Full_Name: John de Freitas
Version: 2.2.23
OS: Linux (RH 7.3 kernel 2.4.18-3)
URL:
Submission from: (NULL) (67.93.141.190)

I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the backend.

My slapd.conf has 2 suffixes for this backend (I added the BDB_MULTIPLE_SUFFIXES
preprocessor define to servers/slapd/back-bdb/init.c). The relevant portion of
my slapd.conf is:

database bdb
suffix "dc=example,dc=com"
suffix "o=My Certificate Authority"
rootdn "dn=Manager,dc=example,dc=com"
rootpwd secret

I can add entries under the first suffix without problem; I cannot for the
second. The error reported by slapd is:

<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
bdb_add: entry at root denied

I believe the problem is in servers/slapd/back-bdb/cache.c, in
bdb_cache_find_ndn(). The code there assumes that the current entry is for the
first suffix:

    /* we're searching a full DN from the root */
    ptr = ndn->bv_val + ndn->bv_len - op->o_bd->be_nsuffix[0].bv_len;
    ei.bei_nrdn.bv_val = ptr;
    ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;

I can add using this first suffix, but in order to add entries for suffixes
2...N, the code would need to search through all op->o_bd->be_nsuffix
entries. Something like:

    int i=0;
    while(op->o_bd->be_nsuffix[i] != NULL) {
        /* compare ndn->bv_val and op->o_bd->be_nsuffix[i]
         * if match, break; if not, i++
         */
    }

gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add fails
as slapd will then try to add an entry such as "cn=John,o=My Certificate
Authority" to the root, which won't be permitted.

Regards,
John de Freitas

This is a known deficiency in back-bdb, your analysis is correct. The ideal
fix would be for slapd/backend.c:select_backend() to return the index of the
suffix it matched in addition to the backend it found, so that this comparison
need not be performed redundantly throughout the rest of the code. I may do
this in 2.3, but no plans for 2.2.

--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

Thank you for the reply. I searched the known bug list; is this a duplicate?

Also, I have implemented a patch in back-bdb/cache.c to select the correct
suffix, but now that I read your comment about backend.c, I see it's not the
most appropriate fix. Would a patch to backend.c along the lines you suggested
be considered for 2.2.x, or are all modifications of this type confined to 2.3?
If so, I'll just go along with my local fix.

Regards,
John de Freitas

>From: Howard Chu <hyc@symas.com>
>To: john_de_f@hotmail.com
>CC: openldap-its@OpenLDAP.org
>Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend
>Date: Thu, 24 Feb 2005 22:17:52 -0800
>
>This is a known deficiency in back-bdb, your analysis is correct. The ideal
>fix would be for slapd/backend.c:select_backend() to return the index of
>the suffix it matched in addition to the backend it found, so that this
>comparison need not be performed redundantly throughout the rest of the
>code. I may do this in 2.3, but no plans for 2.2.

john_de_f@hotmail.com wrote:

>Thank you for the reply. I searched the known bug list; is this a duplicate?
>
>Also, I have implemented a patch in back-bdb/cache.c to select the correct
>suffix, but now that I read your comment about backend.c, I see it's not the
>most appropriate fix. Would a patch to backend.c along the lines you
>suggested be considered for 2.2.x, or are all modifications of this type
>confined to 2.3? If so, I'll just go along with my local fix.

Patching select_backend() will affect 30-some files, so I'm not sure we'd want
to change this in 2.2. On the other hand, a patch against CVS HEAD would
probably port equally well to 2.3 and 2.2. Multiple-suffix support is not a
priority for us though, it's preferred that you use one suffix per database.
Overall I'm less inclined to patch this in 2.2.

As a hint, you need to add an (int *) argument to select_backend, and add an
o_isuffix (or something) to the Operation structure in slap.h, and reference it
consistently in back-bdb.

--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

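An added illustration of the offset problem in the report and of the suffix-index idea in the replies above; it is not code from any message in this thread or from OpenLDAP. The struct berval stand-in, the helper names and the sample DNs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for OpenLDAP's struct berval (length + pointer). */
struct berval { size_t bv_len; char *bv_val; };
#define BV(s) { sizeof(s) - 1, (char *)(s) }

/* Constructed sample: normalized suffixes, terminated by a NULL bv_val. */
static struct berval sample_nsuffix[] = {
    BV("dc=example,dc=com"),
    BV("o=my certificate authority"),
    { 0, NULL }
};

/* Hypothetical helper: index of the suffix that ndn ends with, or -1.
 * The match must start at the beginning of ndn or right after a ','
 * so that "xdc=example,dc=com" is not accepted. */
static int match_suffix(const struct berval *ndn, const struct berval *nsuffix)
{
    for (int i = 0; nsuffix[i].bv_val != NULL; i++) {
        size_t slen = nsuffix[i].bv_len;
        if (slen > ndn->bv_len)
            continue;
        size_t off = ndn->bv_len - slen;
        if (memcmp(ndn->bv_val + off, nsuffix[i].bv_val, slen) != 0)
            continue;
        if (off == 0 || ndn->bv_val[off - 1] == ',')
            return i;
    }
    return -1;
}

/* Offset as computed in the report: always relative to suffix 0. */
static size_t offset_first_suffix(const struct berval *ndn, const struct berval *nsuffix)
{
    return ndn->bv_len - nsuffix[0].bv_len;
}

/* Offset relative to the suffix that matched; (size_t)-1 if none did. */
static size_t offset_matched_suffix(const struct berval *ndn, const struct berval *nsuffix)
{
    int i = match_suffix(ndn, nsuffix);
    return i < 0 ? (size_t)-1 : ndn->bv_len - nsuffix[i].bv_len;
}

int main(void)
{
    struct berval ndn = BV("cn=john,o=my certificate authority");
    printf("suffix[0] offset: \"%s\"\n", ndn.bv_val + offset_first_suffix(&ndn, sample_nsuffix));
    printf("matched offset:   \"%s\"\n", ndn.bv_val + offset_matched_suffix(&ndn, sample_nsuffix));
    return 0;
}
```

With the suffix-0 length the pointer lands in the middle of the second suffix's text, so the lookup key is not a suffix at all; using the matched index yields the whole suffix.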
changed notes
changed state Open to Suspended moved from Incoming to Software Enhancements
low priority