slapd: slapcat output truncated every now and then
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Debian) | Fix Released | Unknown | |
openldap (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Medium | Unassigned |
Quantal | Won't Fix | Medium | Unassigned |
Raring | Fix Released | Medium | Unassigned |
Bug Description
SRU justification:
[Impact]
The slapd tools (slapcat, slapadd, et al) don't retry after failing to acquire a BDB read lock, and on a busy LDAP server can sometimes return incomplete data. This could result in data loss, for example when slapcat is used to take a hot backup.
Debian bug: http://
OpenLDAP thread: http://
OpenLDAP ITS:
- http://
- http://
The impact is limited to slapd servers with a write load high enough to generate lock contention. It's been present at least since 2.4.17 and maybe longer, and at least some people got used to working around it, e.g. [1], but not everyone is aware that the problem exists.
The fix is minimal and has been tested in OpenLDAP upstream and Debian wheezy.
[1] https:/
[Test Case]
# apt-get install ldap-utils slapd
<configure admin password>
# ldapadd -D cn=admin,
dn: cn=test,dc=nodomain
objectClass: organizationalRole
objectClass: simpleSecurityO
cn: test
userPassword: test
end
# while true; do slapcat | wc -l; done
and in another terminal...
$ while true; do ldappasswd -H ldap:// -D cn=admin,
In the first terminal, note that the output from wc is usually 41 but sometimes smaller. It should be the same line count every time.
[Regression Potential]
The regression risk should be small. The change is minimal, was authored by upstream, and has been accepted and released in Debian wheezy. I admit to not being familiar enough with the code to comment in detail on what regressions might be possible. If the fix were faulty wrt locking, I would hope for it to turn up during verification since the test case involves inducing a heavy write load on the server.
original description:
Debian #673038 was fixed in wheezy but the fix has never been merged to Ubuntu. I verified the existence of this bug in precise, quantal, raring, and saucy using more or less the procedure from http://
# apt-get install ldap-utils slapd
<configure admin password>
# ldapadd -D cn=admin,
dn: cn=test,dc=nodomain
objectClass: organizationalRole
objectClass: simpleSecurityO
cn: test
userPassword: test
end
# while true; do slapcat | wc -l; done
and in another terminal...
$ while true; do ldappasswd -H ldap:// -D cn=admin,
In the first terminal, note that the output from wc is usually 41 but sometimes smaller. It should be the same line count every time.
I'm building and testing patched packages now and will post debdiffs shortly.
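One way to guard a hot backup against the short reads described above, as an added example that is not part of the bug report or of OpenLDAP. The function names `ldif_dns` and `stable_dump` and the `MAX_TRIES` variable are hypothetical. It assumes the set of entries (DNs) does not change between retries, which holds for attribute-only writes such as the `ldappasswd` loop in the test case.

```shell
#!/bin/sh
# Added example, not from the bug report. Heuristic only: it lowers the odds
# of keeping a short dump, it does not replace the fixed package.

# Print the sorted DNs of an LDIF stream on stdin. Accepts "dn:" and base64
# "dn::" lines and unfolds continuation lines (leading single space).
ldif_dns() {
    awk '
        /^ /   { if (indn) dn = dn substr($0, 2); next }
        indn   { print dn; indn = 0 }
        /^dn:/ { dn = $0; indn = 1 }
        END    { if (indn) print dn }
    ' | LC_ALL=C sort
}

# stable_dump OUT CMD [ARGS...]
# Run CMD (slapcat in real use) up to MAX_TRIES times (default 5). Keep a dump
# only if its DN list matches the previous run AND no earlier run saw more
# entries. Returns 0 = dump written to OUT, 1 = no stable dump, 2 = CMD failed.
stable_dump() {
    sd_out=$1; shift
    sd_tmp=$(mktemp -d) || return 2
    sd_prev='' sd_max=0 sd_i=1
    while [ "$sd_i" -le "${MAX_TRIES:-5}" ]; do
        if ! "$@" > "$sd_tmp/dump.$sd_i"; then
            rm -rf "$sd_tmp"; return 2
        fi
        ldif_dns < "$sd_tmp/dump.$sd_i" > "$sd_tmp/dns.$sd_i"
        sd_n=$(($(wc -l < "$sd_tmp/dns.$sd_i")))
        if [ "$sd_n" -gt "$sd_max" ]; then sd_max=$sd_n; fi
        # Two identical short reads in a row must not win over a fuller run.
        if [ -n "$sd_prev" ] && [ "$sd_n" -gt 0 ] && [ "$sd_n" -eq "$sd_max" ] &&
           cmp -s "$sd_tmp/dns.$sd_prev" "$sd_tmp/dns.$sd_i"; then
            mv "$sd_tmp/dump.$sd_i" "$sd_out"
            rm -rf "$sd_tmp"
            return 0
        fi
        sd_prev=$sd_i
        sd_i=$((sd_i + 1))
    done
    rm -rf "$sd_tmp"
    return 1
}
```

A backup job would call it as `stable_dump <output file> slapcat` and treat any non-zero return as a failed backup.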
Changed in openldap (Debian):
status: Unknown → Fix Released
description: updated
Tried to propose a branch. New to this UDD thing, please give me hints if I've done some part incorrectly. Tested the fix on saucy amd64.