openldap-devel April 2008

openldap-devel@openldap.org

22 participants
26 discussions

dITStructureRules/nameForms in subschema subentry for informational purpose
by Michael Ströder 21 Mar '09

21 Mar '09

HI! Discussed this very briefly with Howard at LDAPcon 2007 based on an idea of Steve: Support for dITStructureRules and nameForms is still in OpenLDAP's TODO. In the meanwhile slapd could accept definitions for both in slapd.conf and simply pass them on to a schema-aware LDAP client for informational purpose without enforcing them. Same function like rootDSE <file> in slapd.conf. Opinions? Ciao, Michael. -- Michael Ströder E-Mail: michael(a)stroeder.com http://www.stroeder.com

2 4

managing OpenLDAP / back-config
by Ralf Haferkamp 17 Jun '08

17 Jun '08

With the great features that back-config provides to configure OpenLDAP servers at runtime it seems logical to start thinking about providing tools that could help to leverage those features. Currently to manage an OpenLDAP server through back-config you have the option to use either a generic LDAP Browser (JXplorer, Apache LDAP Studio, web2ldap), the OpenLDAP command line tools (ldapsearch, ldapmodify, ...) or homegrown software using one of the available LDAP APIs. I think it would be helpful to have some more sophisticated management tools (Commandline and/or GUI). In order to get there I think it could be helpful to create an API dedicated to provide an easy way to access the OpenLDAP configuration (databases, overlays, schema, access control, ...). This API could then be used to create different flavors of management tools. I have not yet spend too much time thinking about the design of such an API. Neither about the programming language that I'd use to implement something like this (Python, C, C++, ?). I first like to get a feeling how others think about this and if anybody is interested in collaborating on such an API. So please feel free to reply with your comments and suggestions :) -- regards, Ralf

7 24

multiple server certificates
by Hallvard B Furuseth 29 Apr '08

29 Apr '08

Would it be hard to make different listener addresses present different server certificates, signed by different CA certificates? (I'm sure I've asked someone on that before, but don't remember if it was this list.) -- Hallvard

3 5

How to get rid of sys_errlist and sys_nerr?
by Michael B Allen 29 Apr '08

29 Apr '08

Hello, I'm trying to run something linked with libldap on a glibc-2.5 system on a glibc-2.3 linux system and the loader compains about not having the right versions of sys_errlist and sys_nerr. Why does libldap need these symbols? $ objdump -T libldap-2.3.so.0 | grep sys_ 0000000000000000 DO *UND* 0000000000000004 GLIBC_2.4 sys_nerr 0000000000000000 DO *UND* 0000000000000420 GLIBC_2.4 sys_errlist >From looking at config.log, configure finds strerror just fine. Is there any way to get rid of these symbols? Of all the symbols in all the libraries that make up my project these are the only two GLIBC_2.4 or above symbols. If I can get rid of them, my code should run on the glibc-2.3 system. Mike

2 4

RE24 deadlock
by Aaron Richton 29 Apr '08

29 Apr '08

https://www.nbcs.rutgers.edu/~richton/test008deadlock-RE24_20080414.txt Could just be ITS#5391 proving that it still exists. BDB 4.2.52. testrun and the process are still just sitting there (from 10 days ago, should've looked at the machine more often...)

3 7

Re: commit: ldap/servers/slapd/back-monitor cache.c
by Hallvard B Furuseth 29 Apr '08

29 Apr '08

ando(a)OpenLDAP.org writes: > Modified Files: > cache.c 1.32 -> 1.33 > avoid potential deadlock? I've never been sure of the back-monitor locking code.. Do volatile entries get cached? -- Hallvard

2 2

OpenLDAP booth at OpenExpo, 25/26 May 2008, Karlsruhe, Germany
by Michael Ströder 28 Apr '08

28 Apr '08

HI! It seems my application to run an OpenLDAP booth at http://openexpo.de/ in Germany, Karlsruhe, 25./26. May 2008 was accepted. Like requested by them I'll sent them the OpenLDAP worm logo to be put on their web page. Volunteers welcome to help at that booth. It's right before Linuxtag in Berlin, Germany. Ciao, Michael.

1 0

[Fwd: Re: deadlocks in OpenLDAP]
by Howard Chu 28 Apr '08

28 Apr '08

I haven't looked at this part of back-monitor. Someone else care to respond? -------- Original Message -------- Subject: Re: deadlocks in OpenLDAP Date: Mon, 28 Apr 2008 04:30:23 -0400 From: Yin Wang <yinw(a)umich.edu> To: Howard Chu <hyc(a)symas.com> Hi Howard, Our study shows a possible deadlock in OpenLDAP 2.4.8. Hope you could help explain. - monitor_cache_get at servers/slapd/back-monitor/cache.c:163 waiting for mp_mutex while holding mi_cache_mutex - monitor_cache_release at servers/slapd/back-monitor/cache.c:366 waiting for mi_cache_mutex while holding mp_mutex We have not been able to verify this in a real running environment, which could be difficult, if not impossible. Therefore your comments would be extremely valuable. Any help would be greatly appreciated. Yin ======= At 2008-01-12, 19:48:38 you wrote: ======= >Yin Wang wrote: >> Hi Howard, >> >> Sorry I am replying a very old email below that >> you send in last April. Terence is a colleague >> of mine and we are still working on the project. >> I hope to understand the problem better. >> >> When you said "While we can control the order of >> lock acquisition in the OpenLDAP code, we have no >> control over it in the BerkeleyDB layer", do you >> mean the (possible) deadlock comes from BerkeleyDB >> or it is because of the interaction of OpenLDAP >> and BerkeleyDB? If it is the latter case and I >> assume BerkeleyDB is deadlock-free, I don't understand >> why using such a library could cause deadlocks. >> >> Your help would be greatly appreciated. > >Since you say you're working on a research project, you shouldn't assume >anything. You should do some actual research. The BerkeleyDB lock system is >fully described in their documentation. Read it. > >If you have questions that aren't addressed by the BerkeleyDB docs you can ask >those, but I don't have time to answer questions about things that are already >well documented. >> >> Yin Wang >> Research Assistant >> EECS Department, University of Michigan >> >> >>> -----Original Message----- >>> From: Howard Chu [mailto:hyc@openldap.org] >>> Sent: Thursday, April 19, 2007 5:32 PM >>> To: Kelly, Terence P >>> Cc: Project(a)openldap.org >>> Subject: Re: deadlocks in OpenLDAP >>> >>> Kelly, Terence P wrote: >>> >>>> Hi, >>>> >>>> I'm a researcher with interests >>>> in concurrent programming issues. I'm >>>> writing with a question about deadlocks >>>> in OpenLDAP code. >>>> >>>> Based on the OpenLDAP issue tracking system, >>>> I gather that deadlocks involving circular >>>> wait for locks have occurred or have been >>>> suspected in slapd. >>>> >>>> In principle it's possible to avoid deadlock >>>> by consistently acquiring locks in a defined >>>> order, but in practice this can be inconvenient >>>> or impossible. >>>> >>>> Can you give me some intuition for why it's >>>> hard to prevent deadlocks in slapd? Has >>>> your experience with deadlocks in OpenLDAP >>>> software given you any generic insights >>>> into deadlock and how (not) to avoid it? >>>> Would your insights apply to other >>>> software in addition to slapd? >>>> >>>> Many thanks in advance for any wisdom you >>>> can share! Long editorials and brain dumps >>>> are particularly welcome. >>>> >>>> -- Terence >>> For OpenLDAP the problem is that there are two layers of locking systems >>> >>> in use - the OpenLDAP code and the BerkeleyDB code. While we can control >>> >>> the order of lock acquisition in the OpenLDAP code, we have no control >>> over it in the BerkeleyDB layer. As such, the usual approach of strictly >>> >>> ordering locks doesn't work here. > >-- > -- Howard Chu > Chief Architect, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ = = = = = = = = = = = = = = = = = = = = -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

ldap://ldap.openldap.org out of service
by Michael Ströder 26 Apr '08

26 Apr '08

HI! Is the demo server which was running ldap://ldap.openldap.org abandoned forever? Ciao, Michael.

1 0

LDAP transactions
by Howard Chu 24 Apr '08

24 Apr '08

Just thinking aloud right now about what's needed here. Basically all incoming requests participating in a transaction are queued until the Commit is received. Aside from basic parsing/validation, no other processing is performed until then. If an Abort is received, the queued requests are simply discarded. When the Commit request is received, all of the queued requests are performed sequentially by a single thread and the results are gathered. If any individual request fails, any preceding completed requests must be rolled back. Since I'm considering this for both back-bdb and back-ndb, it appears we're going to need some transaction-specific hooks to be added to the BackendInfo structure. 1) start a TXN, get a TXN handle 2) end a TXN: Commit or Abort For back-bdb the tricky part is exposing the updates atomically in the caches. I think the fact that entry caching uses BDB locks helps somewhat; we can keep entry cache items locked until the overall transaction completes. But for Aborts we'll either need to keep a copy of the previous cache info, or just discard it all. For now, discarding it all seems simpler. For back-ndb things are currently easy since this backend does no caching of its own. As such, once the backend issues a Commit or Abort request, there's no further (backend) work to be done. It's tempting to think about this for backglue, but we'd need a cross-database lock manager of some kind for detecting deadlocks. That implies that we really need an LDAP-level lock request, to handle distributed locking, and that the Transaction handling ought to be built on top of that. Currently the Transaction layer says nothing at all about locking, and it's up to the underying LDAP database to take care of it. I guess another approach would just be to have backglue fully serialize all transactions; if only one is outstanding at any time there can be no deadlocks. This brings up a question about whether slapd in general should fully serialize them. I was thinking, at the least, that we should only allow one active transaction per connection, though that was mainly a matter of convenience. Thoughts? -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

4 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-devel April 2008