--On Thursday, January 11, 2007 9:53 PM +0100 Pierangelo Masarati ando@sys-net.it wrote:
quanah@stanford.edu wrote:
Full_Name: Quanah Gibson-Mount
Version: 2.3.32
OS: Linux 2.6 (64-bit)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.64.19.81)
I'm not seeing anything like that, neither with HEAD nor with re23. It might be worth having a bit more details on your configuration, since that resulting from test044 (which basically complies with the info you provided) doesn't even hit that line of code (because rs->sr_flags == 0). So there must be something in between that causes the entry to be freed. That could be slapo-dynlist in some cases, but also slapo-translucent, slapo-collect, slapo-rwm or slapo-valsort. I guess at this point you should share the conf, the data and the op that's causing trouble.
The search I'm performing is:
ldapsearch -LLL -Q -h ldap-dev1.stanford.edu -b "cn=groups,cn=applications,dc=stanford,dc=edu"
the slapd.conf is as follows, and the group configurations are as previously noted.
My principal has full read into the LDAP database, so the only ACL parsed is access to * for it. I am using valsort, so perhaps it is an interaction between those two?
# $Id: slapd.conf.dev,v 1.7 2007/01/11 00:05:44 quanah Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/krb5-kdc.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/eduperson.schema
include /usr/local/etc/openldap/schema/suacct.schema
include /usr/local/etc/openldap/schema/superson.schema
include /usr/local/etc/openldap/schema/suapplication.schema

# Allow V2 binds
allow bind_v2

# Use star cert
TLSCertificateFile /usr/local/etc/openldap/stardomain.crt
TLSCertificateKeyFile /usr/local/etc/openldap/stardomain.key
TLSCACertificateFile /usr/local/etc/openldap/comodo.pem

# Define global ACLs
include /usr/local/etc/openldap/slapd.acl

#
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Set the default search base for clients that don't specify a base.
defaultsearchbase "dc=stanford,dc=edu"

# Turn gentlehup off, it takes too long.
gentlehup off

# Read slapd.conf(5) for possible values
loglevel 256

# Set the number of threads (8 seems to work best)
threads 8

# Set the number of threads to use in tool mode
tool-threads 2

# Set the timeout for idle connections
#idletimeout 30

# SASL conf
sasl-realm stanford.edu
sasl-authz-policy both
sasl-regexp uid=(.*)/cgi,cn=stanford.edu,cn=gssapi,cn=auth ldap:///cn=cgi,cn=applications,dc=stanford,dc=edu??sub?krb5PrincipalName=$1/cgi@stanford.edu
sasl-regexp uid=service/(.*),cn=stanford.edu,cn=gssapi,cn=auth ldap:///cn=Service,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=service/$1@stanford.edu
sasl-regexp uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth ldap:///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webauth/$1@stanford.edu
sasl-regexp uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth ldap:///uid=$1,cn=Accounts,dc=stanford,dc=edu??sub?suSeasStatus=active

# Load dynamic backend modules:
modulepath /usr/local/lib/openldap
moduleload back_hdb.la
moduleload back_monitor.la
moduleload valsort.la
moduleload dynlist.la

#######################################################################
# stanford.edu database definitions
#######################################################################

database hdb
suffix "dc=stanford,dc=edu"
rootdn "cn=manager,dc=stanford,dc=edu"

# Valsort Overlay
overlay valsort
valsort-attr ou cn=people,dc=stanford,dc=edu weighted
valsort-attr suAffiliation cn=people,dc=stanford,dc=edu weighted
valsort-attr suDisplayAffiliation cn=people,dc=stanford,dc=edu weighted

# Dynlist Overlay
overlay dynlist
dynlist-attrset groupOfURLS memberURL member

# Let ldapadmin have limitless searches
limits group="cn=ldapadmin,cn=applications,dc=stanford,dc=edu" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# Let the Athletics principal have limitless searches
limits dn.exact="cn=athletics,cn=service,cn=applications,dc=stanford,dc=edu" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# Let the Authority audit principal have limitless searches
limits dn.exact="cn=workgroup-audit,cn=service,cn=applications,dc=stanford,dc=edu" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# Let the Registry Data Auditor principal have limitless searches
limits dn.exact="cn=RegistryDataAuditor,cn=Service,cn=Applications,dc=stanford,dc=edu" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# Let the ispace principal have a search of 5000 entries
limits dn.exact="cn=ispace,cn=Service,cn=Applications,dc=stanford,dc=edu" time.soft=unlimited time.hard=unlimited size.soft=5000 size.hard=5000

# Let the GSB person principal have unlimited searches
limits dn.exact="cn=gsb-person,cn=service,cn=applications,dc=stanford,dc=edu" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# Save the time that the entry gets modified
lastmod on

include /usr/local/etc/openldap/syncrepl.conf

# Set the location of where the database storage files go.
directory /var/lib/ldap

dbconfig set_cachesize 3 536870912 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
dbconfig set_lg_dir /var/log/bdb
dbconfig set_lk_max_locks 3000
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_lockers 1500
#
# Automatically remove log files that are no longer needed.
dbconfig set_flags DB_LOG_AUTOREMOVE
#
# Setting set_tas_spins reduces resource contention from multiple clients on systems with multiple CPU's.
dbconfig set_tas_spins 1

# Checkpoint the database to prevent transaction loss in unclean shutdowns, and speed up slapd shutdowns.
checkpoint 1024 5

# Entries to cache in memory
cachesize 50000

# IDL Entries to cache in memory
idlcachesize 50000

# Entries to free up when cache gets full
cachefree 1000

# Change the sub_any index length from 4 to 3 so that searches like *lee* work.
index_substr_any_len 3

# Indices to maintain
index default eq
index cn eq,sub
index dc
index displayName
index entryUUID
index givenName eq,sub
index homePhone eq,sub
index krb5PrincipalName
index mail eq,sub
index mobile eq,sub
index modifyTimestamp
index o
index objectClass
index pager eq,sub
index sn eq,sub,approx
index suAffiliation
index suCalendarStatus
index suCardNumber pres,eq
index suCN eq,sub
index suDialinStatus
index suDisplayAffiliation
index suEmailPager eq,sub
index suGeneralID eq,sub
index suGivenName eq,sub
index suGwAffilFax1 eq,sub
index suGwAffilFax2 eq,sub
index suGwAffilFax3 eq,sub
index suGwAffilFax4 eq,sub
index suGwAffilFax5 eq,sub
index suGwAffilPhone1 eq,sub
index suGwAffilPhone2 eq,sub
index suGwAffilPhone3 eq,sub
index suGwAffilPhone4 eq,sub
index suGwAffilPhone5 eq,sub
index suKerberosStatus
index suLelandStatus
index suLocalPhone eq,sub
index suMaildrop
index suOtherName
index suPermanentPhone eq,sub
index suPrimaryOrganizationID
index suPrivilegeGroup eq,sub
index suProxyCardNumber pres,eq
index suRegID
index suRegisteredName eq,sub
index suResidencePhone eq,sub
index suSearchID
index suSeasStatus
index suSeasSunetID
index suSN eq,sub,approx
index suSunetID
index suUniqueIdentifier
index suUnivID
index suVisibAffilAddress1
index suVisibAffilAddress2
index suVisibAffilAddress3
index suVisibAffilAddress4
index suVisibAffilAddress5
index suVisibAffilFax1
index suVisibAffilFax2
index suVisibAffilFax3
index suVisibAffilFax4
index suVisibAffilFax5
index suVisibAffiliation1
index suVisibAffiliation2
index suVisibAffiliation3
index suVisibAffiliation4
index suVisibAffiliation5
index suVisibAffilPhone1
index suVisibAffilPhone2
index suVisibAffilPhone3
index suVisibAffilPhone4
index suVisibAffilPhone5
index suVisibEmail
index suVisibFacsimileTelephoneNumber
index suVisibHomeAddress
index suVisibHomePage
index suVisibHomePhone
index suVisibIdentity
index suVisibLocalAddress
index suVisibMailAddress
index suVisibMailCode
index suVisibMobilePhone
index suVisibPagerEmail
index suVisibPagerPhone
index suVisibPermanentAddress
index suVisibProfile
index suVisibStreet
index suVisibSunetID
index suVisibTelephoneNumber
index telephoneNumber eq,sub
index uid pres,eq
index uidNumber

#######################################################################
# back-monitor database definitions
#######################################################################
database monitor

reverse-lookup on

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html