Hi LDAP Folks,
I do have a weird problem, I didn't have before. slapd version 2.3.30-2 (debian etch).
If I alter any entry in the ldap database, the entry is stored. As soon as I read from the slapd again, it shows (in debug mode) the following message VERY often:
slap_global_control: unavailable control: 2.16.840.1.113730.3.4.2
==> limits_get: conn=0 op=22 dn="cn=admin,dc=bla,dc=bla"
And finally, after watching lines scroll by, says goodbye with an: Segmentation fault
Did I run into a bug here? I slapcat'ed the db, removed the db, slap-added the db just in case the db was corrupt, but this didn't help. Any help would be appreciated. Same slapd version working fine on another installation.
Thank you for a short note... wogri
Did you check your machine's RAM, e.g. with memtest86?
On Thursday, 22 February 2007 13:59:25, Wolfgang Hennerbichler wrote:
> Hi LDAP Folks,
> I do have a weird problem, I didn't have before. slapd version 2.3.30-2 (debian etch).
> If I alter any entry in the ldap database, the entry is stored. As soon as I read from the slapd again, it shows (in debug mode) the following message VERY often:
> slap_global_control: unavailable control: 2.16.840.1.113730.3.4.2
> ==> limits_get: conn=0 op=22 dn="cn=admin,dc=bla,dc=bla"
> And finally, after watching lines scroll by, says goodbye with an: Segmentation fault
> Did I run into a bug here? I slapcat'ed the db, removed the db, slap-added the db just in case the db was corrupt, but this didn't help. Any help would be appreciated. Same slapd version working fine on another installation.
> Thank you for a short note... wogri
--On Thursday, February 22, 2007 2:45 PM +0100 Eric MSP Veith eveith@wwweb-library.net wrote:
> Did you check your machine's RAM, e.g. with memtest86?
> On Thursday, 22 February 2007 13:59:25, Wolfgang Hennerbichler wrote:
>> Hi LDAP Folks,
>> I do have a weird problem, I didn't have before. slapd version 2.3.30-2 (debian etch).
>> If I alter any entry in the ldap database, the entry is stored. As soon as I read from the slapd again, it shows (in debug mode) the following message VERY often:
>> slap_global_control: unavailable control: 2.16.840.1.113730.3.4.2
>> ==> limits_get: conn=0 op=22 dn="cn=admin,dc=bla,dc=bla"
>> And finally, after watching lines scroll by, says goodbye with an: Segmentation fault
You are probably running into the very nasty problem that Debian decided to link its OpenLDAP 2.1 libraries against GnuTLS using their own custom, badly hacked patch. This causes a ton of problems when anything LDAP-wise tries to use SSL/TLS, even if it is one of their later packages, because the 2.1 libraries (and in the case, the 2.3 libraries) end up in the same user space, causing conflicts between GnuTLS and OpenSSL, which leads to the behavior you are seeing.
Bottom line: Don't use Debian's LDAP packages if you want to use Debian. Try building the packages into /usr/local, so that the libraries in /usr/lib do not get loaded.
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
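A way to check for the condition described in the reply above, as an added example that is not part of the original thread: the function scans a shared-library listing for more than one libldap build, or for GnuTLS and OpenSSL loaded side by side. The function name, the soname patterns and both sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed `ldd`-style listings (not from the thread); sonames are illustrative.
SAMPLE_MIXED='  libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7e90000)
  liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7e80000)
  libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7d40000)
  libldap.so.2 => /usr/lib/libldap.so.2 (0xb7c00000)
  libgnutls.so.13 => /usr/lib/libgnutls.so.13 (0xb7b80000)
  libc.so.6 => /lib/libc.so.6 (0xb7a40000)'
SAMPLE_CLEAN='  libldap_r-2.3.so.0 => /usr/local/lib/libldap_r-2.3.so.0 (0xb7e90000)
  libldap-2.3.so.0 => /usr/local/lib/libldap-2.3.so.0 (0xb7e50000)
  libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7d40000)
  libc.so.6 => /lib/libc.so.6 (0xb7a40000)'

# audit_tls_libs (hypothetical helper): reads a library listing on stdin,
# prints findings, and returns 1 if a conflicting mix is present.
audit_tls_libs() {
    awk '
        {
            # Look at the basename of every field, so both `ldd` output
            # and /proc/<pid>/maps lines are understood.
            for (i = 1; i <= NF; i++) {
                lib = $i
                sub(/.*\//, "", lib)
                if (lib ~ /^libldap(_r)?[-.]/) {
                    sub(/_r/, "", lib)      # libldap and libldap_r are one build
                    ldap[lib] = 1
                } else if (lib ~ /^libgnutls\.so/) gnutls = 1
                else if (lib ~ /^libssl\.so/)    openssl = 1
            }
        }
        END {
            n = 0
            for (k in ldap) n++
            if (n > 1) { print "CONFLICT: " n " different libldap builds loaded"; rc = 1 }
            if (gnutls && openssl) { print "CONFLICT: GnuTLS and OpenSSL both loaded"; rc = 1 }
            if (!rc) print "OK"
            exit rc + 0
        }'
}

printf '%s\n' "$SAMPLE_MIXED" | audit_tls_libs || true
printf '%s\n' "$SAMPLE_CLEAN" | audit_tls_libs
```

On a live system the input would be `ldd /usr/sbin/slapd` for link-time dependencies, or `/proc/<pid>/maps` of the running slapd, which also shows libraries pulled in after startup.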
<quote who="Quanah Gibson-Mount">
> --On Thursday, February 22, 2007 2:45 PM +0100 Eric MSP Veith eveith@wwweb-library.net wrote:
>> Did you check your machine's RAM, e.g. with memtest86?
>> On Thursday, 22 February 2007 13:59:25, Wolfgang Hennerbichler wrote:
>>> Hi LDAP Folks,
>>> I do have a weird problem, I didn't have before. slapd version 2.3.30-2 (debian etch).
>>> If I alter any entry in the ldap database, the entry is stored. As soon as I read from the slapd again, it shows (in debug mode) the following message VERY often:
>>> slap_global_control: unavailable control: 2.16.840.1.113730.3.4.2
>>> ==> limits_get: conn=0 op=22 dn="cn=admin,dc=bla,dc=bla"
>>> And finally, after watching lines scroll by, says goodbye with an: Segmentation fault
> You are probably running into the very nasty problem that Debian decided to link its OpenLDAP 2.1 libraries against GnuTLS using their own custom, badly hacked patch. This causes a ton of problems when anything LDAP-wise tries to use SSL/TLS, even if it is one of their later packages, because the 2.1 libraries (and in the case, the 2.3 libraries) end up in the same user space, causing conflicts between GnuTLS and OpenSSL, which leads to the behavior you are seeing.
> Bottom line: Don't use Debian's LDAP packages if you want to use Debian. Try building the packages into /usr/local, so that the libraries in /usr/lib do not get loaded.
Does anyone have Debian contacts to inform them of this, or are they fully aware?
Thanks.
On 23.02.2007, at 09:11, Gavin Henry wrote:
> Does anyone have Debian contacts to inform them of this, or are they fully aware?
I will file a bug report, if this is really a debian problem. I will investigate further next week.
Thanks.
Wogri
--On Friday, February 23, 2007 3:30 PM +0100 Wolfgang Hennerbichler wogri@wogri.com wrote:
> On 23.02.2007, at 09:11, Gavin Henry wrote:
>> Does anyone have Debian contacts to inform them of this, or are they fully aware?
> I will file a bug report, if this is really a debian problem. I will investigate further next week.
No need, they already know.
--Quanah
On 23.02.2007, at 15:30, Wolfgang Hennerbichler wrote:
> On 23.02.2007, at 09:11, Gavin Henry wrote:
>> Does anyone have Debian contacts to inform them of this, or are they fully aware?
> I will file a bug report, if this is really a debian problem. I will investigate further next week.
The problem in my case had to do with syncrepl. I deactivated it for now as I don't need it yet, once the main ldap server is up and running I'm going to see about that error.
Thank you for your help;
wogri
--On Friday, February 23, 2007 8:11 AM +0000 Gavin Henry ghenry@suretecsystems.com wrote:
> Does anyone have Debian contacts to inform them of this, or are they fully aware?
Debian is fully aware. Stanford and The Written Word have hired Symas to implement true GnuTLS support, so that this problem will go away.
--Quanah
Quanah Gibson-Mount wrote:
> --On Friday, February 23, 2007 8:11 AM +0000 Gavin Henry ghenry@suretecsystems.com wrote:
>> Does anyone have Debian contacts to inform them of this, or are they fully aware?
> Debian is fully aware. Stanford and The Written Word have hired Symas to implement true GnuTLS support, so that this problem will go away.
Though the wisdom of actually using GNUtls has yet to be established. Personally I would seriously distrust an X.509 implementation written by people who so obviously don't understand X.500. While we'll fix what's obviously broken that we trip over, we weren't tasked with insuring its overall suitability for use.
--On Friday, February 23, 2007 11:10 AM -0800 Howard Chu hyc@symas.com wrote:
> Quanah Gibson-Mount wrote:
>> --On Friday, February 23, 2007 8:11 AM +0000 Gavin Henry ghenry@suretecsystems.com wrote:
>>> Does anyone have Debian contacts to inform them of this, or are they fully aware?
>> Debian is fully aware. Stanford and The Written Word have hired Symas to implement true GnuTLS support, so that this problem will go away.
> Though the wisdom of actually using GNUtls has yet to be established. Personally I would seriously distrust an X.509 implementation written by people who so obviously don't understand X.500. While we'll fix what's obviously broken that we trip over, we weren't tasked with insuring its overall suitability for use.
Understood. One of my co-workers was making the argument to me yesterday, that using GnuTLS is desired because it has a better API than OpenSSL. Personally, I thought one would choose what SSL/TLS implementation to use based on how well it actually follows the specifications....
--Quanah
On Fri, Feb 23, 2007 at 11:10:06AM -0800, Howard Chu wrote:
> Quanah Gibson-Mount wrote:
>> --On Friday, February 23, 2007 8:11 AM +0000 Gavin Henry ghenry@suretecsystems.com wrote:
>>> Does anyone have Debian contacts to inform them of this, or are they fully aware?
>> Debian is fully aware. Stanford and The Written Word have hired Symas to implement true GnuTLS support, so that this problem will go away.
> Though the wisdom of actually using GNUtls has yet to be established. Personally I would seriously distrust an X.509 implementation written by people who so obviously don't understand X.500. While we'll fix what's obviously broken that we trip over, we weren't tasked with insuring its overall suitability for use.
I'm sure the GnuTLS authors would be interested to hear any deficiencies in their software :)
Albert Chin wrote:
> On Fri, Feb 23, 2007 at 11:10:06AM -0800, Howard Chu wrote:
>> Quanah Gibson-Mount wrote:
>>> Debian is fully aware. Stanford and The Written Word have hired Symas to implement true GnuTLS support, so that this problem will go away.
>> Though the wisdom of actually using GNUtls has yet to be established. Personally I would seriously distrust an X.509 implementation written by people who so obviously don't understand X.500. While we'll fix what's obviously broken that we trip over, we weren't tasked with insuring its overall suitability for use.
> I'm sure the GnuTLS authors would be interested to hear any deficiencies in their software :)
Trust me, they're hearing from us, constantly...
On 22.02.2007, at 18:21, Quanah Gibson-Mount wrote:
> You are probably running into the very nasty problem that Debian decided to link its OpenLDAP 2.1 libraries against GnuTLS using their own custom, badly hacked patch.
Oh-oh...
> This causes a ton of problems when anything LDAP-wise tries to use SSL/TLS, even if it is one of their later packages, because the 2.1 libraries (and in the case, the 2.3 libraries) end up in the same user space, causing conflicts between GnuTLS and OpenSSL, which leads to the behavior you are seeing.
If I disable TLS for testing, I guess this problem shouldn't exist anymore, should it?
> Bottom line: Don't use Debian's LDAP packages if you want to use Debian. Try building the packages into /usr/local, so that the libraries in /usr/lib do not get loaded.
I will try. Thanks for that Info.
> --Quanah
wogri