Bug#1040382: slapd: debian12 ships with slapd-2.5.13+dfsg-5 which crashes (segfault in dynlist.la).

[Quanah Gibson-Mount]

--On Tuesday, April 2, 2024 11:32 PM +0200 Bernhard Übelacker 
 wrote:



On Wed, 24 Jan 2024 15:07:46 +0100 wouldsmina 
wrote:

2024-01-24T09:38:16.810558+01:00 ldap kernel: [ 1553.168747]
slapd[13335]: segfault at 0 ip 7fc2370b49c1 sp 7fbd359fc0c0
error 4 in dynlist-2.5.so.0.1.8[7fc2370b1000+6000] likely on CPU 1 (core
0, socket 2) 2024-01-24T09:38:16.810568+01:00 ldap kernel: [
1553.168761] Code: 48 29 d0 48 89 d7 48 89 c1 31 c0 83 c1 6c c1 e9 03 f3
48 ab 48 8b 84 24 10 02 00 00 4c 89 ef c7 84 24 a0 00 00 00 03 00 00 00
<48> 8b 00 ff 50 78 44 39 73 64 74 09 45 84 e4 0f 85 22 03 00 00 48


Hello,
I tried to get back to the source line of this dmesg output, maybe it is
of any help.

It points to:
dynlist_search at ../../../../../servers/slapd/overlays/dynlist.c:1817
1817(void)o.o_bd->be_search( ,  );

This is the same line shown in the attachment of the upstream bug report.


The fix for this issue is already committed upstream and was part of the 
OpenLDAP 2.5.17 and 2.6.7 releases.  Generally the requirement at this 
point would be for Debian to pull in the fix (if it hasn't already).


Regards,
Quanah

Bug#1065633: openldap: FTBFS on hppa - implicit declaration of function 'kadm5_s_init_with_password_ctx'

[Quanah Gibson-Mount]

--On Thursday, March 7, 2024 5:41 PM + John David Anglin 
 wrote:



Source: openldap
Version: 2.5.13+dfsg-5+b4
Severity: normal
Tags: ftbfs

Dear Maintainer,

See:
https://buildd.debian.org/status/fetch.php?pkg=openldap=hppa=2.5
.13%2Bdfsg-5%2Bb4=1709830559=0

smbk5pwd.c: In function 'smbk5pwd_modules_init':
smbk5pwd.c:917:23: error: implicit declaration of function
'kadm5_s_init_with_password_ctx'; did you mean
'kadm5_init_with_password_ctx'?
[-Werror=implicit-function-declaration]   917 | ret =
kadm5_s_init_with_password_ctx( context,   |
^~


Maybe you're missing a header?  This is a standard Heimdal function:



Or, Debian failed to properly package the Heimdal includes.  But this 
doesn't seem to be the right place to report the issue.


--Quanah

Bug#1040382: slapd: debian12 ships with slapd-2.5.13+dfsg-5 which crashes (segfault in dynlist.la).

[Quanah Gibson-Mount]

--On Wednesday, January 24, 2024 3:07 PM +0100 wouldsmina 
 wrote:





Hello,


I am experiencing the same issue. Here are the logs I obtain in the
syslog: 
2024-01-24T09:38:16.810558+01:00 ldap kernel: [ 1553.168747]
slapd[13335]: segfault at 0 ip 7fc2370b49c1 sp 7fbd359fc0c0 error
4 in dynlist-2.5.so.0.1.8[7fc2370b1000+6000] likely on CPU 1 (core 0,
socket 2)
2024-01-24T09:38:16.810568+01:00 ldap kernel: [ 1553.168761] Code: 48 29
d0 48 89 d7 48 89 c1 31 c0 83 c1 6c c1 e9 03 f3 48 ab 48 8b 84 24 10 02
00 00 4c 89 ef c7 84 24 a0 00 00 00 03 00 00 00 <48> 8b 00 ff 50 78 44 39
73 64 74 09 45 84 e4 0f 85 22 03 00 00 48
2024-01-24T09:38:16.840012+01:00 ldap slapd[13342]: Stopping OpenLDAP:
slapd.


To reproduce, simply activate the dynlist module and try to make an LDAP
query. In slapd.conf add:

moduleload   dynlist
overlay dynlist


Likely .

--Quanah

Bug#1052265: ldap.conf.5: some remarks and editorial changes for this man page

[Quanah Gibson-Mount]

--On Wednesday, September 27, 2023 12:58 AM + Bjarni Ingi Gislason 
 wrote:



General best practice at the moment is to:

a) Open a bug in the OpenLDAP bugzilla: https://bugs.openldap.org

b) sign up for an account on the openldap gitlab instance
https://git.openldap.org, fork the openldap repo to your own user, and
then submit a PR with the change.

Regards,
Quanah



  Thanks for the tips.

  I find this to be too much extra work for probably a one time
involvement.

  The simplest solution is to just forward my remarks to upstream as
these are only suggestions.


Hello,

Then best to open a bug as noted above and put your remarks there.

--Quanah

Bug#1052265: ldap.conf.5: some remarks and editorial changes for this man page

[Quanah Gibson-Mount]

--On Monday, September 25, 2023 8:59 AM -0700 Ryan Tandy  
wrote:



Control: tag -1 moreinfo

Hello Bjarni, thank you for your contribution.

The man page is maintained upstream. May I ask you to submit your changes
directly to the OpenLDAP project? (It's better if you can do so yourself,
than if I do it on your behalf.)

There is a guide for contributors:
. They will probably ask
you to format your patch as unified diff (diff -u) or a git branch.


General best practice at the moment is to:

a) Open a bug in the OpenLDAP bugzilla: https://bugs.openldap.org

b) sign up for an account on the openldap gitlab instance 
https://git.openldap.org, fork the openldap repo to your own user, and then 
submit a PR with the change.


Regards,
Quanah

Bug#1051349: slapd: DoS after some 'Too many open files'?

[Quanah Gibson-Mount]

--On Wednesday, September 6, 2023 5:43 PM +0200 Patrice Duroux 
 wrote:



Package: slapd
Version: 2.5.13+dfsg-5
Severity: normal

Dear Maintainer,

This happens on one physical machine using a Debian Bookworm and only
dedicated to NFS/LDAP services.
I never faced this before for years with Bulleyes before upgrading to
Bookworm.

Looking into log files there are the following messages:


You need to increase the number of file descriptors available to slapd. 
You're hitting this issue because Debian compiles with the 
--enable-wrappers flag for tcp wrappers.


With systemd, you can change the number of file descriptors available with 
the

"LimitNOFILE" option.

For example:

[Service]
...
LimitNOFILE=8192

To increase the limit to 8,192 available file descriptors to the slapd 
process.  I don't know what defaults Debian allows in regards to file 
descriptors for slapd in their default package.


Regards,
Quanah

Bug#877512: slapd: enabled systemd integration (untested patch)

[Quanah Gibson-Mount]

--On Thursday, June 29, 2023 12:27 PM +0200 Andreas Henriksson 
 wrote:



Feel free to file a bug upstream if you think the current configure.ac
code needs adjustment.

[...]

It's my impression that configure.ac is missing a call to:

PKG_PROG_PKG_CONFIG(0.29)

Thus the PKG_CONFIG variable will be unset, and thus the PKG_CHECK_*
macros will just skip over and do nothing.


FWIW you do have this:
m4_ifndef([PKG_PREREQ],
[m4_fatal([must install pkg-config 0.29 or later before running
autoconf/autogen])])
... but that only seems to check that pkg.m4 is new enough, not that
the actual pkg-config binary/utility exists.

Adding `PKG_PROG_PKG_CONFIG(0.29)` directly after the m4_ifndef and
rebuilding gave me the expected systemdsystemunitdir=/lib/systemd/system
(as systemd.pc says on debian) rather than the hardcoded fallbacks.


Please file a bug at https://bugs.openldap.org :)

Regards,
Quanah

Bug#877512: slapd: enabled systemd integration (untested patch)

[Quanah Gibson-Mount]

--On Wednesday, June 28, 2023 2:03 PM -0700 Ryan Tandy  
wrote:



Another (lower priority) thing I meant to look into is the sd_notify(3)
support. Enabling that means changing the service type and adding the -d
flag to stop slapd from detaching.


Yep, you want -d 0 specifically.

--Quanah

Bug#877512: slapd: enabled systemd integration (untested patch)

[Quanah Gibson-Mount]

--On Wednesday, June 28, 2023 10:49 AM -0700 Ryan Tandy  
wrote:





TODO: For unknown reason configure seems to want to use
/usr/lib/systemd/system (rather than /lib/systemd/system) despite the
precense of systemd.pc ... the configure script has hard-coded fallback
paths...


Thanks for noting this, definitely sounds like something we need to look
into.


Feel free to file a bug upstream if you think the current configure.ac code 
needs adjustment.


   PKG_CHECK_VAR(systemdsystemunitdir, systemd, systemdsystemunitdir)
   if test -z "$systemdsystemunitdir"; then
   if test -d /usr/lib/systemd/system; then
   systemdsystemunitdir=/usr/lib/systemd/system
   else
   systemdsystemunitdir=/lib/systemd/system
   fi
   fi


--Quanah

Bug#1030716: openldap: password/sha2 produces incorrect SHA256

[Quanah Gibson-Mount]

--On Monday, February 6, 2023 8:32 PM -0800 Ryan Tandy  
wrote:



Thanks for the patch and info.

One additional data point: openldap 2.5.13 in bullseye-backports (gcc
10.2.1-6) seems to be OK.


This was reported previously and is clearly a bug with gcc.



--Quanah

Bug#1030716: openldap: password/sha2 produces incorrect SHA256

[Quanah Gibson-Mount]

--On Monday, February 6, 2023 2:51 PM -0300 Andreas Hasenack 
 wrote:



- updating the module to use gnutls or openssl, whatever openldap ends
up being linked with


This would require rewriting the module, since it currently contains all 
the SHA code internally and doesn't rely on an external SSL library. 
Contributions welcome upstream, although this module really should just be 
phased out (see below).



- not building/shipping this module


That would break anyone who currently has SHA-512 hashes in their OpenLDAP 
instance, so probably not feasible.


People generally should be migrating away from this module to the ARGON2 
module instead though.


--Quanah

Bug#1024057: slapd: service restart does not always restart slapd

[Quanah Gibson-Mount]

--On Thursday, November 17, 2022 8:39 PM + Alister Winfield 
 wrote:



Last time I had this slapd was waiting until all clients disconnect..
Perhaps that still happens.


This would not be the case.  In fact you can see from the log snippet that 
was provided that when slapd got a shutdown notice, it disconnected all the 
existing clients (which caused a lot of the connection_read messages).


--Quanah

Bug#1024057: slapd: service restart does not always restart slapd

[Quanah Gibson-Mount]

--On Tuesday, November 15, 2022 7:16 AM + Mike Gabriel 
 wrote:



Nov 13 07:17:04 server slapd[11167]: connection_read(17): no connection!
Nov 13 07:17:04 server slapd[11167]: connection_read(17): no connection!
Nov 13 07:17:04 server slapd[11167]: connection_read(17): no connection!
Nov 13 07:17:04 server slapd[11167]: connection_read(17): no connection!
Nov 13 07:17:04 server slapd[11167]: connection_read(17): no connection!
Nov 13 07:17:04 server slapd[11167]: connection_read(17): no connection!

After this failure and before I finally restart stop/start slapd, I get
hundreds of these connection_read: no connection! lines. Sprinkled across
the log. Sometimes 10 in a row, sometimes many 100.



You can ignore those messages.  It purely means a client disconnected 
without performing an unbind request.  They are informational messages. 
You'll likely need to increase the slapd logging level to get any useful 
information from the logs. I  would suggest starting with "stat" level 
logging.


Regards,
Quanah

Bug#1010608: openldap: Flaky test test063-delta-multiprovider

[Quanah Gibson-Mount]

--On Thursday, May 5, 2022 3:54 PM +0300 Adrian Bunk  
wrote:



Source: openldap
Version: 2.5.11+dfsg-1
Severity: seriou
Tags: ftbfs
X-Debbugs-Cc: Philipp Kern 

https://buildd.debian.org/status/fetch.php?pkg=openldap=amd64=2.
5.12%2Bdfsg-1=1651720566=0
https://tests.reproducible-builds.org/debian/rbuild/unstable/i386/openlda
p_2.5.11+dfsg-1.rbuild.log.gz

...

Starting test063-delta-multiprovider for mdb...

running defines.sh
Initializing server configurations...
Starting server 1 on TCP/IP port 9011...
Using ldapsearch to check that server 1 is running...
Using ldapadd for context on server 1...
Starting server 2 on TCP/IP port 9012...
Using ldapsearch to check that server 2 is running...
Starting server 3 on TCP/IP port 9013...
Using ldapsearch to check that server 3 is running...
Starting server 4 on TCP/IP port 9014...
Using ldapsearch to check that server 4 is running...
Using ldapadd to populate server 1...
Waiting 7 seconds for syncrepl to receive changes...
Using ldapsearch to read all the entries from server 1...
Using ldapsearch to read all the entries from server 2...
Using ldapsearch to read all the entries from server 3...
Using ldapsearch to read all the entries from server 4...
Comparing retrieved entries from server 1 and server 2...
Comparing retrieved entries from server 1 and server 3...
Comparing retrieved entries from server 1 and server 4...
Using ldapadd to populate server 2...
Using ldapsearch to read all the entries from server 1...
Using ldapsearch to read all the entries from server 2...
Using ldapsearch to read all the entries from server 3...
Using ldapsearch to read all the entries from server 4...
Comparing retrieved entries from server 1 and server 2...
Comparing retrieved entries from server 1 and server 3...
test failed - server 1 and server 3 databases differ

test063-delta-multiprovider failed for mdb after 28 seconds



The test suite is heavily timing dependent.  If you're building in a 
resource constrainted environment, you'll need to adjust the timers 
accordingly.


--Quanah

Bug#976991: libldap-2.4-2:amd64: Please consider building with openssl instead of gnutls

[Quanah Gibson-Mount]

--On Wednesday, February 2, 2022 12:53 PM -0600 Matt Zagrabelny 
 wrote:



On Wed, Dec 9, 2020 at 2:23 PM Ryan Tandy  wrote:



I have indeed heard that we consider openssl to be a system library now,
and a couple of people pointed out that it's no longer mentioned in
ftp-master's REJECT-FAQ. On the other hand at least one person has
raised concerns[1] about whether it's a valid approach.


I'm not familiar with the OpenLDAP Public License. Is it compatible
with Apache v2 license? That is the license for openssl v3.


That's the license for OpenSSL 3 and later.  Earlier OpenSSL versions use a 
BSD style license.


OpenLDAP is a BSD style license and fully compatible with either OpenSSL 
licenses.


There is currently no OpenLDAP release with OpenSSL 3 support (although 
this should be fixed in the next 2.6 series release).  However other 
components that OpenLDAP depends on may also lack OpenSSL 3 support (such 
as cyrus-sasl).


Regards,
Quanah

Bug#991274: Package libldap-2.4-2 was built without LDAP_CONNECTIONLESS

[Quanah Gibson-Mount]

--On Monday, July 19, 2021 9:59 AM -0700 Ryan Tandy  wrote:


Why does the new version of sssd require this? Can it not remain optional
on their side, if it was in the past?

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539421 for the
previous request about LDAP_CONNECTIONLESS. As far as I know the upstream
status hasn't changed...


I've noted as much in the github issue.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Bug#977123: Aw: Re: Re: Bug#977123: ldapadd: simple authentication works without setting of -x

[Quanah Gibson-Mount]

--On Tuesday, December 15, 2020 11:45 AM -0800 Quanah Gibson-Mount 
 wrote:





--On Tuesday, December 15, 2020 7:06 PM +0100 werner.heu...@web.de wrote:


Hi Quanah,

I just did a fresh install on another Debian 10 system and tried

ldapdelete -D "cn=admin,dc=nodomain" -W "cn=admin,dc=nodomain" -n -v
ldap_initialize(  )
Enter LDAP Password:
!deleting entry "cn=admin,dc=nodomain"


Hi Werner,

I was able to reproduce the behavior with ldapdelete, thanks. I'll
consult with upstream, since it's not a Debian specific issue.


Hi Werner,

There is no bug here.  If the -D option is supplied to the ldap utilities, 
it immediately implies a simple bind, and the -x option is not required. 
You can see this in the source code:


   if (authmethod == -1 && protocol > LDAP_VERSION2) {
#ifdef HAVE_CYRUS_SASL
   if ( binddn != NULL ) {
   authmethod = LDAP_AUTH_SIMPLE;
   } else {
   authmethod = LDAP_AUTH_SASL;
   }
#else
   authmethod = LDAP_AUTH_SIMPLE;
#endif


Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Bug#977123: Aw: Re: Re: Bug#977123: ldapadd: simple authentication works without setting of -x

[Quanah Gibson-Mount]

--On Tuesday, December 15, 2020 7:06 PM +0100 werner.heu...@web.de wrote:


Hi Quanah,

I just did a fresh install on another Debian 10 system and tried

ldapdelete -D "cn=admin,dc=nodomain" -W "cn=admin,dc=nodomain" -n -v
ldap_initialize(  )
Enter LDAP Password:
!deleting entry "cn=admin,dc=nodomain"


Hi Werner,

I was able to reproduce the behavior with ldapdelete, thanks. I'll consult 
with upstream, since it's not a Debian specific issue.


Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Bug#977123: Aw: Re: Bug#977123: ldapadd: simple authentication works without setting of -x

[Quanah Gibson-Mount]

--On Saturday, December 12, 2020 3:38 PM +0100 werner.heu...@web.de wrote:


Hi Quanah,

thank you for your support. I have double checked again:
- I use a static configuration with slapd.conf
- slapd was startet from the command line
- with no ACLs
- no $HOME/.ldaprc
- default Debian /etc/ldap/ldap.conf
- no aliases for ldap-clients

ldapwhoami, ldapsearch _require_ -x for simple binds without SASL
ldapadd, and also ldapdelete work _without_ -x (and of course with -x)
when I try to connect to a slapd running on the same machine.


Hi Werner,

I installed slapd via: apt install slapd

on my Debian 10 buster system.

I then run:

root@d10build:~# ldapadd
SASL/DIGEST-MD5 authentication started
Please enter your password:

So it immediately starts a SASL/DIGEST-MD5 bind, as expected.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Bug#977123: ldapadd: simple authentication works without setting of -x

[Quanah Gibson-Mount]

--On Friday, December 11, 2020 8:20 AM +0100 David Damago 
 wrote:



Package: ldap-utils
Version: 2.4.47+dfsg-3+deb10u4
Severity: minor
Tags: upstream

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hello,

ldapadd used without -x and without SASL of course performs
a simple bind and add entries to the OpenLDAP server. Other
LDAP clients, e.g. ldapsearch, ldapwhoami, .. still
require -x for simple authentication.

Thank you,


Hi Werner,

I do not see such behavior when using ldapadd against a publicly available 
ldap server:


root@d10build:/var/log# ldapadd -H ldap://ldap.stanford.edu
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
   additional info: SASL(-4): no mechanism available: No worthy mechs 
found



Instead, without -x, ldapadd immediately moves on to trying a SASL bind.

Are you sure there isn't something providing defaults to the ldap client, 
such as an ~/.ldaprc file or modified /etc/ldap/ldap.conf?


Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Bug#976991: libldap-2.4-2:amd64: Please consider building with openssl instead of gnutls

[Quanah Gibson-Mount]

I read over the source of the rlm_ldap module and the freeradius 
src/lib/ldap code, and it does specifically require functionality that's 
only implemented for OpenSSL inside of libldap (such as the TLS Min 
protocol) that are ignored for GnuTLS.


So for freeradius to work with a GnuTLS compiled libldap would require 
modifying the freeradius source code accordingly, which may be a bit of 
work.  It also seems unlikely the freeradius project would be interested in 
taking any such work back as they are only implementing on OpenSSL.


The best solution long term may simply be to switch to OpenSSL for OpenLDAP 
starting with the 2.5 release series in Debian.


Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Bug#725091: [Pkg-openldap-devel] Bug#725091: Bug#725091: slapd with memory leak in active sync

[Quanah Gibson-Mount]

--On Friday, October 18, 2013 1:39 PM +0200 Thomas Sesselmann 
thomas.sesselm...@uni-jena.de wrote:




This would be the best option for us. Did you know when a new
upstream version in unstable or experimental would be released?

Until this we have to try to build our own package at 2.4.36
(the first trial is failed).


2.4.37 was released on Sunday.

I would note that other people have had success building on ubuntu12 with:

18:05] paco11 i use checkinstall  ./configure . ; make depend ; make 
; sudo checkinstall -D --showinstall --pkgname=openldap --maintainer= 
--pkgversion=2.4.37 --pkgrelease=1 --pkglicense=GPL --pkggroup=checkinstall 
--requires=make,automake,gcc,libtool,libperl-dev,libdb5.1-dev,libssl-dev,libsasl2-dev

[18:06] paco11 it's easy to use
[18:09] paco11 and i modified 2 files from slapd debian package: 
/etc/default/slapd  /etc/init.d/slapd to have /usr/local. and then  
update-rc.d slapd defaults

[18:09] paco11 and nothing else

You would of course need to use the configure options most relevant to you.


--Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#725091: [Pkg-openldap-devel] Bug#725091: Bug#725091: slapd with memory leak in active sync

[Quanah Gibson-Mount]

--On Tuesday, October 15, 2013 4:30 PM +0200 Thomas Sesselmann 
thomas.sesselm...@uni-jena.de wrote:



Hi Ryan,

Am 11.10.2013 00:44, schrieb Ryan Tandy: Hi Thomas,


Sorry it took me so long to get back to you.

I think the problem is that your slapd.conf uses LDAP Sync replication
and not delta-syncrepl. I missed that at first because you have an
accesslog database configured, so I assumed you were using
delta-syncrepl, but your syncrepl consumers are actually not
configured for it.


we try to configure Delta-syncrepl and run in next issue :(

The slapd on the slaves crashes immediately after modifying a group
on memberof overlay. I can try to start in debug mode an the slave
crashes after the next entry:


Hi Thomas,

I'm going to re-iterate again that you will need to upgrade to a current 
release if you want to do multi-master replication.


I would also note that you'll need to get the recent fixes to 
slapo-memberof around replication that are going into OpenLDAP 2.4.37:


   Fixed slapo-memberof to not replicate internal ops (ITS#7710)


--Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#725153: [Pkg-openldap-devel] Bug#725153: Bug#725153: Bug#725153: migrate to libnss3

[Quanah Gibson-Mount]

--On Tuesday, October 08, 2013 12:30 PM +0100 Alister Winfield 
alis...@ticklers.org wrote:



My 2p worth. Just a reminder interactions between packages and ssl
libraries can be a 'nightmare' especially dynamic modules. Anything that
depends on pick your favourite SSL library then getting a 'different'
but API almost compatible SSL lib loaded by pulling in a module is
destined to crash and burn in a variety of entertaining ways.


Yes, I remember the issues caused by openssl and gnutls both being loaded 
up into the symbol space from the past as well.


Also, I would carefully consider the negative security implications of 
using MozNSS as detailed in the  thread I listed.


--Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra Software, LLC

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#725153: [Pkg-openldap-devel] Bug#725153: Bug#725153: migrate to libnss3

[Quanah Gibson-Mount]

--On Sunday, October 06, 2013 8:36 PM -0700 Steve Langasek 
vor...@debian.org wrote:



I've also considered whether we should do two separate builds of libldap,
one for internal consumption by slapd (probably statically linking) and
using OpenSSL, and one for use by third-party packages and using a
license-compatible TLS implementation... whether that's gnutls, or NSS.
If NSS is a suitable implementation to use for libldap generally (even if
not for slapd), that would seem to be the best option to solve both the
389ds bug and get us away from a stale version of gnutls.


Hi Steve,

There's some discussion about MozNSS (and initialization in fact...) here:

http://www.openldap.org/lists/openldap-devel/201204/threads.html

Specifically the thread on proposal, library error codes for TLS failures

Regards,
Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra Software, LLC

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#725091: [Pkg-openldap-devel] Bug#725091: slapd with memory leak in active sync

[Quanah Gibson-Mount]

--On Tuesday, October 01, 2013 1:10 PM +0200 Thomas Sesselmann 
thomas.sesselm...@uni-jena.de wrote:




Package: slapd
Version: 2.4.31-1+nmu2
Severity: serious


Distribution packages are not meant to be used for production services. 
There is even an FAQ about this fact on written by one of the previous 
Debian LDAP packagers on the OpenLDAP website:


http://www.openldap.org/faq/data/cache/1456.html

I would strongly advise you to build your own package of OpenLDAP for 
production use that live in their own location (/usr/local, /opt, etc).  I 
suggest OpenLDAP 2.4.36 linked to OpenSSL for security reasons.


In addition, you may wish to read the OpenLDAP changelog while your 
packages are building:


http://www.openldap.org/software/release/changes.html

Regards,
Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra Software, LLC

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#725091: [Pkg-openldap-devel] Bug#725091: slapd with memory leak in active sync

[Quanah Gibson-Mount]

--On Tuesday, October 01, 2013 12:12 PM -0700 Don Armstrong 
d...@debian.org wrote:



If you don't have any useful responses to this bug (for example, linking
to an ITS where this particular issue has been fixed or discussed), or
want to help fixing or maintaining the openldap packages in Debian,
please refrain from responding.


I guess our definitions of useful differ.  I'm offering advice that will 
allow the end user to have a working server.  That, to me, is useful.



The maintainers of distribution packages in distributions like Debian do
intend for them to be used in production use, and openldap is no
exception. Otherwise, we wouldn't bother making the packages in the
first place.


Funny.  I suggest you read the FAQ I linked to.  It was written for a 
reason *by* one of the Debian maintainers of the OpenLDAP package.  And I 
also linked to the changelog, which lists all the variety of fixes to 
OpenLDAP since 2.4.31 was released 1.5 years ago.


If Debian could keep a current build available to its users, then maybe I 
wouldn't have to constantly advise people not to use the Debian package. 
But as it stands, what Debian provides is not usable for a production 
service, and it should be avoided at all cost.


--Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra Software, LLC

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#725091: [Pkg-openldap-devel] Bug#725091: slapd with memory leak in active sync

[Quanah Gibson-Mount]

--On Tuesday, October 01, 2013 2:33 PM -0700 Steve Langasek 
vor...@debian.org wrote:

Ten years of experience with this package shows me that there is no reason
to expect the new versions upstream recommends to be any less buggy than
the old ones you constantly slag Debian in our own BTS for shipping.


Yes, shockingly, software evolves over time.  And depending on the feature, 
yes, some things have had issues needing to be resolved more than others. 
Has back-bdb/hdb been stable for a long time? Yes.  I've back-bdb since 
2.2, and back-hdb since 2.3 on.  Has MMR been stable?  Not particularly. 
Delta-syncrepl MMR (Introduced in 2.4.27) has been quite stable, however. 
Essentially if Debian even had 2.4.33 rather than 2.4.31 available, then I 
doubt you'd see much if any traffic on bugs, as long as the end user used 
delta-syncrepl MMR if they were doing multi-master.




As for that FAQ, Russ is entitled to his opinion about the best way to
deploy an OpenLDAP server, as are you.  But Russ is no longer a
comaintainer of this package in Debian, and it is patently *false* to say
that the distribution packages are not *meant* to be used for production
services.


If this is false, I've yet to see any evidence of Debian being capable of 
producing a package suitable for running a production service.  As I said 
before, if Debian can do that, then I'll stop telling people to stop using 
it.  This is no different than what I tell people running RHEL, SLES, etc. 
I'm really not aware of *any* distribution that can competently provide an 
OpenLDAP package to its community.  RHEL is many ways is *much* worse than 
Debian, not only because of the age of their product, but because they also 
link to the god-awful MozNSS libraries.  GnuTLS is at least a step up from 
that.



Your persistent badmouthing of Debian, its package maintainers, and its
processes in our own bug tracker is absolutely uncalled for.  If you
aren't actually interested in helping Debian improve its packages, then
just go away.


I'm trying to provide worthwhile advice to someone experiencing problems 
directly related to using the Debian package.  As long as Debian only has 
2.4.31 available to its users, then the *only* reasonable advise is to not 
use that package.  Period.  If you are blind to that *fact* I cannot help 
that.  If you want to do something about it, since you *are* one of the 
packagers, then backport a newer version.


Either way, you're picking a fight where there isn't one, and you have the 
ability to resolve the issue for all your users.


--Quanah


--

Quanah Gibson-Mount
Architect - Server
Zimbra Software, LLC

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#722090: [Pkg-openldap-devel] Bug#722090: slapd: slapindex on back_mdb directory expands without limit, leading to failure

[Quanah Gibson-Mount]

--On Saturday, September 07, 2013 7:07 PM + Jeremy Brandon Roman 
jbro...@csclub.uwaterloo.ca wrote:



Package: slapd
Version: 2.4.31-1+nmu2
Severity: normal

Dear Maintainer,

I just had to rebuild my LDAP directory because I made the mistake of
trying to reindex my back_mdb data (after changing indexes in
slapd.conf). The file grew until it hit its limit; increasing the limit
did not solve this.

This issue seems to be known and solved in upstream:
http://www.openldap.org/lists/openldap-bugs/201209/msg00034.html


To get a fully stable back-mdb, you need OpenLDAP 2.4.36.

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

[Quanah Gibson-Mount]

--On Thursday, July 25, 2013 3:17 PM +1000 Brian May 
br...@microcomaustralia.com.au wrote:



The original bug reporter said The newer version included several added
attributes (PWDCHANGEDTIME, PWDHISTORY, PWDFAILURETIME, PWDGRACEUSETIME)
which are needed e.g. by GoSA.


However if I look for these, they are commented out.


I would advise you take the time to read the ppolicy.c source file, which 
defines these attributes.  This means any time the ppolicy module is 
loaded, they are present.  If you don't find them in your server schema, 
then you've failed to correctly load the ppolicy module.


} pwd_OpSchema[] = {
   {   ( 1.3.6.1.4.1.42.2.27.8.1.16 
   NAME ( 'pwdChangedTime' ) 
   DESC 'The time the password was last changed' 
   EQUALITY generalizedTimeMatch 
   ORDERING generalizedTimeOrderingMatch 
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 
   SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation 
),

   ad_pwdChangedTime },
   {   ( 1.3.6.1.4.1.42.2.27.8.1.17 
   NAME ( 'pwdAccountLockedTime' ) 
   DESC 'The time an user account was locked' 
   EQUALITY generalizedTimeMatch 
   ORDERING generalizedTimeOrderingMatch 
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 
   SINGLE-VALUE 
#if 0
   /* Not until Relax control is released */
   NO-USER-MODIFICATION 
#endif
   USAGE directoryOperation ),
   ad_pwdAccountLockedTime },
   {   ( 1.3.6.1.4.1.42.2.27.8.1.19 
   NAME ( 'pwdFailureTime' ) 
   DESC 'The timestamps of the last consecutive 
authentication failures' 

   EQUALITY generalizedTimeMatch 
   ORDERING generalizedTimeOrderingMatch 
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 
   NO-USER-MODIFICATION USAGE directoryOperation ),
   ad_pwdFailureTime },
   {   ( 1.3.6.1.4.1.42.2.27.8.1.20 
   NAME ( 'pwdHistory' ) 
   DESC 'The history of users passwords' 
   EQUALITY octetStringMatch 
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 
   NO-USER-MODIFICATION USAGE directoryOperation ),
   ad_pwdHistory },
   {   ( 1.3.6.1.4.1.42.2.27.8.1.21 
   NAME ( 'pwdGraceUseTime' ) 
   DESC 'The timestamps of the grace login once the password 
has expired' 

   EQUALITY generalizedTimeMatch 
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 
   NO-USER-MODIFICATION USAGE directoryOperation ),
   ad_pwdGraceUseTime },
   {   ( 1.3.6.1.4.1.42.2.27.8.1.22 
   NAME ( 'pwdReset' ) 
   DESC 'The indication that the password has been reset' 
   EQUALITY booleanMatch 
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 
   SINGLE-VALUE USAGE directoryOperation ),
   ad_pwdReset },
   NAME ( 'pwdPolicySubentry' ) 
   DESC 'The pwdPolicy subentry in effect for this object' 
   EQUALITY distinguishedNameMatch 
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
   SINGLE-VALUE 
#if 0
   /* Not until Relax control is released */
   NO-USER-MODIFICATION 
#endif
   USAGE directoryOperation ),
   ad_pwdPolicySubentry },
   { NULL, NULL }



--Quanah



--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

[Quanah Gibson-Mount]

--On Thursday, July 25, 2013 7:28 PM +1000 Brian May 
br...@microcomaustralia.com.au wrote:



That isn't what Steve Langasek said in the bug report. Was he mistaken?
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;att=0;bug=680049



So just to confirm, does this mean I don't need to manually load the
ppolicy.ldif schema? i.e. all I need to do is load the ppolicy module,
and the schema automatically appear, before I add any ppolicy
configuration? Not sure it is that simple, but I haven't tested it, so I
can't say for certainty. Will run a test tomorrow.


Anyway, I realized I wasn't CCing the original bug submitter. So I am
CCing Andreas Heinlein aheinl...@gmx.com here.--
Brian May br...@microcomaustralia.com.au


For a stock openldap install, any attribute that is hard coded in ppolicy.c 
is available once the module is loaded.  Whether or not one also requires 
the ppolicy.[schema|ldif] file depends entirely on whether or not they also 
need access to those attributes defined within them.  If all you need are 
the hard-coded attributes, then you can skip loading the additional schema 
file.


--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

[Quanah Gibson-Mount]

--On Wednesday, July 24, 2013 11:20 AM +1000 Brian May 
br...@microcomaustralia.com.au wrote:




The file:


servers/slapd/schema/ppolicy.ldif


from the upstream sources also appears to be out-of-date too.


I'm not sure what you mean by this.  I just checked the source respository 
for OpenLDAP, and ppolicy.ldif and ppolicy.schema have the same definitions.


--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

[Quanah Gibson-Mount]

 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
 NAME 'pwdLockout'
 EQUALITY booleanMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
 NAME 'pwdLockoutDuration'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
 NAME 'pwdMaxFailure'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
 NAME 'pwdFailureCountInterval'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
 NAME 'pwdMustChange'
 EQUALITY booleanMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
 NAME 'pwdAllowUserChange'
 EQUALITY booleanMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
 NAME 'pwdSafeModify'
 EQUALITY booleanMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
 SINGLE-VALUE )


ttributetype ( 1.3.6.1.4.1.4754.1.99.1
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
DESC 'Loadable module that instantiates check_password() function'
SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.4754.2.99.1
 NAME 'pwdPolicyChecker'
 SUP top
 AUXILIARY
 MAY ( pwdCheckModule ) )

objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
 NAME 'pwdPolicy'
 SUP top
 AUXILIARY
 MUST ( pwdAttribute )
 MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
 pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
 $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
 pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )


--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#715498: [Pkg-openldap-devel] Bug#715498: OpenLDAP crashes when syncrepl enabled and plugins in use

[Quanah Gibson-Mount]

--On Tuesday, July 09, 2013 1:06 PM -0500 Timothy Pearson 
kb9...@pearsoncomputing.net wrote:



Package: slapd
Version: 2.4.31-1+nmu2

OpenLDAP crashes when syncrepl has been enabled and plugins are in use.
Full details (along with a patch to fix this problem) are available in
upstream Bug 7636


As noted by upstream, this patch is the wrong approach and should not be 
applied.


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#694757: Info received (Bug#694757: libmdb is not packaged in debian)

[Quanah Gibson-Mount]

--On Friday, November 30, 2012 9:45 PM + Debian Bug Tracking System 
ow...@bugs.debian.org wrote:


Git repo for the library only:

https://gitorious.org/mdb/mdb

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#673038: [Pkg-openldap-devel] Bug#673038: please confirm if back-hdb is affected too

[Quanah Gibson-Mount]

--On Wednesday, February 13, 2013 6:08 PM +0100 Giovanni Biscuolo 
g...@xelera.eu wrote:



Hello,

does the fact that the proposed patch (message #69
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673038#69)

is just for back-bdb mean that back-hdb is not affected?


back-bdb and back-hdb share 99% or more of their code, including the source 
files.  Thus a fix to the back-bdb location is generally a fix to both 
backends.


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#673038: Re: [Pkg-openldap-devel] Bug#673038: Bug#673038: slapd: slapcat output truncated every now and then

[Quanah Gibson-Mount]

--On Thursday, February 07, 2013 7:45 PM +0100 Bálint Réczey 
bal...@balintreczey.hu wrote:



tags 673038 + patch fixed-upstream
thanks

Hi All,

2013/1/28 Bálint Réczey bal...@balintreczey.hu:
...


I think we're all in agreement that the code should be fixed.  Please
help to do that, if you can.

Upstream has rejected the proposed fix.
Since it seems I'm not familiar enough with upstream's plans and
coding practices I'm not the best person to provide a fix.

Upstream (Howard Chu, thanks!) has committed and alternate fix [1] [2].
Please consider back-porting it to Debian instead of using my patch.


As noted in the follow up, this fix needs to be *tested* by someone who is 
affected.  Not just grabbed and applied.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#696563: [Pkg-openldap-devel] Bug#696563: slapd not ready when start script exits, plase add sleep in starting script

[Quanah Gibson-Mount]

--On Saturday, December 22, 2012 3:54 PM -0800 Steve Langasek 
vor...@debian.org wrote:



This is absolutely not an acceptable fix for this bug.  A 'sleep' only
reduces the frequency of a race, it does not eliminate it.  We need to
find out why the parent slapd process is again exiting before it's ready
to listen for connections - this is a regression, for a bug that was very
specifically supposed to have been fixed upstream in 2.4.28.  See bug
# 589915 for the history.

The source files that were being patched for this haven't changed upstream
since 2.4.28, so I'm not sure what will have gone wrong.


I suggest reading followup #2 in 
http://www.openldap.org/its/index.cgi/?findid=6848, the upstream ITS 
dealing with this.  It is specifically noted that on a heavily loaded 
system, this can still occur.


The real solution is to switch to back-mdb from back-bdb/hdb, which doesn't 
have the heavy startup load that BDB based backends do.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#694757: libmdb is not packaged in debian

[Quanah Gibson-Mount]

--On Friday, November 30, 2012 10:35 PM +0100 Gergely Nagy 
alger...@balabit.hu wrote:



Control: reassign -1 wnpp
Control: title -1 RFP: libmdb -- OpenLDAP Memory-Mapped Database
Control: severity -1 wishlist

Quanah Gibson-Mount qua...@zimbra.com writes:


Package: libmdb
Version: 0.9.4


When filing bugs requesting that a package be packaged for Debian,
please file it against the wnpp pseudo-package. You can find more
information about the procedure at: http://www.debian.org/devel/wnpp/#l1

I have reassigned  retitled this bug, but in the future, please file it
appropriately.

Thanks in advance!


Thanks.  I didn't see this information on the primary bug submission web 
page.


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#694757: libmdb is not packaged in debian

[Quanah Gibson-Mount]

Package: libmdb
Version: 0.9.4

Please add the MDB library to Debian, so that software packages that use it 
can link to it in the future.


http://www.symas.com/mdb/

Thanks,
Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#688797: [Pkg-openldap-devel] Bug#688797: Dead lock on BDB and partial stop on slapd

[Quanah Gibson-Mount]

--On October 17, 2012 2:35:30 PM +0100 Jose Manuel dos Santos Calhariz 
jose.calha...@netvisao.pt wrote:



On Wed, Oct 10, 2012 at 03:18:50PM +0100, Jose Manuel dos Santos Calhariz
wrote:

On Thu, Oct 04, 2012 at 01:05:15PM -0700, Quanah Gibson-Mount wrote:
 --On Thursday, October 04, 2012 4:19 PM +0100 Jose Manuel dos Santos
 Calhariz jose.calha...@netvisao.pt wrote:

 
  Following a previous bug report about a stopping slapd server, during
  normal day work.  As now we have a partially working slapd server,
  that answers some queries but ignores others.  Using db5.1_stat and
  gdb was possible to get the following information:

 Hi Jose,

 As I previously noted, this is a known bug with BDB 5.x series.
 Please read:

 http://www.openldap.org/its/index.cgi/?findid=7378
 http://www.openldap.org/its/index.cgi/?findid=7401

 Again, if you can show a deadlock in a current OpenLDAP build with a
 known good version of BDB (4.7.25 + all patches), then that would be
 of interesting.

Is openldap 2.4.31 current enough?


It even happen with 2.4.33 :-(  It was compiled with BDB (4.7.25 + all
patches).  Waiting for the next stop to collect debug information.


Ok.  did you see the information Howard requested you gather via his 
comment in the bug?


Thanks,
Quanah


--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#688797: Dead lock on BDB and partial stop on slapd

[Quanah Gibson-Mount]

--On Thursday, October 04, 2012 4:19 PM +0100 Jose Manuel dos Santos 
Calhariz jose.calha...@netvisao.pt wrote:




Following a previous bug report about a stopping slapd server, during
normal day work.  As now we have a partially working slapd server, that
answers some queries but ignores others.  Using db5.1_stat and gdb
was possible to get the following information:


Hi Jose,

As I previously noted, this is a known bug with BDB 5.x series.  Please 
read:


http://www.openldap.org/its/index.cgi/?findid=7378
http://www.openldap.org/its/index.cgi/?findid=7401

Again, if you can show a deadlock in a current OpenLDAP build with a known 
good version of BDB (4.7.25 + all patches), then that would be of 
interesting.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#689025: slapd: chokes on unresponsive syslogd

[Quanah Gibson-Mount]

--On Friday, September 28, 2012 2:19 PM +0200 Dominik George 
n...@naturalnet.de wrote:



Package: slapd
Version: 2.4.31-1
Severity: important

The slapd process hangs when sending log data to an unresponsive syslogd.

In out site setup, all servers log to a central MySQL database through
rsyslog. rsyslog becomes unresponsive when having too much data queued,
which happened when the line to the log server came down for a loner time
period several times last week. rsyslog then refuses to accept any new
logs before commiting all queued messages to MySQL.

Although this is possibly an rsyslog bug, slapd should not run into a
freeze due to that. It didn't even come back up after syslog
functionality had been re-established.


A full GDB backtrace of all threads would be useful for examining this 
issue any further.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#688797: [Pkg-openldap-devel] Bug#688797: openldap 2.4.23 and 2.4.31 slapd server process frequently stops during everyday use

[Quanah Gibson-Mount]

--On Wednesday, September 26, 2012 12:34 PM +0100 Jose Manuel dos Santos 
Calhariz jose.calha...@netvisao.pt wrote:




What version of BDB are you linked to?


We follow Debian on this.  Openldap 2.4.31 is linked to BDB 5.1.29 and
openldap 2.4.23 is linked to BDB 4.8.30.



In attach there is a db5.1_stat -CA from one server with problems,
openldap 2.4.31.


But now you changed two things -- BDB and OpenLDAP.

You may also want to look at 
http://www.openldap.org/its/index.cgi/?findid=7222, fixed in OpenLDAP 
2.4.32.


Personally, I've dumped BDB entirely, and now use current RE24 OpenLDAP 
from git with OpenLDAP's MDB, which is faster than BDB in all areas, and 
doesn't have the locking issues that come with BDB.


http://highlandsun.com/hyc/mdb/

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#688857: [Pkg-openldap-devel] Bug#688857: slapd - Modifications by refint not replicated

[Quanah Gibson-Mount]

--On Wednesday, September 26, 2012 1:18 PM +0200 Bastian Blank 
wa...@debian.org wrote:



Package: slapd
Version: 2.4.31-1
Severity: important

Modifications made by refint are not replicated. They neither update the
modification timestamp nor the CSN used for replication. This is serious
data loss, because the replicas gets out of sync pretty quickly. There
seems to be no way to recover from this discrepancy without doing a
complete replication.

While this seems to be known, it is not documented at all in the
man-pages related to the refint and memberof overlays. Also it violates
the principle of least surprise, because the changes are not limited to
operational attributes.


Hi Bastian,

refint is working as designed in this case.  I will file an upstream ITS 
for you to improve the documentation in this area.  In general, this really 
should have been filed as an upstream issue to begin with, as Debian really 
has nothing to do with OpenLDAP development or documentation.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#688797: [Pkg-openldap-devel] Bug#688797: openldap 2.4.23 and 2.4.31 slapd server process frequently stops during everyday use

[Quanah Gibson-Mount]

--On Tuesday, September 25, 2012 6:35 PM +0100 Jose Calhariz 
jose.calha...@ist.utl.pt wrote:



Package: slapd
Version: 2.4.31-1~bpo60+2
Severity: important
Tags: upstream


During normal day use the slapd daemon stops and have to be restarted by
a watchdog daemon.   This problem is present on openldap 2.4.23 and on
2.4.31 (private backport from wheezy).


From a previous investigation with 2.4.23 this is a problem of deadlocks
in Berleckey DB.

The backport was in the hope that this was the bug #618904.  But our
problem is still  present on 2.4.31.

Exists information from a db*_stat -CA that I will send in the next
email.


What version of BDB are you linked to?  There are consistent reports of 
deadlock issues with BDB 5.3.  I would recommend against using that version 
of BDB.  4.7.25+patches has been solid for me.  All indications with the 
BDB deadlock issue in 5.3 is that it is a BDB bug, and thus nothing to do 
with OpenLDAP.  It may exist in other 5.x versions of BDB.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#673038: [Pkg-openldap-devel] Bug#673038: Bug#673038: slapd: slapcat output truncated every now and then

[Quanah Gibson-Mount]

--On Tuesday, June 19, 2012 2:25 PM +0200 Axel Beckert a...@debian.org 
wrote:



Hi Steve,

Steve Langasek wrote:

 According to the slapcat man page it should be always safe to run
 slapcat with the slapd-bdb(5) ... backends even if slapd runs. We do
 use a BDB backend.

Note that the HDB backend is the one recommended upstream and the Debian
default.


Well, yeah, that system has been dist-upgraded from at least Etch.
IIRC it started at some time when BDB was still the default.

I wrote that -- according to our backups -- this happened already with
Lenny's slapd. But with Lenny it seemed to have happened less often
(which is why we noticed it only recently).


Personally, I would advise you to ask a question about this on 
openldap-techni...@openldap.org.  I asked Howard about it, and he had a 
ready answer as to why you were seeing this, but I forget what it is.  In 
any case, this is not a debian specific openldap bug.


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#678191: [Pkg-openldap-devel] Bug#678191: /usr/bin/ldapsearch: Error - Could not parse LDAP URI

[Quanah Gibson-Mount]

--On Tuesday, June 19, 2012 5:00 PM -0300 Fabiano Xavier Pires 
f...@ig.com.br wrote:



Subject: /usr/bin/ldapsearch: Error - Could not parse LDAP URI
Package: ldap-utils
Version: 2.4.23-7.2
File: /usr/bin/ldapsearch
Severity: normal

While trying to debug Apache2 LDAP Auth (Debian 6 ) I found this:
ldapsearch -H can't parse ldap URLs that have baseDn info  even the
ones created by ldapurl.


I would advise reading the ldapsearch(1) man page.  This is not a bug.

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#664930: [Pkg-openldap-devel] Bug#664930: Matthias' patch seems to be the correct action

[Quanah Gibson-Mount]

--On Tuesday, May 01, 2012 10:12 AM +0200 Peter Marschall pe...@adpm.de 
wrote:



So I consider Matthias' patch correct

Best regards
PEter

PS: for me this patch made OpenLDAP 2.6.31 compile flawlessly.


My guess is that OpenLDAP 2.6.anything would probably compile flawlessly 
against updated Heimdal code, since it'll be years before it's released. ;)


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#664930: [Pkg-openldap-devel] Bug#664930: Info received (FTBFS)

[Quanah Gibson-Mount]

--On Monday, April 16, 2012 3:27 PM +0200 Mattias Ellert 
mattias.ell...@fysast.uu.se wrote:



Hi!

No other suggestion put forward. I will do a bin NMU in a few days
unless there are other solutions proposed.

Mattias



Hi Mattias,

I've filed a bug with upstream 
(http://www.openldap.org/its/index.cgi/?findid=7247) on this issue.  That 
would be the correct place for this to be fixed.


What version of Heimdal was Debian using previously?  What version of 
Heimdal is Debian using that you encountered this error against?


Thanks!

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#664930: [Pkg-openldap-devel] Bug#664930: Bug#664930: Info received (FTBFS)

[Quanah Gibson-Mount]

--On Monday, April 16, 2012 10:17 AM -0700 Quanah Gibson-Mount 
qua...@zimbra.com wrote:



--On Monday, April 16, 2012 3:27 PM +0200 Mattias Ellert
mattias.ell...@fysast.uu.se wrote:


Hi!

No other suggestion put forward. I will do a bin NMU in a few days
unless there are other solutions proposed.

Mattias



Hi Mattias,

I've filed a bug with upstream
(http://www.openldap.org/its/index.cgi/?findid=7247) on this issue.
That would be the correct place for this to be fixed.

What version of Heimdal was Debian using previously?  What version of
Heimdal is Debian using that you encountered this error against?


Hi Mattias,

I looked at the latest source for Heimdal (1.5.2) that is available.  This 
header change does not exist there.  What version of Heimdal is Debian 
using?


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#662940: [Pkg-openldap-devel] Bug#662940: Bug#662940: slapd gives assertions for valid configuration

[Quanah Gibson-Mount]

--On Thursday, March 15, 2012 6:04 AM +0100 Mattias Ellert 
mattias.ell...@fysast.uu.se wrote:



fre 2012-03-09 klockan 11:16 -0800 skrev Quanah Gibson-Mount:


Fixed upstream with git commit 6143aa0c18c8e0f73f4855b884b30405adabfc99

Please test.

--Quanah


Rebuilding the openldap source package with the commit added as an
additional patch results in a working slapd server.


Thanks for the verification!

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#663644: [Pkg-openldap-devel] Bug#663644: [CVE-2012-1164] openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry

[Quanah Gibson-Mount]

--On Monday, March 12, 2012 11:34 PM +0100 Luciano Bello 
luci...@debian.org wrote:



Package: openldap
Severity: grave
Tags: security patch

The following vulnerability had been reported against openssl:


I think you mean OpenLDAP.  Note that you have to be using 
slapo-translucent and slapo-rwm, which very few people do.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#662940: [Pkg-openldap-devel] Bug#662940: Bug#662940: slapd gives assertions for valid configuration

[Quanah Gibson-Mount]

--On Wednesday, March 07, 2012 9:11 AM -0800 Quanah Gibson-Mount 
qua...@zimbra.com wrote:



--On Wednesday, March 07, 2012 1:28 PM +0100 Mattias Ellert
mattias.ell...@fysast.uu.se wrote:


Package: slapd
Version: 2.4.28-1.1
Severity: normal

When configuring the shell backend in slapd.conf the syntax is (see man
slapd-shell):

add pathname argument...
bind pathname argument...
compare pathname argument...

and so on.

That is the path to the script followed by its arguments. This has
worked fine in the past. However, the current version 2.4.28-1.1 of the
slapd server refuses to start if any arguments are given after the path
name in the configuration file, with the following assertion:

slapd: ../../../../servers/slapd/config.c:198: config_check_vals:
Assertion `c-argc == 2' failed.

For the configuration of the shell backend the assertion condition means
that it is not possible to pass arguments to the script in the
slapd.conf. The man pages documents that this should still be possible,
and it has been working with earlier versions.

Mattias




I've filed http://www.openldap.org/its/index.cgi/?findid=7201 for this.


Fixed upstream with git commit 6143aa0c18c8e0f73f4855b884b30405adabfc99

Please test.

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#662940: [Pkg-openldap-devel] Bug#662940: slapd gives assertions for valid configuration

[Quanah Gibson-Mount]

--On Wednesday, March 07, 2012 1:28 PM +0100 Mattias Ellert 
mattias.ell...@fysast.uu.se wrote:



Package: slapd
Version: 2.4.28-1.1
Severity: normal

When configuring the shell backend in slapd.conf the syntax is (see man
slapd-shell):

add pathname argument...
bind pathname argument...
compare pathname argument...

and so on.

That is the path to the script followed by its arguments. This has
worked fine in the past. However, the current version 2.4.28-1.1 of the
slapd server refuses to start if any arguments are given after the path
name in the configuration file, with the following assertion:

slapd: ../../../../servers/slapd/config.c:198: config_check_vals:
Assertion `c-argc == 2' failed.

For the configuration of the shell backend the assertion condition means
that it is not possible to pass arguments to the script in the
slapd.conf. The man pages documents that this should still be possible,
and it has been working with earlier versions.

Mattias




I've filed http://www.openldap.org/its/index.cgi/?findid=7201 for this.

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#660917: [Pkg-openldap-devel] Bug#660917: fileno ulimit regression: slapd rejects connections approaching 1024 simultaneous connections

[Quanah Gibson-Mount]

--On Wednesday, February 22, 2012 2:36 PM -0800 Chris Hiestand 
chiest...@salk.edu wrote:



That's all fair enough, I've moved this to wishlist. I would find this
patch, or something like it, useful in order to make it easy for admins
of heavily-used servers to easily increase the ulimit and not have to
maintain a forked init file. Maintaining forks strains my technomage
capabilities ;-)


I would note the only reason this is being hit at all is because slapd has 
been linked to tcpwrappers. I personally frown on such linking, as you can 
do much more sophisticated filtering at the ACL level in OpenLDAP, and all 
it does is create issues such as this one.  If you aren't using 
hosts.{allow,deny} then rebuild w/o the tcpwrappers linking, and this 
problem will disappear entirely.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#658047: [Pkg-openldap-devel] Bug#658047: Bug#658047: slapd: reproducible segfault during sync-replication on slave

[Quanah Gibson-Mount]

--On Monday, January 30, 2012 3:40 PM -0800 Quanah Gibson-Mount 
qua...@zimbra.com wrote:


This issue was a duplicate of ITS#7132, which is already fixed for the 
OpenLDAP 2.4.29 release.


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#658047: [Pkg-openldap-devel] Bug#658047: slapd: reproducible segfault during sync-replication on slave

[Quanah Gibson-Mount]

--On Tuesday, January 31, 2012 12:07 AM +0100 Sven Hartge 
s...@svenhartge.de wrote:



Package: slapd
Version: 2.4.23-7.2
Severity: normal

Hi OpenLDAP Maintainers,

I experience an easy to reproduce and consistent segfault when I setup a
slapd syncrepl consumer on Squeeze.

This segfault always happens during the replication of the same object,
but the slapd version in Lenny has no problems with same DIT.

My oldstable replicas currently run a self-backported version of
2.4.21-1~dvz50+1, but both 2.4.17-2.1~bpo50+1 and 2.4.11-1+lenny2.1 are
also fine.

2.4.23-7.2 shows the segfault as all versions up to 2.4.28-1.1 do. Even
if I disable all indices and strip my configuration to the bare minimum
needed (i.e. self-defined objectclasses and attributes) I get the
segfault.

I am aware the problem my lie in my self-defined objectclasses and
attributes, but then slapd should throw an error and exit instead of
replicating 1/3 of the DIT and then segfault.

I get a very good backtrace, but since this backtrace contains internal
information I am a bit hesitant to attach this backtrace to a public
bug-report.

Is there a way to privatly submit this data (backtrace and additional
schemas) so you can have look at the problem?


Hi Sven,

To start with, you're filing this ticket with the wrong group.  You would 
want to file this with http://www.openldap.org/its/


I think what you are reporting has already been reported to OpenLDAP as 
http://www.openldap.org/its/index.cgi/?findid=7113


I would ask that you try the current RE24 checkout from GIT and see if you 
still encounter the issue.  If so, then please file an ITS in the OpenLDAP 
tracker with the backtrace, etc, information.  If you need to arrange that 
to be provided privately, that can be worked out with the OpenLDAP 
developers.


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#658047: [Pkg-openldap-devel] Bug#658047: slapd: reproducible segfault during sync-replication on slave

[Quanah Gibson-Mount]

Hi Sven,

--On Tuesday, January 31, 2012 12:30 AM +0100 Sven Hartge 
s...@svenhartge.de wrote:



On 31.01.2012 00:18, Quanah Gibson-Mount wrote:

--On Tuesday, January 31, 2012 12:07 AM +0100 Sven Hartge
s...@svenhartge.de wrote:



Is there a way to privatly submit this data (backtrace and additional
schemas) so you can have look at the problem?



To start with, you're filing this ticket with the wrong group.  You
would want to file this with http://www.openldap.org/its/


I have always been told to directly report bugs to the Debian BTS. The
DDs will then relay the bug to upstream if they believe this to be an
upstream bug.

But if the Debian OpenLDAP Maintainers tell me to directly report this
issue to upstream, this is fine with me as well.


I'm the release engineer for the OpenLDAP project, and am not one of the 
Debian OpenLDAP maintainers.  However, I work to triage issues reported via 
Debian's BTS into the upstream tracker.


Your request for privacy is a significant detail, and thus the request for 
filing against the upstream tracker vs the Debian BTS, because I wouldn't 
have access to anything set up in it privately.




I think what you are reporting has already been reported to OpenLDAP as
http://www.openldap.org/its/index.cgi/?findid=7113


This does not look right, since my consumer segfaults and not the
master, which is fine.


I would ask that you try the current RE24 checkout from GIT and see if
you still encounter the issue.  If so, then please file an ITS in the
OpenLDAP tracker with the backtrace, etc, information.  If you need to
arrange that to be provided privately, that can be worked out with the
OpenLDAP developers.


Will do. But first I will try a -O0 rebuild of the current package to
rule out any weird compiler bugs.


Thanks.  I never build OpenLDAP with anything but -O0 myself, because I've 
seen gcc do the wrong thing too many times to trust its optimizations when 
it comes to OpenLDAP. ;)


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#651700: [Pkg-openldap-devel] Bug#651700: Bug#651700: slapd: BDB library version mismatch

[Quanah Gibson-Mount]

--On Wednesday, January 04, 2012 6:01 PM -0800 Russ Allbery 
r...@debian.org wrote:



Do you think that's sufficient, or should I clarify this further?


No, I think that's fine.  I'm just a little worried that we'll get bitten
by some future libdb change, but actually OpenLDAP may serve as an
excellent canary there.  If libdb changes either the file format or the
ABI in a way that isn't compatible without changing the SONAME, that's an
RC bug in libdb from Debian's perspective and it's something we'd rather
know about than not, since we need to fix it regardless of OpenLDAP's use
of the package.


Personally, I'm hoping Debian will dump back-bdb/back-hdb entirely once 
back-mdb is stable. ;)


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#651700: [Pkg-openldap-devel] Bug#651700: BDB version ...

[Quanah Gibson-Mount]

--On Wednesday, December 21, 2011 12:16 AM +0100 JP P jp.po...@bbox.fr 
wrote:



Hello,

I had to find a suitable version of the BDB library
(libdb5.1_5.1.25-11), empty the /var/lib/ldap/ and launch slapd to
have the DB rebuilt. As the server is a slave server after a few
minutes the DB was resynchronized and all is OK now.
But the package in unstable is still unusable.


The version of BDB that OpenLDAP is built against must be used.  Your other 
fix would have been to simply rebuild the OpenLDAP package against the 
version of BDB in unstable.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#651700: [Pkg-openldap-devel] Bug#651700: slapd: BDB library version mismatch

[Quanah Gibson-Mount]

--On Monday, December 12, 2011 1:29 PM -0800 Quanah Gibson-Mount 
qua...@zimbra.com wrote:



--On Sunday, December 11, 2011 12:14 PM +0100 stor...@club-internet.fr
jp.po...@izzop.net wrote:


Package: slapd
Version: 2.4.25-4+b1
Severity: important

Dear Maintainer,

I think that the openldap package was not compiled with the last
version :
bdb_back_initialize: BDB library version mismatch: expected Berkeley DB
5.1.25: (January 28, 2011) got Berkeley DB 5.1.29: (October 25, 2011).
slapd stopped.


Actually this indicates that OpenLDAP was recompiled with the latest BDB
version (5.1.29).  It is complaining about the fact that your database
was created using the 5.1.25 version, and thus it refuses to start.


Ugh, nm, misread that.

OpenLDAP was compiled using 5.1.25, and the libs were updated to 5.1.29. 
OpenLDAP *must* be recompiled against 5.1.29 as well in that case.  If that 
is done, then everything will move along happily.


This is by design because Oracle/Sleepycat has made API changes in patch 
level releases before.  back-hdb/bdb *must* be compiled against the exact 
BDB library version they are linked to.  In this case, the patch level does 
matter.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#651700: [Pkg-openldap-devel] Bug#651700: slapd: BDB library version mismatch

[Quanah Gibson-Mount]

--On Sunday, December 11, 2011 12:14 PM +0100 stor...@club-internet.fr 
jp.po...@izzop.net wrote:



Package: slapd
Version: 2.4.25-4+b1
Severity: important

Dear Maintainer,

I think that the openldap package was not compiled with the last
version :
bdb_back_initialize: BDB library version mismatch: expected Berkeley DB
5.1.25: (January 28, 2011) got Berkeley DB 5.1.29: (October 25, 2011).
slapd stopped.


Actually this indicates that OpenLDAP was recompiled with the latest BDB 
version (5.1.29).  It is complaining about the fact that your database was 
created using the 5.1.25 version, and thus it refuses to start.


The correct behavior on Debian's part is to export the database(s) prior to 
updating the BDB library via slapcat, and then reimport it via slapadd post 
upgrade.  OpenLDAP is working as designed.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#651700: [Pkg-openldap-devel] Bug#651700: slapd: BDB library version mismatch

[Quanah Gibson-Mount]

--On Monday, December 12, 2011 10:54 PM +0100 Julien Cristau 
jcris...@debian.org wrote:



On Mon, Dec 12, 2011 at 13:35:50 -0800, Quanah Gibson-Mount wrote:


OpenLDAP was compiled using 5.1.25, and the libs were updated to
5.1.29. OpenLDAP *must* be recompiled against 5.1.29 as well in that
case.  If that is done, then everything will move along happily.

This is by design because Oracle/Sleepycat has made API changes in
patch level releases before.  back-hdb/bdb *must* be compiled
against the exact BDB library version they are linked to.  In this
case, the patch level does matter.


If bdb breaks ABI then it needs to bump SONAME.  If it doesn't then
apps compiled against an earlier version must still work.  A check for
the patchlevel version is just broken.


Feel free to take that up with Oracle. ;)  Until they fix their development 
practices, the OpenLDAP behavior remains.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#648056: [Pkg-openldap-devel] Bug#648056: Acknowledgement (Openldap fails to use existing cipher TLS_RSA_3DES_EDE_CBC_SHA1)

[Quanah Gibson-Mount]

--On Friday, November 18, 2011 8:41 AM +0100 Christophe Ségui 
christophe.se...@math.univ-toulouse.fr wrote:



Hi,


any update on this ?


I've filed an upstream bug for this:

https://www.openldap.org/its/private.cgi/?findid=7094

As that is likely the correct location for getting it fixed.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#631120: [Pkg-openldap-devel] Bug#631120: slapd-smbk5pwd: Overlay can not be added

[Quanah Gibson-Mount]

--On Monday, November 07, 2011 8:48 AM +0800 David Adam 
zanc...@ucc.gu.uwa.edu.au wrote:



I'm pretty sure that slapd-smbk5pwd is failing to respect the
smbK5PwdEnable attribute on 64-bit platforms - having spun up two
fresh Debian VMs and configured them for samba and not kerberos as in the
original bug report, I get an error complaining about Kerberos
misconfiguration on the 64-bit machine but not on the 32-bit machine.


I'm somewhat curious why you are filing this with Debian when you were 
pointed at the upstream ITS system, which initial such reports belong.  The 
Debian project is not affiliated in any way with the OpenLDAP project.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#631120: [Pkg-openldap-devel] Bug#631120: slapd-smbk5pwd: Overlay can not be added

[Quanah Gibson-Mount]

--On Monday, November 07, 2011 7:44 PM +0800 David Adam 
zanc...@ucc.gu.uwa.edu.au wrote:



It has also been filed upstream at
   http://www.OpenLDAP.org/its/index.cgi?findid=7082


This has been fixed upstream.  It also has raised 
http://www.openldap.org/its/index.cgi/?findid=7083 which is currently 
being fixed.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#647460: [Pkg-openldap-devel] Bug#647460: slapd: README.Debian.gz mentions obsolete note about GnuTLS and OpenSSL

[Quanah Gibson-Mount]

--On Wednesday, November 02, 2011 10:40 PM +0100 Rolf Kutz r...@vzsze.de 
wrote:



Package: slapd
Version: 2.4.23-7.2
Severity: normal


README.Debian.gz mentions obsolete note about GnuTLS and OpenSSL:

  Finally, note that the Debian OpenLDAP packages have been compiled
  against GnuTLS instead of OpenSSL to avoid licensing problems for
  GPL-covered packages that use the LDAP libraries.  This is a supported
  configuration, but it's not widely used outside of Debian.

Since 2.2.23-0.pre1 slapd is build against OpenSSL.


I assume you mean this very last sentence is poorly worded?  It is 
definitely correct and current that Debian uses GnuTLS rather than OpenSSL 
for theoretical licensing issues.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#643970: [Pkg-openldap-devel] Bug#643970: slapd - Spams syslog with connection_read(17): no connection!

[Quanah Gibson-Mount]

--On Saturday, October 01, 2011 12:16 PM +0200 Bastian Blank 
wa...@debian.org wrote:



Package: slapd
Version: 2.4.25-3
Severity: normal

slapd spams syslog with no connection messages even if no log level is
enabled.


It means a client is incorrectly configured and disconnected without 
unbinding.  It is alerting you to an error condition.


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#628237: [Pkg-openldap-devel] Bug#628237: OpenLDAP vs. SASL - what happened

[Quanah Gibson-Mount]

--On Thursday, July 14, 2011 7:45 PM +0200 Ralph Rößner 
roess...@capcom.de wrote:




Now you could argue that Cyrus upstream should not do that, i.e. breaking
the plugin ABI for a step release but that argument is two years late
(which is how long the .24 has been around).


There is no cyrus-sasl 2.1.24 release.  There is a release candidate, which 
when I tested it, had a series of serious flaws.  Why anyone would add that 
to a distribution is beyond me.  The latest release of cyrus-sasl is 
2.1.23.  I find it significant that after 2 years there still remains no 
official 2.1.24 release after the numerous issue reports that were filtered 
back to the project.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#628237: Bug#628237: OpenLDAP vs. SASL - what happened

[Quanah Gibson-Mount]

--On Thursday, July 14, 2011 2:09 PM -0500 Dan White dwh...@olp.net wrote:


There's been quite a bit of new work even since the 2.1.24rc1 tarball,
including work corresponding to the newer IETF SASL standards (GS2, SCRAM,
and channel binding), so I wouldn't be surprised to see another version
bump before the next release. The package in Debian is actually based on
CVS HEAD, and should be in much better shape than 2.1.24rc1 was.

Please file any outstanding issues against the sasl packages, and I'll try
to filter those to upstream developers as appropriate.


Thanks Dan,

Much appreciated!

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#621403: [Pkg-openldap-devel] Bug#621403: Bug#621403: Bug#621403: Automatic upgrades for Berkeley DB version

[Quanah Gibson-Mount]

--On Friday, May 13, 2011 6:55 PM +0200 Ondřej Surý ond...@debian.org 
wrote:



On Fri, May 13, 2011 at 18:25, Russ Allbery r...@debian.org wrote:

Ondřej Surý ond...@debian.org writes:


I share your concern and I am not saying you should build-depend
openldap on libdb-dev, but that:



a) you could store the compiled-in version and compare it to used
version (and do the upgrade if they differ)



b) do the upgrade without dumpload, by running dbNEW_upgrade on them



That would solve the 'dpkg --compare-version $2
version-in-unstable' vs backported versions issue, which was brought
up on the debian-backports lists (aka if we backport openldap then the
upgrade from backports to next-stable will fail because the package
won't know it wants an upgrade).


My recollection is that OpenLDAP upstream doesn't recommend using the
BerkeleyDB tools to do a direct upgrade and instead recommends using the
OpenLDAP tools to dump and reload the LDAP database at a higher level.

OpenLDAP uses every nook and cranny of BerkeleyDB in ways that tend to
stress every weak point of the software, so if my recollection is right,
straying away from any recommendation about the database handling is
likely to lead to trouble.


That might be true for database format upgrades, but from my POV I
don't see any risk using Berkeley DB upgrade tools to upgrade only
when the logformat has changed, which is the case for past releases
since 4.3.x. (4.2.x has changed Queue access method). That said I
don't have enough experiences neither with Berkeley DB nor OpenLDAP to
be 100% sure that it's safe to just run dbX.Y_upgrade.

But unless there are actually cases of recent failures in the upgrade
procedure (say from 4.6 up), then I would say that this is just legacy
from ancient times which everybody follows just to be sure...


Russ is correct, you are incorrect.  Using the BDB tools to do upgrades of 
the OpenLDAP DB has never been supported, and it is unlikely it ever will. 
OTOH, OpenLDAP 2.5 will have a new backend that doesn't use BDB at all, so 
long term this issue should go away.


slapcat/slapadd are the only supported methods of upgrading OpenLDAP across 
versions of BDB.



--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#541256: [Pkg-openldap-devel] Bug#541256: slapd: could not set cipher list SIGABRT

[Quanah Gibson-Mount]

--On Wednesday, May 11, 2011 3:55 AM -0400 Simon L'nu simon@gmail.com 
wrote:



Package: slapd
Version: 2.4.25-1+b1
Followup-For: Bug #541256

*** glibc detected *** slapd: double free or corruption (top): 0x08894138
***


I've filed this upstream as that is the appropriate place to file this bug.

http://www.openldap.org/its/index.cgi/?findid=6939

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#614569: [Pkg-openldap-devel] Bug#614569: slapd: Dist-Upgrade Lenny-Squeeze: syncreplication w/ incomplete objects fails

[Quanah Gibson-Mount]

--On Wednesday, March 30, 2011 4:51 PM +0200 Rainer Ruprechtsberger 
rainer.ruprechtsber...@volkshilfe-ooe.at wrote:



Just m2c: On a syncreplication slave one could ommit the re-import step
completely and rely on the replication mechanism to re-populate the
slave. In the end its what I did anyway.
A clean way to get to this point is whats missing :)


That is not a very worthwhile suggestion for anyone with a sizeable 
database.  It would take hours to days to weeks.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#614569: [Pkg-openldap-devel] slapd: Dist-Upgrade Lenny-Squeeze: syncreplication w/ incomplete objects fails

[Quanah Gibson-Mount]

--On Monday, March 28, 2011 3:47 PM +0200 Matthijs Möhlmann 
matth...@cacholong.nl wrote:



Hi all,

Cc'ing my fellow maintainers.

To fix this bug I can add simply -s to the slapadd in the function
load_databases.

The -s option disables the schemachecking. But I'm not sure if this is a
good solution to fix the upgrade procedure.

Maybe it's better to look at the configuration and check if it's a slave
and then add this option.

Any comments?


It is never wise to disable schema checking.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#614569: [Pkg-openldap-devel] slapd: Dist-Upgrade Lenny-Squeeze: syncreplication w/ incomplete objects fails

[Quanah Gibson-Mount]

--On Monday, March 28, 2011 7:11 PM +0200 Matthijs Möhlmann 
matth...@cacholong.nl wrote:



If you say it's never wise to disable schemachecking, why is there an
option to disable the schemachecking in the replication?


For that very reason (partial replication). :/

So the problem is that if you use -s, people who have invalid databases 
that shouldn't get imported may then get imported.  But if you don't, you 
hit this issue.  I guess you need to decide which is the lesser evil. ;)


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#618904: [Pkg-openldap-devel] Bug#618904: openldap 2.4.23 slapd server process frequently hangs during everyday use

[Quanah Gibson-Mount]

--On Friday, March 25, 2011 2:33 PM + Mark Cave-Ayland 
mark.cave-ayl...@siriusit.co.uk wrote:



That's true, although no-one really showed any interest after I could
verify that 2.4.24 fixed the issue. If you're still interested, I'll see
if I can spend some time at the beginning of next week to come up with a
reproducible test case.


That's because for upstream, we would expect you to use the latest release. 
If you want Debian to fix it, they will need to use the same release they 
pushed out with squeeze (2.4.23), so they will need to know what is causing 
the problem so they can find the specific fix that resolves your issue. 
Most likely, since you filed the bug, they would hope you would track it 
down, since you are the only person who has ever encountered it, making it 
particularly difficult for the Debian maintainers to eve know where start 
to look for a solution.


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#618904: [Pkg-openldap-devel] Bug#618904: openldap 2.4.23 slapd server process frequently hangs during everyday use

[Quanah Gibson-Mount]

--On Saturday, March 19, 2011 1:00 PM + Mark Cave-Ayland 
mark.cave-ayl...@siriusit.co.uk wrote:



Package: slapd
Version: 2.4.23-7
Severity: critical
Tags: squeeze

After upgrading our LDAP server from lenny (2.4.11) to squeeze (2.4.23),
we have found  that the slapd process frequently hangs when adding new
objects to the LDAP tree. The server freezes and will not accept any new
connections until it is forcibly terminated with kill -9 and then the
slapd process restarted.


I would note that you are the only person using OpenLDAP 2.4.23 since it 
was released on 6/10/2010 to report this issue.  So while I concur this is 
a serious issue for your use of OpenLDAP, it is also somehow related to 
your specific OpenLDAP configuration.  You never provided your 
configuration in the upstream discussion that I can find, so it's difficult 
to know what you've done specifically in your environment that is causing 
the problem to show up.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#601569: [Pkg-openldap-devel] Bug#601569: slapschema: manpage without binary

[Quanah Gibson-Mount]

--On Thursday, January 20, 2011 4:30 PM +0100 Sven Hartge 
s...@svenhartge.de wrote:





I just checked the version 2.4.23-6, and I see the slapschema manpage
there.



Yes, the *manpage* is there, the *command* is not. :)


Well, in a way it is absent and present at the same time. slapd is just a
multi-call-binary (like busybox) so the simple solution is to add a
hardlink like it is already done for slapcat, slapadd, etc.:

  ln /usr/sbin/slapd /usr/sbin/slapschema

and voila: working slapschema tool.


This must be something Debian broke, since a normal slapd build results in 
slapschema existing.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#608815: [Pkg-openldap-devel] Bug#608815: Proxy authorization fails with SASL-GSSAPI

[Quanah Gibson-Mount]

--On Monday, January 03, 2011 6:49 PM +0100 Jaap Winius jwin...@umrk.nl 
wrote:



Package: slapd
Version: 2.4.23-7

Proxy authorization works with SIMPLE binds, as well as with SASL binds
using various other mechanisms, but not with SASL and GSSAPI. In that
case it may only work initially, but eventually the problem is that, for
no apparent reason, the consumer instead attempts to use a SIMPLE bind to
authenticate itself to the provider. Naturally, this fails.


Why are you filing bugs with Debian for issues in the OpenLDAP project?  If 
you want bugs for OpenLDAP to be tracked, use the OpenLDAP ITS system.  You 
were *already* told to do this on the OpenLDAP list.


The Debian project is *not* part of the OpenLDAP Foundation or the OpenLDAP 
project.  Please use the correct and appropriate resources for filing bugs.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#608815: [Pkg-openldap-devel] Bug#608815: Proxy authorization fails with SASL-GSSAPI

[Quanah Gibson-Mount]

--On Monday, January 03, 2011 9:29 PM +0100 Jaap Winius jwin...@umrk.nl 
wrote:



Quoting Quanah Gibson-Mount qua...@zimbra.com:



Okay, no problem. As soon as I figure out how to do so, I will resubmit
this bug over there, as well as for the one regarding the olcDbURI
attribute (unless you think that's no longer necessary).


http://www.openldap.org/its is the URI for the OpenLDAP bug tracker. 
Hope that helps! :)


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#598361: [Pkg-openldap-devel] Bug#598361: Cause of this issue

[Quanah Gibson-Mount]

--On Thursday, November 25, 2010 8:42 PM +0100 Klaus Flittner 
kl...@flittner.org wrote:



I have the same issue on each debian squeeze installation.

Looking at the source revealed, that the backend db is opened before
the process is forked. (This is a patch added to solve #589915).

During open of the db the alock file gets locked. But this lock is lost
during fork and therefore the db is seen as unclean and not as used.

Removing the said patch, slapcat with running slapd works as expected.

Since the db is no longer locked while slapd is running, all tools like
slapindex can be used on the database, potentially corrupting it.
This probably justifies a higher severity for this bug.


Thanks for finding the cause.  This is clearly a Debian inflicted issue 
then.


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#598361: [Pkg-openldap-devel] Bug#598361: slapd: slapcat gives unclean shutdown detected; attempting recovery after squeeze upgrade

[Quanah Gibson-Mount]

--On Tuesday, September 28, 2010 9:45 AM -0500 Walton, Bryan K 
bryan-wal...@uiowa.edu wrote:



Thanks for the reply.  You are correct.  If I shutdown slapd first, no
error is generated.  I can start doing this.  However, I didn't think
this was necessary.  From the slapcat man page:

For some backend types, your slapd(8) should not be running (at least,
not in read-write mode) when you do this to ensure consistency of the
database. It is always safe to run slapcat  with the slapd-bdb(5),
slapd-hdb(5), and slapd-null(5) backends.

Is this no longer accurate?


If you run db_recover while slapd is running, you'll likely corrupt your 
database.  However, it is perfectly fine to run slapcat while slapd is 
running.


--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#598361: [Pkg-openldap-devel] Bug#598361: Bug#598361: slapd: slapcat gives unclean shutdown detected; attempting recovery after squeeze upgrade

[Quanah Gibson-Mount]

--On Tuesday, September 28, 2010 8:00 AM -0700 Quanah Gibson-Mount 
qua...@zimbra.com wrote:




If you run db_recover while slapd is running, you'll likely corrupt your
database.  However, it is perfectly fine to run slapcat while slapd is
running.


Finally, I would note I receive no such error while using slapcat with my 
own build of OpenLDAP 2.4.23:


zim...@zre-ldap002:~$ /opt/zimbra/openldap/sbin/slapcat -F 
/opt/zimbra/data/ldap/config -l /tmp/test.out -b ''

zim...@zre-ldap002:~$


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#598361: [Pkg-openldap-devel] Bug#598361: Bug#598361: Bug#598361: slapd: slapcat gives unclean shutdown detected; attempting recovery after squeeze upgrade

[Quanah Gibson-Mount]

--On Tuesday, September 28, 2010 10:40 AM -0500 Walton, Bryan K 
bryan-wal...@uiowa.edu wrote:



On Tue, 2010-09-28 at 08:29 -0700, Quanah Gibson-Mount wrote:


Finally, I would note I receive no such error while using slapcat with
my  own build of OpenLDAP 2.4.23:

zim...@zre-ldap002:~$ /opt/zimbra/openldap/sbin/slapcat -F
/opt/zimbra/data/ldap/config -l /tmp/test.out -b ''
zim...@zre-ldap002:~$


Hi Quanah, I'll acknowledge that I this doesn't seem universal.  This is
only happening on our master ldap server.  On the slave, we are get no
such error.  Both are running the current slapd that exists in Squeeze.

Still, the master does give the error.  Running db4.8_recover doesn't
fix whatever the problem is (if there is really a problem).  Any ideas
how this can be fixed?  Is this possibly a bug in BDB 4.8 rather than
slapd?


Well, the server I ran slapcat on is a master server, so I don't think 
that's relevant. ;)  Also, numerous people run OpenLDAP with bdb 4.8 and 
haven't reported such an error.  So it's unlikely it is a 4.8 issue, 
although it could be possible.


Is there any difference in file system between the master and replicas? 
I.e., nfs or ext4 vs ext3 etc?


--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#598361: [Pkg-openldap-devel] Bug#598361: Bug#598361: Bug#598361: Bug#598361: slapd: slapcat gives unclean shutdown detected; attempting recovery after squeeze upgrade

[Quanah Gibson-Mount]

--On Tuesday, September 28, 2010 11:19 AM -0500 Walton, Bryan K 
bryan-wal...@uiowa.edu wrote:



On Tue, 2010-09-28 at 09:00 -0700, Quanah Gibson-Mount wrote:



Is there any difference in file system between the master and replicas?
I.e., nfs or ext4 vs ext3 etc?


Yes. The one giving the error is on an ext3.  The one without an error
is xfs.  I just took the liberty of unmounting the ext3 filesystem on
the machine in question and forcing a filesystem check which came back
clean.  After staring slapd up again, I still get the error.


Please try the following:

(a) stop slapd
(b) run db_recover on the database
(c) remove the alock file in the database directory
(d) start slapd
(e) run slapcat

Thanks,
Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#598361: [Pkg-openldap-devel] Bug#598361: Bug#598361: Bug#598361: Bug#598361: Bug#598361: slapd: slapcat gives unclean shutdown detected; attempting recovery after squeeze upgrade

[Quanah Gibson-Mount]

--On Tuesday, September 28, 2010 11:34 AM -0500 Walton, Bryan K 
bryan-wal...@uiowa.edu wrote:



On Tue, 2010-09-28 at 09:27 -0700, Quanah Gibson-Mount wrote:


Please try the following:

(a) stop slapd
(b) run db_recover on the database
(c) remove the alock file in the database directory
(d) start slapd
(e) run slapcat


I just completed this.  Still get the same error.


Ok, well, that rules out a corrupted alock file (which I've had happen a 
few times).


The last thing I can think of, just to verify the database didn't get into 
an odd place, would be to reload the master.  I'd spot check the LDIF file 
to make sure it looked fine.


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#598361: [Pkg-openldap-devel] Bug#598361: Bug#598361: Bug#598361: Bug#598361: Bug#598361: Bug#598361: slapd: slapcat gives unclean shutdown detected; attempting recovery after squeeze upgrade

[Quanah Gibson-Mount]

--On Tuesday, September 28, 2010 1:21 PM -0500 Walton, Bryan K 
bryan-wal...@uiowa.edu wrote:



On Tue, 2010-09-28 at 09:42 -0700, Quanah Gibson-Mount wrote:



The last thing I can think of, just to verify the database didn't get
into  an odd place, would be to reload the master.  I'd spot check the
LDIF file  to make sure it looked fine.


Thanks.  That didn't seem to make any difference. LDIF file seems
perfectly correct.  I dumped both directories (master and slave), and
LDIFs were identical.  Yet, slapcat errors on the master and not the
slave.  Anyway, I repopulated the directory and still get the error.

BTW, there is one other difference between the two servers, the master
is 64-bit, while the slave is 32-bit.

The other thing I find odd is that the error only occurs when slapd is
running.  If there was really a problem, wouldn't the error also occur
when doing a slapcat while slapd is stopped?


Yeah, I really have no idea why you are seeing this.  I would note that a 
32-bit binary would not work well with a 64-bit built database (or vice 
versa), but I assume both slapd and slapcat in your case are 64-bit.


--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#596280: [Pkg-openldap-devel] Hacking slapd conffiles to fix an RC bug in kolabd (Was: Bug#596280: unblock: kolabd/2.2.4-20100624-2)

[Quanah Gibson-Mount]

--On Monday, September 13, 2010 9:25 AM +0200 Mathieu Parent (Debian) 
sath...@debian.org wrote:



Hi,

On Mon, Sep 13, 2010 at 4:24 AM, Steve Langasek vor...@debian.org wrote:
...

Note that kolabd for Wheezy will manage cn=config natively (most
probably by creating slapd.conf and using slaptest; but perhaps by
directly issuing ldap commands).


Is there any reason this (slapd.conf + slaptest) couldn't be used as the
workaround in squeeze?  That still doesn't sound great to me given that
it would overwrite any previously present cn=config settings, but it
seems to be the existing practice that kolabd will overwrite slapd
configs, so it should at least do so in the preferred location; and
getting this right shouldn't be any harder than the policy-violating
conffile overwrite.


OK. Let's go for this path. I will upload a new kolabd that revert the
hack and upload a new libkolab-perl package which run slaptest after
changing any openldap config (this is where this fix belongs).

For the long term, how can we be sure to have write access to
cn=config? Couldn't slapd package provide a tool to query cn=config
(like ldapconfigsearch) which uses ldapsearch with proper credentials
if slapd is running and uses something else when slapd is stopped.
Similary, provide an ldapconfigmodify. Also providing ldapschemaadd,
ldapschemaremove, ... can ease the integration from other packages.


I think you're looking for slapmodify, a tool I specifically requested be 
written a while back.  It exists currently in OpenLDAP HEAD.  It allows the 
offline modification of cn=config.


See ITS#6165.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#593550: [Pkg-openldap-devel] Bug#593550: A fix

[Quanah Gibson-Mount]

--On August 19, 2010 11:03:19 AM +0200 Matthijs Mohlmann 
matth...@cacholong.nl wrote:



On Aug 19, 2010, at 10:32 AM, Michael Rasmussen wrote:


Hi,

A way to fix this:
apt-get install db4.7-util
cd /var/lib/ldap
db4.7_checkpoint -1
db4.7_recover
dpkg --configure -a



Thanks for the fix, but I do not understand why your environment is still
4.7 The 2.4.23-2 version should already have db 4.8 as default.

I'll investigate what's going on here.


What version was being migrated from (i.e., what version of BDB was 
openldap linked against?).  If it was prior to BDB 4.8, then you have to do 
a slapcat/slapadd of the database (I assume that's already being done), but 
before that, it is critical to completely checkpoint the database via 
db_recover (one of the steps taken above).


--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#593550: [Pkg-openldap-devel] Bug#593550: A fix

[Quanah Gibson-Mount]

--On August 19, 2010 10:41:51 PM +0200 Michael Rasmussen m...@datanom.net 
wrote:



On Thu, 19 Aug 2010 09:19:55 -0700
Quanah Gibson-Mount qua...@zimbra.com wrote:



What version was being migrated from (i.e., what version of BDB was
openldap linked against?).  If it was prior to BDB 4.8, then you have to
do a slapcat/slapadd of the database (I assume that's already being
done), but before that, it is critical to completely checkpoint the
database via db_recover (one of the steps taken above).


I think this is the key question. Apparently the db-tools cannot handle
a migration from = 4.7 to 4.8 in which case the only reliable way to
do this is slapcat/slapadd.


Correct, it is never possible to use db-tools to upgrade OpenLDAP Databases 
across BDB versions.  The only method is slapcat/slapadd.  I'd also note 
that BDB 4.8 versions prior to 4.8.30 are not reliable and should be 
avoided (Not sure what's in debian atm).


--Quanah


--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#593368: [Pkg-openldap-devel] Bug#593368: OpenLdap simple auth password trim 8 symbols (fwd)

[Quanah Gibson-Mount]

 Forwarded Message 
Date: August 17, 2010 9:42:41 AM -0700
From: Quanah Gibson-Mount qua...@zimbra.com
To: x x n...@yandex.ru, sub...@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#593368: OpenLdap simple auth password 
trim	8 symbols




--On August 17, 2010 7:20:35 PM +0400 x x n...@yandex.ru wrote:


Package: slapd
Version: 2.4.11-1+lenny2

When I invoke `ldapsearch -x -D cn=admin,dc=example,dc=com -w qwerty12 -H
ldap://192.168.0.1` auth OK When I invoke `ldapsearch -x -D
cn=admin,dc=example,dc=com -w qwerty123456 -H ldap://192.168.0.1` auth OK
When I invoke `ldapsearch -x -D cn=admin,dc=example,dc=com -w qwerty1 -H
ldap://192.168.0.1` auth FAIL

Password consists of 8 symbols max


It sounds like you chose a poor scheme for storing your passwords, like
{CRYPT}, which only supports the first 8 characters.  This is not a bug
with OpenLDAP.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration

-- End Forwarded Message --



--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#583319: [Pkg-openldap-devel] Bug#583319: slapd: built-in schema for uidNumber/gidNumber does not have ordering directive

[Quanah Gibson-Mount]

--On Tuesday, July 27, 2010 6:14 PM -0500 Brian Kroth bpkr...@gmail.com 
wrote:



A diff of a dump of the cn=schema,cn=config object doesn't show any
changes before or after the ldapmodify.


Ugh, those are both hard coded into slapd.  You'll have to modify the 
source code and build your own slapd for this.


In any case, adding an ORDERING rule for them breaks the RFC's, and 
OpenLDAP does its best to remain RFC compliant in core features.  I would 
suggest filing a new RFC that updates the rules for these attributes.


--Quanah



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#589915: [Pkg-openldap-devel] Bug#589915: slapd: service is not operational when the init.d script exits during boot

[Quanah Gibson-Mount]

--On Friday, July 23, 2010 9:01 PM +0200 Matthijs Möhlmann 
matth...@cacholong.nl wrote:



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

It can take 3 minutes or more to have the OpenLDAP server operational,
should we wait that long in the initscript? Are there objections to for
example, wait for 5 seconds and try if the server is up, if not do that
again forever?

I'm going to do some tests with pdns too, with the bind backend it is
possible that it can take up a few seconds before operational, but I
have to test that.


The time slapd can take to start depends on if it is a first time startup. 
If it is, it has to initialize the BDB environment.  How long the BDB 
environment takes to initialize depends on its size.  There is no set 
amount of time it can take to start.  The largest environment I've dealt 
with was over 1TB in size.  It took a very very long time to start the 
first time. ;)


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#589915: [Pkg-openldap-devel] Bug#589915: slapd: service is not operational when the init.d script exits during boot

[Quanah Gibson-Mount]

--On Friday, July 23, 2010 9:13 PM +0200 Matthijs Möhlmann 
matth...@cacholong.nl wrote:



I'm not sure if I understand you correctly, you say 'The time slapd can
take to start depends on if it is a first time startup.' What do you
mean by 'first time startup' ?


First time startup for the given DB_CONFIG setting.  How long it takes to 
start depends on the cachesize value set in the DB_CONFIG file.  If this is 
the very first time slapd has ever started, or if they've changed that 
cachesize value, then the BDB environment has to be created (or recreated). 
slapd will not start listening until that is finished.  If I have a 128GB 
BDB cachesize, slapd will take a lot longer to start than if it is 8GB. 
etc.


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#589852: [Pkg-openldap-devel] Bug#589852: slapd: version 2.4.24 fixes 2 security bugs (fwd)

[Quanah Gibson-Mount]

 Forwarded Message 
Date: Wednesday, July 21, 2010 9:35 AM -0700
From: Quanah Gibson-Mount qua...@zimbra.com
To: Laurent Bonnaud bonn...@iut2.upmf-grenoble.fr, Debian BTS submission 
sub...@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#589852: slapd: version 2.4.24 fixes 2 
	security bugs


--On Wednesday, July 21, 2010 6:17 PM +0200 Laurent Bonnaud
bonn...@iut2.upmf-grenoble.fr wrote:


Package: slapd
Version: 2.4.23-2
Severity: important
Tags: security


Hi,

version 2.4.24 has been announced recently and it fixes 2 security bugs:


I think you are confused.  The latest release is 2.4.23, and it includes
those security fixes.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration

-- End Forwarded Message --



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#327585: [Pkg-openldap-devel] Bug#589852: slapd: version 2.4.24 fixes 2 security bugs (fwd)

[Quanah Gibson-Mount]

 Forwarded Message 
Date: Wednesday, July 21, 2010 9:35 AM -0700
From: Quanah Gibson-Mount qua...@zimbra.com
To: Laurent Bonnaud bonn...@iut2.upmf-grenoble.fr, Debian BTS submission 
sub...@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#589852: slapd: version 2.4.24 fixes 2 
	security bugs


--On Wednesday, July 21, 2010 6:17 PM +0200 Laurent Bonnaud
bonn...@iut2.upmf-grenoble.fr wrote:


Package: slapd
Version: 2.4.23-2
Severity: important
Tags: security


Hi,

version 2.4.24 has been announced recently and it fixes 2 security bugs:


I think you are confused.  The latest release is 2.4.23, and it includes
those security fixes.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration

-- End Forwarded Message --



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#588969: [Pkg-openldap-devel] Bug#588969: Bug#588969: slapd 2.4.23-1 fails to start with libdb4.8 4.8.26-1

[Quanah Gibson-Mount]

--On Wednesday, July 14, 2010 6:28 PM +1000 Alex Samad a...@samad.com.au 
wrote:



Hi

Sorry apologies, very light on the information. I did an upgrade of slapd
and when slapd went to start there were errors could not start expecting
version xxx and found version . At that point I guessed it was the
libdb package needed to be brought into line with slapd. Once I loaded
that it started - I had some other problems but did not investigate any
further.


Just as a side note, you definitely want to make sure you do not use BDB 
4.8.26 with OpenLDAP, as BDB 4.8.26 has serious issues that were fixed in 
4.8.30.  So it not working with that release is a good thing.


--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#586334: ldappasswd hangs while smbk5pwd enabled

[Quanah Gibson-Mount]

--On Tuesday, July 13, 2010 8:31 PM +0200 Matthijs Möhlmann 
matth...@cacholong.nl wrote:



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Quanah,

According to the following url:
http://lists.arthurdejong.org/openldap-technical/2010/06/msg00308.html

This seems to be fixed ?


Right, it was user error.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#586334: [Pkg-openldap-devel] Bug#586334: ldappasswd hangs while smbk5pwd enabled

[Quanah Gibson-Mount]

--On Friday, June 18, 2010 3:45 PM +0200 Frank Van Damme 
frank.vanda...@gmail.com wrote:



Package: slapd-smbk5pwd
Version: 2.4.21-1


Quite frankly, I'm beyond baffled as to why you would file this bug with 
Debian, and not the OpenLDAP project.  The Debian project does not maintain 
this code.  Particularly given all of the ongoing discussion on the 
OpenLDAP list about this issue already.




--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org