Re: slapd hangs in startup with monitor directives and debug (ITS#3863)
On Jul 14, 2005, at 4:07 PM, Pierangelo Masarati wrote:
> I have played a bit with current RE22 and HEAD code and I couldn't see that
> issue. Can you clarify if an incorrect rootdn for the monitor database is
> required to cause the issue and, in this case, how "incorrect" does it have to
> be?
No. On 2.2.23 it hangs with any directive beneath the "database
monitor" and before the next "database" directive. Those directives
were correct and function correctly without the hang when the
database definition is moved to the end of slapd.conf.
> An invalid DN, or a DN not rooted at cn=monitor or what? Is access control
> also required to cause the hang?
Access control directives or rootdn and rootpw cause the behavior.
> Can you produce a simple slapd.conf (e.g. the one resulting from test003 plus
> the "database monitor" and related directive(s)) to easily reproduce the issue?
slapd.conf attached ... the only differences are the rootpw
directives. I changed the passwords to protect my innocence and the
toy directory ;-) ... all of the statements are in the file but the
ones that don't work are commented out.
Attachment: slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Schema files. Note that not all of these schemas co-exist peacefully.
# Use only those you need and leave the rest commented out.
include /opt/symas/etc/openldap/schema/core.schema
#include /opt/symas/etc/openldap/schema/ppolicy.schema
#include /opt/symas/etc/openldap/schema/connexitor.schema
#include /opt/symas/etc/openldap/schema/corba.schema
### --- Marty REMOVED a second copy of core.schema 21Apr2005
include /opt/symas/etc/openldap/schema/cosine.schema
#include /opt/symas/etc/openldap/schema/eduperson.schema
include /opt/symas/etc/openldap/schema/inetorgperson.schema
#include /opt/symas/etc/openldap/schema/java.schema
#include /opt/symas/etc/openldap/schema/krb5-kdc.schema
#include /opt/symas/etc/openldap/schema/misc.schema
#include /opt/symas/etc/openldap/schema/nis.schema
#include /opt/symas/etc/openldap/schema/openldap.schema
#include /opt/symas/etc/openldap/schema/samba.schema
# TLS Setup Section
#
# TLSCACertificateFile <filename>
# Specifies the file that contains certificates for all
# of the Certificate Authorities that slapd will
# recognize.
TLSCACertificateFile /opt/symas/ssl/cacert.pem
#
# TLSCertificateFile <filename>
# Specifies the file that contains the slapd server
# certificate.
TLSCertificateFile /opt/symas/etc/openldap/shawm.pem
#
# TLSCertificateKeyFile <filename>
# Specifies the file that contains the slapd server
# private key that matches the certificate stored in the
# TLSCertificateFile file. Currently, the private key
# must not be protected with a password, so it is of
# critical importance that it is protected carefully.
TLSCertificateKeyFile /opt/symas/etc/openldap/shawmkey.pem
#
# TLSRandFile <filename>
# Specifies the file from which to obtain random bits when
# /dev/[u]random is not available. Generally set to the
# name of the EGD/PRNGD socket. The environment variable
# RANDFILE can also be used to specify the filename.
#TLSRandFile /var/symas/egd-pool
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# Files in which to store the process id and startup arguments.
# These files are needed by the init scripts, so only change
# these if you are prepared to edit those scripts as well.
pidfile /var/symas/slapd.pid
argsfile /var/symas/slapd.args
replica-pidfile /var/symas/slurpd.pid
replica-argsfile /var/symas/slurpd.args
# The default location of loadable modules
modulepath /opt/symas/lib/openldap
# Uncomment the moduleloads as needed to enable backend
# functionality.
# Load dynamic backend modules:
moduleload back_bdb.la
#moduleload back_ldap.la
#moduleload back_ldbm.la
#moduleload back_meta.la
moduleload back_monitor.la
# Uncomment the following moduleload to add support for
# referential integrity. Refer to the example below and to
# slapo-integrity(5) for additional information.
#moduleload refint.la
# Uncomment the following moduleload to add support for
# password policies. Refer to the example below and to
# slapo-ppolicy(5) for additional information.
#moduleload ppolicy.la
# Uncomment the following moduleload to add support for
# attribute uniqueness. Refer to the example below and to
# slapo-unique(5) for additional information.
#moduleload unique.la
# Uncomment the following moduleload to add support for NTLM
# hashes. This option is useful if you are importing passwords
# from an NT Domain Controller or want to replicate to an NT4
# PDC using hashed passwords.
#moduleload pwntlm.la
# Uncomment the following moduleload to add support for
# dynamic groups. This module greatly simplifies group
# management.
#moduleload dyngroup.la
# Uncomment the following moduleload to add support for
# the obsolete draft-weltman-ldapb3-proxy-05 revision of the
# LDAP Proxy Authorization control. This module is only
# intended to provide compatibility in environments where
# other servers only recognize this old control.
# New installations should not use this code.
#moduleload proxyOld.la
# Sample access control policy:
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn="" by * read
# grant read access to anyone to the statistics subtree
access to dn.subtree="cn=monitor"
        by * read
access to dn.children="ou=people,cn=Marty Heyman,ou=users,o=symas"
        by dn="cn=Marty Heyman,ou=user,o=symas" write
access to dn.children="ou=people,o=symas"
        by users write
access to dn.children="ou=people,o=symas"
        filter=(o=symas*)
        attrs=entry,cn,sn,gn,mail,telephoneNumber,o,title
        by anonymous read
access to dn.children="ou=users,o=symas"
        attrs=entry,cn,sn,gn,telephoneNumber,description
        by users read
        by * auth
access to dn.children="ou=users,o=symas"
        attrs=userPassword
        by self write
        by * auth
access to dn.children="ou=people,o=symas"
        filter=(o=symas*)
        attrs=entry,cn,sn,gn,mail,telephoneNumber,o,title,mobile,pager,l,st,street,postalCode,postalAddress,description
        by users write
access to *
        by self write
        by anonymous auth
### The following line was commented out from the access to * group
# by users read
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
# +++ Marty screwing around
# database monitor
# suffix "cn=monitor"
# rootdn "cn=Watcher,cn=monitor"
# rootpw rootpw
# access to dn="" by * read
# grant read access to anyone to the statistics subtree
# access to dn.subtree="cn=monitor"
# by * read
#######################################################################
# Sample bdb database definitions
#######################################################################
database bdb
suffix "o=symas"
rootdn "cn=TheJanitor,o=symas"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details describing
# the creation of encrypted passwords.
rootpw rootpw
# Indices to maintain
index objectClass eq
index cn eq
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
# One directory will be needed for each backend, so you should
# create a subdirectory beneath /var/symas/openldap-data for each
# new backend. This is also where the DB_CONFIG file needs to be
# placed.
directory /var/symas/openldap-data/example
# The cache size should be large enough to hold the working set of
# entries, if possible. The cache size is measured in number of
# entries and is distinct from the set_cachesize option in the
# DB_CONFIG file.
cachesize 5000
# Checkpoints cause the transaction log buffers to be flushed out
# to disk. This option takes the form:
# checkpoint <kbyte> <minutes>
# This allows you to cause checkpoints to take place after a certain
# number of kbytes have been written to the log file or at certain
# certain time intervals. Small values cause checkpoints to be
# performed more often, and the chance of not being able to recover
# transactions after a system crash is relatively small. The downside
# is that write performance can suffer. Larger values will keep write
# performance up, but increase the chances of not being able to recover
# transactions after a system crash.
#
checkpoint 512 60
# Uncomment these lines if you want to use the Referential Integrity
# overlay to enforce referential integrity within a subtree:
# Load an instance of the RefInt overlay for the current database:
#overlay integrity
# By default, integrity operates over the entire database for which it has
# been configured. To enforce integrity in a different tree, use the
# base parameter as shown here:
#integrity_base "dc=subtree,dc=example,dc=com"
# Specify a list of attribute names for which referential integrity
# is enforced.
#integrity_attributes manager secretary
# Uncomment these lines if you want to use the Attribute Uniqueness
# overlay to enforce attribute uniqueness within a subtree:
# Load an instance of the unique overlay for the current database:
#overlay unique
# By default, unique operates over the entire database for which it has
# been configured. To enforce uniqueness against a different tree, use
# the base parameter as shown here:
#unique_base "dc=subtree,dc=example,dc=com"
# Specify a list of attribute names which must be unique. If not
# configured, all non-operational (eg, system) and non-ignored (see
# below) attributes must be unique within the entire tree.
#unique_attributes uid cn
# Specify a list of attribute names for which uniqueness is NOT
# enforced. Note: this example default is almost always required,
# as these attributes are not unique, nor are they operational.
#unique_ignore objectClass dc ou o
# Require null values to be unique; by default, uniqueness is not
# enforced for a null value.
#unique_strict
# Uncomment these lines if you want to use the Password Policy
# overlay to enforce password policies on this database.
# Load an instance of the ppolicy overlay for the current database:
#overlay ppolicy
# Specify the default password policy subentry to use when none is
# specified in an account's entry
#ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
# Uncomment these lines if you want to use the Proxy Override
# overlay to provide translucent access to a remote LDAP server:
# Load an instance of the translucent overlay for the current database:
# NOTE: this overlay requires the "back-ldap" backend to be loaded!
#overlay translucent
# Don't automatically create parent "glue" entries to anchor records
# created via add or modrdn operations. (Glue is always created for
# modify requests.)
#translucent_no_glue
# Strict mode causes any attempt to delete records or attributes from
# the remote database to result in an error. By default, these operations
# are silently ignored:
#translucent_strict
# The remainder of these directives are interpreted by back-ldap, and
# are described more fully in the slapd-ldap(5) manual page:
#
# Don't pass operational attributes related to entry creation/modification:
#lastmod off
#
# URI of the remote server:
#uri ldap://remote-server:9009
#
# DN used to query the remote server for ACL checking
#binddn uid=binder,o=remote
#
# Password to be used with the above binddn:
#bindpw bindtest
#
# Map all remote objectClasses and Attributes to the same objectClases and
# Attributes on the local server:
#map objectclass * *
#map attribute * *
#
### Add the monitor Database
database monitor
# suffix "cn=monitor"
# rootdn "cn=Watcher,cn=monitor"
# rootdn "cn=TheJanitor,cn=monitor"
# rootpw jordan
# access to dn="" by * read
# grant read access to anyone to the statistics subtree
# access to dn.subtree="cn=monitor"
# by * read
> And finally, does it appear with the latest RE22?
I do not have anything more recent than 2.2.23 running. I hope to
have 2.2.27 shortly and will reproduce the tests with that release.
> If I can't reproduce it, could you please attach the hung slapd with gdb
> and see where it's hanging?
I would be glad to but will need some coaching on how that's done.
> Thanks, p.
Thanks, Marty
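The report above pins the hang on a specific slapd.conf layout: a "database monitor" section that carries its own directives (rootdn, rootpw, access) and is followed by another "database" section, with the same directives working once the monitor section is moved to the end of the file. The attached file also keeps its rootpw values in cleartext, which its own comments say to avoid. The script below is an added example, not part of this thread or of OpenLDAP: it parses slapd.conf(5) syntax (comment lines, whitespace-led continuation lines, and directives scoped to the most recent "database" line) and reports both conditions, so a configuration can be checked for the hanging layout before slapd is started. The sample configuration embedded in it is constructed for the example and modelled on the attached file; the {SSHA} value is a placeholder, not a real hash.

```python
"""Lint a slapd.conf for the monitor-database layout described in ITS#3863.

Added example, not code from the thread or from OpenLDAP. Assumptions:
slapd.conf(5) syntax only (a line starting with '#' is a comment, a line
starting with whitespace continues the previous directive, and every directive
after a 'database' line belongs to that database).
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the attached file: the monitor database sits
# before the bdb database and carries directives, and one rootpw is cleartext.
SAMPLE_CONF = """\
include /opt/symas/etc/openldap/schema/core.schema
access to dn="" by * read
access to dn.subtree="cn=monitor"
        by * read

database monitor
rootdn "cn=Watcher,cn=monitor"
rootpw rootpw
access to dn.subtree="cn=monitor"
        by * read

database bdb
suffix "o=symas"
rootdn "cn=TheJanitor,o=symas"
rootpw {SSHA}placeholder-not-a-real-hash
directory /var/symas/openldap-data/example
"""


@dataclass
class Database:
    backend: str
    directives: list = field(default_factory=list)  # (name, args) pairs


def parse_slapd_conf(text):
    """Return (global_directives, databases) for slapd.conf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # continuation of previous directive
        else:
            logical.append(raw.strip())
    global_directives, databases = [], []
    for line in logical:
        name, _, args = line.partition(" ")
        name, args = name.lower(), args.strip()
        if name == "database":
            databases.append(Database(backend=args.lower()))
        elif databases:
            databases[-1].directives.append((name, args))
        else:
            global_directives.append((name, args))
    return global_directives, databases


def lint(text):
    """Return a list of findings (strings) for the given slapd.conf text."""
    findings = []
    _, dbs = parse_slapd_conf(text)
    for i, db in enumerate(dbs):
        # The reported hang: a monitor section with directives that is not last.
        if db.backend == "monitor" and db.directives and i < len(dbs) - 1:
            findings.append(
                f"database {i}: 'database monitor' carries "
                f"{len(db.directives)} directive(s) but is not the last "
                "database section (ITS#3863 layout)")
        for name, args in db.directives:
            # A hashed rootpw starts with a {SCHEME} prefix; anything else is cleartext.
            if name == "rootpw" and not re.match(r"^\{[A-Za-z0-9-]+\}", args):
                findings.append(f"database {i} ({db.backend}): cleartext rootpw")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run it against a real file with `lint(open("/path/to/slapd.conf").read())`; a file that puts the monitor section last, or strips its directives, produces no layout finding.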