[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy and rwm/relay segfaulting

To: openldap-technical@openldap.org
Subject: Re: ppolicy and rwm/relay segfaulting
From: Pierangelo Masarati <masarati@aero.polimi.it>
Date: Wed, 05 Dec 2012 17:10:50 +0100
In-reply-to: <CAHEFaoQ36x7eCUrVtA6Q0hZsSCw+QE6OmykW5=g9u44xLTLiow@mail.gmail.com>
References: <50BE6D99.4030208@dionic.net> <CAHEFaoRLUhCzQnJyMQoESCi_DTcaGzqSLcCQCo1DMmKjMxFmuQ@mail.gmail.com> <50BE7462.6030502@dionic.net> <CAHEFaoQ36x7eCUrVtA6Q0hZsSCw+QE6OmykW5=g9u44xLTLiow@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121028 Thunderbird/16.0.2

On 12/04/2012 11:19 PM, Gregory Haverkamp wrote:

On Tue, Dec 4, 2012 at 2:08 PM, Tim Watts <tw@dionic.net> wrote:

In my case I would have to shelve ppolicy until all my clients had been
converted - I have over 150 clients and 600 user accounts (under my
control) but LDAP is not just used by PAM/NSS (if it were it would be easy)
- there are undocumented usages in apache configs, Confluence, possibly
webapps written in all manner of languages etc etc.

It's a real mess...


I agree.  It was a real mess for me.

I can give you a quick rundown of what I encountered.  I feel a bit guilty
that I never submitted complete ITS reports, but I was too busy trying to
recover from software that was suddenly crashing repeatedly and predictably
once put into production.

Give a man a fish and you feed him for a day. Teach a man to fish andyou feed him for a lifetime.

If you consider more productive fix symptoms rather than fix the rootcause, that's your problem.

back-relay and slapo-ppolicy, as you mentioned, crashed the server.

back-ldap and slapo-rwm would cause the server to crash if a certain
malformed search filters were used (as a developer working on some code
here discovered within the first day we were up and running.)

You seem to be one of the few complaining about that. If instead ofwhining you filed a report, it would have been fixed ages ago.

back-meta would cause the server to hang if there were an additional space
in a search base (our old primary naming context was "o=lawrence berkeley
laboratory,c=us" and a mail client user had
"o=lawrence[space][space]berkeley lab,c=us" in his configuration.

Back meta rewrites the way you ask it to do. If you configure it torewrite "o=lawrence[space]berkeley lab,c=us" don't whine if it fails torewrite "o=lawrence[space][space]berkeley lab,c=us". Tell it to rewrite"o=lawrence[space]\+berkeley lab,c=us" instead, and it'll do what youwant. Machines tend to be as clever as users, seldom cleverer.

Given some of the explanation I received after posting the first bug, I
couldn't help but come to the conclusion that using any of the rewriting
infrastructure in the wild was a bad idea.

That's correct. It should be one's last resort to deal with poorlydesigned systems.

And that's where I ended up.
  So, we shortened the lifetime of our legacy naming context, wrote some
additional synchronization tools, and just cranked up a new database with
that content.


That's exactly what one is expected to do.

If you find a solution that works reliably, I'm all ears.


RTFM?  p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano

Follow-Ups:
- Re: ppolicy and rwm/relay segfaulting
  - From: Tim Watts <tw@dionic.net>

References:
- ppolicy and rwm/relay segfaulting
  - From: Tim Watts <tw@dionic.net>
- Re: ppolicy and rwm/relay segfaulting
  - From: Gregory Haverkamp <gahaverkamp@lbl.gov>
- Re: ppolicy and rwm/relay segfaulting
  - From: Tim Watts <tw@dionic.net>
- Re: ppolicy and rwm/relay segfaulting
  - From: Gregory Haverkamp <gahaverkamp@lbl.gov>

Prev by Date: Re: dnMatch flooding logs and access blocked
Next by Date: Re: OpenLDAP as an address book for MS Outlook
Index(es):
- Chronological
- Thread