[SRU] Slave slapd crashes when doing syncrepl

Hi Thanks for the bug report can you describe more of your test setup?

Thanks
chuck

Humm...

I have an OpenLDAP server listening in ldaps:// and ldapi://. Simple and SASL authentication are enabled.

I am trying to run in the same machine another OpenLDAP server listening only in ldap://, but acting as a replica of the existing OpenLDAP server. In this second server, I want to disable simple authentication and enforce stronger SASL mechanisms in order to bind to it. My intention is to use ldap:// to serve NSS_LDAP modules and use ldaps:// to serve PAM_LDAP modules on workstations.

Now, I am using ldaps:// to serve either NSS_LDAP and PAM_LDAP and if I run 2500 instances of "getent passwd", my LDAP server eats all CPU resources because of the encryption. If I run 2500 instances of "getent passwd" agains a ldap:// server, the server uses no more than 5% of CPU resources. Good performance, but using ldap:// in PAM_LDAP arises a security problem in my network.

The file I attached here has the full LDAP base and OpenLDAP configuration I use here. I only moved configuration and databases to my home directory (/home/amg1127) in order to avoid conflict with my existing server. Unfortunately, I couldn't reproduce the bug by using a little base.

A question: the bug didn't occur in your setup?

I was able to reproduce the bug but I dont have a fix for it yet.

Thanks
chuck

I tried running your test setup with a newer version with openldap. I was still able to reproduce I have opened up a bug upstream: http://www.openldap.org/its/index.cgi?findid=5503.

Thanks
chuck

Are you alive? :-)

Sorry still investigating we dont have a fix for it yet.

Thanks
chuck

Chuck I read the openldap thread and apparently they're waiting for some more checks from you. Any more news to this? It's quite crippling not having Ldap slaves.

This is fixed for upstream but not for hardy.

Thanks
chuck

Ran the test routine above using openldap2.3 - 2.4.9-1ubuntu1~ppa1 from Chuck's PPA, and there was no segfault when using syncrepl. Everything worked as advertised.

I just tested Chuck's openldap2.3 - 2.4.9-1ubuntu1~ppa1 on my production test systems and didn't find any regressions. I tested adding users, deleting users, syncrepl, and RequestTracker configured to use OpenLDAP for authentication. Everything worked great.

At this time those are the main features I use OpenLDAP for, but if there are other things that I can check please let me know.

Thanks for you work on this Chuck.

syncrepl is working for me, also.

Thanks!

This is due to a bug in the upstream version however there are so many problems with 2.4.7 I have uploaded 2.4.9 with a patch that fixes this issue:

TEST CASE:

1. Install openldap 2.4.9
2 Run the script mentioned above.
3. openldap 2.4.9 will not crash.

I have attached the patch which fixes this issue. If you have any questions please let me know.

Thanks
chuck

Looks fine. Please incorporate it into the pending 2.4.9 SRU once the remaining question there is solved. Is this patch fixed in 2.4.9 upstream, or does it still need to be applied there?

This bug was fixed in the package openldap2.3 - 2.4.9-1ubuntu2

---------------
openldap2.3 (2.4.9-1ubuntu2) intrepid; urgency=low

  * Rebuild for perl 5.10 transition (LP: #230016)
  * debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using
    syncrepl. (LP: #227178)

 -- Chuck Short <email address hidden> Mon, 09 Jun 2008 14:56:40 +0000

The patch has been applied upstream and is in 2.4.10.

2.4.9 still need the patch applied.

Accepted into -proposed, please test and give feedback here

Sorry, I didn't saw your packages before, because of version numbering. I had installed packages from Chuck's PPA, with version 2.4.9-1ubuntu1~ppa1 and packages from hardy-proposed has version 2.4.9-0ubuntu0.8.04.

In order to allow automatic installation of hardy-proposed packages with a standard dist-upgrade, can version numbering be changed?

I just installed them now... No crashes while starting services...

Copied to hardy-updates.