OpenLDAP
Viewing Incoming/6749
Date: Wed, 15 Dec 2010 12:39:11 +0000
From: h.b.furuseth@usit.uio.no
To: openldap-its@OpenLDAP.org
Subject: Shut up "configure monitor database to enable"
Full_Name: Hallvard B Furuseth
Version: 2.4.23
OS: 
URL: 
Submission from: (NULL) (129.240.6.233)
Submitted by: hallvard


Please don't give the "configure monitor database to enable" message
by default.

Either just remove it, or better, stop cn=config from adding a default
olcMonitoring: TRUE attribute to olcDatabase objects.  (The flag value
can still default to True if the attribute is absent.)  Then you can
give the message if the _admin_ has explicitly asked for monitoring,
instead of if slapd has asked for it.

Followup 1

Date: Sun, 2 Jan 2011 15:04:16 +0100 (CET)
Subject: Re: (ITS#6749) Shut up "configure monitor database to enable"
From: masarati@aero.polimi.it
To: h.b.furuseth@usit.uio.no
Cc: openldap-its@openldap.org
> Full_Name: Hallvard B Furuseth
> Version: 2.4.23
> OS:
> URL:
> Submission from: (NULL) (129.240.6.233)
> Submitted by: hallvard
>
>
> Please don't give the "configure monitor database to enable" message
> by default.
>
> Either just remove it, or better, stop cn=config from adding a default
> olcMonitoring: TRUE attribute to olcDatabase objects.  (The flag value
> can still default to True if the attribute is absent.)  Then you can
> give the message if the _admin_ has explicitly asked for monitoring,
> instead of if slapd has asked for it.

I disagree; it is not cn=config that defaults database monitoring to TRUE;
actually, it's back-bdb/back-hdb that sets its own monitoring to TRUE as
soon as back-monitor support is compiled and the specific backend
monitoring is successfully initialized.

Maybe this warning can be demoted to LDAP_DEBUG_CONFIG instead of
LDAP_DEBUG_ANY.  I understand that one could presume that the lack of
database monitor in the configuration indicates that monitoring is not
desired; this warning, however, tries to address a typical configuration
error, when admins just forget to configure it.

p.



Followup 2

From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Sat, 29 Jan 2011 23:50:10 +0100
To: masarati@aero.polimi.it
Cc: openldap-its@openldap.org
Subject: Re: (ITS#6749) Shut up "configure monitor database to enable"
masarati@aero.polimi.it writes:
>> Please don't give the "configure monitor database to enable" message
>> by default.
>>
>> Either just remove it, or better, stop cn=config from adding a default
>> olcMonitoring: TRUE attribute to olcDatabase objects.  (The flag value
>> can still default to True if the attribute is absent.)  Then you can
>> give the message if the _admin_ has explicitly asked for monitoring,
>> instead of if slapd has asked for it.
> 
> I disagree; it is not cn=config that defaults database monitoring to TRUE;
> actually, it's back-bdb/back-hdb that sets its own monitoring to TRUE as
> soon as back-monitor support is compiled and the specific backend
> monitoring is successfully initialized.

If the admin put 'olcMonitoring: TRUE' in slapd.d but did not include
database monitor, that would be poor user config.

I'm fine with having bdb set the internal default flag value to TRUE.
My protest in that context is against slapd - be it back-bdb or
back-config which is to blame - writing the default value to the
cn=config LDIF even though the admin never mentioned monitoring.

This means that neither the TRUE value of the internal flag nor the
presence of the attribute is an indication that the admin asked for
monitoring (i.e. set the flag) but forgot to add database monitor.

> Maybe this warning can be demoted to LDAP_DEBUG_CONFIG instead of
> LDAP_DEBUG_ANY.

Yes.  Maybe slapd should nag the admin more about bad config, but if so
there are plenty of other things which are more important than this and
should get a chance to nag the admin before this particular flag gets to
do it.  IIRC the only other thing which gets to do that now is BDB
without DB_CONFIG - which makes sense since that's an entire
non-OpenLDAP subsystem which has not been configured.

But also:

> I understand that one could presume that the lack of database monitor
> in the configuration indicates that monitoring is not desired; this
> warning, however, tries to address a typical configuration error, when
> admins just forget to configure it.

No, this is a broken slapd default.  It should not be an admin error to
not mention a feature he does not want and does not need to know about.

And if slapd does nag anyone about it, it should nag admins who do
mention either database monitor or the flag, not admins who do not.

So slapd should be quiet if it set the flag internally and the admin
does not include database monitor.  Thus my suggestion to set the flag
internally by default but only nag the admin if it was set in cn=config.

Unless olcMonitoring:TRUE is a drain on performance or something so
it really ought to be off when the data is not used anyway.

An alternative (and a change in behavior from now) if you really want
this warning, would be to always default monitoring to off.  That'll
surprise existing users, so the cn=monitor objects could contain some
text 'monitoring off for this database, set olcMonitoring to enable'.
Personally I don't think a warning is worth such a change in behavior,
but then I don't like the warning anyway:-)

-- 
Hallvard
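A small check for the exact condition the warning fires on, added here as an example that is not part of this thread or of OpenLDAP's own code: it reads a cn=config LDIF dump and reports databases carrying olcMonitoring: TRUE while no monitor database is configured. The sample entries are constructed, the LDIF reader is deliberately minimal, and the sample DNs and attribute names are assumptions modelled on the slapd.d layout.

```python
import re

# Constructed cn=config fragments (not from the thread): the first has
# olcMonitoring: TRUE on the hdb database but no monitor database.
LDIF_NO_MONITOR = """\
dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config

dn: olcDatabase={1}hdb,cn=config
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcMonitoring: TRUE
"""
LDIF_WITH_MONITOR = LDIF_NO_MONITOR + """
dn: olcDatabase={2}monitor,cn=config
olcDatabase: {2}monitor
"""

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, folded
    continuation lines joined; base64 (::) values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:             # sentinel flushes last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def monitoring_mismatch(text):
    """Return the DNs of databases flagged olcMonitoring: TRUE while no
    olcDatabase={N}monitor entry exists; an empty list otherwise."""
    dbs = {}
    for e in parse_ldif(text):
        for db in e.get("olcdatabase", []):
            backend = re.sub(r"^\{-?\d+\}", "", db).lower()   # strip {N}
            dbs[e["dn"][0]] = (backend, e.get("olcmonitoring", ["FALSE"])[0].upper())
    if any(b == "monitor" for b, _ in dbs.values()):
        return []
    return [dn for dn, (b, flag) in dbs.items() if flag == "TRUE"]
```

As the thread points out, a TRUE flag found this way does not prove the admin asked for monitoring, since slapd may have written the default itself; treat a hit as something to review, not as an error.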


© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org