Your message dated Sat, 12 Aug 2017 16:17:11 +0000
with message-id <>
and subject line Bug#868753: fixed in openldap 2.4.44+dfsg-5+deb9u1
has caused the Debian Bug report #868753,
regarding slapd: endless replication loop with 3-way delta-MMR
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact

Debian Bug Tracking System
Contact with problems
--- Begin Message ---
Package: slapd
Version: 2.4.44+dfsg-5
Severity: important

Dear Maintainer,

We noticed several issues related to delta-syncrepl in a 3-way
multi-master setup. The issues seem to be caused by bugs in upstream,
which are fixed in upstream version of Openldap 2.4.45.
We successfully tested a build of Openldap 2.4.45: All issues (1-4)
seem to be resolved.

Please find below the list of issues 1-4 (incl. possibly rel. ITS#):

1. Endless replication loop after fast subsequent modifications

Related ITS#:

- ITS#8432: Never ending operation modifications with 3+ MMR nodes

Steps to reproduce:

- Modify attribute A of cn=00000,ou=tt,dc=phys,dc=ethz,dc=ch on phd-aa1
- Wait for a short period of time (<= ~10-100ms), or not at all.
- At this point the change was most probably not yet synced to the other
  nodes, before that sync happens, repeat the modify:
- Modify attribute A of cn=00000,ou=tt,dc=phys,dc=ethz,dc=ch on phd-aa1
- Now the 3 slapds are somehow in a loop, sending cookies forever
- Sometimes a restart of all slapds helps to kill the loop
- Sometimes a stop of at least 2 slapds was nessecary to kill the loop
- Subsequent modifications had to occur in a variable time frame lower
  than 10-100 ms in my tests to cause the loop.


- Endless syncrepl loop, 100% CPU load on all nodes

2. Occasionally slapd hangs on shutdown

Steps to reproduce:

- Occasionally when restarting/stopping the slapd service (using
  `systemctl restart/stop slapd`), process hangs with 100% CPU load.
- Only a `kill -9 <PID>` helps. In the logs is stated that slapd is
  waiting for some tasks: `slapd shutdown: waiting for 2
  operations/tasks to finish`

3. Occasionally slapd crashes when another master is restarted

Possibly (not sure) related ITS# (same symptoms: slapd crash):

- ITS#8413: Assertion in back-mdb/search.c during replication

Steps to reproduce:

- Occasionally when making an update using ldapmodify and after that
  restarting slapd on the same host, it happens that slapd process on
  one of the other masters crashes (nothing showing in the error log)

4. Unwilling slapd after service restart (Error code 53)

This seems to be a temporary hickup under some circumstances, which
fixes itself after another ldapmodify on the unwillig slapd.

Steps to reproduce:

- Setup phd-aa1 (ID 000): initial master config + add data dump
- Setup phd-aa2 (ID 001): replicates all data
- Setup phd-aa3 (ID 002): replicates all data
- Test replication using ldapmodify of an attribute on each master
  separately: all syncing correctly
- Restart slapd on phd-aa1: all ok (all syncing)
- Restart slapd on phd-aa2: now this one starts reporting in the logs
  that phd-aa1 (rid=004) is unwilling:
  `do_syncrep2: rid=004 (53) Server is unwilling to perform`
- Restart slapd on phd-aa3: now this one starts reporting the same.
- Syncrepl tries to reconnect according to the retry parameter interval,
  logging the error above on each cycle.
- After another ldapmodify on phd-aa1 all masters are syncing correctly
  the error message above is gone, all logs look ok.

For more information on the exact setup and configuration,
please refer to:


-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages slapd depends on:
ii  adduser                            3.115
ii  coreutils                          8.26-3
ii  debconf [debconf-2.0]              1.5.61
ii  libc6                              2.24-11+deb9u1
ii  libdb5.3                           5.3.28-12+b1
ii  libgnutls30                        3.5.8-5+deb9u1
ii  libldap-2.4-2                      2.4.44+dfsg-5
ii  libltdl7                           2.4.6-2
ii  libodbc1                           2.3.4-1
ii  libperl5.24 [libmime-base64-perl]  5.24.1-3
ii  libsasl2-2                         2.1.27~101-g0780600+dfsg-3
ii  libwrap0                           7.6.q-26
ii  lsb-base                           9.20161125
ii  perl                               5.24.1-3
ii  psmisc                             22.21-2.1+b2

Versions of packages slapd recommends:
ii  libsasl2-modules  2.1.27~101-g0780600+dfsg-3

Versions of packages slapd suggests:
ii  ldap-utils                   2.4.44+dfsg-5
ii  libsasl2-modules-gssapi-mit  2.1.27~101-g0780600+dfsg-3

-- debconf information excluded

--- End Message ---
--- Begin Message ---
Source: openldap
Source-Version: 2.4.44+dfsg-5+deb9u1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Ryan Tandy <> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Hash: SHA512

Format: 1.8
Date: Thu, 10 Aug 2017 12:12:46 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-common 
libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source
Version: 2.4.44+dfsg-5+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian OpenLDAP Maintainers 
Changed-By: Ryan Tandy <>
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap-common - OpenLDAP common files for libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 820244 860774 860947 864719 868753
 openldap (2.4.44+dfsg-5+deb9u1) stretch; urgency=medium
   * Relax the dependency of libldap-2.4-2 on libldap-common to also permit
     later versions. (Closes: #860774)
   * Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until
     the underlying kernel bug #866122 is fixed.
   * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
   * Import upstream patch to avoid reading the value of the
     LDAP_OPT_X_TLS_REQUIRE_CERT option from previously freed memory.
     (ITS#8385) (Closes: #820244)
   * Import upstream patch to fix potential endless replication loop in a
     multi-master delta-syncrepl scenario with 3 or more nodes.
     (ITS#8432) (Closes: #868753)
   * Import upstream patches to fix memory corruption caused by calling
     sasl_client_init() multiple times and possibly concurrently.
     (ITS#8648) (Closes: #860947)
 9cfaa4a157f37fd1e77df1605e0d7c886aecc42b 3009 openldap_2.4.44+dfsg-5+deb9u1.dsc
 9b7a6f58266c688ea90c8c79f989673330edebe9 165640 
 49a6e5b8c90cd3743d29854e2c07a31cfc420075d3368832a7c4e16e47c6aaae 3009 
 06c3aa004b251b5acd036f26db245bfc5207811acf42d20dc02850eb60afb6bd 165640 
 d243ee69c455d1433e9fd35db5fc04f0 3009 net optional 
 5823b2c03024bb2fbad10cd9537239df 165640 net optional 



--- End Message ---

Reply via email to