Bug#1010608: openldap: Flaky test test063-delta-multiprovider
--On Thursday, May 5, 2022 3:54 PM +0300 Adrian Bunk wrote: Source: openldap Version: 2.5.11+dfsg-1 Severity: seriou Tags: ftbfs X-Debbugs-Cc: Philipp Kern https://buildd.debian.org/status/fetch.php?pkg=openldap=amd64=2. 5.12%2Bdfsg-1=1651720566=0 https://tests.reproducible-builds.org/debian/rbuild/unstable/i386/openlda p_2.5.11+dfsg-1.rbuild.log.gz ... Starting test063-delta-multiprovider for mdb... running defines.sh Initializing server configurations... Starting server 1 on TCP/IP port 9011... Using ldapsearch to check that server 1 is running... Using ldapadd for context on server 1... Starting server 2 on TCP/IP port 9012... Using ldapsearch to check that server 2 is running... Starting server 3 on TCP/IP port 9013... Using ldapsearch to check that server 3 is running... Starting server 4 on TCP/IP port 9014... Using ldapsearch to check that server 4 is running... Using ldapadd to populate server 1... Waiting 7 seconds for syncrepl to receive changes... Using ldapsearch to read all the entries from server 1... Using ldapsearch to read all the entries from server 2... Using ldapsearch to read all the entries from server 3... Using ldapsearch to read all the entries from server 4... Comparing retrieved entries from server 1 and server 2... Comparing retrieved entries from server 1 and server 3... Comparing retrieved entries from server 1 and server 4... Using ldapadd to populate server 2... Using ldapsearch to read all the entries from server 1... Using ldapsearch to read all the entries from server 2... Using ldapsearch to read all the entries from server 3... Using ldapsearch to read all the entries from server 4... Comparing retrieved entries from server 1 and server 2... Comparing retrieved entries from server 1 and server 3... test failed - server 1 and server 3 databases differ test063-delta-multiprovider failed for mdb after 28 seconds The test suite is heavily timing dependent. If you're building in a resource constrainted environment, you'll need to adjust the timers accordingly. --Quanah
Bug#725091: [Pkg-openldap-devel] Bug#725091: Bug#725091: slapd with memory leak in active sync
--On Friday, October 18, 2013 1:39 PM +0200 Thomas Sesselmann thomas.sesselm...@uni-jena.de wrote: This would be the best option for us. Did you know when a new upstream version in unstable or experimental would be released? Until this we have to try to build our own package at 2.4.36 (the first trial is failed). 2.4.37 was released on Sunday. I would note that other people have had success building on ubuntu12 with: 18:05] paco11 i use checkinstall ./configure . ; make depend ; make ; sudo checkinstall -D --showinstall --pkgname=openldap --maintainer= --pkgversion=2.4.37 --pkgrelease=1 --pkglicense=GPL --pkggroup=checkinstall --requires=make,automake,gcc,libtool,libperl-dev,libdb5.1-dev,libssl-dev,libsasl2-dev [18:06] paco11 it's easy to use [18:09] paco11 and i modified 2 files from slapd debian package: /etc/default/slapd /etc/init.d/slapd to have /usr/local. and then update-rc.d slapd defaults [18:09] paco11 and nothing else You would of course need to use the configure options most relevant to you. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#725091: [Pkg-openldap-devel] Bug#725091: Bug#725091: slapd with memory leak in active sync
--On Tuesday, October 15, 2013 4:30 PM +0200 Thomas Sesselmann thomas.sesselm...@uni-jena.de wrote: Hi Ryan, Am 11.10.2013 00:44, schrieb Ryan Tandy: Hi Thomas, Sorry it took me so long to get back to you. I think the problem is that your slapd.conf uses LDAP Sync replication and not delta-syncrepl. I missed that at first because you have an accesslog database configured, so I assumed you were using delta-syncrepl, but your syncrepl consumers are actually not configured for it. we try to configure Delta-syncrepl and run in next issue :( The slapd on the slaves crashes immediately after modifying a group on memberof overlay. I can try to start in debug mode an the slave crashes after the next entry: Hi Thomas, I'm going to re-iterate again that you will need to upgrade to a current release if you want to do multi-master replication. I would also note that you'll need to get the recent fixes to slapo-memberof around replication that are going into OpenLDAP 2.4.37: Fixed slapo-memberof to not replicate internal ops (ITS#7710) --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#725091: [Pkg-openldap-devel] Bug#725091: slapd with memory leak in active sync
--On Tuesday, October 01, 2013 1:10 PM +0200 Thomas Sesselmann thomas.sesselm...@uni-jena.de wrote: Package: slapd Version: 2.4.31-1+nmu2 Severity: serious Distribution packages are not meant to be used for production services. There is even an FAQ about this fact on written by one of the previous Debian LDAP packagers on the OpenLDAP website: http://www.openldap.org/faq/data/cache/1456.html I would strongly advise you to build your own package of OpenLDAP for production use that live in their own location (/usr/local, /opt, etc). I suggest OpenLDAP 2.4.36 linked to OpenSSL for security reasons. In addition, you may wish to read the OpenLDAP changelog while your packages are building: http://www.openldap.org/software/release/changes.html Regards, Quanah -- Quanah Gibson-Mount Architect - Server Zimbra Software, LLC Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#725091: [Pkg-openldap-devel] Bug#725091: slapd with memory leak in active sync
--On Tuesday, October 01, 2013 12:12 PM -0700 Don Armstrong d...@debian.org wrote: If you don't have any useful responses to this bug (for example, linking to an ITS where this particular issue has been fixed or discussed), or want to help fixing or maintaining the openldap packages in Debian, please refrain from responding. I guess our definitions of useful differ. I'm offering advice that will allow the end user to have a working server. That, to me, is useful. The maintainers of distribution packages in distributions like Debian do intend for them to be used in production use, and openldap is no exception. Otherwise, we wouldn't bother making the packages in the first place. Funny. I suggest you read the FAQ I linked to. It was written for a reason *by* one of the Debian maintainers of the OpenLDAP package. And I also linked to the changelog, which lists all the variety of fixes to OpenLDAP since 2.4.31 was released 1.5 years ago. If Debian could keep a current build available to its users, then maybe I wouldn't have to constantly advise people not to use the Debian package. But as it stands, what Debian provides is not usable for a production service, and it should be avoided at all cost. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra Software, LLC Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#725091: [Pkg-openldap-devel] Bug#725091: slapd with memory leak in active sync
--On Tuesday, October 01, 2013 2:33 PM -0700 Steve Langasek vor...@debian.org wrote: Ten years of experience with this package shows me that there is no reason to expect the new versions upstream recommends to be any less buggy than the old ones you constantly slag Debian in our own BTS for shipping. Yes, shockingly, software evolves over time. And depending on the feature, yes, some things have had issues needing to be resolved more than others. Has back-bdb/hdb been stable for a long time? Yes. I've back-bdb since 2.2, and back-hdb since 2.3 on. Has MMR been stable? Not particularly. Delta-syncrepl MMR (Introduced in 2.4.27) has been quite stable, however. Essentially if Debian even had 2.4.33 rather than 2.4.31 available, then I doubt you'd see much if any traffic on bugs, as long as the end user used delta-syncrepl MMR if they were doing multi-master. As for that FAQ, Russ is entitled to his opinion about the best way to deploy an OpenLDAP server, as are you. But Russ is no longer a comaintainer of this package in Debian, and it is patently *false* to say that the distribution packages are not *meant* to be used for production services. If this is false, I've yet to see any evidence of Debian being capable of producing a package suitable for running a production service. As I said before, if Debian can do that, then I'll stop telling people to stop using it. This is no different than what I tell people running RHEL, SLES, etc. I'm really not aware of *any* distribution that can competently provide an OpenLDAP package to its community. RHEL is many ways is *much* worse than Debian, not only because of the age of their product, but because they also link to the god-awful MozNSS libraries. GnuTLS is at least a step up from that. Your persistent badmouthing of Debian, its package maintainers, and its processes in our own bug tracker is absolutely uncalled for. If you aren't actually interested in helping Debian improve its packages, then just go away. I'm trying to provide worthwhile advice to someone experiencing problems directly related to using the Debian package. As long as Debian only has 2.4.31 available to its users, then the *only* reasonable advise is to not use that package. Period. If you are blind to that *fact* I cannot help that. If you want to do something about it, since you *are* one of the packagers, then backport a newer version. Either way, you're picking a fight where there isn't one, and you have the ability to resolve the issue for all your users. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra Software, LLC Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#673038: [Pkg-openldap-devel] Bug#673038: please confirm if back-hdb is affected too
--On Wednesday, February 13, 2013 6:08 PM +0100 Giovanni Biscuolo g...@xelera.eu wrote: Hello, does the fact that the proposed patch (message #69 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673038#69) is just for back-bdb mean that back-hdb is not affected? back-bdb and back-hdb share 99% or more of their code, including the source files. Thus a fix to the back-bdb location is generally a fix to both backends. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#673038: Re: [Pkg-openldap-devel] Bug#673038: Bug#673038: slapd: slapcat output truncated every now and then
--On Thursday, February 07, 2013 7:45 PM +0100 Bálint Réczey bal...@balintreczey.hu wrote: tags 673038 + patch fixed-upstream thanks Hi All, 2013/1/28 Bálint Réczey bal...@balintreczey.hu: ... I think we're all in agreement that the code should be fixed. Please help to do that, if you can. Upstream has rejected the proposed fix. Since it seems I'm not familiar enough with upstream's plans and coding practices I'm not the best person to provide a fix. Upstream (Howard Chu, thanks!) has committed and alternate fix [1] [2]. Please consider back-porting it to Debian instead of using my patch. As noted in the follow up, this fix needs to be *tested* by someone who is affected. Not just grabbed and applied. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#673038: [Pkg-openldap-devel] Bug#673038: Bug#673038: slapd: slapcat output truncated every now and then
--On Tuesday, June 19, 2012 2:25 PM +0200 Axel Beckert a...@debian.org wrote: Hi Steve, Steve Langasek wrote: According to the slapcat man page it should be always safe to run slapcat with the slapd-bdb(5) ... backends even if slapd runs. We do use a BDB backend. Note that the HDB backend is the one recommended upstream and the Debian default. Well, yeah, that system has been dist-upgraded from at least Etch. IIRC it started at some time when BDB was still the default. I wrote that -- according to our backups -- this happened already with Lenny's slapd. But with Lenny it seemed to have happened less often (which is why we noticed it only recently). Personally, I would advise you to ask a question about this on openldap-techni...@openldap.org. I asked Howard about it, and he had a ready answer as to why you were seeing this, but I forget what it is. In any case, this is not a debian specific openldap bug. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#664930: [Pkg-openldap-devel] Bug#664930: Matthias' patch seems to be the correct action
--On Tuesday, May 01, 2012 10:12 AM +0200 Peter Marschall pe...@adpm.de wrote: So I consider Matthias' patch correct Best regards PEter PS: for me this patch made OpenLDAP 2.6.31 compile flawlessly. My guess is that OpenLDAP 2.6.anything would probably compile flawlessly against updated Heimdal code, since it'll be years before it's released. ;) --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#664930: [Pkg-openldap-devel] Bug#664930: Info received (FTBFS)
--On Monday, April 16, 2012 3:27 PM +0200 Mattias Ellert mattias.ell...@fysast.uu.se wrote: Hi! No other suggestion put forward. I will do a bin NMU in a few days unless there are other solutions proposed. Mattias Hi Mattias, I've filed a bug with upstream (http://www.openldap.org/its/index.cgi/?findid=7247) on this issue. That would be the correct place for this to be fixed. What version of Heimdal was Debian using previously? What version of Heimdal is Debian using that you encountered this error against? Thanks! --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#664930: [Pkg-openldap-devel] Bug#664930: Bug#664930: Info received (FTBFS)
--On Monday, April 16, 2012 10:17 AM -0700 Quanah Gibson-Mount qua...@zimbra.com wrote: --On Monday, April 16, 2012 3:27 PM +0200 Mattias Ellert mattias.ell...@fysast.uu.se wrote: Hi! No other suggestion put forward. I will do a bin NMU in a few days unless there are other solutions proposed. Mattias Hi Mattias, I've filed a bug with upstream (http://www.openldap.org/its/index.cgi/?findid=7247) on this issue. That would be the correct place for this to be fixed. What version of Heimdal was Debian using previously? What version of Heimdal is Debian using that you encountered this error against? Hi Mattias, I looked at the latest source for Heimdal (1.5.2) that is available. This header change does not exist there. What version of Heimdal is Debian using? --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#663644: [Pkg-openldap-devel] Bug#663644: [CVE-2012-1164] openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry
--On Monday, March 12, 2012 11:34 PM +0100 Luciano Bello luci...@debian.org wrote: Package: openldap Severity: grave Tags: security patch The following vulnerability had been reported against openssl: I think you mean OpenLDAP. Note that you have to be using slapo-translucent and slapo-rwm, which very few people do. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#651700: [Pkg-openldap-devel] Bug#651700: Bug#651700: slapd: BDB library version mismatch
--On Wednesday, January 04, 2012 6:01 PM -0800 Russ Allbery r...@debian.org wrote: Do you think that's sufficient, or should I clarify this further? No, I think that's fine. I'm just a little worried that we'll get bitten by some future libdb change, but actually OpenLDAP may serve as an excellent canary there. If libdb changes either the file format or the ABI in a way that isn't compatible without changing the SONAME, that's an RC bug in libdb from Debian's perspective and it's something we'd rather know about than not, since we need to fix it regardless of OpenLDAP's use of the package. Personally, I'm hoping Debian will dump back-bdb/back-hdb entirely once back-mdb is stable. ;) --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#651700: [Pkg-openldap-devel] Bug#651700: BDB version ...
--On Wednesday, December 21, 2011 12:16 AM +0100 JP P jp.po...@bbox.fr wrote: Hello, I had to find a suitable version of the BDB library (libdb5.1_5.1.25-11), empty the /var/lib/ldap/ and launch slapd to have the DB rebuilt. As the server is a slave server after a few minutes the DB was resynchronized and all is OK now. But the package in unstable is still unusable. The version of BDB that OpenLDAP is built against must be used. Your other fix would have been to simply rebuild the OpenLDAP package against the version of BDB in unstable. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#651700: [Pkg-openldap-devel] Bug#651700: slapd: BDB library version mismatch
--On Monday, December 12, 2011 1:29 PM -0800 Quanah Gibson-Mount qua...@zimbra.com wrote: --On Sunday, December 11, 2011 12:14 PM +0100 stor...@club-internet.fr jp.po...@izzop.net wrote: Package: slapd Version: 2.4.25-4+b1 Severity: important Dear Maintainer, I think that the openldap package was not compiled with the last version : bdb_back_initialize: BDB library version mismatch: expected Berkeley DB 5.1.25: (January 28, 2011) got Berkeley DB 5.1.29: (October 25, 2011). slapd stopped. Actually this indicates that OpenLDAP was recompiled with the latest BDB version (5.1.29). It is complaining about the fact that your database was created using the 5.1.25 version, and thus it refuses to start. Ugh, nm, misread that. OpenLDAP was compiled using 5.1.25, and the libs were updated to 5.1.29. OpenLDAP *must* be recompiled against 5.1.29 as well in that case. If that is done, then everything will move along happily. This is by design because Oracle/Sleepycat has made API changes in patch level releases before. back-hdb/bdb *must* be compiled against the exact BDB library version they are linked to. In this case, the patch level does matter. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#651700: [Pkg-openldap-devel] Bug#651700: slapd: BDB library version mismatch
--On Sunday, December 11, 2011 12:14 PM +0100 stor...@club-internet.fr jp.po...@izzop.net wrote: Package: slapd Version: 2.4.25-4+b1 Severity: important Dear Maintainer, I think that the openldap package was not compiled with the last version : bdb_back_initialize: BDB library version mismatch: expected Berkeley DB 5.1.25: (January 28, 2011) got Berkeley DB 5.1.29: (October 25, 2011). slapd stopped. Actually this indicates that OpenLDAP was recompiled with the latest BDB version (5.1.29). It is complaining about the fact that your database was created using the 5.1.25 version, and thus it refuses to start. The correct behavior on Debian's part is to export the database(s) prior to updating the BDB library via slapcat, and then reimport it via slapadd post upgrade. OpenLDAP is working as designed. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#651700: [Pkg-openldap-devel] Bug#651700: slapd: BDB library version mismatch
--On Monday, December 12, 2011 10:54 PM +0100 Julien Cristau jcris...@debian.org wrote: On Mon, Dec 12, 2011 at 13:35:50 -0800, Quanah Gibson-Mount wrote: OpenLDAP was compiled using 5.1.25, and the libs were updated to 5.1.29. OpenLDAP *must* be recompiled against 5.1.29 as well in that case. If that is done, then everything will move along happily. This is by design because Oracle/Sleepycat has made API changes in patch level releases before. back-hdb/bdb *must* be compiled against the exact BDB library version they are linked to. In this case, the patch level does matter. If bdb breaks ABI then it needs to bump SONAME. If it doesn't then apps compiled against an earlier version must still work. A check for the patchlevel version is just broken. Feel free to take that up with Oracle. ;) Until they fix their development practices, the OpenLDAP behavior remains. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#628237: [Pkg-openldap-devel] Bug#628237: OpenLDAP vs. SASL - what happened
--On Thursday, July 14, 2011 7:45 PM +0200 Ralph Rößner roess...@capcom.de wrote: Now you could argue that Cyrus upstream should not do that, i.e. breaking the plugin ABI for a step release but that argument is two years late (which is how long the .24 has been around). There is no cyrus-sasl 2.1.24 release. There is a release candidate, which when I tested it, had a series of serious flaws. Why anyone would add that to a distribution is beyond me. The latest release of cyrus-sasl is 2.1.23. I find it significant that after 2 years there still remains no official 2.1.24 release after the numerous issue reports that were filtered back to the project. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#628237: Bug#628237: OpenLDAP vs. SASL - what happened
--On Thursday, July 14, 2011 2:09 PM -0500 Dan White dwh...@olp.net wrote: There's been quite a bit of new work even since the 2.1.24rc1 tarball, including work corresponding to the newer IETF SASL standards (GS2, SCRAM, and channel binding), so I wouldn't be surprised to see another version bump before the next release. The package in Debian is actually based on CVS HEAD, and should be in much better shape than 2.1.24rc1 was. Please file any outstanding issues against the sasl packages, and I'll try to filter those to upstream developers as appropriate. Thanks Dan, Much appreciated! --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#618904: [Pkg-openldap-devel] Bug#618904: openldap 2.4.23 slapd server process frequently hangs during everyday use
--On Friday, March 25, 2011 2:33 PM + Mark Cave-Ayland mark.cave-ayl...@siriusit.co.uk wrote: That's true, although no-one really showed any interest after I could verify that 2.4.24 fixed the issue. If you're still interested, I'll see if I can spend some time at the beginning of next week to come up with a reproducible test case. That's because for upstream, we would expect you to use the latest release. If you want Debian to fix it, they will need to use the same release they pushed out with squeeze (2.4.23), so they will need to know what is causing the problem so they can find the specific fix that resolves your issue. Most likely, since you filed the bug, they would hope you would track it down, since you are the only person who has ever encountered it, making it particularly difficult for the Debian maintainers to eve know where start to look for a solution. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#618904: [Pkg-openldap-devel] Bug#618904: openldap 2.4.23 slapd server process frequently hangs during everyday use
--On Saturday, March 19, 2011 1:00 PM + Mark Cave-Ayland mark.cave-ayl...@siriusit.co.uk wrote: Package: slapd Version: 2.4.23-7 Severity: critical Tags: squeeze After upgrading our LDAP server from lenny (2.4.11) to squeeze (2.4.23), we have found that the slapd process frequently hangs when adding new objects to the LDAP tree. The server freezes and will not accept any new connections until it is forcibly terminated with kill -9 and then the slapd process restarted. I would note that you are the only person using OpenLDAP 2.4.23 since it was released on 6/10/2010 to report this issue. So while I concur this is a serious issue for your use of OpenLDAP, it is also somehow related to your specific OpenLDAP configuration. You never provided your configuration in the upstream discussion that I can find, so it's difficult to know what you've done specifically in your environment that is causing the problem to show up. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#593550: [Pkg-openldap-devel] Bug#593550: A fix
--On August 19, 2010 11:03:19 AM +0200 Matthijs Mohlmann matth...@cacholong.nl wrote: On Aug 19, 2010, at 10:32 AM, Michael Rasmussen wrote: Hi, A way to fix this: apt-get install db4.7-util cd /var/lib/ldap db4.7_checkpoint -1 db4.7_recover dpkg --configure -a Thanks for the fix, but I do not understand why your environment is still 4.7 The 2.4.23-2 version should already have db 4.8 as default. I'll investigate what's going on here. What version was being migrated from (i.e., what version of BDB was openldap linked against?). If it was prior to BDB 4.8, then you have to do a slapcat/slapadd of the database (I assume that's already being done), but before that, it is critical to completely checkpoint the database via db_recover (one of the steps taken above). --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#593550: [Pkg-openldap-devel] Bug#593550: A fix
--On August 19, 2010 10:41:51 PM +0200 Michael Rasmussen m...@datanom.net wrote: On Thu, 19 Aug 2010 09:19:55 -0700 Quanah Gibson-Mount qua...@zimbra.com wrote: What version was being migrated from (i.e., what version of BDB was openldap linked against?). If it was prior to BDB 4.8, then you have to do a slapcat/slapadd of the database (I assume that's already being done), but before that, it is critical to completely checkpoint the database via db_recover (one of the steps taken above). I think this is the key question. Apparently the db-tools cannot handle a migration from = 4.7 to 4.8 in which case the only reliable way to do this is slapcat/slapadd. Correct, it is never possible to use db-tools to upgrade OpenLDAP Databases across BDB versions. The only method is slapcat/slapadd. I'd also note that BDB 4.8 versions prior to 4.8.30 are not reliable and should be avoided (Not sure what's in debian atm). --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#589915: [Pkg-openldap-devel] Bug#589915: slapd: service is not operational when the init.d script exits during boot
--On Friday, July 23, 2010 9:13 PM +0200 Matthijs Möhlmann matth...@cacholong.nl wrote: I'm not sure if I understand you correctly, you say 'The time slapd can take to start depends on if it is a first time startup.' What do you mean by 'first time startup' ? First time startup for the given DB_CONFIG setting. How long it takes to start depends on the cachesize value set in the DB_CONFIG file. If this is the very first time slapd has ever started, or if they've changed that cachesize value, then the BDB environment has to be created (or recreated). slapd will not start listening until that is finished. If I have a 128GB BDB cachesize, slapd will take a lot longer to start than if it is 8GB. etc. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#589915: [Pkg-openldap-devel] Bug#589915: slapd: service is not operational when the init.d script exits during boot
--On Friday, July 23, 2010 9:01 PM +0200 Matthijs Möhlmann matth...@cacholong.nl wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 It can take 3 minutes or more to have the OpenLDAP server operational, should we wait that long in the initscript? Are there objections to for example, wait for 5 seconds and try if the server is up, if not do that again forever? I'm going to do some tests with pdns too, with the bind backend it is possible that it can take up a few seconds before operational, but I have to test that. The time slapd can take to start depends on if it is a first time startup. If it is, it has to initialize the BDB environment. How long the BDB environment takes to initialize depends on its size. There is no set amount of time it can take to start. The largest environment I've dealt with was over 1TB in size. It took a very very long time to start the first time. ;) --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#579221: [Pkg-openldap-devel] Bug#579221: Bug#579221: openldap: FTBFS on kfreebsd-*: error: missing binary operator before token long
--On Sunday, May 23, 2010 10:39 PM +0200 Julien Cristau jcris...@debian.org wrote: sys/ioctl.h should be enough, and it sounds like TIOCNOTTY *is* defined in your build. A quick test on the kfreebsd-amd64 porter box shows that TIOCNOTTY expands as: ((unsigned long) ((0x2000) | (((0) 0x1fff) 16) | ((('t')) 8) | ((113 from sys/ioccom.h: # define _IOC(inout,group,num,len) ((unsigned long) \ ((inout) | (((len) IOCPARM_MASK) 16) | ((group) 8) | (num))) # define _IO(g,n)_IOC(IOC_VOID, (g), (n), 0) Testing for defined(TIOCNOTTY) instead would probably fix it, I think? Noted in the upstream ITS: http://www.openldap.org/its/index.cgi/?findid=6534 --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#579221: [Pkg-openldap-devel] Bug#579221: Bug#579221: openldap: FTBFS on kfreebsd-*: error: missing binary operator before token long
--On Thursday, April 29, 2010 12:58 PM +0200 Cyril Brulebois k...@debian.org wrote: Hello, Quanah Gibson-Mount qua...@zimbra.com (28/04/2010): TIOCNOTTY is defined in a system header file. If the build is failing on this elif, it sounds like you have a missing system header while doing the build. Please report which OS header defines TIOCNOTTY on your BSD based box. k...@kbsd:~$ grep TIOCNOTTY /usr/include/ -r /usr/include/sys/ttycom.h:#define TIOCNOTTY _IO('t', 113) /* void tty association */ k...@kbsd:~$ grep ttycom.h -r /usr/include/ /usr/include/sys/tty.h:#include sys/ttycom.h /usr/include/bits/ioctls.h:#include sys/ttycom.h Looks like you may want sys/tty.h here? Thanks! I'll follow up with upstream on this. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#579221: [Pkg-openldap-devel] Bug#579221: Bug#579221: openldap: FTBFS on kfreebsd-*: error: missing binary operator before token long
--On Monday, April 26, 2010 8:10 AM -0700 Quanah Gibson-Mount qua...@zimbra.com wrote: --On Monday, April 26, 2010 12:57 PM +0200 Cyril Brulebois k...@debian.org wrote: Source: openldap Version: 2.4.21-1 Severity: serious Justification: FTBFS User: debian-...@lists.debian.org Usertags: kfreebsd Filed upstream as: http://www.openldap.org/its/index.cgi/?findid=6534 Further note: TIOCNOTTY is defined in a system header file. If the build is failing on this elif, it sounds like you have a missing system header while doing the build. Please report which OS header defines TIOCNOTTY on your BSD based box. Unfortunately your suggested patch is not valid, see http://www.openldap.org/lists/openldap-bugs/201004/msg00074.html Regards, Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#579221: [Pkg-openldap-devel] Bug#579221: openldap: FTBFS on kfreebsd-*: error: missing binary operator before token long
--On Monday, April 26, 2010 12:57 PM +0200 Cyril Brulebois k...@debian.org wrote: Source: openldap Version: 2.4.21-1 Severity: serious Justification: FTBFS User: debian-...@lists.debian.org Usertags: kfreebsd Filed upstream as: http://www.openldap.org/its/index.cgi/?findid=6534 --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#553432: [Pkg-openldap-devel] Bug#553432: Bug#553432: Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
--On Saturday, October 31, 2009 9:13 AM -0700 Quanah Gibson-Mount qua...@zimbra.com wrote: Also, if Debian's still supporting anything based on OL 2.3, I have a clean patch for this issue for it as well. 2.3 patch attached if needed. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration ITS6239.patch Description: Binary data
Bug#553432: [Pkg-openldap-devel] Bug#553432: Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
--On Tuesday, November 10, 2009 6:58 PM +0100 Giuseppe Iuculano iucul...@debian.org wrote: Hi, Quanah Gibson-Mount wrote: Also, if Debian's still supporting anything based on OL 2.3, I have a clean patch for this issue for it as well. Could you send the patch for OL 2.3 please? Sent it this morning already. :) --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#553432: [Pkg-openldap-devel] Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
--On Saturday, October 31, 2009 10:57 AM +0100 Giuseppe Iuculano iucul...@debian.org wrote: Package: openldap Severity: grave Tags: security patch This was fixed in OpenLDAP 2.4.18 (Just to note). Also, how easily someone can set up a rogue LDAP server masquarading as someone else's ldap server seems not particularly simple to do. I.e., this requires someone to set up an LDAP server with a bad cert, and then intercept someone elses ldap client traffic to that server. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#553432: [Pkg-openldap-devel] Bug#553432: Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
--On Saturday, October 31, 2009 8:47 AM -0700 Quanah Gibson-Mount qua...@zimbra.com wrote: --On Saturday, October 31, 2009 10:57 AM +0100 Giuseppe Iuculano iucul...@debian.org wrote: Package: openldap Severity: grave Tags: security patch This was fixed in OpenLDAP 2.4.18 (Just to note). Also, how easily someone can set up a rogue LDAP server masquarading as someone else's ldap server seems not particularly simple to do. I.e., this requires someone to set up an LDAP server with a bad cert, and then intercept someone elses ldap client traffic to that server. Also, if Debian's still supporting anything based on OL 2.3, I have a clean patch for this issue for it as well. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#474161: [Pkg-openldap-devel] Bug#474161: Bug#474161: slapd crashes in modify operations
--On Thursday, April 03, 2008 12:42 PM -0700 Quanah Gibson-Mount [EMAIL PROTECTED] wrote: --On Thursday, April 03, 2008 4:42 PM -0300 Fernando Augusto Medeiros Silva [EMAIL PROTECTED] wrote: Package: slapd Version: 2.4.7-6.1 Severity: grave Justification: renders package unusable I would suggest filing this upstream, most likely as a follow-on to ITS#5450. I went ahead and did this for you. The bug is now fixed in CVS, and will be in OpenLDAP 2.4.9. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#474161: [Pkg-openldap-devel] Bug#474161: Bug#474161: slapd crashes in modify operations
--On Friday, April 04, 2008 11:01 AM -0300 Fernando Augusto Medeiros Silva [EMAIL PROTECTED] wrote: Hi, Thanks for your promptness! Is there release date for this? When it is ready. :) --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#474161: [Pkg-openldap-devel] Bug#474161: Bug#474161: slapd crashes in modify operations
--On Friday, April 04, 2008 3:36 PM -0300 Fernando Augusto Medeiros Silva [EMAIL PROTECTED] wrote: Ok, sorry for the stupid question ;) is there any workaround? it's a complete blocking problem. Why is this happening just with me? It isn't happening just to you, which is why there was already an upstream ITS about the issue. ;) The fix is to patch servers/slapd/modify.c with the one line change here: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modify.c.diff?r1=1.301r2=1.302hideattic=1sortbydate=0f=h and to patch servers/slapd/back-bdb/modify.c with the one line change here: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-bdb/modify.c.diff?r1=1.173r2=1.174hideattic=1sortbydate=0f=h Perhaps the debian maintainers will do this for the debian packages. Otherwise you'll need to rebuild the debian package with those patches yourself. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#474161: [Pkg-openldap-devel] Bug#474161: slapd crashes in modify operations
--On Thursday, April 03, 2008 4:42 PM -0300 Fernando Augusto Medeiros Silva [EMAIL PROTECTED] wrote: Package: slapd Version: 2.4.7-6.1 Severity: grave Justification: renders package unusable I would suggest filing this upstream, most likely as a follow-on to ITS#5450. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#471253: [Pkg-openldap-devel] Bug#471253: slapd hangs and eats 100%cpu with syncrepl statements
--On Monday, March 17, 2008 9:48 AM +0100 Mathieu PARENT [EMAIL PROTECTED] wrote: Hi, On Mon, Mar 17, 2008 at 12:06 AM, Quanah Gibson-Mount [EMAIL PROTECTED] wrote: --On Sunday, March 16, 2008 11:40 PM +0100 Mathieu Parent [EMAIL PROTECTED] wrote: Package: slapd Version: 2.4.7-5 Severity: critical What's your slapd.conf file? It's already attached : complete and reduced testcase (http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;bug=471253). Note that if if remove the ''syncprov-checkpoint 1024 16'' line, it doesn't hang anymore. This issue is already known upstream and will be fixed in 2.4.9. Remove the syncprov-checkpoint for the time being. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#471253: [Pkg-openldap-devel] Bug#471253: slapd hangs and eats 100%cpu with syncrepl statements
--On Monday, March 17, 2008 10:13 AM +0100 Mathieu PARENT [EMAIL PROTECTED] wrote: Maybe you have the upstream bug # ? http://www.openldap.org/its/index.cgi/?findid=5407 -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#471253: [Pkg-openldap-devel] Bug#471253: slapd hangs and eats 100%cpu with syncrepl statements
--On Sunday, March 16, 2008 11:40 PM +0100 Mathieu Parent [EMAIL PROTECTED] wrote: Package: slapd Version: 2.4.7-5 Severity: critical What's your slapd.conf file? --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem
--On Tuesday, January 29, 2008 12:09 PM -0800 Steve Langasek [EMAIL PROTECTED] wrote: On Tue, Jan 29, 2008 at 08:27:03PM +0100, T.A. van Roermund wrote: Steve Langasek wrote: Well, I can reproduce the problem when using this value for TLSCipherSuite. But why would you set this value, rather than leaving TLSCipherSuite blank to use the default? I don't see the point of listing *all* the cipher types if you don't intend to exclude some of them. If I leave it blank, it still doesn't work. The behaviour is then exactly equal to the current situation. Ok. Does your certificate have a proper cn, matching the fqdn of your server? That's the only other case where I can reproduce the described behavior, but I don't know if that's a behavior change relative to the OpenSSL version. (I would have hoped that OpenSSL would also refuse to negotiate SSL/TLS with a server whose cn doesn't match the hostname being connected to, since this subverts the SSL security model.) OpenLDAP compiled with OpenSSL behaves the same way. i.e, the cn in the cert must match the servername (or the fields on subjectAltName, etc). --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Bug#462588: Bug#462588: Same problem
--On Tuesday, January 29, 2008 10:18 PM +0100 T.A. van Roermund [EMAIL PROTECTED] wrote: FQDN: server-timo.van-roermund.nl CN: van-roermund.nl Will that be the problem? If so, then the behaviour of GnuTLS *is* different from the behavious of OpenSSL. I will test it and let you know. That would be a problem if server-timo.van-roermud.nl is not in subjectAltName for the certs. Standard OpenLDAP 2.3 against OpenSSL would also not accept that cert. I don't know why the previous debian package would have allowed it, unless it was related to the old hacked libldap libraries (are those replaced now?). --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Bug#462588: Same problem
--On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek [EMAIL PROTECTED] wrote: Anyway, the documented syntax for TLSCipherSuite is $cipher1:$cipher2, not $cipher1 $cipher2; but setting such values gives me a hang on startup (which should be investigated). Filed upstream: http://www.OpenLDAP.org/its/index.cgi?findid=5341 --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#462588: [Pkg-openldap-devel] Bug#462588: Bug#462588: Same problem
--On Saturday, January 26, 2008 12:33 PM +0100 T.A. van Roermund [EMAIL PROTECTED] wrote: Quanah Gibson-Mount wrote: Have you verified whether or not you can connect using LDAPS via the command line tools? (ldapsearch, ldapwhoami, etc). Yes I did: $ ldapsearch -H ldaps://localhost:636/ -X cn=admin ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) Have you verified that port 636 is open? I.e., telnet localhost 636 --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#462588: [Pkg-openldap-devel] Bug#462588: Same problem
--On Saturday, January 26, 2008 1:01 AM +0100 T.A. van Roermund [EMAIL PROTECTED] wrote: Hi, I have the same problem. Following your suggestion, I listed all the cipher suites using gnutls-cli -l and tried all of them. Now, slapd does start, but still Thunderbird cannot connect to the daemon, no matter which cipher suite was selected. Have you verified whether or not you can connect using LDAPS via the command line tools? (ldapsearch, ldapwhoami, etc). --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#462588: [Pkg-openldap-devel] Bug#462588: Fails to start slapd ldaps:/// on upgrade
--On Saturday, January 26, 2008 8:16 AM +1100 Alex Samad [EMAIL PROTECTED] wrote: Package: slapd Version: 2.4.7-3+b1 Severity: grave Justification: renders package unusable OpenLDAP 2.4.7 in Debian uses GnuTLS now instead of OpenSSL. GnuTLS uses a different set of cipher suites. I would advise reading the GnuTLS documentation and picking something appropriate. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#440632: [Pkg-openldap-devel] Bug#440632: ldapadd with 'objectClasses' instead of 'objectClass' brings slapd down
--On Monday, September 03, 2007 11:23 AM +0200 Thomas Sesselmann [EMAIL PROTECTED] wrote: Upstream bug#5119. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#316389: [Pkg-db-devel] Bug#316389: Please apply this patch
--On Thursday, March 22, 2007 10:15 AM -0400 Clint Adams [EMAIL PROTECTED] wrote: The bug listed here incorrectly links to my site. It should have linked to the official BDB site, as this bug is from the BDB folks themselves. http://www.oracle.com/technology/products/berkeley-db/db/update/4.2.52/ patch.4.2.52.html In particular, this is patch #5. It is *required* for the later OpenLDAP 2.2 and all of OpenLDAP 2.3 to work right. The severity here needs to raised to grave, as the OpenLDAP distributed with etch cannot function correctly without this patch. Just to clarify here for all fascinated readers: This bug is, or was originally, about the patch at http://www.openldap.org/devel/cvsweb.cgi/~checkout~/build/Attic/BerkeleyD B42.patch?rev=1.5.4.1hideattic=1sortbydate=0 According to OpenLDAP CVS commit logs and this Faq-O-Matic entry, http://www.openldap.org/faq/data/cache/44.html this unofficial BDB patch is obsoleted by OpenLDAP 2.3. The vendor patch to which Quanah refers was the subject of a brief mailing list thread beginning here http://lists.alioth.debian.org/pipermail/pkg-db-devel/2007-February/00115 7.html and continuing here http://lists.alioth.debian.org/pipermail/pkg-db-devel/2007-March/001161.h tml but no bug report was generated as a result of that thread as far as I am aware. In the interest of making me less confused, I am presently going to make a new bug that is explicitly about vendor patch #5. Thanks! --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#397673: [Pkg-openldap-devel] Bug#397673: CVE-2006-5779: OpenLDAP BIND Denial of Service Vulnerability
--On Wednesday, November 08, 2006 10:53 PM +0100 Stefan Fritsch [EMAIL PROTECTED] wrote: Can you supply actual details? This statement isn't very useful without them. Ups. Of course: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779 http://secunia.com/advisories/22750 Proof of concept exploit (not tested) is at http://gleg.net/vulndisco_meta.shtml I think upstream should handle this, I've already contacted the other OL developers. Of course, this guy is using CRAM-MD5, which isn't even a support SASL mech for OpenLDAP, so it is an interesting bug... --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#397673: [Pkg-openldap-devel] Bug#397673: CVE-2006-5779: OpenLDAP BIND Denial of Service Vulnerability
--On Wednesday, November 08, 2006 9:40 PM +0100 Stefan Fritsch [EMAIL PROTECTED] wrote: Package: slapd Severity: grave Tags: security Justification: user security hole A vulnerability has been found in openldap: Evgeny Legerov has reported a vulnerability in OpenLDAP, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when processing certain BIND requests. This can be exploited to cause a crash by sending specially crafted BIND requests to an OpenLDAP server. The vulnerability is reported in OpenLDAP version 2.2.29. Other versions may also be affected. Can you supply actual details? This statement isn't very useful without them. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#397673: [Pkg-openldap-devel] Bug#397673: CVE-2006-5779: OpenLDAP BIND Denial of Service Vulnerability
--On Wednesday, November 08, 2006 1:56 PM -0800 Quanah Gibson-Mount [EMAIL PROTECTED] wrote: --On Wednesday, November 08, 2006 10:53 PM +0100 Stefan Fritsch [EMAIL PROTECTED] wrote: Can you supply actual details? This statement isn't very useful without them. Ups. Of course: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779 http://secunia.com/advisories/22750 Proof of concept exploit (not tested) is at http://gleg.net/vulndisco_meta.shtml I think upstream should handle this, I've already contacted the other OL developers. Of course, this guy is using CRAM-MD5, which isn't even a support SASL mech for OpenLDAP, so it is an interesting bug... Upstream patch available at: http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/getdn.c getdn.c 1.124.2.4 - 1.124.2.5 --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#361846: [Pkg-openldap-devel] Bug#361846: reopening 361846, reassign 361846 to slapd
--On Tuesday, October 03, 2006 12:14 AM +0200 Peter Eisentraut [EMAIL PROTECTED] wrote: Steinar H. Gunderson wrote: Or are you claiming that anything implementing the schema from a copyrighted RFC falls under that license? I am talking strictly about the core.schema file as shipped. The Internet Society license in the file says: this document itself may not be modified in any way. Which means it's not free. I don't know how that got there or to what extent it applies, but that's what it says, so I have to assume it's true. If it is not applicable, the text should be qualified or removed. The earlier bug thread contains other suggestions on how to deal with this. Significant parts of core.schema are hard coded into OpenLDAP. And I'm pretty sure just about all LDAP servers implement core.schema. And amazingly, no license problems. And, as I read it, it doesn't say the document can't be modified. In fact, it quite clearly says the document *can* be modified: ## Portions Copyright (C) The Internet Society (1997-2003). ## All Rights Reserved. ## ## This document and translations of it may be copied and furnished to ## others, and derivative works that comment on or otherwise explain it ## or assist in its implementation may be prepared, copied, published ## and distributed, in whole or in part, without restriction of any ## kind, provided that the above copyright notice and this paragraph are ## included on all such copies and derivative works. However, this ## document itself may not be modified in any way, such as by removing ## the copyright notice or references to the Internet Society or other ## Internet organizations, except as needed for the purpose of ## developing Internet standards in which case the procedures for ## copyrights defined in the Internet Standards process must be ## followed, or as required to translate it into languages other than ## English. ## ## The limited permissions granted above are perpetual and will not be ## revoked by the Internet Society or its successors or assigns. ## ## This document and the information contained herein is provided on an ## AS IS basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING ## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION ## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF ## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. What it says, is that you cannot modify or remove the license, at least the way I read it. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#365409: [Pkg-openldap-devel] Bug#365409: slapd: segfaults on entry modify
--On Sunday, June 04, 2006 9:15 PM +0200 Steinar H. Gunderson [EMAIL PROTECTED] wrote: On Sun, Jun 04, 2006 at 08:43:47PM +0200, Steinar H. Gunderson wrote: I'm completely unable to reproduce this. Scrap that; I can reproduce it now. I just didn't see that slapd segfaulted... Debugging now. Is it possible to reproduce in 2.3.24? Or just the rather old 2.2.x version? --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#365409: [Pkg-openldap-devel] Bug#365409: slapd: segfaults on entry modify
--On Monday, June 05, 2006 1:58 AM +0200 Steinar H. Gunderson [EMAIL PROTECTED] wrote: On Mon, Jun 05, 2006 at 12:42:57AM +0200, Steinar H. Gunderson wrote: OK, the problem doesn't show up at -O0, which supports the theory that it's some kind of overflow issue. I'm starting a build with -O2 now -- perhaps it can be caught using valgrind on a slightly faster platform, though... OK, valgrind didn't catch it, but I believe in the theory of a stack smashing problem (which valgrind won't catch; bounds-checking gcc would, though). Since this is a bug with OpenLDAP, I would highly advise opening an ITS with OpenLDAP at: http://www.openldap.org/its/ I would include the URL to the bug in debian, since it has the gdb backtrace and other information contained in it. --Quanah -- Quanah Gibson-Mount QA Engineer http://www.openldap.org -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#365409: [Pkg-openldap-devel] Bug#365409: slapd: segfaults on entry modify
--On Sunday, June 04, 2006 7:36 PM -0700 Steve Langasek [EMAIL PROTECTED] wrote: On Sun, Jun 04, 2006 at 07:28:14PM -0700, Quanah Gibson-Mount wrote: On Mon, Jun 05, 2006 at 12:42:57AM +0200, Steinar H. Gunderson wrote: OK, the problem doesn't show up at -O0, which supports the theory that it's some kind of overflow issue. I'm starting a build with -O2 now -- perhaps it can be caught using valgrind on a slightly faster platform, though... OK, valgrind didn't catch it, but I believe in the theory of a stack smashing problem (which valgrind won't catch; bounds-checking gcc would, though). Since this is a bug with OpenLDAP Is that certain? It looks just as likely to be a compiler bug to me. Oh.. I misunderstood. ;) If it isn't an OpenLDAP thing, then I guess no ITS. ;) I thought it wasn't completely specific to the ARM platform. --Quanah -- Quanah Gibson-Mount QA Engineer http://www.openldap.org -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#308906: Bug #308906
Hi Steve, To answer your first question, the 64 bit patch was in response to: http://www.openldap.org/its/index.cgi/Build?id=3691 I'm curious what you think is incorrect about that particular patch. As for the serious issue in 2.2.23, it is not addressed by any of my posted patches, they address other issues. It was pulled in 2.2.25: OpenLDAP 2.2.25 Release Removed broken libldap fast synchronous search result processing (ITS#3612) --Quanah -- Quanah Gibson-Mount Principal Software Developer ITSS/Shared Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html These censorship operations against schools and libraries are stronger than ever in the present religio-political climate. They often focus on fantasy and sf books, which foster that deadly enemy to bigotry and blind faith, the imagination. -- Ursula K. Le Guin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#308906: Bug #308906
--On Friday, May 13, 2005 5:06 PM -0700 Steve Langasek [EMAIL PROTECTED] wrote: Hi Quanah, On Fri, May 13, 2005 at 04:51:14PM -0700, Quanah Gibson-Mount wrote: To answer your first question, the 64 bit patch was in response to: http://www.openldap.org/its/index.cgi/Build?id=3691 I'm curious what you think is incorrect about that particular patch. I simply don't know that it's necessary once the root cause of Debian bug # 304549 is addressed. Doubling the stack size for 64-bit archs is fine, # but at least in my 64-bit tests, slapd works fine once the library linkage is fixed so that slapd threads actually *get* the requested 4MB stack instead of a default 2MB one. If this patch is known to fix a real problem, and not merely supposed to fix one, then by all means it should be added. Ah. Yes, it is known to fix a real problem. ;) As for the serious issue in 2.2.23, it is not addressed by any of my posted patches, they address other issues. It was pulled in 2.2.25: OpenLDAP 2.2.25 Release Removed broken libldap fast synchronous search result processing (ITS#3612) The bug log suggests that this problem is specific to 2.2.24, which we're not shipping. (We're shipping 2.2.23.) Hm, yeah, you're right. I got the backing down to 2.2.23 from 2.2.24 as a solution mixed up. However, I would note the large number of bugs fixed between 2.2.23 2.2.26, including several crash fixes. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITSS/Shared Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html These censorship operations against schools and libraries are stronger than ever in the present religio-political climate. They often focus on fantasy and sf books, which foster that deadly enemy to bigotry and blind faith, the imagination. -- Ursula K. Le Guin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]