LMDB alignment of values
by Gábor Melis
I understand that at some points keys were aligned to 2 bytes and
maybe values, too:
https://github.com/AltSysrq/lmdb-zero/issues/8
Maybe that's still the case.
However a solution I'm looking at needs double word (16 bytes on 64
bit) alignment of values. This would allow using the value directly as
a read-only Lisp object. Leaving whether that's a good idea aside, is
there any way to guarantee double word alignment of values? My
preliminary hacks involving varying the key size were not successful.
Cheers,
Gábor Melis
3 years, 3 months
LMDB safety under misuse
by Gábor Melis
Hello
I'm writing a Common Lisp wrapper for LMDB, starting where the
previous efforts left off. I have a number of questions related to
safety and the color of the smoke after a disaster.
1. lmdb.h says that "A parent transaction and its cursors may not
issue any other operations than mdb_txn_commit and mdb_txn_abort
while it has active child transactions."
What I observe is that when a cursor associated with the parent
transaction is used in the child, there are no errors and the
cursor behaves (my test only involved mdb_cursor_put and
MDB_SET_KEY) as if it belonged to the child.
Is this to be expected in general, or are my tests insufficient and
something really bad can happen? If this is a disaster waiting to
happen, I need to add checks to the cursor code.
2. mdb_txns are calloc()ed and free()d. In the case where a thread
performs some operation (e.g. put, get, del) involving an already
freed mdb_txn pointer, what kind of nastiness can happen? Can the
database be corrupted?
3. Same question about mdb_cursors.
4. Async unwind safety. This is a bit like a thread being destroyed in
the middle of an lmdb function call.
Context: In some Common Lisp implementations (SBCL), POSIX
interrupts like SIGINT are used during development. If the
developer presses C-c the lisp debugger will start where the signal
handler was invoked, which may be in the middle of some mdb_* call.
Depending on the actions taken, the stack (both the lisp and the C
stack) may be unwound to some earlier frame. Another example is
async timeouts (SBCL's WITH-TIMEOUT), which can also unwind the stack. I
understand that async unwinds are unsafe in general.
There is a way to defer handling of interrupts, which I already use
to protect allocations (mdb_txn_begin, mdb_txn_commit and similar),
but it has a small performance cost and I hesitate to apply it to
performance hotspots (e.g. put, get, del and most cursor ops). Are
[some of] these functions safe in the face of async unwinds? What kind
of problem may arise?
Cheers,
Gábor Melis
3 years, 3 months
Race condition with groupOfNames using syncrepl
by Jonathan Steel
Hi,
When trying to sync our LDAP data to a consumer, the consumer errors with:
null_callback : error code 0x13
syncrepl_entry: rid=002 be_add cn=mygroup,ou=Group,dc=domain,dc=com failed (19)
I believe this is because it is a groupOfNames (list of member DNs) that do not yet exist on the consumer. If I sync with a filter to exclude the groupOfNames entries, it completes fine, which confirms it is only having an issue with groupOfNames:
filter="(!(objectClass=groupOfNames))"
Can you advise if this is a known issue, and if there's a way to work around it, short of importing the LDAP data manually? I wonder if there's a way to skip errors, so it will skip the groupOfNames and retry once the users have been created.
Best regards,
Jonathan
3 years, 3 months
Acl for admin group
by Клеусов Владимир Сергеевич
Hi
Sorry for the banal question
I created an acl for a group whose members have full access to OpenLDAP.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by self write
  by group.exact="cn=ldap_admins,ou=Groups,dc=domain,dc=com" write
  by anonymous auth
  by * none
olcAccess: to *
  by self write
  by group.exact="cn=ldap_admins,ou=Groups,dc=domain,dc=com write
  by * read
But members of this group didn't get full access. Please tell me what I did wrong?
3 years, 3 months
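An added example, not part of the original post and not OpenLDAP code: a small Python lint run over the LDIF as posted above. It unfolds the continuation lines and checks each olcAccess value for balanced quotes and a `by <who> <level>` shape; the tokenizer is a simplification written for this example, not slapd's parser, and the indentation of the continuation lines in the sample is assumed.

```python
import re
# Constructed input: the LDIF from the post above. The leading spaces on the
# "by" lines (LDIF continuation lines) are an assumption about its layout.
POSTED_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by self write
  by group.exact="cn=ldap_admins,ou=Groups,dc=domain,dc=com" write
  by anonymous auth
  by * none
olcAccess: to *
  by self write
  by group.exact="cn=ldap_admins,ou=Groups,dc=domain,dc=com write
  by * read
"""
LEVELS = {"none", "disclose", "auth", "compare", "search", "read", "write", "manage"}

def olc_access_values(ldif):
    """Unfold continuation lines (leading space) and return the olcAccess values."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # drop the single fold space, keep the rest
        else:
            lines.append(raw)
    return [l.split(":", 1)[1].strip() for l in lines if l.lower().startswith("olcaccess:")]

def tokens(value):
    """Split on whitespace outside double quotes; an unclosed quote swallows the rest."""
    return re.findall(r'(?:[^\s"]|"[^"]*"|"[^"]*$)+', value), value.count('"') % 2 == 1

def lint_acl(value):
    """Return findings for one olcAccess value (hypothetical checks for this example)."""
    toks, unclosed = tokens(value)
    findings = ["unterminated double quote"] if unclosed else []
    clause = None
    for t in toks[1:] + ["by"]:           # trailing "by" is a sentinel that flushes the last clause
        if t == "by":
            if clause is not None and not LEVELS & set(clause[1:]):
                findings.append("no access level in: by " + " ".join(clause)[:60])
            clause = []
        elif clause is not None:
            clause.append(t)
    return findings

def lint_ldif(ldif):
    return [lint_acl(v) for v in olc_access_values(ldif)]
```

Run on the text as posted, the first olcAccess value produces no findings and the second is flagged for the unclosed quote on its group.exact line.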
Re: TLSv1.3 support on openldap 2.4.44
by Shaheena Kazi
My product is a security product and hence I would like to stick to 2.4.44
or a version provided by buster i.e., 2.4.47.
Maybe 2.4.47 is a better option. What do you think?
On Tue, 11 Aug 2020 at 11:57 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Wednesday, August 12, 2020 12:43 AM +0530 Shaheena Kazi
> <shaheena.kazi(a)gmail.com> wrote:
>
> >
> > Hi Team,
> >
> >
> > I wanted to know if TLSv1.3 is supported on openldap 2.4.44.
> > openssl package which I would be using is - openssl-1.1.1d.tar.bz2 to
> > compile openldap.
>
> If you are building OpenLDAP yourself, you should use the most current
> release, not one that's over four years old.
>
> Build OpenLDAP 2.4.50, and it has TLS 1.3 support as long as the SSL
> library does.
>
> Regards,
> Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
--
Regards,
Shaheena K
3 years, 3 months
TLSv1.3 support on openldap 2.4.44
by Shaheena Kazi
Hi Team,
I wanted to know if TLSv1.3 is supported on openldap 2.4.44.
openssl package which I would be using is - openssl-1.1.1d.tar.bz2 to
compile openldap.
Awaiting your reply.
Regards,
Shaheena K
3 years, 3 months
Switching roles between 2 DCs
by Lothar Schilling
Dear Mr. Kania,
setting up a DC with Samba 4 and OpenLDAP I am still going exactly by
the rules in your book. I got to the point where I would switch, just
testing, roles from DC1 to DC2 and vice versa. Switching all roles from
DC1 to DC2 was a piece of cake, reswitching "domaindns" and "forestdns"
to DC1 wasn't, though:
samba-tool fsmo transfer --role=domaindns -k yes
Password for [MY_DOMAIN\root]:
Failed to bind - LDAP client internal error: NT_STATUS_LOGON_FAILURE
Failed to connect to 'ldap://1b3fd128-1bd3-40fb-bc6c-9f943cac6e9e._msdcs.MY_DOMAIN.NEW' with backend 'ldap': LDAP client internal error: NT_STATUS_LOGON_FAILURE
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_LOGON_FAILURE
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 528, in run
    transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 104, in transfer_dns_role
    credentials=creds, lp=lp)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 64, in __init__
    options=options)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 79, in connect
    options=options)
Any ideas?
Thank you
Lothar Schilling
3 years, 3 months
OpenLDAP crashes with search from PC
by a.leurs@consense-gmbh.de
I have a functional OpenLDAP service installed and configured on a Windows Server 2016.
From another Windows Server 2016 I can get a connection to the server and can search for results.
But when I start the search from a Windows 10 machine the server crashes and after that can't be accessed anymore.
I don't have the last parts of the log, but I can get it.
I know that is not much information, but does anybody have an idea how I can find out why the OpenLDAP server is crashing when accessed from a Windows 10 machine?
3 years, 4 months
LASTVALIDATIONDATE | Attribute error
by Technology Server
Dear,
We tried to import the data to an existing LDAP instance, but it gives the same
error about the attribute below.
str2entry: str2ad(LASTVALIDATIONDATE): attribute type undefined
slapadd: could not parse entry (line=1437875)
Can you please let me know what the significance of the (LASTVALIDATIONDATE)
attribute is? We don't see any such attribute. Kindly guide us.
3 years, 4 months