Full_Name: Sean Burford Version: 2.4.9 OS: Linux x86_64 URL: ftp://ftp.openldap.org/incoming/sean-burford-080529.tar.gz.1 Submission from: (NULL) (76.104.224.20) Adding equality and substring matching to an existing in use attribute causes the schema and database contents to mismatch. I added equality and substring matching to an attribute in my schema. A modification of an attribute value was propogated a few days later, triggering the assertion and taking my replicas offline. Each restart replicated the change and triggered the assertion again. When no matching is specified, new database entries do not have their normalized value populated in the database. When the matching is added, new database entries with have their normalized value populated in the database. There is an assertion in attr.c that checks that attributes from the database have the expected normalization. I have attached a script and config to demonstrate the issue (ftp://ftp.openldap.org/incoming/sean-burford-080529.tar.gz.1) These files are in the tarball: slapd.d/ contains a server configuration that is suitable for reproducing the problem. script/trigger-assertion.sh performs the ldap operations necessary to trigger the assertion. The important ones are: - An attribute is added to the schema without equality matching. - An entry is added to the directory that uses the new attribute. - The schema is modified so that the attribute has equality matching. - Another attribute value is added to the entry, triggering the assertion. patch/attr-assertion.patch causes the operation to be rejected and logged, rather than triggering the assertion. It might not be the optimal patch for this problem, but it prevents the assertion and rejects the operation.
This backtrace may provide some further info: #0 0x00007f72558aa095 in raise () from /lib/libc.so.6 #1 0x00007f72558abaf0 in abort () from /lib/libc.so.6 #2 0x00007f72558a32df in __assert_fail () from /lib/libc.so.6 #3 0x0000000000426e41 in attr_merge (e=<value optimized out>, desc=<value optimized out>, vals=0x98ceb0, nvals=0x953bf0) at attr.c:477 #4 0x00000000004681bc in modify_add_values (e=0x4085f7b0, mod=0x98ce70, permissive=0, text=0x40860cd0, textbuf=0x4085f8b0 "0�\230", textlen=256) at mods.c:155 #5 0x000000000048e4bf in hdb_modify_internal (op=0x952400, tid=0x953640, modlist=0x98ce70, e=0x4085f7b0, text=0x40860cd0, textbuf=0x4085f8b0 "0�\230", textlen=256) at modify.c:101 #6 0x000000000048eead in hdb_modify (op=0x952400, rs=0x40860cb0) at modify.c:578 #7 0x00000000004346ed in fe_op_modify (op=0x952400, rs=0x40860cb0) at modify.c:300 #8 0x0000000000434fda in do_modify (op=0x952400, rs=0x40860cb0) at modify.c:175 #9 0x000000000041e193 in connection_operation (ctx=0x40860e00, arg_v=<value optimized out>) at connection.c:1084 #10 0x000000000041e995 in connection_read_thread (ctx=0x40860e00, argv=<value optimized out>) at connection.c:1211 #11 0x00000000005430da in ldap_int_thread_pool_wrapper (xpool=0x8d7c60) at tpool.c:663 #12 0x00007f7256e6d3f7 in start_thread () from /lib/libpthread.so.0 #13 0x00007f725594fb2d in clone () from /lib/libc.so.6 #14 0x0000000000000000 in ?? ()
unix.gurus@gmail.com wrote: > ------=_Part_4694_18767492.1212106829556 > Content-Type: text/plain; charset=UTF-8 > Content-Transfer-Encoding: base64 > Content-Disposition: inline > > VGhpcyBiYWNrdHJhY2UgbWF5IHByb3ZpZGUgc29tZSBmdXJ0aGVyIGluZm86CgojMCAgMHgwMDAw > N2Y3MjU1OGFhMDk1IGluIHJhaXNlICgpIGZyb20gL2xpYi9saWJjLnNvLjYKIzEgIDB4MDAwMDdm > NzI1NThhYmFmMCBpbiBhYm9ydCAoKSBmcm9tIC9saWIvbGliYy5zby42CiMyICAweDAwMDA3Zjcy > NTU4YTMyZGYgaW4gX19hc3NlcnRfZmFpbCAoKSBmcm9tIC9saWIvbGliYy5zby42CiMzICAweDAw Thanks, the original report was sufficient. It surfaces a larger problem, which we've been ignoring up till now. The correct action would be to iterate through all the databases and generate the normalized values for all the affected attributes. There is currently no code to make that happen though. (Likewise, if deleting matching rules, the normalized values must also be deleted.) As such, the only way to progress after such a change would be to dump and reload the DBs (slapcat/slapadd). We'll probably need to discuss on the -devel list what steps to take from here. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
hyc@symas.com wrote: > We'll probably need to discuss on the -devel list what steps to take from here. > I wrote the attached patch for the original issue. Unfortunately it asserted right away: [Switching to Thread 1090525504 (LWP 23577)] 0x00002b55e738d535 in raise () from /lib64/libc.so.6 (gdb) bt #0 0x00002b55e738d535 in raise () from /lib64/libc.so.6 #1 0x00002b55e738e990 in abort () from /lib64/libc.so.6 #2 0x00002b55e7386c16 in __assert_fail () from /lib64/libc.so.6 #3 0x00000000004410e5 in attr_valadd (a=0xb866c8, vals=0x41000670, nvals=0x0, nn=1) at ../../../r24/servers/slapd/attr.c:394 #4 0x0000000000441a06 in attr_merge_one (e=0xb72c08, desc=0x8b3780, val=0x41000670, nval=0x0) at ../../../r24/servers/slapd/attr.c:599 #5 0x000000000043ea0f in slap_add_opattrs (op=0x965ec0, text=<value optimized out>, textbuf=<value optimized out>, textlen=<value optimized out>, manage_ctxcsn=<value optimized out>) at ../../../r24/servers/slapd/add.c:664 #6 0x00000000004d9c42 in hdb_add (op=0x965ec0, rs=0x41000ca0) at add.c:108 #7 0x000000000043f1a6 in fe_op_add (op=0x965ec0, rs=0x41000ca0) at ../../../r24/servers/slapd/add.c:334 #8 0x000000000043fa12 in do_add (op=0x965ec0, rs=0x41000ca0) at ../../../r24/servers/slapd/add.c:194 #9 0x00000000004383a7 in connection_operation (ctx=0x41000de0, arg_v=0x965ec0) at ../../../r24/servers/slapd/connection.c:1084 #10 0x00000000004388cf in connection_read_thread (ctx=0x41000de0, argv=0xc) at ../../../r24/servers/slapd/connection.c:1211 #11 0x000000000054b8ca in ldap_int_thread_pool_wrapper (xpool=0x8bf070) at ../../../r24/libraries/libldap_r/tpool.c:663 #12 0x00002b55e655e09e in start_thread () from /lib64/libpthread.so.0 #13 0x00002b55e741e4cd in clone () from /lib64/libc.so.6 #14 0x0000000000000000 in ?? () It was adding the createTimestamp attribute, without providing normalized values. slap_add_opattrs was written before the generalizedTimeNormalize function was written... I suspect there will be a fair number of cases that need to be cleaned up. I don't have time at the moment to chase them all down. Anyone else want to jump in here? If not, we may have to push this back a bit. Note that this patch will probably require a fair number of databases to be reloaded. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Hi, On Fri, May 30, 2008 at 2:40 AM, <hyc@symas.com> wrote: > This is a multi-part message in MIME format. > --------------050600010007030200030106 > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > Content-Transfer-Encoding: 7bit > > hyc@symas.com wrote: > > We'll probably need to discuss on the -devel list what steps to take from > here. > > > I wrote the attached patch for the original issue. Unfortunately it > asserted > right away: > > [Switching to Thread 1090525504 (LWP 23577)] > 0x00002b55e738d535 in raise () from /lib64/libc.so.6 > (gdb) bt > #0 0x00002b55e738d535 in raise () from /lib64/libc.so.6 > #1 0x00002b55e738e990 in abort () from /lib64/libc.so.6 > #2 0x00002b55e7386c16 in __assert_fail () from /lib64/libc.so.6 > #3 0x00000000004410e5 in attr_valadd (a=0xb866c8, vals=0x41000670, > nvals=0x0, > nn=1) at ../../../r24/servers/slapd/attr.c:394 > #4 0x0000000000441a06 in attr_merge_one (e=0xb72c08, desc=0x8b3780, > val=0x41000670, nval=0x0) > at ../../../r24/servers/slapd/attr.c:599 > #5 0x000000000043ea0f in slap_add_opattrs (op=0x965ec0, text=<value > optimized > out>, textbuf=<value optimized out>, > textlen=<value optimized out>, manage_ctxcsn=<value optimized out>) at > ../../../r24/servers/slapd/add.c:664 > #6 0x00000000004d9c42 in hdb_add (op=0x965ec0, rs=0x41000ca0) at add.c:108 > #7 0x000000000043f1a6 in fe_op_add (op=0x965ec0, rs=0x41000ca0) at > ../../../r24/servers/slapd/add.c:334 > #8 0x000000000043fa12 in do_add (op=0x965ec0, rs=0x41000ca0) at > ../../../r24/servers/slapd/add.c:194 > #9 0x00000000004383a7 in connection_operation (ctx=0x41000de0, > arg_v=0x965ec0) at ../../../r24/servers/slapd/connection.c:1084 > #10 0x00000000004388cf in connection_read_thread (ctx=0x41000de0, argv=0xc) > at > ../../../r24/servers/slapd/connection.c:1211 > #11 0x000000000054b8ca in ldap_int_thread_pool_wrapper (xpool=0x8bf070) at > ../../../r24/libraries/libldap_r/tpool.c:663 > #12 0x00002b55e655e09e in start_thread () from /lib64/libpthread.so.0 > #13 0x00002b55e741e4cd in clone () from /lib64/libc.so.6 > #14 0x0000000000000000 in ?? () > > It was adding the createTimestamp attribute, without providing normalized > values. slap_add_opattrs was written before the generalizedTimeNormalize > function was written... I suspect there will be a fair number of cases that > need to be cleaned up. I don't have time at the moment to chase them all > down. > Anyone else want to jump in here? If not, we may have to push this back a > bit. > Note that this patch will probably require a fair number of databases to be > reloaded. > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > > --------------050600010007030200030106 > Content-Type: text/plain; > name="dif.txt" > Content-Transfer-Encoding: 7bit > Content-Disposition: inline; > filename="dif.txt" > > Index: attr.c > =================================================================== > RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/attr.c,v > retrieving revision 1.112.2.7 > diff -u -r1.112.2.7 attr.c > --- attr.c 11 Feb 2008 23:26:43 -0000 1.112.2.7 > +++ attr.c 30 May 2008 09:33:43 -0000 > @@ -366,8 +366,39 @@ > BerVarray nvals, > int nn ) > { > - int i; > BerVarray v2; > + int i; > + > + { > + /* FIXME: if the schema has been edited, and an equality > matching rule > + * has been added or removed from the attribute definition, > the database > + * values may no longer be in sync with our expectations. > Currently this > + * means the DB must be reloaded. > + */ > + int have_norm, have_nval, new_nval; > + have_norm = a->a_desc->ad_type->sat_equality->smr_normalize > != NULL; Not all attributes have an equality matching rule. This causes your patch to segfault since sat_equality is NULL: > have_norm = a->a_desc->ad_type->sat_equality->smr_normalize != NULL; > This seems to be a better way to generate have_norm: > have_norm = a->a_desc->ad_type->sat_equality != NULL && > a->a_desc->ad_type->sat_equality->smr_normalize != NULL; > Once that is fixed the config backend causes an assert for me when it attempts to add createTimestamp, which is exactly the problem you describe. I'll create a patch that addresses any of these normalization issues that I can identify and send it to one of the openldap lists. Would openldap-its or openldap-devel be preferable? + have_nval = a->a_nvals != a->a_vals; > + new_nval = nvals != NULL; > + > + /* this check is only relevant if any values already exist > */ > + if ( a->a_vals != NULL && have_norm != have_nval ) { > + Debug(LDAP_DEBUG_ANY, > + "attr_valadd: database inconsistent with > schema definition of %s, reload the DB\n", > + a->a_desc->ad_cname.bv_val, 0, 0 ); > + return LDAP_OTHER; > + /* no need to compare have_nval with new_nval; by > transitivity they will match if > + * the above check and the following check succeed. > + */ > + } > + > + assert( have_norm == new_nval ); > + if ( have_norm != new_nval ) { > + Debug(LDAP_DEBUG_ANY, > + "attr_valadd: new values of %s not properly > normalized (should never happen!)\n", > + a->a_desc->ad_cname.bv_val, 0, 0 ); > + return LDAP_OTHER; > + } > + } > > v2 = (BerVarray) SLAP_REALLOC( (char *) a->a_vals, > (a->a_numvals + nn + 1) * sizeof(struct berval) ); > @@ -469,15 +500,6 @@ > > if ( *a == NULL ) { > *a = attr_alloc( desc ); > - } else { > - /* > - * FIXME: if the attribute already exists, the presence > - * of nvals and the value of (*a)->a_nvals must be > consistent > - */ > - assert( ( nvals == NULL && (*a)->a_nvals == (*a)->a_vals ) > - || ( nvals != NULL && ( > - ( (*a)->a_vals == NULL && > (*a)->a_nvals == NULL ) > - || ( (*a)->a_nvals != (*a)->a_vals > ) ) ) ); > } > > if ( vals != NULL ) { > > --------------050600010007030200030106-- > > > -- Thanks, Sean Burford
Sean Burford wrote: > Not all attributes have an equality matching rule. This causes your > patch to segfault since sat_equality is NULL: > > have_norm = a->a_desc->ad_type->sat_equality->smr_normalize != NULL; > > > This seems to be a better way to generate have_norm: > > have_norm = a->a_desc->ad_type->sat_equality != NULL && > a->a_desc->ad_type->sat_equality->smr_normalize != NULL; Thanks, looks fine. > Once that is fixed the config backend causes an assert for me when it > attempts to add createTimestamp, which is exactly the problem you describe. > > I'll create a patch that addresses any of these normalization issues > that I can identify and send it to one of the openldap lists. Would > openldap-its or openldap-devel be preferable? Just continue to reply to this ITS for now. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Hi, On Fri, May 30, 2008 at 2:40 AM, <hyc@symas.com> wrote: > > I wrote the attached patch for the original issue. Unfortunately it asserted > right away: ... > It was adding the createTimestamp attribute, without providing normalized > values. slap_add_opattrs was written before the generalizedTimeNormalize > function was written... I suspect there will be a fair number of cases that > need to be cleaned up. I don't have time at the moment to chase them all down. > Anyone else want to jump in here? If not, we may have to push this back a bit. I've modified my copy of the source to normalize data where needed. slapd starts up and my test can run. With the old assertion in place it fails exactly as it did before, because the old attr_merge() assertion runs before your new attr_valadd() normalization check. Removing the old attr_merge() assertion results in your new attr_valadd() check being triggered. Removing the old assertion looks safe, since attr_merge() calls attr_valadd() almost immediately after the assertion anyway. With these changes, running my test script from the original tarball results in: bdb_modify_internal: add testAttribute attr_valadd: database inconsistent with schema definition of testAttribute, reload the DB bdb_modify_internal: 80 modify/add: testAttribute: merge error (80) hdb_modify: modify failed (80) I'm working through 'make test' now to find more instances that need fixing. After that I'll send some patches. > Note that this patch will probably require a fair number of databases to be > reloaded. I'm not even sure that attributes can be automatically renormalized when a problem is detected, since bugs (eg. with the generation of timestamps, CSNs or referalls) can also trigger the normalization checks. -- Thanks, Sean Burford
I'm having some trouble working out where to set the normalized value for ContextCSN in the modlist for the syncrepl refresh consumer (test017-syncreplication-refresh fails). The assertion backtrace looks like this: #0 0x00007f472879d095 in raise () from /lib/libc.so.6 #1 0x00007f472879eaf0 in abort () from /lib/libc.so.6 #2 0x00007f47287962df in __assert_fail () from /lib/libc.so.6 #3 0x0000000000425903 in attr_valadd (a=0x8fb380, vals=0xc72130, nvals=0x0, nn=1) at attr.c:398 #4 0x000000000046714c in modify_add_values (e=0x41ff5bb0, mod=0x41ff60e0, permissive=0, text=0x41ff6090, textbuf=0x41ff5cb0 "", textlen=256) at mods.c:155 #5 0x000000000048147d in bdb_modify_internal (op=0x41ff6780, tid=0xc71f50, modlist=0x41ff60e0, e=0x41ff5bb0, text=0x41ff6090, textbuf=0x41ff5cb0 "", textlen=256) at modify.c:133 #6 0x0000000000481f6d in bdb_modify (op=0x41ff6780, rs=0x41ff6070) at modify.c:578 #7 0x0000000000477d32 in overlay_op_walk (op=0x41ff6780, rs=0x41ff6070, which=op_modify, oi=0x858990, on=0x0) at backover.c:646 #8 0x00000000004782b3 in over_op_func (op=0x41ff6780, rs=0x41ff6070, which=op_modify) at backover.c:698 #9 0x000000000046dc59 in syncrepl_updateCookie (si=0x858560, op=0x249e, pdn=<value optimized out>, syncCookie=0x41ff6310) at syncrepl.c:2785 #10 0x0000000000472bea in do_syncrep2 (op=0x41ff6780, si=0x858560) at syncrepl.c:961 #11 0x0000000000475072 in do_syncrepl (ctx=0x0, arg=0x8588f0) at syncrepl.c:1276 #12 0x00000000004daa4a in ldap_int_thread_pool_wrapper (xpool=0x82e440) at tpool.c:663 #13 0x00007f47296d03f7 in start_thread () from /lib/libpthread.so.0 #14 0x00007f4728842b2d in clone () from /lib/libc.so.6 #15 0x0000000000000000 in ?? () In frame 3 a->a_desc->ad_type->sat_equality has a value but nvals has not been set, which is why the assertion triggers: (gdb) print a->a_desc->ad_type->sat_equality $39 = (MatchingRule *) 0x821be0 Way back in frame 10 do_syncrepl passes a modlist containing an unnormalized contextCSN to do_syncrep2, leading me to believe that I've missed something in syncrepl.c: (gdb) print *op->o_request->oq_modify->rs_mods->rs_modlist $44 = {sml_mod = {sm_desc = 0x824b70, sm_values = 0xc72130, sm_nvalues = 0x0, sm_numvals = 1, sm_op = 2, sm_flags = 0, sm_type = {bv_len = 10, bv_val = 0x824be0 "contextCSN"}}, sml_next = 0x0} The debug output up to the assertion is: slap_queue_csn: queing 0xc72ae0 20080531010928.580166Z#000000#000#000000 daemon: epoll: listen=10 active_threads=0 tvp=zero => bdb_entry_get: ndn: "dc=example,dc=com" => bdb_entry_get: oc: "(null)", at: "(null)" bdb_dn2entry("dc=example,dc=com") => bdb_entry_get: found entry: "dc=example,dc=com" bdb_entry_get: rc=0 bdb_modify: dc=example,dc=com bdb_dn2entry("dc=example,dc=com") bdb_modify_internal: 0x00000001: dc=example,dc=com <= acl_access_allowed: granted to database root bdb_modify_internal: replace contextCSN slapd: attr.c:398: attr_valadd: Assertion `have_norm == new_nval' failed. -- Thanks, Sean Burford
Sean Burford wrote: > Hi, > > On Fri, May 30, 2008 at 2:40 AM,<hyc@symas.com> wrote: >> I wrote the attached patch for the original issue. Unfortunately it asserted >> right away: > ... >> It was adding the createTimestamp attribute, without providing normalized >> values. slap_add_opattrs was written before the generalizedTimeNormalize >> function was written... I suspect there will be a fair number of cases that >> need to be cleaned up. I don't have time at the moment to chase them all down. >> Anyone else want to jump in here? If not, we may have to push this back a bit. > > I've modified my copy of the source to normalize data where needed. > slapd starts up and my test can run. With the old assertion in place > it fails exactly as it did before, because the old attr_merge() > assertion runs before your new attr_valadd() normalization check. That aspect of the patch is not optional. The old check is in the wrong place and must be removed. It misses the other places where attrs are being added, while attr_valadd catches all of them. > Removing the old attr_merge() assertion results in your new > attr_valadd() check being triggered. Removing the old assertion looks > safe, since attr_merge() calls attr_valadd() almost immediately after > the assertion anyway. > > With these changes, running my test script from the original tarball results in: > bdb_modify_internal: add testAttribute > attr_valadd: database inconsistent with schema definition of > testAttribute, reload the DB > bdb_modify_internal: 80 modify/add: testAttribute: merge error (80) > hdb_modify: modify failed (80) > > I'm working through 'make test' now to find more instances that need > fixing. After that I'll send some patches. > >> Note that this patch will probably require a fair number of databases to be >> reloaded. > > I'm not even sure that attributes can be automatically renormalized > when a problem is detected, since bugs (eg. with the generation of > timestamps, CSNs or referalls) can also trigger the normalization > checks. I think it's important to continue to assert as in my patch, at least at this stage, so we can catch all of those bugs. I also don't think we can silently renormalize just the cases that the "reload the DB" message detects, because that's obviously only going to happen on entries that are explicitly modified, and the rest of the DB will still have problems. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
moved from Incoming to Software Bugs
HI, On Fri, May 30, 2008 at 2:40 AM, <hyc@symas.com> wrote: > hyc@symas.com wrote: >> We'll probably need to discuss on the -devel list what steps to take from here. >> > I wrote the attached patch for the original issue. Unfortunately it asserted > right away: > ... > > It was adding the createTimestamp attribute, without providing normalized > values. slap_add_opattrs was written before the generalizedTimeNormalize > function was written... I suspect there will be a fair number of cases that > need to be cleaned up. I've identified these attributes as having differences between their nval population and their schema. I've been using Google coredumper instead of assertions to mark places where normalization looks bad. In this way, I get a bunch of core files to look through after a run instead of a single assertion. Once all of the attributes that have bad normalization have been identified in this way, I'll go back over the source and look for other places where they are used. I haven't found all of the normalization differences yet, but I wanted to check in to ensure I'm on the right path. I would like your comments on whether these look like the right changes to make. You can refer to ftp://ftp.openldap.org/incoming/sburford-initial-normalization-20080604.patch for the details. createTimestamp createTimestamp does have an equality matching rule, as I think it should. The buffer timestamp is populated with a generalized time by slap_timestamp(), so I add ×tamp as the nval for the calls to attr_merge_one in add.c slap_add_opattrs() and schema.c schema_info(). I also use a slight variation of this for createTimestamp in slapadd.c slapadd(). modifyTimestamp Same arguments and modifications as createTimestamp. modifyTimestamp is also used in modify.c slap_mods_opattrs(), where I ch_malloc a new BerVarray for the mod->sml_nvalues. I dont use the same BerVarray for vals and nvals in case whatever frees mod entries frees them as separate pointers (double free). Does something free all of the vals and nvals in the modify list? entryCSN entryCSN does have an equality matching rule, as I think it should. In add.c slap_add_opattrs() I change the attr_merge_one into an attr_merge_normalize_one with op->o_tmpmemctx as the memory context. I haven't looked into the memory context argument, but assume it contains a list of things to free when the context is finished with? In slapadd I also change the attr_merge_one into an attr_merge_normalize_one but I pass a NULL memory context, since slapadd is short lived and there are other examples like this in the nearby source code. In modify.c slap_mods_opattrs() I ch_malloc a new BerVarray for the entryCSN nval and use attr_normalize_one to populate it. Again I assume something frees the components of the modify list later. contextCSN contextCSN does have an equality matching rule, as I think it should. In ctxcsn.c slap_create_context_csn_entr() I change attr_merge_one into attr_merge_normalize_one with a NULL memory context. In overlays/syncprov.c syncprov_checkpoint() and syncrepl.c syncrepl_updateCookie() it is a bit more difficult because a local modlist is created without any attr_merge calls, so I ch_malloc an array for the nvals, and populate it with attr_normalize and use ber_array_bvfree to free it. monitorCounter monitorCounter does not have an equality matching rule, so I remove the nval argument from attr_merge_one() in back-monitor/conn.c monitor_subsys_conn_init() (affects counters for max FD, total conns and current conns). monitorOpCompleted monitorOpInitiated These attributes do not have equality matching rules, so I remove the nval argument from attr_merge_one() in back-monitor/operation.c monitor_subsys_ops_init(). monitorContext namingContexts configContext dynamicSubtrees These attributes do not have equality matching rules, but probably should. I add 'EQUALITY distinguishedNameMatch' to them in schema_prep.c. olcRootDN olcSchemaDN These attributes do not have equality matching rules, but probably should. I add 'EQUALITY distinguishedNameMatch' to them in bconfig.c. supportedControl This attribute does not have an equality matching rule, but probably should. I add 'EQUALITY objectIdentifierMatch' to it in schema_prep.c. readOnly This attribute does not have an equality matching rule, I don't know if it should. I NULLed the nval passed to attr_merge_one in back-monitor/database.c. default_referral: In rootdse.c root_dse_info() I change attr_merge to attr_merge_normalize for default_referral, since it has an equality matching rule. There doesn't seem to be a memory context in use here. I suspect this normalization might result in memory leakage unless followed by a free in root_dse_info()? Also, bconfig.c config_build_attrs() contains this logic which calls attr_merge_normalize() for values that don't need normalization. attr_merge_normalize won't normalize them though, so it should be fine: if ( c->rvalue_nvals ) attr_merge(e, ct[i].ad, c->rvalue_vals, c->rvalue_nvals); else attr_merge_normalize(e, ct[i].ad, c->rvalue_vals, NULL); > I don't have time at the moment to chase them all down. > Anyone else want to jump in here? If not, we may have to push this back a bit. > Note that this patch will probably require a fair number of databases to be > reloaded. The attributes listed above tend to agree with that, but if they really were not being normalized before storage I'm surprised that the original assertion wasn't hit more often? -- Thanks, Sean Burford
I haven't follwed this ITS, but a few notes anyway: unix.gurus@gmail.com writes: > monitorCounter > monitorCounter does not have an equality matching rule, Yes it does. back-monitor/init.c line 1710. What are you looking at? (Hmm, I too had the impression it had no EQUALITY rule...) > monitorOpCompleted > monitorOpInitiated > These attributes do not have equality matching rules, These do too, inherited from monitorCounter. it doesn't work right in 2.3 however: ldapsearch -LLL -bcn=monitor -s one '(monitorCounter=0)' monitorCounter dn: cn=Operations,cn=Monitor monitorOpInitiated: 231542983 monitorOpCompleted: 231542982 > namingContexts > configContext > dynamicSubtrees > > These attributes do not have equality matching rules, but probably > should. I add 'EQUALITY distinguishedNameMatch' to them in > schema_prep.c. No, that breaks the definitions in the RFCs they come from. (See their DESC strings.) I don't know why they lack EQUALITY rules, maybe we just forgot when we defined them, but that's the way it is. Same with supportedControl. monitorContext, readOnly and the olc* attributes are defined by OpenLDAP (their OIDs start with 1.3.6.1.4.1.4203) and can be modified if we feel like it. Personally I prefer attrs to have the matching rules they can have unless there is a reason not to, but I didn't write these modules so I don't know if there _is_ a reason not to. -- Hallvard
Hi, On Wed, Jun 4, 2008 at 2:20 PM, Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote: > I haven't follwed this ITS, but a few notes anyway: > > unix.gurus@gmail.com writes: >> monitorCounter >> monitorCounter does not have an equality matching rule, > > Yes it does. back-monitor/init.c line 1710. What are you looking at? > (Hmm, I too had the impression it had no EQUALITY rule...) I'm working with OpenLDAP 2.4.9. You're right. integerMatch has an equality rule but no normalizing function. The logic that determines whether a normalized value should exist says: have_norm = a->a_desc->ad_type->sat_equality != NULL && a->a_desc->ad_type->sat_equality->smr_normalize != NULL; ... new_nval = nvals != NULL; ... if ( have_norm != new_nval ) { assert() So we don't need nvals for integers. For this reason I was right to remove the nval for monitorCounter, monitorOpInitiated, monitorOpCompleted, but my reasoning was wrong. >> monitorOpCompleted >> monitorOpInitiated >> These attributes do not have equality matching rules, > > These do too, inherited from monitorCounter. See above. > it doesn't work right in 2.3 however: > > ldapsearch -LLL -bcn=monitor -s one '(monitorCounter=0)' monitorCounter > dn: cn=Operations,cn=Monitor > monitorOpInitiated: 231542983 > monitorOpCompleted: 231542982 I wonder if val is being maintained and nval is being left at 0. The code at the end of monitor_subsys_ops_update() maintains a_vals but not a_nvals, so that is probably the problem: /* NOTE: no minus sign is allowed in the counters... */ UI2BV( &a->a_vals[ 0 ], nInitiated ); ldap_pvt_mp_clear( nInitiated ); ... /* NOTE: no minus sign is allowed in the counters... */ UI2BV( &a->a_vals[ 0 ], nCompleted ); ldap_pvt_mp_clear( nCompleted ); >> namingContexts >> configContext >> dynamicSubtrees >> >> These attributes do not have equality matching rules, but probably >> should. I add 'EQUALITY distinguishedNameMatch' to them in >> schema_prep.c. > > No, that breaks the definitions in the RFCs they come from. (See their > DESC strings.) I don't know why they lack EQUALITY rules, maybe we just > forgot when we defined them, but that's the way it is. Same with > supportedControl. Ok, so we should not define nvals for them? > monitorContext, readOnly and the olc* attributes are defined by OpenLDAP > (their OIDs start with 1.3.6.1.4.1.4203) and can be modified if we feel > like it. Personally I prefer attrs to have the matching rules they can > have unless there is a reason not to, but I didn't write these modules > so I don't know if there _is_ a reason not to. -- Thanks, Sean Burford
unix.gurus@gmail.com wrote: >>> namingContexts >>> configContext >>> dynamicSubtrees >>> >>> These attributes do not have equality matching rules, but probably >>> should. I add 'EQUALITY distinguishedNameMatch' to them in >>> schema_prep.c. >> No, that breaks the definitions in the RFCs they come from. (See their >> DESC strings.) I don't know why they lack EQUALITY rules, maybe we just >> forgot when we defined them, but that's the way it is. Same with >> supportedControl. configContext is OpenLDAP-specific. It is also single-valued, so it seemed to me it did not need an EQ rule. > Ok, so we should not define nvals for them? No normalizer, therefore, cannot provide nval... >> monitorContext, readOnly and the olc* attributes are defined by OpenLDAP >> (their OIDs start with 1.3.6.1.4.1.4203) and can be modified if we feel >> like it. Personally I prefer attrs to have the matching rules they can >> have unless there is a reason not to, but I didn't write these modules >> so I don't know if there _is_ a reason not to. For the config attributes, I just assumed no one needs to search on them (so no filter capability needed) and for single-valued attributes, there's no need to consider modifies... -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
hyc@symas.com writes: >>> monitorContext, readOnly and the olc* attributes are defined by OpenLDAP >>> (their OIDs start with 1.3.6.1.4.1.4203) and can be modified if we feel >>> like it. Personally I prefer attrs to have the matching rules they can >>> have unless there is a reason not to, but I didn't write these modules >>> so I don't know if there _is_ a reason not to. > > For the config attributes, I just assumed no one needs to search on > them (so no filter capability needed) and for single-valued > attributes, there's no need to consider modifies... Oh, good. No reason not to add matching rules then:-) I search for one config attrs or another once in a while. Mostly for olcSuffix and with presence filters, but it'd be nice if e.g. (olcAccess:caseIgnoreSubstringsMatch:=*userPassword*) worked. Also some day I'll want to use assertion controls as a check on modify operations someday. Still, I'm not proposing to add more work than necessary to this ITS. Get it right first, then think of "nice to have"-features if/when anyone bothers. -- Hallvard
Hi, I have uploaded a patch against HEAD that normalizes the attributes used under cn=monitor according to the schema: ftp://ftp.openldap.org/incoming/sean-burford-monitor-normalize-080624.patch I picked cn=monitor for the first upload since it can be modified without having to reimport databases. Once we've worked through any issues with this patch I'll seperate out the rest of the normalization patches and send those in. namingContexts was the trickiest, since RFC 4512 defines it without an equality matching rule but monitor_back_register_database() compares it with backend suffixes. It has to deal with capitalised values properly otherwise we end up with duplicate namingContexts entries, so normalization is required. The relevant part of the diff is below. I am open to suggestions about how this should be dealt with: + struct berval nContext; + + for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) { + /* FIXME: namingContexts has no equality rule + * but it needs to be normalized for this + * comparison. Using si_ad_distinguishedName + * instead of si_ad_namingContexts results + * in the normalization we expect for now. + */ + if ( attr_normalize_one( slap_schema.si_ad_distinguishedName, + &a->a_vals[ j ], + &nContext, + NULL ) ) { + Debug( LDAP_DEBUG_ANY, + "monitor_subsys_database_init: " + "unable to normalize DN %d \"%s\"\n", + j, a->a_vals[ j ], 0 ); + return( -1 ); + } for ( k = 0; !BER_BVISNULL( &be->be_nsuffix[ k ] ); k++ ) { ! if ( dn_match( &nContext, &be->be_nsuffix[ k ] ) ) { rc = 0; goto done; } } + free( nContext.bv_val ); The attribute types that are modified and the attributes that are affected are listed below. cn=Monitor didn't need and schema modifications: monitorContext: removed nvals namingContexts: removed nvals rootDSE monitorContext and namingContexts monitorCounter: removed nvals cn=Max File Descriptors cn=Total,cn=Connections cn=Current,cn=Connections cn=Read under rww DN counter under sent monitorConnectionProtocol: removed nvals monitorConnectionMask: normalized monitorConnectionListener: normalized monitorConnectionPeerDomain: normalized monitorConnectionPeerAddress: normalized monitorConnectionLocalAddress: normalized monitorConnectionStartTime: normalized monitorConnectionActivityTime: normalized monitorOpInitiated: removed nvals monitorOpCompleted: removed nvals readOnly: removed nvals -- Thanks, Sean Burford
On Tue, Jun 24, 2008 at 12:50 PM, <unix.gurus@gmail.com> wrote: > Hi, > > I have uploaded a patch against HEAD that normalizes the attributes > used under cn=monitor according to the schema: > ftp://ftp.openldap.org/incoming/sean-burford-monitor-normalize-080624.patch Unified diff of the same thing: sean-burford-monitor-normalize-unified-080624.patch The search (namingContexts:distinguishedNameMatch:=CN=...) returns the expected results, I'll check what filterentry.c:test_mra_filter() is up to later. make test also completes successfully, for what it's worth. -- Thanks, Sean Burford
Hi, On Tue, Jun 24, 2008 at 3:37 PM, <unix.gurus@gmail.com> wrote: > On Tue, Jun 24, 2008 at 12:50 PM, <unix.gurus@gmail.com> wrote: >> Hi, >> >> I have uploaded a patch against HEAD that normalizes the attributes >> used under cn=monitor according to the schema: >> ftp://ftp.openldap.org/incoming/sean-burford-monitor-normalize-080624.patch > > Unified diff of the same thing: > sean-burford-monitor-normalize-unified-080624.patch > > The search (namingContexts:distinguishedNameMatch:=CN=...) returns the > expected results, I'll check what filterentry.c:test_mra_filter() is > up to later. As far as I can tell the arguments passed to filterentry.c:test_mra_filter() for that search also look sane, so whilst it passes my tests I'm looking forward to an official opinion on this patch. > make test also completes successfully, for what it's worth. -- Thanks, Sean Burford
I've uploaded a tiny patch that checks the return code from structural_class() in config_build_entry() and outputs an error message if it fails. This makes it easier to debug structural_class() failures before too much other code is run: ftp://ftp.openldap.org/incoming/sean-burford-structural-error-080628.patch -- Thanks, Sean Burford
I've uploaded a patch that adds an equality matching rule to the schema for olcRootDN and olcSchemaDN so that the normalization matches the schema. These attributes are already normalized wherever they are generated, and their normalized values are used in bvmatches, so removing the nvals instead of modifying the schema would result extra normalization calls later. ftp://ftp.openldap.org/incoming/sean-burford-rootdn-080628.patch If someone wants to accept or comment on what needs fixing in the patch below, that would help me to generate the rest of the patches: ftp://ftp.openldap.org/incoming/sean-burford-monitor-normalize-unified-080624.patch -- Thanks, Sean Burford
unix.gurus@gmail.com wrote: > I've uploaded a patch that adds an equality matching rule to the > schema for olcRootDN and olcSchemaDN so that the normalization matches > the schema. These attributes are already normalized wherever they are > generated, and their normalized values are used in bvmatches, so > removing the nvals instead of modifying the schema would result extra > normalization calls later. > ftp://ftp.openldap.org/incoming/sean-burford-rootdn-080628.patch Committed, thanks. > If someone wants to accept or comment on what needs fixing in the > patch below, that would help me to generate the rest of the patches: > ftp://ftp.openldap.org/incoming/sean-burford-monitor-normalize-unified-080624.patch If it makes life easier, we can add the DN eq rule to monitorContext and configContext. Since they're OpenLDAP-specific attributes we can make this change without any repercussions. IMO, it really needs to be added to namingContexts since that's multivalued. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
unix.gurus@gmail.com wrote: > If someone wants to accept or comment on what needs fixing in the > patch below, that would help me to generate the rest of the patches: > ftp://ftp.openldap.org/incoming/sean-burford-monitor-normalize-unified-080624.patch In back-monitor/database.c you don't need to normalize the DNs before comparing them. The stored values are already Prettied, so all you need is to use a case-insensitive compare here. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Howard Chu wrote: > unix.gurus@gmail.com wrote: >> If someone wants to accept or comment on what needs fixing in the >> patch below, that would help me to generate the rest of the patches: >> ftp://ftp.openldap.org/incoming/sean-burford-monitor-normalize-unified-080624.patch > > In back-monitor/database.c you don't need to normalize the DNs before > comparing them. The stored values are already Prettied, so all you need is to > use a case-insensitive compare here. Duh. Or just compare a->a_vals and be->be_suffix instead. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Hi, On Sat, Jun 28, 2008 at 7:47 PM, Howard Chu <hyc@symas.com> wrote: > Howard Chu wrote: >> unix.gurus@gmail.com wrote: >>> If someone wants to accept or comment on what needs fixing in the >>> patch below, that would help me to generate the rest of the patches: >>> >>> ftp://ftp.openldap.org/incoming/sean-burford-monitor-normalize-unified-080624.patch >> >> In back-monitor/database.c you don't need to normalize the DNs before >> comparing them. The stored values are already Prettied, so all you need is >> to >> use a case-insensitive compare here. > > Duh. Or just compare a->a_vals and be->be_suffix instead. Good point. I've uploaded the following patch which does that as well as adding matching rules to configContext and monitorContext: ftp://ftp.openldap.org/sean-burford-monitor-normalize-unified-080706.patch This patch should make the handling of normalization within cn=monitor consistent. -- Thanks, Sean Burford
Hi, On Tue, Jun 24, 2008 at 12:50 PM, Sean Burford <unix.gurus@gmail.com> wrote: > namingContexts was the trickiest, since RFC 4512 defines it without an > equality matching rule but monitor_back_register_database() compares > it with backend suffixes. It has to deal with capitalised values > properly otherwise we end up with duplicate namingContexts entries, so > normalization is required. I have uploaded ftp://ftp.openldap.org/incoming/sean-burford-monitor-test-080706.patch which adds a test for various things under cn=monitor. If duplicate namingContexts creep in (as mentioned above) it detects that. The duplicate naming contexts thing was fixed by comparing a_vals with be_suffix, I just wrote the test since there was no existing cn=monitor test. -- Thanks, Sean Burford
unix.gurus@gmail.com wrote: > Hi, > > On Tue, Jun 24, 2008 at 12:50 PM, Sean Burford<unix.gurus@gmail.com> wrote: >> namingContexts was the trickiest, since RFC 4512 defines it without an >> equality matching rule but monitor_back_register_database() compares >> it with backend suffixes. It has to deal with capitalised values >> properly otherwise we end up with duplicate namingContexts entries, so >> normalization is required. > > I have uploaded > ftp://ftp.openldap.org/incoming/sean-burford-monitor-test-080706.patch > which adds a test for various things under cn=monitor. If duplicate > namingContexts creep in (as mentioned above) it detects that. > > The duplicate naming contexts thing was fixed by comparing a_vals with > be_suffix, I just wrote the test since there was no existing > cn=monitor test. Sorry for dropping the ball on this. These last two patches are now committed in HEAD. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
changed notes
in progress...
Howard, Is there anything left to do for this issue? Comment #25 I think means all the work here is done?
(In reply to Quanah Gibson-Mount from comment #28) > Howard, > > Is there anything left to do for this issue? Comment #25 I think means all > the work here is done? Comment #26 says "changed notes" - it would have been useful to preserve the actual contents of the notes. Where are they?
(In reply to Howard Chu from comment #29) > (In reply to Quanah Gibson-Mount from comment #28) > > Howard, > > > > Is there anything left to do for this issue? Comment #25 I think means all > > the work here is done? > > Comment #26 says "changed notes" - it would have been useful to preserve the > actual contents of the notes. Where are they? Every note is a comment in the bug. So the note is comment #27
Created attachment 592 [details] sean-burford-monitor-normalize-2008-06-24.patch From FTP server
Created attachment 593 [details] sean-burford-monitor-normalize-unified-2008-06-24.patch
Created attachment 594 [details] sean-burford-monitor-normalize-unified-2008-07-06.patch
Created attachment 595 [details] sean-burford-structural-error-2008-06-28.patch
Created attachment 596 [details] sean-burford-rootdn-2008-06-28.patch
Created attachment 597 [details] sean-burford-monitor-test-2008-07-06.patch
The matching rules were the missing part of the work, and those were done in bug #8286