prohibitively long. Servers with a high request rate might become utterly
unresponsive. This problem is not present in the HDB backend.
In this issue I want to contribute two things:
- a means to demonstrate the problem; this in the form of two scripts (bash/python) which set up a large test DIT and start two slapds (one HDB, one MDB) to allow easy comparisons of the performance
- a patch to fix the problem
The patch is certainly not production ready (or, if it is, it still needs
exhaustive testing to inspire confidence); however, I think it is far enough
along to at least discuss the approach.
Both the scripts and the patch, together with instructions on how to use the
former, can be found here:
https://github.com/hbo/openldap-mdb-deref-problem
I am looking forward to discussing the patch.
quanah(a)openldap.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.46
> OS: FreeBSD 11
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (47.208.148.239)
>
>
> When building OpenLDAP on FreeBSD where the fetch library is available, slapd
> picks up a dependency on libcom_err which shouldn't exist.
>
> This comes in from lines 934 and 944 of build/openldap.m4:
> 934 LIBS="-lfetch -lcom_err $LIBS"
> 944 ol_link_fetch="-lfetch -lcom_err"
>
> These should be updated appropriately and configure regenerated.
Careful here. There may still be releases of FreeBSD that linked libfetch
against com_err, for whatever reason. You'd need to check that libfetch
exists, and then check that linking against libfetch by itself succeeds or
fails. (And if it fails, put com_err back in and try again.)
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Full_Name: Quanah Gibson-Mount
Version: 2.4.46
OS: FreeBSD 11
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)
When building OpenLDAP on FreeBSD where the fetch library is available, slapd
picks up a dependency on libcom_err which shouldn't exist.
This comes in from lines 934 and 944 of build/openldap.m4:
934 LIBS="-lfetch -lcom_err $LIBS"
944 ol_link_fetch="-lfetch -lcom_err"
These should be updated appropriately and configure regenerated.
zhixu.liu(a)gmail.com wrote:
> Full_Name: Z. Liu
> Version: 2.4.44
> OS: Gentoo
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (221.218.169.84)
>
>
> If we enable the nops and memberof overlays together and then do a member
> MODDN operation, slapd will segfault and exit immediately.
>
> Example operation:
>
> dn: uid=test,ou=People,dc=example,dc=dc=com
> changetype: moddn
> newrdn: uid=chenln
> deleteoldrdn: 1
> newsuperior: ou=Leave,dc=example,dc=com
>
> The reason is: in servers/slapd/overlays/memberof.c, the function
> memberof_value_modify defines mod/values/nvalues on the stack, which are then
> passed to other overlays; nops will try to free them if no attribute is changed.
Note that code in contrib is unsupported and is not actually part of OpenLDAP
Software. You can either contact the nops author and ask them for a fix, or
you're welcome to submit a fix yourself. Nobody in the OpenLDAP Project is
going to investigate this issue.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
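The ownership mismatch described in the report above, as an added example that is not OpenLDAP code and not part of the original thread: one handler builds a value array on its stack, and a downstream handler frees whatever it is given when the change is a no-op. All names (`struct mod`, `discard_noop`, `mod_heap_copy`, the `OWNER_*` tags) are hypothetical, the DN string is constructed, and the two mitigations are illustrations, not the project's or the nops author's fix.

```c
#include <stdlib.h>
/* Hypothetical model, not OpenLDAP's structures. */
enum owner { OWNER_STACK, OWNER_HEAP };
struct mod {
    const char **values;   /* NULL-terminated array */
    enum owner   owner;    /* where the array itself was allocated */
};

/* Unsafe downstream handler: assumes every array came from malloc().
 * Given a stack array this is an invalid free. Never called here. */
void discard_noop_unsafe(struct mod *m)
{
    free(m->values);
    m->values = NULL;
}

/* Hardened downstream handler: returns 1 if it freed a heap array, else 0. */
int discard_noop(struct mod *m)
{
    if (m->owner != OWNER_HEAP)
        return 0;
    free(m->values);
    m->values = NULL;
    return 1;
}

/* Upstream alternative: hand downstream a heap copy it may free. */
int mod_heap_copy(const struct mod *src, struct mod *dst)
{
    size_t n = 0;
    while (src->values[n] != NULL) n++;
    dst->values = malloc((n + 1) * sizeof(*dst->values));
    if (dst->values == NULL)
        return -1;
    for (size_t i = 0; i <= n; i++)    /* includes the NULL terminator */
        dst->values[i] = src->values[i];
    dst->owner = OWNER_HEAP;
    return 0;
}

/* Constructed input: the value array lives on this function's stack. */
int demo(int copy_first)
{
    const char *vals[] = { "uid=chenln,ou=Leave,dc=example,dc=com", NULL };
    struct mod m = { vals, OWNER_STACK }, h;
    if (!copy_first)
        return discard_noop(&m);
    return mod_heap_copy(&m, &h) == 0 ? discard_noop(&h) : -1;
}
```

Building the unsafe variant into a test binary with AddressSanitizer and passing it a stack array reports the invalid free at the call site instead of crashing later.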
Full_Name: Quanah Gibson-Mount
Version: HEAD
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)
For OpenLDAP 2.5, we should remove the deprecated configuration options for
back-ldap/meta/asyncmeta that have been marked as deprecated for multiple
release series. Man pages should be updated accordingly as well.
acl-authcDN
acl-passwd
idassert-authcDN
idassert-passwd
idassert-mode
idassert-method
port
server
suffixmassage
map
rewrite*
On 06/20/2018 01:25 PM, Michael Ströder wrote:
> This patch is meant to enhance user experience in case a client software
> is used to maintain data directly via LDAP. This is a real-world issue.
>
> Find the patch against master here:
> https://www.stroeder.com/temp/0001-ITS-8866-slapo-unique-to-return-filter-u…
>
> Also cleanly applies to RE24 and therefore
> could be easily added to upcoming release 2.4.47. ;-)
Any chance to see this in 2.4.47?
It simply works and the patch was also reviewed by another C programmer.
Ciao, Michael.
fturco(a)fastmail.fm wrote:
> Full_Name: Francesco Turco
> Version: 2.4.45
> OS: Gentoo Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:b07:2eb:c9ed:21c:c0ff:fead:3d70)
>
>
> The Portage package manager reports the following warning message when building
> net-nds/openldap-2.4.45 on Gentoo Linux:
>
> * This package has a configure.in file which has long been deprecated. Please
> * update it to use configure.ac instead as newer versions of autotools will die
> * when it finds this file. See https://bugs.gentoo.org/426262 for details.
>
> Original bug report: https://bugs.gentoo.org/607686
Not a priority. The version of autoconf we use has been frozen for a long time
and isn't going to change any time soon. End-users aren't expected to run the
autotools themselves anyway, only the OpenLDAP Release Engineer does that. And
changing filenames out of the blue is not viewed fondly by people trolling
commit histories.
Closing this ITS.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Full_Name: Francesco Turco
Version: 2.4.45
OS: Gentoo Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:b07:2eb:c9ed:21c:c0ff:fead:3d70)
The Portage package manager reports the following warning message when building
net-nds/openldap-2.4.45 on Gentoo Linux:
* This package has a configure.in file which has long been deprecated. Please
* update it to use configure.ac instead as newer versions of autotools will die
* when it finds this file. See https://bugs.gentoo.org/426262 for details.
Original bug report: https://bugs.gentoo.org/607686