asserts and manadatory build instructions (was ITS#8240)
by Michael Ströder
hyc(a)symas.com wrote in ITS#8240:
> Our patch response was too hasty. There is no OpenLDAP bug here, the real
> issue is production binaries being built with asserts enabled instead of
> compiling with -DNDEBUG. That's an issue for packagers and distros to resolve.
> Closing this ITS, not an OpenLDAP bug.
Maybe I missed something. But this is the first time I've heard about -DNDEBUG
being mandatory when compiling binary packages for production use. Does it
have other effects?
And what are general rules for assert statements in OpenLDAP code?
In my own (Python) code assert statements are supposed to be only triggered if
something goes wrong *internally* (type issues etc.). If somebody manages to
trigger an assert statement with invalid input from "outside" I always
consider this to be a serious bug revealing insufficient error handling even
though e.g. web2ldap just logs the exception but won't crash. YMMV, but please
clarify.
I also wonder whether there are more mandatory rules for building packages and
where I can find them.
Please don't get me wrong: My inquiry is in good faith to avoid unnecessary
ITS based on misunderstanding.
Ciao, Michael.
1 year, 7 months
Persistent failures of test050
by Quanah Gibson-Mount
I've noticed that when running test050 in a loop, it often fails, even
after increasing the sleep timeout defaults. Where it fails in the test is
inconsistent and which servers differ is inconsistent as well. I'm
concerned we may have a regression or perhaps long standing issue here that
needs addressing. I'll continue to investigate and see if I can get more
details on what the issue(s) are. In my latest run I see:
.....
Using ldapmodify to add/modify/delete entries from server 1...
iteration 1
iteration 2
iteration 3
iteration 4
iteration 5
iteration 6
iteration 7
iteration 8
iteration 9
iteration 10
Waiting 10 seconds for servers to resync...
Using ldapsearch to read all the entries from server 1...
Using ldapsearch to read all the entries from server 2...
Using ldapsearch to read all the entries from server 3...
Using ldapsearch to read all the entries from server 4...
Comparing retrieved entries from server 1 and server 2...
Comparing retrieved entries from server 1 and server 3...
test failed - server 1 and server 3 databases differ
Failed after 3 of 500 iterations
[build@freebsd12 ~/git/openldap-2-4/tests/testrun]$ diff -u server1.out
server3.out
--- server1.out 2019-06-22 18:23:54.933600000 +0000
+++ server3.out 2019-06-22 18:23:55.049209000 +0000
@@ -1,3 +1,8 @@
+dn: cn=Add-Mod-Del,dc=example,dc=com
+cn: Add-Mod-Del
+objectClass: organizationalRole
+description: guinea pig
+
dn: cn=All Staff,ou=Groups,dc=example,dc=com
member: cn=Manager,dc=example,dc=com
member: cn=Barbara Jensen,ou=Information Technology
Division,ou=People,dc=exam
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
3 years, 11 months
Current RE24 status (2.4.48)
by Quanah Gibson-Mount
Ondrej is looking at a few different issues related to replication w/
syncrepl, including cn=config. Additionally, the fix applied for ITS#8427
has broken back-ldap with ldaps.
For the last item, one option would be to revert ITS#8427, although I'd
prefer to see a fix rather than a revert.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
3 years, 11 months
ITS review 6/14/2019
by Quanah Gibson-Mount
Thanks to Ondrej, this list is a bit shorter now. :)
The following ITSes have a patch or have been committed already.
-------------------------------------------------------------------
ITS#7721 - contrib/lastbind - allow authtimestamp forwarding with updateref
(44e9bda0e42f40e0baf0a2c0ef733eb757abd366)
ITS#7770 - back-monitor - Add mdb_stat info
(e19c683c41e14365d28e82278eec1d8b12c71d4c ,
6e2bac6465bb81a8c1aeb083b6dc497eb4187264 )
**** ITS#8037 - slapd - Fix delta-syncrepl with relax
(cb9a4d01bc1ecf1eeb3fb7ef39067b2b30b6c545)
ITS#8349 - Fix ppolicy behavior with pwdHistory
ITS#8508 - liblunicode - Fix ucgendat
(cc99da182f53d3d4f3874703643b277773717af3)
**** ITS#8637 - slapd-ldap - Correctly reject invalid config with
slapd-config (has patch, IPR OK)
**** ITS#8671 - libldap - ldap_init_fd() in ldap.h
(6a5e30674b63b17587738ba9a3d1ea3633c33fb1)
ITS#8695 - slapd - "sleep" is deprecated (WINDOWS ONLY) (has patch, IPR OK)
**** ITS#8755 - libldap - leaking file descriptor when closing connection
(has patch, IPR OK)
ITS#8794 - libraries/libldap - Fix implicit declaration (has minor patch)
**** ITS#8799 - back-chain - Fix conversion from slapd.conf (has patch, IPR
OK)
**** ITS#8864 - liblber - fix ber_flush
(fb49d486a35fd4b2e993398c1eea0c8f7bc6ac40)
ITS#8875 - back-mdb - fix performance problems with large DIT and many
aliases (has patch, RE25 only)
**** ITS#8997 - slapd-ldap - Fix segfault (Howard already wrote the patch,
just needs to be committed)
ITS#9000 - slapo-memberof - Fix group rename issue (Ondrej has already
written the patch, just needs to be committed?)
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
3 years, 11 months
RE24 testing call (2.4.48) LMDB RE0.9 testing call (0.9.24)
by Quanah Gibson-Mount
This is expected to be the final testing call for 2.4.48, with an
anticipated release, depending on feedback, during the week of 2019/06/24.
Generally, get the code for RE24:
<http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs...>
Configure & build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
Thanks!
OpenLDAP 2.4.48 Engineering
Added libldap OpenSSL Elliptic Curve support (ITS#7595)
Added libldap Expose OpenLDAP specific interfaces via openldap.h
(ITS#8671)
Added slapd-monitor support for slapd-mdb (ITS#7770)
Fixed liblber leaks (ITS#8727)
Fixed liblber with partial flush (ITS#8864)
Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980)
Fixed libldap ASYNC connections with Solaris 10 (ITS#8968)
Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585)
Fixed libldap to use AI_ADDRCONFIG when available (ITS#7326)
Fixed libldap to be able to unset syncrepl TLS options (ITS#7042)
Fixed libldap race condition in ldap_int_initialize (ITS#7996,
ITS#8450)
Fixed libldap return code in ldap_create_assertion_control_value
(ITS#8674)
Fixed libldap to correctly disable IPv6 when configured to do so
(ITS#8754)
Fixed libldap to correctly close TLS connection (ITS#8755)
Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353)
Fixed liblunicode case correspondance (ITS#8508)
Fixed slapd with an idletimeout of less than four seconds (ITS#8952)
Fixed slapd config parser variable for Windows64 (ITS#9012)
Fixed slapd syncrepl fallback handling with delta-syncrepl
(ITS#9015)
Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999)
Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037)
Fixed slapd TLS settings on reconnection (ITS#8427)
Fixed slapd to restrict rootDN proxyauthz to its own databases
(ITS#9038)
Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990)
Fixed slapd-ldap starttls connections timeout behavior (ITS#8963)
Fixed slapd-ldap TLS settings on reconnection (ITS#8427)
Fixed slapd-ldap segfault when entry result doesn't match filter
(ITS#8997)
Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743)
Fixed slapd-meta TLS settings on reconnection (ITS#8427)
Fixed slapd-meta assertion when network interface goes down
(ITS#8841)
Fixed slapd-mdb fix bitshift integer overflow (ITS#8989)
Fixed slapd-mdb index cleanup with cn=config (ITS#8472)
Fixed slapo-accesslog possible assert with exops (ITS#8971)
Fixed slapo-chain to correctly reject multiple chaining URIs
(ITS#8637)
Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799)
Fixed slapo-memberof conversion from slapd.conf to cn=config
(ITS#8663)
Fixed slapo-memberof for group name change to itself (ITS#9000)
Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
Fixed slapo-rwm to not free original filter (ITS#8964)
Fixed slapo-syncprov contextCSN generation (ITS#9015)
Build Environment
Fixed slapd to only link to BDB libraries with static build
(ITS#8948)
Fixed libldap implicit declaration with LDAP_CONNECTIONLESS
(ITS#8794)
Documentation
General - Fixed minor typos (ITS#8764, ITS#8761)
admin24 - Miscellaneous updates promoting mdb and fixing
examples (ITS#9031)
slapd.access(5) - Note MDB is the primary backend (ITS#8881)
slapd.backends(5) - Note MDB is the recommended backend
(ITS#8771)
slapd-ldap(5) - Document starttls parameter (ITS#8693)
Contrib
Added slapo-lastbind capability to forward authTimestamp
updates (ITS#7721)
LMDB 0.9.24 Engineering
ITS#8969 Tweak mdb_page_split
ITS#8975 WIN32 fix writemap set_mapsize crash
ITS#9007 Fix loose pages in WRITEMAP
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
3 years, 11 months
ITS#8286 continued
by Quanah Gibson-Mount
I found a few stray items that still need matching rules. All were
trivially straight forward except one for slapo-chain:
{ "chain-chaining", "args",
2, 4, 0, ARG_MAGIC|ARG_BERVAL|CH_CHAINING, chain_cf_gen,
"( OLcfgOvAt:3.1 NAME 'olcChainingBehavior' "
"DESC 'Chaining behavior control parameters
(draft-sermersheim-ldap-chaining)' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
At the moment, based on the man page description, I was thinking:
"EQUALITY caseExactMatch "
for the matching rule. Anyone have an opinion for caseIgnoreMatch being
better?
Thanks,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
3 years, 11 months
ITS review 6/4/2019
by Quanah Gibson-Mount
All of the following have patches and need review/approval. Any with ****
I consider desired for the next releases of LMDB & OpenLDAP:
LMDB related ITSes
----------------------
**** ITS#8986 - Fix LMDB for FreeBSD12 (has patch, IPR OK)
ITS#8739 - liblmdb - Fixes fsync check on FreeBSD (has patch, IPR not
needed)
OpenLDAP related ITSes for RE24
-------------------------------
ITS#7042 - slapd/syncrepl - Allow disconfiguring TLS settings (has patch,
IPR OK)
ITS#7721 - contrib/lastbind - allow authtimestamp forwarding with updateref
(44e9bda0e42f40e0baf0a2c0ef733eb757abd366)
ITS#7770 - back-monitor - Add mdb_stat info
(e19c683c41e14365d28e82278eec1d8b12c71d4c ,
6e2bac6465bb81a8c1aeb083b6dc497eb4187264 )
**** ITS#7996, ITS#8450 - libldap - Fix race condition (has patch, IPR OK)
**** ITS#8037 - slapd - Fix delta-syncrepl with relax
(cb9a4d01bc1ecf1eeb3fb7ef39067b2b30b6c545)
**** ITS#8167 - libldap - fix non-blocking TLS
(46c93e41f43da7f16270179c6eff75e450617329)
ITS#8349 - Fix ppolicy behavior with pwdHistory
**** ITS#8427 - slapd/syncrepl - Fix broken behavor for TLS options (has
patch, IPR OK)
ITS#8508 - liblunicode - Fix ucgendat
(cc99da182f53d3d4f3874703643b277773717af3)
**** ITS#8637 - slapd-ldap - Correctly reject invalid config with
slapd-config (has patch, IPR OK)
**** ITS#8671 - libldap - ldap_init_fd() in ldap.h (has patch, for Samba
project, IPR OK)
**** ITS#8674 - libldap - Fix leak (has patch, IPR not needed)
ITS#8695 - slapd - "sleep" is deprecated (WINDOWS ONLY) (has patch, IPR OK)
ITS#8754 - libldap - Correctly ignore IPv6 if IPv6 is disabled (has patch)
**** ITS#8755 - libldap - leaking file descriptor when closing connection
(has patch, IPR OK)
ITS#8794 - libraries/libldap - Fix implicit declaration (has minor patch)
**** ITS#8841 - back-meta - Fix assertion if the network interface goes
down (17f1e32b65c332f7a33b77ebe6e20b47188a88aa)
**** ITS#8864 - liblber - fix ber_flush
(fb49d486a35fd4b2e993398c1eea0c8f7bc6ac40)
**** ITS#8997 - slapd-ldap - Fix segfault (Howard already wrote the patch,
just needs to be committed)
**** ITS#9001 - libraries/libldap - Use new Tavl bits to reduce search time
(has patch, IPR OK)
OpenLDAP related ITSes for RE25
-------------------------------
ITS#8875 - back-mdb - fix performance problems with large DIT and many
aliases (has patch)
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
3 years, 11 months
2.4.48
by Michael Ströder
HI!
Any blockers for releasing 2.4.48?
Ciao, Michael.
4 years