2013-05-30 17:27:48 |
Ryan Tandy |
bug |
|
|
added bug |
2013-05-30 17:29:07 |
Ryan Tandy |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673038 |
|
2013-05-30 17:29:07 |
Ryan Tandy |
bug task added |
|
openldap (Debian) |
|
2013-05-30 18:39:45 |
Bug Watch Updater |
openldap (Debian): status |
Unknown |
Fix Released |
|
2013-05-30 18:52:33 |
Ryan Tandy |
description |
Debian #673038 was fixed in wheezy but the fix has never been merged to Ubuntu. I verified the existence of this bug in precise, quantal, raring, and saucy using more or less the procedure from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673038#111:
# apt-get install ldap-utils slapd
<configure admin password>
# ldapadd -D cn=admin,dc=nodomain -w adminpw <<end
dn: cn=test,dc=nodomain
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: test
userPassword: test
end
# while true; do slapcat | wc -l; done
and in another terminal...
$ while true; do ldappasswd -D cn=admin,dc=nodomain -w adminpw cn=test,dc=nodomain; done
In the first terminal, note that the output from wc is usually 41 but sometimes smaller. It should be the same line count every time.
I'm building and testing patched packages now and will post debdiffs shortly. |
Debian #673038 was fixed in wheezy but the fix has never been merged to Ubuntu. I verified the existence of this bug in precise, quantal, raring, and saucy using more or less the procedure from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673038#111:
# apt-get install ldap-utils slapd
<configure admin password>
# ldapadd -D cn=admin,dc=nodomain -w adminpw <<end
dn: cn=test,dc=nodomain
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: test
userPassword: test
end
# while true; do slapcat | wc -l; done
and in another terminal...
$ while true; do ldappasswd -H ldap:// -D cn=admin,dc=nodomain -w adminpw cn=test,dc=nodomain; done
In the first terminal, note that the output from wc is usually 41 but sometimes smaller. It should be the same line count every time.
I'm building and testing patched packages now and will post debdiffs shortly. |
|
2013-05-30 18:54:34 |
Launchpad Janitor |
branch linked |
|
lp:~rtandy/ubuntu/saucy/openldap/lp1185908 |
|
2013-06-03 08:53:50 |
James Page |
openldap (Ubuntu): status |
New |
Fix Released |
|
2013-06-03 09:05:40 |
James Page |
nominated for series |
|
Ubuntu Precise |
|
2013-06-03 09:05:40 |
James Page |
bug task added |
|
openldap (Ubuntu Precise) |
|
2013-06-03 09:05:40 |
James Page |
nominated for series |
|
Ubuntu Quantal |
|
2013-06-03 09:05:40 |
James Page |
bug task added |
|
openldap (Ubuntu Quantal) |
|
2013-06-03 09:05:40 |
James Page |
nominated for series |
|
Ubuntu Raring |
|
2013-06-03 09:05:40 |
James Page |
bug task added |
|
openldap (Ubuntu Raring) |
|
2013-06-03 09:05:57 |
James Page |
openldap (Ubuntu Precise): importance |
Undecided |
Medium |
|
2013-06-03 09:05:59 |
James Page |
openldap (Ubuntu Quantal): importance |
Undecided |
Medium |
|
2013-06-03 09:06:00 |
James Page |
openldap (Ubuntu Raring): importance |
Undecided |
Medium |
|
2013-06-03 09:06:04 |
James Page |
openldap (Ubuntu Precise): status |
New |
Triaged |
|
2013-06-03 09:06:06 |
James Page |
openldap (Ubuntu Quantal): status |
New |
Triaged |
|
2013-06-03 09:06:08 |
James Page |
openldap (Ubuntu Raring): status |
New |
Triaged |
|
2013-06-03 09:12:03 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2013-06-03 22:18:38 |
Ryan Tandy |
description |
Debian #673038 was fixed in wheezy but the fix has never been merged to Ubuntu. I verified the existence of this bug in precise, quantal, raring, and saucy using more or less the procedure from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673038#111:
# apt-get install ldap-utils slapd
<configure admin password>
# ldapadd -D cn=admin,dc=nodomain -w adminpw <<end
dn: cn=test,dc=nodomain
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: test
userPassword: test
end
# while true; do slapcat | wc -l; done
and in another terminal...
$ while true; do ldappasswd -H ldap:// -D cn=admin,dc=nodomain -w adminpw cn=test,dc=nodomain; done
In the first terminal, note that the output from wc is usually 41 but sometimes smaller. It should be the same line count every time.
I'm building and testing patched packages now and will post debdiffs shortly. |
SRU justification:
[Impact]
The slapd tools (slapcat, slapadd, et al) don't retry after failing to acquire a BDB read lock, and on a busy LDAP server can sometimes return incomplete data. This could result in data loss, for example when slapcat is used to take a hot backup.
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673038
OpenLDAP thread: http://www.openldap.org/lists/openldap-technical/201301/msg00195.html
OpenLDAP ITS:
- http://www.openldap.org/its/index.cgi?findid=6365
- http://www.openldap.org/its/index.cgi?findid=7503
The impact is limited to slapd servers with a write load high enough to generate lock contention. It's been present at least since 2.4.17 and maybe longer, and at least some people got used to working around it, e.g. [1], but not everyone is aware that the problem exists.
The fix is minimal and has been tested in OpenLDAP upstream and Debian wheezy.
[1] https://github.com/elmar/ldap-git-backup/blob/master/README.mdown#safe-ldif
[Test Case]
# apt-get install ldap-utils slapd
<configure admin password>
# ldapadd -D cn=admin,dc=nodomain -w adminpw <<end
dn: cn=test,dc=nodomain
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: test
userPassword: test
end
# while true; do slapcat | wc -l; done
and in another terminal...
$ while true; do ldappasswd -H ldap:// -D cn=admin,dc=nodomain -w adminpw cn=test,dc=nodomain; done
In the first terminal, note that the output from wc is usually 41 but sometimes smaller. It should be the same line count every time.
[Regression Potential]
The regression risk should be small. The change is minimal, was authored by upstream, and has been accepted and released in Debian wheezy. I admit to not being familiar enough with the code to comment in detail on what regressions might be possible. If the fix were faulty wrt locking, I would hope for it to turn up during verification since the test case involves inducing a heavy write load on the server.
original description:
Debian #673038 was fixed in wheezy but the fix has never been merged to Ubuntu. I verified the existence of this bug in precise, quantal, raring, and saucy using more or less the procedure from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673038#111:
# apt-get install ldap-utils slapd
<configure admin password>
# ldapadd -D cn=admin,dc=nodomain -w adminpw <<end
dn: cn=test,dc=nodomain
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: test
userPassword: test
end
# while true; do slapcat | wc -l; done
and in another terminal...
$ while true; do ldappasswd -H ldap:// -D cn=admin,dc=nodomain -w adminpw cn=test,dc=nodomain; done
In the first terminal, note that the output from wc is usually 41 but sometimes smaller. It should be the same line count every time.
I'm building and testing patched packages now and will post debdiffs shortly. |
|
2013-06-04 16:24:51 |
Ryan Tandy |
attachment added |
|
precise debdiff, tested on amd64 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1185908/+attachment/3694554/+files/openldap_2.4.28-1.1ubuntu4.3.debdiff |
|
2013-06-04 16:27:01 |
Ryan Tandy |
attachment added |
|
quantal debdiff, tested on amd64 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1185908/+attachment/3694555/+files/openldap_2.4.31-1ubuntu2.1.debdiff |
|
2013-06-04 16:31:30 |
Ryan Tandy |
attachment added |
|
raring debdiff, tested on amd64 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1185908/+attachment/3694556/+files/openldap_2.4.31-1ubuntu2.1.debdiff |
|
2013-06-04 16:33:41 |
Ryan Tandy |
tags |
|
patch precise quantal raring |
|
2013-06-04 16:36:51 |
Ryan Tandy |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2013-06-19 17:36:52 |
Sebastien Bacher |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2013-06-19 17:36:58 |
Sebastien Bacher |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2013-06-19 17:37:00 |
Sebastien Bacher |
openldap (Ubuntu Precise): status |
Triaged |
In Progress |
|
2013-06-19 17:37:02 |
Sebastien Bacher |
openldap (Ubuntu Quantal): status |
Triaged |
Won't Fix |
|
2013-06-19 17:37:06 |
Sebastien Bacher |
openldap (Ubuntu Raring): status |
Triaged |
In Progress |
|
2013-06-20 17:07:40 |
Brian Murray |
openldap (Ubuntu Raring): status |
In Progress |
Fix Committed |
|
2013-06-20 17:07:44 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2013-06-20 17:07:53 |
Brian Murray |
tags |
patch precise quantal raring |
patch precise quantal raring verification-needed |
|
2013-06-20 17:14:02 |
Brian Murray |
openldap (Ubuntu Precise): status |
In Progress |
Fix Committed |
|
2013-06-20 17:15:39 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/raring-proposed/openldap |
|
2013-06-20 17:25:09 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/openldap |
|
2013-06-21 15:40:51 |
Ryan Tandy |
tags |
patch precise quantal raring verification-needed |
patch precise quantal raring verification-done |
|
2013-06-27 20:44:38 |
Launchpad Janitor |
openldap (Ubuntu Raring): status |
Fix Committed |
Fix Released |
|
2013-06-27 20:44:43 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2013-06-27 20:46:05 |
Launchpad Janitor |
openldap (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|