2012-07-10 15:32:18 |
PierreF |
bug |
|
|
added bug |
2012-07-10 15:32:18 |
PierreF |
attachment added |
|
Log on one of the slapd servers when the bug occurs https://bugs.launchpad.net/bugs/1023025/+attachment/3218612/+files/syslog |
|
2012-07-10 15:32:59 |
PierreF |
bug |
|
|
added subscriber Lionel Porcheron |
2012-07-10 15:34:00 |
PierreF |
attachment added |
|
Configuration of slapd on "master" https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1023025/+attachment/3218625/+files/slapd-1.conf |
|
2012-07-10 15:34:20 |
PierreF |
attachment added |
|
Configuration of slapd on "slave" https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1023025/+attachment/3218626/+files/slapd-2.conf |
|
2012-07-10 16:09:42 |
Launchpad Janitor |
openldap (Ubuntu): status |
New |
Confirmed |
|
2012-07-10 16:09:57 |
cswingle |
bug |
|
|
added subscriber cswingle |
2012-07-19 12:11:16 |
Lionel Porcheron |
nominated for series |
|
Ubuntu Precise |
|
2012-07-19 12:11:46 |
Lionel Porcheron |
openldap (Ubuntu): importance |
Undecided |
Medium |
|
2012-07-19 12:18:43 |
James Page |
bug task added |
|
openldap (Ubuntu Precise) |
|
2012-07-19 12:18:54 |
James Page |
openldap (Ubuntu Precise): status |
New |
Triaged |
|
2012-07-19 12:19:00 |
James Page |
openldap (Ubuntu Precise): importance |
Undecided |
Medium |
|
2012-07-19 12:19:05 |
James Page |
openldap (Ubuntu Precise): milestone |
|
ubuntu-12.04.1 |
|
2012-07-19 12:19:20 |
James Page |
openldap (Ubuntu): status |
Confirmed |
Triaged |
|
2012-07-19 12:30:33 |
PierreF |
description |
On precise, the slapd daemon returns "error code 2 - controls require LDAPv3" to client searches. I don't see any reason why this would occur, because if you run the same command a few seconds later, it (may) work.
For example, using nss_ldap, when running "id pierref" in a loop, you may sometimes have fewer groups than you would normally have. And a few seconds later, everything goes back to normal.
We also have this issue with some other tools, like Confluence (Atlassian's wiki) and also an internal tool developed in Python.
On client side (confluence), we have "javax.naming.CommunicationException: [LDAP: error code 2 - controls require LDAPv3];"
On the server side, we found the same "controls require LDAPv3" returned with the get_ctrl function. I attached a log extract of the slapd server at loglevel any. In the log I kept one successful search done by Confluence and one failed search.
Note: on the server log - if I understand the log correctly - the client binds with version 3 of the protocol... while the error complains about not being version 3...
Version:
* server : Ubuntu precise 3.2.0-26-generic x86_64, slapd 2.4.28-1.1ubuntu4
* client 1 : Ubuntu lucid 2.6.32-41-server x86_64, libnss-ldap 264-2ubuntu2, ldap-utils 2.4.21-0ubuntu5.7
* client 2 : Ubuntu precise 3.2.0-26-virtual x86_64, libnss-ldap 264-2.2ubuntu2, ldap-utils 2.4.28-1.1ubuntu4
There are two LDAP servers (replication); I attached the configuration of both.
I also attached a "test_nss.sh" which shows this bug on the client side. |
[IMPACT]
* Any client connecting in LDAPv3 and using a v3-specific feature may fail
* This includes libnss-ldap (so id user may not return all groups). Thus you may log in without all your groups and need to log out/log in one more time.
* This issue is known and fixed upstream, ITS#7107 (commit 85c1c545f4e20882a2f748fcef5f732ea2d2ecf6).
[TESTCASE]
To reproduce this issue, you will need to do enough searches, some with version 2, others with version 3 and some control.
Example:
* In terminal A, run: while true; do ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -P 2 > /dev/null;sleep 0.1;done
* Let the loop run for some time (it increases the chance of failure for the next step).
* In terminal B, run ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -M. You should not have to run it more than 20 times before an error occurs. |
|
2012-07-19 12:37:12 |
PierreF |
attachment added |
|
lp1023025.debdiff https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1023025/+attachment/3228396/+files/lp1023025.debdiff |
|
2012-07-19 12:59:09 |
PierreF |
attachment added |
|
lp-1023025-quantal.debdiff https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1023025/+attachment/3228408/+files/lp-1023025-quantal.debdiff |
|
2012-07-19 13:30:12 |
Launchpad Janitor |
openldap (Ubuntu): status |
Triaged |
Fix Released |
|
2012-07-19 13:36:29 |
James Page |
description |
[IMPACT]
* Any client connecting in LDAPv3 and using a v3-specific feature may fail
* This includes libnss-ldap (so id user may not return all groups). Thus you may log in without all your groups and need to log out/log in one more time.
* This issue is known and fixed upstream, ITS#7107 (commit 85c1c545f4e20882a2f748fcef5f732ea2d2ecf6).
[TESTCASE]
To reproduce this issue, you will need to do enough searches, some with version 2, others with version 3 and some control.
Example:
* In terminal A, run: while true; do ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -P 2 > /dev/null;sleep 0.1;done
* Let the loop run for some time (it increases the chance of failure for the next step).
* In terminal B, run ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -M. You should not have to run it more than 20 times before an error occurs. |
[IMPACT]
* Any client connecting in LDAPv3 and using a v3-specific feature may fail
* This includes libnss-ldap (so id user may not return all groups). Thus you may log in without all your groups and need to log out/log in one more time.
* This issue is known and fixed upstream, ITS#7107 (commit 85c1c545f4e20882a2f748fcef5f732ea2d2ecf6).
[TESTCASE]
To reproduce this issue, you will need to do enough searches, some with version 2, others with version 3 and some control.
Example:
* In terminal A, run: while true; do ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -P 2 > /dev/null;sleep 0.1;done
* Let the loop run for some time (it increases the chance of failure for the next step).
* In terminal B, run ldapsearch -h 127.0.0.1 -b o=company uid=dontcare -M.
You should not have to run it more than 20 times before an error occurs.
[REGRESSION POTENTIAL]
Minimal, as this is a simple one-line change to initialize objects before re-use.
Fix has good heritage as Howard is the Chief TA of OpenLDAP. |
|
2012-07-19 13:39:37 |
James Page |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2012-07-19 13:39:50 |
James Page |
summary |
search fail with get_ctrls : controls require LDAPv3 |
[SRU] search fail with get_ctrls : controls require LDAPv3 |
|
2012-07-19 14:23:07 |
James Page |
openldap (Ubuntu Precise): assignee |
|
James Page (james-page) |
|
2012-07-19 14:35:32 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/openldap |
|
2012-07-19 21:10:06 |
James Page |
openldap (Ubuntu Precise): status |
Triaged |
In Progress |
|
2012-07-26 00:05:48 |
Clint Byrum |
openldap (Ubuntu Precise): status |
In Progress |
Fix Committed |
|
2012-07-26 00:05:52 |
Clint Byrum |
bug |
|
|
added subscriber SRU Verification |
2012-07-26 00:05:55 |
Clint Byrum |
tags |
|
verification-needed |
|
2012-07-26 00:49:28 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/precise/openldap/precise-proposed |
|
2012-07-26 08:41:51 |
PierreF |
tags |
verification-needed |
verification-done |
|
2012-08-02 21:17:34 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2012-08-02 21:24:09 |
Launchpad Janitor |
openldap (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
2022-06-13 18:23:01 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/openldap/+git/openldap/+merge/424341 |
|
2022-06-13 19:08:48 |
Launchpad Janitor |
merge proposal unlinked |
https://code.launchpad.net/~sergiodj/ubuntu/+source/openldap/+git/openldap/+merge/424341 |
|
|