[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
I have found an upstream ticket which seems to be exactly our issue: ITS#7107 [1]. It's fixed upstream, but was fixed after the release of 2.4.28. It's a one-line fix, see git commit [2].

I haven't tested whether it effectively fixes our issue, but the description seems very close to our problem.

[1]: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7107;selectid=7107
[2]: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=85c1c545f4e20882a2f748fcef5f732ea2d2ecf6

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1023025

Title: search fail with get_ctrls : controls require LDAPv3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1023025/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
** Changed in: openldap (Ubuntu)
   Importance: Undecided => Medium
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
** Also affects: openldap (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Changed in: openldap (Ubuntu Precise)
   Status: New => Triaged

** Changed in: openldap (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: openldap (Ubuntu Precise)
   Milestone: None => ubuntu-12.04.1

** Changed in: openldap (Ubuntu)
   Status: Confirmed => Triaged
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
** Description changed: - On precise, the slapd daemon return error code 2 - controls require - LDAPv3 to client search. I don't see any reason why this would occure, - because if you run the same command few seconds later, it (may) work. + [IMPACT] - For example, using nss_ldap, when running in a loop id pierref, you - may sometime have fewer group that you would normally have. And few - seconds later, everything go back to normal. + * Any client connecting in LDAPv3 and using v3 specific feature may fail + * This include libnss-ldap (so id user may not return all group). Thus you may login without all your groups and need to logout/login on more time. + * This issue is known and fixed on upsteam, ITS#7107 (commit 85c1c545f4e20882a2f748fcef5f732ea2d2ecf6). - We also have this issue with some other tools, like Confluence - (Atlassian's wiki) and also a internal tools developped in Python. + [TESTCASE] - On client side (confluence), we have - javax.naming.CommunicationException: [LDAP: error code 2 - controls - require LDAPv3]; + To reproduce this issue, you will need to do enougth search some with + version 2, other with version 3 and some control. - On server side, we found the same controls require LDAPv3 returned - with get_ctrl function. I attached log extract of slapd server at - loglevel any. On log I keep one successfull search done by confluence - and one failed search. + Example: - Note: on server log - if I understand log correctly - the client bind - with version 3 of protocol... while error complain about not behind - version 3... - - Version: - - * server : Ubuntu precise 3.2.0-26-generic x86_64, slapd 2.4.28-1.1ubuntu4 - * client 1 : Ubuntu lucid 2.6.32-41-server x86_64, libnss-ldap 264-2ubuntu2, ldap-utils 2.4.21-0ubuntu5.7 - * client 2 : Ubuntu precise 3.2.0-26-virtual x86_64, libnss-ldap 264-2.2ubuntu2, ldap-utils 2.4.28-1.1ubuntu4 - - Their is two LDAP server (replication), I attached configuration of - both. 
- - I also attached a test_nss.sh which show this bug on client side. + * In terminal A, run: while true; do ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -P 2 /dev/null;sleep 0.1;done + * Let the loop run for some time (it increase change of failure for next step). + * In terminal B, run ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -M. You should not have to run more than 20 times before an error occure.
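Review bot: in the new [TESTCASE] text, neither step says what a failing run looks like, while the removed lines carried the literal "error code 2 - controls require LDAPv3" string and the affected slapd version (2.4.28-1.1ubuntu4); keeping both in the rewritten description would let whoever verifies the SRU tell this failure from an unrelated one. In the terminal A loop, "/dev/null" follows "-P 2" with no redirection operator, so as written it is passed to ldapsearch as an argument instead of discarding the output.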
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
debdiff for precise sru.

** Patch added: lp1023025.debdiff
   https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1023025/+attachment/3228396/+files/lp1023025.debdiff
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
debdiff for quantal.

** Patch added: lp-1023025-quantal.debdiff
   https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1023025/+attachment/3228408/+files/lp-1023025-quantal.debdiff
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
This bug was fixed in the package openldap - 2.4.28-1.1ubuntu6

---------------
openldap (2.4.28-1.1ubuntu6) quantal; urgency=low

  * Fix issue with intermittent connection issues when using LDAPv3
    protocol (LP: #1023025):
    - d/patches/its-7107-fix-Operation-init-on-reuse.diff: Cherry picked
      patch from upstream VCS which ensures objects are initialized before
      re-use.

 -- Pierre Fersing pfers...@sierrawireless.com Thu, 19 Jul 2012 14:05:09 +0100

** Changed in: openldap (Ubuntu)
   Status: Triaged => Fix Released
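A minimal model of the bug class the changelog names (a pooled object handed out again without being re-initialized), added here as an illustration; it is not OpenLDAP's code or the ITS#7107 patch. The struct, the pool and every function name are hypothetical, and the request sequence is constructed to mirror a v2 search followed by a v3 search that carries a control.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model; not slapd's structures or code. */
enum { PROTO_V2 = 2, PROTO_V3 = 3 };
enum { RC_SUCCESS = 0, RC_PROTOCOL_ERROR = 2 };

typedef struct op {
    int protocol;            /* 0 means "not yet copied from the connection" */
    int has_controls;
    struct op *next_free;
} op_t;

static op_t pool[4], *free_list;
static size_t pool_used;

/* Reuse a freed op if there is one, otherwise hand out a fresh zeroed slot. */
static op_t *op_alloc(int reinit_on_reuse) {
    op_t *op = free_list;
    if (op != NULL) {
        free_list = op->next_free;
        if (reinit_on_reuse)
            memset(op, 0, sizeof(*op));   /* hardened: wipe the previous request's state */
        return op;
    }
    if (pool_used == sizeof(pool) / sizeof(pool[0]))
        return NULL;
    return &pool[pool_used++];
}

static void op_free(op_t *op) { op->next_free = free_list; free_list = op; }

/* One search request. The protocol is filled in only when the field looks
 * unset, which is correct only if every op starts out zeroed. */
static int handle_search(int conn_protocol, int with_controls, int reinit) {
    op_t *op = op_alloc(reinit);
    int rc = RC_SUCCESS;
    if (op == NULL) return -1;
    if (op->protocol == 0) op->protocol = conn_protocol;
    op->has_controls = with_controls;
    if (op->has_controls && op->protocol < PROTO_V3)
        rc = RC_PROTOCOL_ERROR;           /* reported as "controls require LDAPv3" */
    op_free(op);
    return rc;
}

/* Constructed sequence: a v2 search without controls, then a v3 search with one. */
int replay(int reinit) {
    memset(pool, 0, sizeof(pool)); pool_used = 0; free_list = NULL;
    (void)handle_search(PROTO_V2, 0, reinit);
    return handle_search(PROTO_V3, 1, reinit);
}

int main(void) {
    printf("no re-init: rc=%d, re-init on reuse: rc=%d\n", replay(0), replay(1));
    return 0;
}
```

Without re-initialization the second request inherits the first request's protocol version and is rejected even though its own connection speaks LDAPv3; with the wipe on reuse it succeeds.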
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
Pierre

Thanks for the debdiffs. I made one change to both which was to fill out the changelog entry in more detail to explain what's being fixed and how. Other than that looked good so uploaded.

** Description changed: [IMPACT] * Any client connecting in LDAPv3 and using v3 specific feature may fail * This include libnss-ldap (so id user may not return all group). Thus you may login without all your groups and need to logout/login on more time. * This issue is known and fixed on upsteam, ITS#7107 (commit 85c1c545f4e20882a2f748fcef5f732ea2d2ecf6). [TESTCASE] - To reproduce this issue, you will need to do enougth search some with + To reproduce this issue, you will need to do enough searches, some with version 2, other with version 3 and some control. Example: * In terminal A, run: while true; do ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -P 2 /dev/null;sleep 0.1;done - * Let the loop run for some time (it increase change of failure for next step). - * In terminal B, run ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -M. You should not have to run more than 20 times before an error occure. + * Let the loop run for some time (it increases change of failure for next step). + * In terminal B, run ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -M. + + You should not have to run more than 20 times before an error occurs. + + [REGRESSION POTENTIAL] + + Minimal, as this is a simple one-line change to initialize objects before re-use. + Fix has good heritage as Howard is the Chief TA of OpenLDAP. ** Summary changed: - search fail with get_ctrls : controls require LDAPv3 + [SRU] search fail with get_ctrls : controls require LDAPv3
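Review bot: the added [REGRESSION POTENTIAL] paragraph argues low risk from the size of the change and the upstream author's standing ("Fix has good heritage ...") and not from testing; it would be stronger to state that the [TESTCASE] loop was run against the patched package without an error. The corrected line "it increases change of failure" also still has "change" where "chance" is meant.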
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
I can reproduce this issue with a simple ldapsearch:

    ldapsearch -h ldap-1 -b ou=people,o=company -x (((objectClass=posixAccount)(uid=*))(uid=pierref)) -M -v

Note: I think the exact query filter doesn't matter, only the -M switch is important.

The result when it fails is:

    ldap_initialize( ldap://ldap-1)
    filter: (((objectClass=posixAccount)(uid=*))(uid=pierref))
    requesting: All userApplication attributes
    # extended LDIF
    #
    # LDAPv3
    # base ou=people,o=company with scope subtree
    # filter: (((objectClass=posixAccount)(uid=*))(uid=pierref))
    # requesting: ALL
    # with manageDSAit control
    #
    # search result
    search: 2
    result: 2 Protocol error
    text: controls require LDAPv3
    # numResponses: 1

But this doesn't occur often... running this command every 5 seconds generated only 6 errors in 3 hours.
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
I can also reproduce this issue with the same ldapsearch, except I get a failure about half the time (this is with the daemon versions of lib(pam|nss)-ldapd):

    $ ldapsearch -h localhost -b ou=people,dc=company,dc=com -x (((objectClass=posixAccount)(uid=*))(uid=cswingley)) -M -v
    ldap_initialize( ldap://localhost )
    filter: (((objectClass=posixAccount)(uid=*))(uid=cswingley))
    requesting: All userApplication attributes
    # extended LDIF
    #
    # LDAPv3
    # base ou=people,dc=company,dc=com with scope subtree
    # filter: (((objectClass=posixAccount)(uid=*))(uid=cswingley))
    # requesting: ALL
    # with manageDSAit control
    #
    # search result
    search: 2
    result: 2 Protocol error
    text: controls require LDAPv3
    # numResponses: 1

I tried rebuilding 'nss-pam-ldapd' from the latest upstream sources (0.8.10), copying the debian directory over from the 12.04 src package and modifying the changelog, and the problem is still there, so it doesn't seem to be an issue that was fixed in upstream.
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
In my earlier comment (#5) I mentioned installing libnss-ldapd / libpam-ldapd as replacements for libnss-ldap / libpam-ldap. This did *not* solve the issue with group mappings: I experience the group mapping failures with both versions of the libnss and libpam LDAP packages on my 12.04 server.
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
** Attachment added: Log on one of slapd server when bug occure
   https://bugs.launchpad.net/bugs/1023025/+attachment/3218612/+files/syslog
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
** Attachment added: Configuration of slapd on master
   https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1023025/+attachment/3218625/+files/slapd-1.conf
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
** Attachment added: Configuration of slapd on slave
   https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1023025/+attachment/3218626/+files/slapd-2.conf
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openldap (Ubuntu)
   Status: New => Confirmed
[Bug 1023025] Re: search fail with get_ctrls : controls require LDAPv3
I also have this issue with a 12.04 server, also using replication. The issue appears on the slave, not the master, but the master LDAP server is still running 10.04, so I don't know if that is relevant or not.

This morning I installed libnss-ldapd / libpam-ldapd (which also installed nscd) and I haven't noted the group mapping or the controls require LDAPv3 error since. However, since nscd is now running, it could be that I was just lucky and that my first connection managed to grab the LDAP groups, was then cached, and subsequent connections are getting the correct group membership from nscd.

In any case, this is a critical bug because it affects what individual users will have access to. If their logon (local / Samba / etc.) doesn't map the proper groups, they're locked out of shared resources they need.