asserts and mandatory build instructions (was ITS#8240)
by Michael Ströder
hyc(a)symas.com wrote in ITS#8240:
> Our patch response was too hasty. There is no OpenLDAP bug here, the real
> issue is production binaries being built with asserts enabled instead of
> compiling with -DNDEBUG. That's an issue for packagers and distros to resolve.
> Closing this ITS, not an OpenLDAP bug.
Maybe I missed something. But this is the first time I've heard about -DNDEBUG
being mandatory when compiling binary packages for production use. Does it
have other effects?
And what are general rules for assert statements in OpenLDAP code?
In my own (Python) code assert statements are supposed to be only triggered if
something goes wrong *internally* (type issues etc.). If somebody manages to
trigger an assert statement with invalid input from "outside" I always
consider this to be a serious bug revealing insufficient error handling even
though e.g. web2ldap just logs the exception but won't crash. YMMV, but please
clarify.
I also wonder whether there are more mandatory rules for building packages and
where I can find them.
Please don't get me wrong: My inquiry is in good faith to avoid unnecessary
ITS based on misunderstanding.
Ciao, Michael.
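The distinction the thread turns on, as an added illustration (constructed example, not OpenLDAP or web2ldap code): a check written as an assert crashes the process when asserts are enabled and silently disappears when they are compiled out, while an explicit error path behaves the same in both builds. Python's `compile(..., optimize=1)` strips asserts just as `-DNDEBUG` strips `assert()` in C, so both modes can be compared in one process.

```python
# Constructed example, not OpenLDAP code: the same length-prefixed parser
# written twice, once validating with assert and once with explicit errors.
# compile(optimize=1) strips asserts the way -DNDEBUG strips assert() in C,
# so both build modes can be compared inside one process.
SRC = '''
def parse_len_assert(data):
    # validation by assert: wrong tool for input that arrives from outside
    assert len(data) >= 2, "short header"
    n = int.from_bytes(data[:2], "big")
    assert n <= len(data) - 2, "length exceeds payload"
    return data[2:2 + n]

def parse_len_checked(data):
    # explicit error handling is present in every build mode
    if len(data) < 2:
        raise ValueError("short header")
    n = int.from_bytes(data[:2], "big")
    if n > len(data) - 2:
        raise ValueError("length exceeds payload")
    return data[2:2 + n]
'''

def build(optimize):
    """Compile SRC as run without (optimize=0) or with (optimize=1) -O."""
    ns = {}
    exec(compile(SRC, "<parser>", "exec", optimize=optimize), ns)
    return ns["parse_len_assert"], ns["parse_len_checked"]

def outcome(fn, data):
    """Classify one input as 'ok', 'error' (rejected cleanly) or 'crash'."""
    try:
        fn(data)
        return "ok"
    except ValueError:
        return "error"       # handled; the request can simply be refused
    except AssertionError:
        return "crash"       # the C equivalent is abort(): daemon gone

# constructed hostile input: header claims 100 bytes, only 3 follow
BAD = b"\x00\x64abc"

def compare(data=BAD):
    """Map build mode -> (assert version outcome, checked version outcome)."""
    results = {}
    for mode, opt in (("debug", 0), ("ndebug", 1)):
        with_assert, checked = build(opt)
        results[mode] = (outcome(with_assert, data), outcome(checked, data))
    return results
```

`compare()` shows the two failure modes side by side: in the debug build the assert version crashes on bad input, in the NDEBUG build it accepts truncated data as if it were valid, and only the checked version rejects it cleanly in both.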
RE24 testing call #1 (2.4.46) LMDB RE0.9 testing call #1 (0.9.22)
by Quanah Gibson-Mount
Hello everyone,
At this point, I believe we're ready to begin testing for a 2.4.46 release.
The primary focus on this release has been to fix several long standing
issues with replication, both for "standard" and "delta" based syncrepl.
These fixes have been tested against databases and workloads known to
trigger the problems that were encountered. Special thanks to Paul B.
Henson for doing additional validation for those issues that were
discovered in his deployment.
OpenLDAP 2.4.46 Engineering
Fixed libldap connection delete callbacks when TLS fails to start
(ITS#8717)
Fixed libldap to not reuse tls_session if TLS hostname check fails
(ITS#7373)
Fixed libldap cross-compiling with OpenSSL 1.1 (ITS#8687)
Fixed libldap OpenSSL 1.1.1 compatibility with BIO_method (ITS#8791)
Fixed libldap MozNSS CA certificate hash matching (ITS#7374)
Fixed libldap MozNSS with PEM certs when also using an NSS cert db
(ITS#7389)
Fixed libldap MozNSS initialization (ITS#8484)
Fixed libldap GnuTLS with GNUTLS_E_AGAIN (ITS#8650)
Fixed libldap memory leak with cancel operations (ITS#8782)
Fixed slapd Eventlog registry key creation on 64-bit Windows (ITS#8705)
Fixed slapd to maintain SSF across SASL binds (ITS#8796)
Fixed slapd syncrepl deadlock when updating cookie (ITS#8752)
Fixed slapd syncrepl callback to always be last in the stack (ITS#8752)
Fixed slapd telephoneNumberNormalize when the value is spaces and
hyphens (ITS#8778)
Fixed slapd CSN queue processing (ITS#8801)
Fixed slapd-ldap TLS connection timeout with high latency connections
(ITS#8720)
Fixed slapd-ldap to ignore unknown schema when omit-unknown-schema is
set (ITS#7520)
Fixed slapd-mdb with an optimization for long lived read transactions
(ITS#8226)
Fixed slapd-meta assert when olcDbRewrite is modified (ITS#8404)
Fixed slapd-sock with LDAP_MOD_INCREMENT operations (ITS#8692)
Fixed slapo-accesslog cleanup to only occur on failed operations
(ITS#8752)
Fixed slapo-accesslog to not expire the last entry in the database
(ITS#8100)
Fixed slapo-dds entryTTL to actually decrease as per RFC 2589 (ITS#7100)
Fixed slapo-syncprov memory leak with delete operations (ITS#8690)
Fixed slapo-syncprov to not clear pending operation when checkpointing
(ITS#8444)
Fixed slapo-syncprov to initialize an empty accesslog db if configured
(ITS#8100)
Fixed slapo-syncprov not to log checkpoints to accesslog db (ITS#8607)
Fixed slapo-syncprov to process changes from this SID on REFRESH
(ITS#8800)
Fixed slapo-syncprov session log parsing to not block other operations
(ITS#8486)
Build Environment
Fixed Windows build with newer MINGW version (ITS#8697)
Fixed compiler warnings and removed unused variables (ITS#8578)
Contrib
Fixed ldapc++ Control structure (ITS#8583)
Documentation
Delete stub manpage for back-ldbm (ITS#8713)
Fixed ldap_bind(3) to mention the LDAP_SASL_SIMPLE mechanism
(ITS#8121)
Fixed slapd-config(5) typo for olcTLSCipherSuite (ITS#8715)
Fixed slapo-syncprov(5) indexing requirements (ITS#5048)
LMDB 0.9.22 Engineering
Fix regression with new db from 0.9.19 (ITS#8760)
Fix liblmdb to build on Solaris (ITS#8612)
Fix delete behavior with DUPSORT DB (ITS#8622)
Fix mdb_cursor_get/mdb_cursor_del behavior (ITS#8722)
Thanks,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
cn=config schema, matching rules and UX with web2ldap
by Michael Ströder
Hi!
I'd like to highlight a bit why I'm nitpicking on schema definitions for
back-config and how careful schema crafting can help to have a better UX
with less effort (even though I'm personally using back-config read-only
for monitoring).
The goals of web2ldap are:
1. guide the user to do it right rather than enforce stuff unless
"stuff" is really well-known and thus can be handled strictly
2. no overzealous actions, don't surprise the user, be trustworthy
3. do as much as possible just by looking at the subschema
So why is the syntax or a known attribute constraint important for that?
Internally web2ldap uses plugin classes which are registered to
- a syntax or
- list of attribute types or
- combinations of attribute types and structural object classes.
Lots of plugin classes cover handling of well-defined application
schema, some proprietary stuff, and weird quirks for broken schema. The
classes are organized in plugin modules described here:
https://www.web2ldap.de/features.html#plugin
This all turned out to be quite powerful. Details upon request.
Now why this long story?
Of course there's also a plugin module for OpenLDAP-specific schema,
especially for slapo-accesslog but also some stuff for cn=config
(remember my presentation at ODD in Tübingen long time ago?).
https://fossies.org/linux/web2ldap/web2ldap/app/plugins/openldap.py
So here's a simple example for the case-exact vs. case-insensitive
discussion:
For attribute 'olcMemberOfDangling' I could add such a class:
class OlcMemberOfDangling(SelectList):
    oid = 'OlcMemberOfDangling-oid'
    desc = 'Behavior in case of dangling references during modification'
    attr_value_dict = {
        u'': u'-/-',
        u'ignore': u'ignore',
        u'drop': u'drop',
        u'error': u'error',
    }

syntax_registry.registerAttrType(
    OlcMemberOfDangling.oid, [
        '1.3.6.1.4.1.4203.1.12.2.3.3.18.1', # olcMemberOfDangling
    ]
)
As you can imagine the dict keys in attr_value_dict are the real values,
the values are the UI description.
Now if the existing entry contains a mixed-case value exactly this value
is added to the select list to preserve this exact value in any case.
Example:
dn: olcOverlay={7}memberof,olcDatabase={2}mdb,cn=config
olcMemberOfDangling: IGNore
The select list in the UI would contain:
ignore
drop
error
IGNore
Hmm, that likely looks confusing to the user in the UI.
So I could define a lower-case sanitizing like this:
class OlcMemberOfDangling(SelectList):
    [..class attrs like above..]
    simpleSanitizers = (
        str.lower,
    )
But in this case the existing value would be altered and sent along with
the modify request thus also confusing the user because the altering was
not result of his/her action.
So it boils down that being more strict with values can lead to a better
user experience. In this case I'd recommend that slapd would always
*sanitize* the value to lower-case.
I'd be glad if OpenLDAP developers could consider those aspects in the
future. Bear in mind that the above is just one very simple example.
web2ldap has also base classes for attribute type names or object class
names where it displays direct links into the schema browsers. Hence I
proposed to declare some cn=config attributes as OID syntax.
Interested readers can directly play with web2ldap and Æ-DIR's cn=config:
https://demo.ae-dir.com/web2ldap/dit?ldapi://%2Fopt%2Fae-dir%2Frun%2Fslap...
Sorry, read-only, but you can display the input forms and see what's
displayed along the attributes.
There is more you could do in later releases beyond 2.5.
For inspiration here's the plugin module for OpenDJ's cn=config:
https://fossies.org/linux/web2ldap/web2ldap/app/plugins/opends.py
It can make heavy use of web2ldap's DynamicDNSelectList because many
config values are just references to other entries.
Ciao, Michael.
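An added example modelled on the behaviour described in the post above (it is not web2ldap's own code): the attribute's EQUALITY matching rule, which the real application would read from the subschema and which is passed in here, decides whether an existing value such as "IGNore" is folded onto the canonical option or kept as its own entry, and whether a submitted value differs enough to justify a modify request. The stored value is never rewritten behind the user's back.

```python
# Added example modelled on the post, not web2ldap's own code. The EQUALITY
# rule (read from the subschema in the real application) decides how an
# existing case variant is presented and when a modify is generated.

# canonical values -> UI labels, as in the OlcMemberOfDangling class above
ATTR_VALUE_DICT = {"": "-/-", "ignore": "ignore", "drop": "drop", "error": "error"}

def values_equal(a, b, equality):
    """Compare two values the way the server's EQUALITY rule would."""
    if equality in ("caseIgnoreMatch", "caseIgnoreIA5Match"):
        return a.lower() == b.lower()
    return a == b    # caseExactMatch and anything unknown: exact comparison

def select_options(current, equality, attr_value_dict=ATTR_VALUE_DICT):
    """Return (options, selected): options are (form_value, label) pairs.

    Under a case-ignoring rule an existing case variant is shown as the
    canonical option but keeps its exact stored text as form value, so
    submitting the form unchanged sends the value back untouched.
    """
    options = list(attr_value_dict.items())
    if not current or current in attr_value_dict:
        return options, current or ""
    for i, (value, label) in enumerate(options):
        if value and values_equal(value, current, equality):
            options[i] = (current, label)
            return options, current
    # no canonical option matches: preserve the value as its own entry
    options.append((current, current))
    return options, current

def modify_needed(existing, submitted, equality):
    """Only generate a modify if the value changed under the matching rule,
    so that a mere case difference never turns into an unrequested write."""
    return not values_equal(existing, submitted, equality)
```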
ITS#8286 pending questions
by Quanah Gibson-Mount
I've done a first pass through the source tree adding missing matching
rules to the olc* attributes to address ITS#8286
(<https://github.com/quanah/openldap-scratch/tree/its8286>). However, many
of the attributes are string types, and can either be case exact/ignore
match. The following is a list of those attributes, and my best guess at
which they should be. Once I have a definitive answer on these, I'll
commit them:
---------------- servers/slapd/bconfig.c -----------------------
olcInclude -- case ignore match?
olcLogFile -- case ignore match?
olcModulePath -- case ignore match?
olcOverlay -- case ignore match?
olcPasswordCryptSaltFormat -- case ignore match?
olcPidFile -- case ignore match?
olcPluginLogFile -- case ignore match?
olcReferral -- case ignore match?
olcRootPw -- case exact match?
olcSaslAuxprops -- case ignore match?
olcSaslHost -- case exact match?
olcSaslRealm -- case exact match?
olcSaslSecProps -- case exact match?
olcSizeLimit -- case ignore match?
olcSubordinate -- case ignore match?
olcTCPBuffer -- case ignore match?
olcTimeLimit -- case ignore match?
olcTLSCACertificateFile -- case ignore match?
olcTLSCACertificatePath -- case ignore match?
olcTLSCertificateFile -- case ignore match?
olcTLSCertificatePath -- case ignore match?
olcTLSCertificateKey -- ??? (Private OID)
olcTLSCertificateKeyFile -- case ignore match?
olcTLSCipherSuite -- case ignore match?
olcTLSCRLCheck -- case ignore match?
olcTLSCRLFile -- case ignore match?
olcTLSRandFile -- case ignore match?
olcTLSVerifyClient -- case ignore match?
olcTLSDHParamFile -- case ignore match?
olcTLSSECName -- case ignore match?
olcTLSProtocolMin -- case ignore match?
---------------- BACKENDS -----------------------
--- back-asyncmeta
olcDbURI -- case ignore match?
olcDbStartTLS -- case ignore match? (also, seems to be misnamed and missing
the "ldaps" option)
olcDbACLPasswd -- case exact match?
olcDbIDAssertBind -- case ignore match?
olcDbTFSupport -- case ignore match?
olcDbTimeout -- case ignore match?
olcDbIdleTimeout -- case ignore match?
olcDbCancel -- case ignore match?
olcDbQuarantine -- case ignore match?
olcDbDefaultTarget -- case ignore match?
olcDbDnCacheTtl -- case ignore match?
olcDbBindTimeout -- case ignore match?
olcDbOnErr -- case ignore match?
olcDbNretries -- case ignore match?
olcDbClientPr -- case ignore match?
olcDbKeepalive -- case ignore match?
--- back-bdb/hdb
olcDbCheckpoint -- case ignore match?
olcDbCryptFile -- case ignore match?
olcDbCryptKey -- case ignore match?
olcDbConfig -- IA5 case ignore match?
olcDbLockDetect -- case ignore match?
olcDbMode -- case ignore match?
--- back-ldap
olcDbURI -- case ignore match?
olcDbStartTLS -- case ignore match? (also, seems to be misnamed? old config
parameter was just "tls")
olcDbACLPasswd -- case exact match?
olcDbACLBind -- case ignore match?
olcDbIDAssertPasswd -- case exact match?
olcDbIDAssertBind -- case ignore match?
olcDbIDAssertMode -- case ignore match?
olcDbTFSupport -- case ignore match?
olcDbTimeout -- case ignore match?
olcDbIdleTimeout -- case ignore match?
olcDbConnTtl -- case ignore match?
olcDbNetworkTimeout -- case ignore match?
olcDbCancel -- case ignore match?
olcDbQuarantine -- case ignore match?
olcDbOnErr -- case ignore match?
olcDbKeepalive -- case ignore match?
--- back-mdb
olcDbCheckpoint -- case ignore match?
olcDbMode -- case ignore match?
--- back-meta
olcDbURI -- case ignore match?
olcDbStartTLS -- case ignore match? (also, seems to be misnamed? old config
parameter was just "tls")
olcDbACLPasswd -- case exact match?
olcDbIDAssertBind -- case ignore match?
olcDbTFSupport -- case ignore match?
olcDbTimeout -- case ignore match?
olcDbIdleTimeout -- case ignore match?
olcDbConnTtl -- case ignore match?
olcDbNetworkTimeout -- case ignore match?
olcDbCancel -- case ignore match?
olcDbQuarantine -- case ignore match?
olcDbDefaultTarget -- case ignore match?
olcDbDnCacheTtl -- case ignore match?
olcDbBindTimeout -- case ignore match?
olcDbOnErr -- case ignore match?
olcDbNretries -- case ignore match?
olcDbClientPr -- case ignore match?
olcDbKeepalive -- case ignore match?
--- back-sql
olcDbHost -- case ignore match?
olcDbName -- case ignore match?
olcDbUser -- case ignore match?
olcDbPass -- case exact match?
olcSqlConcatPattern -- case ignore match?
olcSqlSubtreeCond -- case ignore match?
olcSqlChildrenCond -- case ignore match?
olcSqlDnMatchCond -- case ignore match?
olcSqlOcQuery -- case ignore match?
olcSqlAtQuery -- case ignore match?
olcSqlInsEntryStmt -- case ignore match?
olcSqlUpperFunc -- case ignore match?
olcSqlStrcastFunc -- case ignore match?
olcSqlDelEntryStmt -- case ignore match?
olcSqlRenEntryStmt -- case ignore match?
olcSqlDelObjclassesStmt -- case ignore match?
olcSqlBaseObject -- case ignore match?
olcSqlLayer -- case ignore match?
olcSqlFetchAttrs -- case ignore match?
olcSqlAliasingKeyword -- case ignore match?
olcSqlAliasingQuote -- case ignore match?
olcSqlIdQuery -- case ignore match?
---------------- OVERLAYS -----------------------
--- accesslog.c
logpurge -- case ignore match?
logold -- case ignore match?
--- auditlog.c
olcAuditLogFile -- case ignore match?
--- autoca.c
olcACAuserClass -- case ignore match?
olcACAserverClass -- case ignore match?
--- dds.c
olcDDSmaxTtl -- case ignore match?
olcDDSminTtl -- case ignore match?
olcDDSdefaultTtl -- case ignore match?
olcDDSinterval -- case ignore match?
olcDDStolerance -- case ignore match?
--- dyngroup.c
olcDGAttrPair -- case ignore match?
--- memberof.c
olcMemberOfDangling -- case ignore match?
olcMemberOfGroupOC -- case ignore match?
olcMemberOfMemberAD -- case ignore match?
olcMemberOfMemberOfAD -- case ignore match?
olcMemberOfDanglingError -- case ignore match?
--- pcache.c
olcProxyCache -- case ignore match?
olcPcachePosition -- case ignore match?
olcPcacheMaxQueries -- case ignore match?
--- rwm.c
olcRwmTFSupport -- case ignore match?
--- syncprov.c
olcSpCheckpoint -- case ignore match?
--- translucent.c
olcTranslucentLocal -- case ignore match?
olcTranslucentRemote -- case ignore match?
---------------- CONTRIB -----------------------
--- adremap.c
olcADremapDowncase -- case ignore match?
olcADremapDNmap -- case ignore match?
--- autogroup.c
olcAGmemberOfAd -- case ignore match?
--- smbk5pwd.c
olcSmbK5PwdEnable -- case ignore match?
olcSmbK5PwdMustChange -- case ignore match?
Thanks,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
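An added helper for the audit described in the post above (example code, not from the ITS#8286 branch): it scans attribute type descriptions such as olcAttributeTypes values for string-syntax attributes that declare no EQUALITY rule and proposes one following the post's rule of thumb, exact matching for password-like attributes and case-ignore matching for the rest. The secret-name suffixes and the sample definitions are constructed assumptions; only olcMemberOfDangling's OID comes from the thread.

```python
import re
# Added example, not code from the ITS#8286 branch: find string attributes
# without EQUALITY and propose a rule using the post's rule of thumb (secrets
# compare exactly, the rest case-ignore). Hosts, realms and paths are left to
# a human, as the post's question marks suggest.
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"   # RFC 4517 Directory String
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"         # RFC 4517 IA5 String
IGNORE_RULE = {DIRECTORY_STRING: "caseIgnoreMatch", IA5_STRING: "caseIgnoreIA5Match"}
EXACT_RULE = {DIRECTORY_STRING: "caseExactMatch", IA5_STRING: "caseExactIA5Match"}
SECRET_SUFFIXES = ("pw", "passwd", "pass", "secprops")   # assumed heuristic

_NAME = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*'([^']*)')")
_EQUALITY = re.compile(r"\bEQUALITY\s+(\S+)")
_SYNTAX = re.compile(r"\bSYNTAX\s+([\d.]+)")

def parse_attr_type(desc):
    """Return (name, equality, syntax) from an RFC 4512 attribute type description."""
    name = _NAME.search(desc)
    equality = _EQUALITY.search(desc)
    syntax = _SYNTAX.search(desc)
    return ((name.group(1) or name.group(2)) if name else None,
            equality.group(1) if equality else None,
            syntax.group(1) if syntax else None)

def propose_equality(name, syntax):
    """Rule of thumb from the post: password-like attributes compare exactly."""
    if name.lower().endswith(SECRET_SUFFIXES):
        return EXACT_RULE[syntax]
    return IGNORE_RULE[syntax]

def audit(descriptions):
    """Map each string attribute lacking EQUALITY to a proposed rule."""
    findings = {}
    for desc in descriptions:
        name, equality, syntax = parse_attr_type(desc)
        if name and equality is None and syntax in IGNORE_RULE:
            findings[name] = propose_equality(name, syntax)
    return findings

# constructed sample; only olcMemberOfDangling's OID is real (from the thread
# above), the other attribute OIDs are placeholders
SAMPLE = [
    "( 1.3.6.1.4.1.4203.1.12.2.3.3.18.1 NAME 'olcMemberOfDangling' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
    "( PLACEHOLDER-OID.1 NAME 'olcRootPw' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
    "( PLACEHOLDER-OID.2 NAME 'olcDbConfig' EQUALITY caseIgnoreIA5Match "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
    "( PLACEHOLDER-OID.3 NAME 'olcSizeLimit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]
```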