From quanah at zimbra.com Thu Nov 5 17:23:02 2009
From: quanah at zimbra.com (Quanah Gibson-Mount)
Date: Thu, 05 Nov 2009 09:23:02 -0800
Subject: [Pkg-openldap-devel] Suggestion about replication tests for openldap.
In-Reply-To: <391159.37783.qm@web52102.mail.re2.yahoo.com>
References: <391159.37783.qm@web52102.mail.re2.yahoo.com>
Message-ID: <31472F2E227FD33C55AF18C5@[192.168.1.199]>

--On Tuesday, November 04, 2008 7:55 PM -0800 José Ildefonso Camargo Tolosa wrote:

> Hi, again,
>
> please ignore my last mail.... I think that I'm falling asleep. You
> *actually* do entries/attrs deletion on the tests (017 and 018).
>
> Thanks!
>
> Ildefonso Camargo
>
>
>
> ----- Original Message ----
> From: José Ildefonso Camargo Tolosa
> To: pkg-openldap-devel at lists.alioth.debian.org
> Sent: Wednesday, November 5, 2008 11:13:25 PM
> Subject: Suggestion about replication tests for openldap.
>
> Hi!
>
> I was just backporting openldap 2.4.11 from Lenny to Etch (as an
> exercise, and for doing some testing), and I was looking at the tests, I
> can see that you: create and modify entries, but you don't delete (or
> move, ie, copy + delete) entries on the directory. I'm having some weird
> replication problems (related to power outages, and intermittent links),
> and most of them have occurred on delete-related operations, I'm using
> syncrepl-persist. Anyway, I still don't have an *exact* procedure for
> reproducing the problem, so I won't elaborate on it. Anyway, my 2.4
> backport is for testing purposes, just to see if the problem goes away
> with it.
>
> So, I think you should include delete operations on the tests.
>
> Thanks for maintaining this package! I use it a lot.

I think you are sending email to the wrong place. The OpenLDAP tests are
maintained by the OpenLDAP project, not the debian project. ;)

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

From ildefonso_camargo at yahoo.com Fri Nov 6 01:13:50 2009
From: ildefonso_camargo at yahoo.com (=?iso-8859-1?Q?Jos=E9_Ildefonso_Camargo_Tolosa?=)
Date: Thu, 5 Nov 2009 17:13:50 -0800 (PST)
Subject: [Pkg-openldap-devel] Suggestion about replication tests for openldap.
In-Reply-To: <31472F2E227FD33C55AF18C5@[192.168.1.199]>
Message-ID: <472463.35114.qm@web52106.mail.re2.yahoo.com>

Hi!

Wow, that mail is from a long time ago...... about a year ago. And yes:
maybe I sent to the wrong list (as I stated, I was falling asleep).

Anyway, thanks for taking the time to answer it!

Sincerely,

Ildefonso Camargo

--- On Thu, 11/5/09, Quanah Gibson-Mount wrote:

> From: Quanah Gibson-Mount
> Subject: Re: [Pkg-openldap-devel] Suggestion about replication tests for openldap.
> To: "José Ildefonso Camargo Tolosa" , pkg-openldap-devel at lists.alioth.debian.org
> Date: Thursday, November 5, 2009, 1:23 PM
>
> --On Tuesday, November 04, 2008 7:55 PM -0800 José Ildefonso Camargo
> Tolosa wrote:
>
> > Hi, again,
> >
> > please ignore my last mail.... I think that I'm falling asleep. You
> > *actually* do entries/attrs deletion on the tests (017 and 018).
> >
> > Thanks!
> >
> > Ildefonso Camargo
> >
> >
> >
> > ----- Original Message ----
> > From: José Ildefonso Camargo Tolosa
> > To: pkg-openldap-devel at lists.alioth.debian.org
> > Sent: Wednesday, November 5, 2008 11:13:25 PM
> > Subject: Suggestion about replication tests for openldap.
> >
> > Hi!
> >
> > I was just backporting openldap 2.4.11 from Lenny to Etch (as an
> > exercise, and for doing some testing), and I was looking at the tests, I
> > can see that you: create and modify entries, but you don't delete (or
> > move, ie, copy + delete) entries on the directory. I'm having some weird
> > replication problems (related to power outages, and intermittent links),
> > and most of them have occurred on delete-related operations, I'm using
> > syncrepl-persist. Anyway, I still don't have an *exact* procedure for
> > reproducing the problem, so I won't elaborate on it. Anyway, my 2.4
> > backport is for testing purposes, just to see if the problem goes away
> > with it.
> >
> > So, I think you should include delete operations on the tests.
> >
> > Thanks for maintaining this package! I use it a lot.
>
> I think you are sending email to the wrong place. The OpenLDAP tests are
> maintained by the OpenLDAP project, not the debian project. ;)
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration

From karl at fizzback.net Mon Nov 9 16:35:12 2009
From: karl at fizzback.net (The Jorginator)
Date: Mon, 09 Nov 2009 16:35:12 +0000
Subject: [Pkg-openldap-devel] Bug#555409: ldap-utils: Untrusted LDAP server SSL certs result in misleading error message
Message-ID: <20091109163512.9782.9688.reportbug@dev2.fizzback.net>

Package: ldap-utils
Version: 2.4.11-1
Severity: minor

Background: We are trying to make use of LDAP over SSL with our own
internal CA certificate (not customer-facing stuff, so internal CA will
suffice.)

When doing e.g.:

    ldapsearch -H ldaps://ldap.example.com -x uid=karl

this fails with:

    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

when the real problem seems to be that the server certificate is not
trusted.

Once our CA certificate was added in /etc/ssl/certs (with symlink etc) on
the client, ldap-search works fine. Removing the entries from
/etc/ssl/certs reverts back to the old behaviour.

My point: The error message is misleading - it took me a while to debug
this, as the error message points towards lack of connectivity, DNS,
firewalls or other red herrings...

Could we have a better error message for this? If not, then at least
others with the same problem might come across this in their favourite
search engine...

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages ldap-utils depends on:
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libgnutls26 2.4.2-6+lenny1 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libsasl2-2 2.1.22.dfsg1-23+lenny1 Cyrus SASL - authentication abstra

Versions of packages ldap-utils recommends:
ii libsasl2-modules 2.1.22.dfsg1-23+lenny1 Cyrus SASL - pluggable authenticat

ldap-utils suggests no packages.

-- no debconf information

From karl at jorgensen.org.uk Mon Nov 9 17:23:02 2009
From: karl at jorgensen.org.uk (Karl E. Jorgensen)
Date: Mon, 09 Nov 2009 17:23:02 +0000
Subject: [Pkg-openldap-devel] Bug#555409: Correction
Message-ID: <1257787382.4766.126.camel@the-jorg.fizzback.local>

Correction: it depends on whether the CA certificate is listed
in /etc/ssl/certs/ca-certificates.crt . Not /etc/ssl/certs + symlinks.

Sorry about that.

--
Karl E. J?rgensen
Geek

From karl at jorgensen.org.uk Mon Nov 9 19:09:30 2009
From: karl at jorgensen.org.uk (Karl E. Jorgensen)
Date: Mon, 09 Nov 2009 19:09:30 +0000
Subject: [Pkg-openldap-devel] Bug#555409: More corrections :-(
Message-ID: <1257793770.4766.131.camel@the-jorg.fizzback.local>

Blergh.. Another correction: what *really* matters
is /etc/ldap/ldap.conf : the TLS_CACERT line...

Sorry about this confusing bug report. Having a bad day...

--
Karl E. J?rgensen
Geek

From quanah at zimbra.com Tue Nov 10 17:19:32 2009
From: quanah at zimbra.com (Quanah Gibson-Mount)
Date: Tue, 10 Nov 2009 09:19:32 -0800
Subject: [Pkg-openldap-devel] Bug#553432: Bug#553432: Bug#553432: Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
In-Reply-To:
References: <20091031095705.15487.1501.reportbug@blog-devel.iuculano.it> <76CE4680DDC5189242DDB08A@[192.168.1.199]>
Message-ID:

--On Saturday, October 31, 2009 9:13 AM -0700 Quanah Gibson-Mount wrote:

> Also, if Debian's still supporting anything based on OL 2.3, I have a
> clean patch for this issue for it as well.

2.3 patch attached if needed.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ITS6239.patch
Type: application/octet-stream
Size: 3231 bytes
Desc: not available
URL:

From iuculano at debian.org Tue Nov 10 17:58:29 2009
From: iuculano at debian.org (Giuseppe Iuculano)
Date: Tue, 10 Nov 2009 18:58:29 +0100
Subject: [Pkg-openldap-devel] Bug#553432: Bug#553432: Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
Message-ID: <4AF9A9C5.3000600@debian.org>

Hi,

Quanah Gibson-Mount wrote:
> Also, if Debian's still supporting anything based on OL 2.3, I have a clean
> patch for this issue for it as well.

Could you send the patch for OL 2.3 please?

Thanks in advance,
Giuseppe

From quanah at zimbra.com Tue Nov 10 18:09:12 2009
From: quanah at zimbra.com (Quanah Gibson-Mount)
Date: Tue, 10 Nov 2009 10:09:12 -0800
Subject: [Pkg-openldap-devel] Bug#553432: Bug#553432: Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
In-Reply-To: <4AF9A9C5.3000600@debian.org>
References: <4AF9A9C5.3000600@debian.org>
Message-ID: <80A721D9E15F8A36494E12D7@[192.168.1.199]>

--On Tuesday, November 10, 2009 6:58 PM +0100 Giuseppe Iuculano wrote:

> Hi,
>
> Quanah Gibson-Mount wrote:
>> Also, if Debian's still supporting anything based on OL 2.3, I have a
>> clean patch for this issue for it as well.
>
> Could you send the patch for OL 2.3 please?

Sent it this morning already. :)

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

From dak at ftp-master.debian.org Tue Nov 10 19:37:44 2009
From: dak at ftp-master.debian.org (Archive Administrator)
Date: Tue, 10 Nov 2009 19:37:44 +0000
Subject: [Pkg-openldap-devel] Processing of openldap_2.4.17-2.1_i386.changes
Message-ID:

openldap_2.4.17-2.1_i386.changes uploaded successfully to localhost
along with the files:
  openldap_2.4.17-2.1.dsc
  openldap_2.4.17-2.1.diff.gz
  slapd_2.4.17-2.1_i386.deb
  ldap-utils_2.4.17-2.1_i386.deb
  libldap-2.4-2_2.4.17-2.1_i386.deb
  libldap-2.4-2-dbg_2.4.17-2.1_i386.deb
  libldap2-dev_2.4.17-2.1_i386.deb
  slapd-dbg_2.4.17-2.1_i386.deb

Greetings,

Your Debian queue daemon (running on host ries.debian.org)

From giuseppe at iuculano.it Tue Nov 10 19:30:46 2009
From: giuseppe at iuculano.it (Giuseppe Iuculano)
Date: Tue, 10 Nov 2009 20:30:46 +0100
Subject: [Pkg-openldap-devel] Bug#553432: NMU
Message-ID: <4AF9BF66.4090508@iuculano.it>

Hi,

Attached is a debdiff of the changes I made for 2.4.17-2.1 0-day NMU.

Cheers,
Giuseppe
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openldap_2.4.17-2.1.debdiff
URL:

From installer at ftp-master.debian.org Tue Nov 10 19:47:43 2009
From: installer at ftp-master.debian.org (Archive Administrator)
Date: Tue, 10 Nov 2009 19:47:43 +0000
Subject: [Pkg-openldap-devel] openldap_2.4.17-2.1_i386.changes ACCEPTED
Message-ID:

Accepted:
ldap-utils_2.4.17-2.1_i386.deb
  to main/o/openldap/ldap-utils_2.4.17-2.1_i386.deb
libldap-2.4-2-dbg_2.4.17-2.1_i386.deb
  to main/o/openldap/libldap-2.4-2-dbg_2.4.17-2.1_i386.deb
libldap-2.4-2_2.4.17-2.1_i386.deb
  to main/o/openldap/libldap-2.4-2_2.4.17-2.1_i386.deb
libldap2-dev_2.4.17-2.1_i386.deb
  to main/o/openldap/libldap2-dev_2.4.17-2.1_i386.deb
openldap_2.4.17-2.1.diff.gz
  to main/o/openldap/openldap_2.4.17-2.1.diff.gz
openldap_2.4.17-2.1.dsc
  to main/o/openldap/openldap_2.4.17-2.1.dsc
slapd-dbg_2.4.17-2.1_i386.deb
  to main/o/openldap/slapd-dbg_2.4.17-2.1_i386.deb
slapd_2.4.17-2.1_i386.deb
  to main/o/openldap/slapd_2.4.17-2.1_i386.deb

Override entries for your package:
ldap-utils_2.4.17-2.1_i386.deb - optional net
libldap-2.4-2-dbg_2.4.17-2.1_i386.deb - extra debug
libldap-2.4-2_2.4.17-2.1_i386.deb - standard libs
libldap2-dev_2.4.17-2.1_i386.deb - extra libdevel
openldap_2.4.17-2.1.dsc - source net
slapd-dbg_2.4.17-2.1_i386.deb - extra debug
slapd_2.4.17-2.1_i386.deb - optional net

Announcing to debian-devel-changes at lists.debian.org
Closing bugs: 553432

Thank you for your contribution to Debian.

From owner at bugs.debian.org Tue Nov 10 19:51:04 2009
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 10 Nov 2009 19:51:04 +0000
Subject: [Pkg-openldap-devel] Bug#553432: marked as done (CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name)
References: <20091031095705.15487.1501.reportbug@blog-devel.iuculano.it>
Message-ID:

Your message dated Tue, 10 Nov 2009 19:47:43 +0000
with message-id
and subject line Bug#553432: fixed in openldap 2.4.17-2.1
has caused the Debian Bug report #553432,
regarding CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
553432: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553432
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Giuseppe Iuculano
Subject: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
Date: Sat, 31 Oct 2009 10:57:05 +0100
Size: 3229
URL:
-------------- next part --------------
An embedded message was scrubbed...
From: Giuseppe Iuculano
Subject: Bug#553432: fixed in openldap 2.4.17-2.1
Date: Tue, 10 Nov 2009 19:47:43 +0000
Size: 6389
URL:

From peter.fritzsche at gmx.de Thu Nov 12 08:47:12 2009
From: peter.fritzsche at gmx.de (Peter Fritzsche)
Date: Thu, 12 Nov 2009 09:47:12 +0100
Subject: [Pkg-openldap-devel] Bug#555867: FTBFS with binutils-gold
Message-ID: <200911120947.12027904689.peter.fritzsche@gmx.de>

Source: openldap
Version: 2.4.17-2
Severity: minor
User: peter.fritzsche at gmx.de
Usertags: no-add-needed

Tried to build your package and it fails to build with GNU binutils-gold. The
important difference is that --no-add-needed is the default behavior of
GNU binutils-gold. Please provide all needed libraries to the linker when
building your executables.

It is maybe better in your case that libldap.so gets linked against the needed
libraries to fix that problem. You can use --no-undefined (or respective
-Wl,--no-undefined when linking with g++ or gcc) to check your libraries if
they still have symbols which don't get resolved by them. dpkg-shlibdeps will
also print warnings about unresolved symbols when it gets run in your
debian/rules.

More information can be found at
http://wiki.debian.org/qa.debian.org/FTBFS#A2009-11-02Packagesfailingbecausebinutils-gold.2BAC8-indirectlinking

/bin/sh ../../libtool --mode=link cc -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -O2 -o apitest apitest.o libldap.la ../../libraries/liblber/liblber.la ../../libraries/liblutil/liblutil.a -lsasl2 -lgnutls -lcrypt -lresolv
libtool: link: cc -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -O2 -o .libs/apitest apitest.o ./.libs/libldap.so ../../libraries/liblber/.libs/liblber.so ../../libraries/liblutil/liblutil.a /usr/lib/libsasl2.so /usr/lib/libgnutls.so -lcrypt -lresolv
/usr/bin/ld: ./.libs/libldap.so: error: undefined reference to 'gcry_control'
collect2: ld returned 1 exit status
make[3]: *** [apitest] Error 1

From owner at bugs.debian.org Thu Nov 12 10:06:05 2009
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 12 Nov 2009 10:06:05 +0000
Subject: [Pkg-openldap-devel] Processed: tagging 555867
In-Reply-To: <1258019846-3222-bts-vorlon@debian.org>
References: <1258019846-3222-bts-vorlon@debian.org>
Message-ID:

Processing commands for control at bugs.debian.org:

> tags 555867 confirmed
Bug #555867 [src:openldap] FTBFS with binutils-gold
Added tag(s) confirmed.
>
End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

From noreply at release.debian.org Sat Nov 14 16:39:28 2009
From: noreply at release.debian.org (Debian testing watch)
Date: Sat, 14 Nov 2009 16:39:28 +0000
Subject: [Pkg-openldap-devel] openldap 2.4.17-2.1 MIGRATED to testing
Message-ID:

FYI: The status of the openldap source package
in Debian's testing distribution has changed.

  Previous version: 2.4.17-1
  Current version: 2.4.17-2.1

--
This email is automatically generated once a day. As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See http://release.debian.org/testing-watch/ for more information.

From giuseppe at iuculano.it Mon Nov 16 18:28:11 2009
From: giuseppe at iuculano.it (Giuseppe Iuculano)
Date: Mon, 16 Nov 2009 19:28:11 +0100
Subject: [Pkg-openldap-devel] openldap DSA
Message-ID: <4B0199BB.7040806@iuculano.it>

Hi,

I'm preparing a DSA for openldap. It would be helpful, if you can take a look at
the debdiff and test the packages[1].

Any comments would be appreciated.

[1]http://sd6.iuculano.it/sec/openldap/

Cheers,
Giuseppe.

From javibarroso at gmail.com Wed Nov 25 12:21:09 2009
From: javibarroso at gmail.com (Javier Barroso)
Date: Wed, 25 Nov 2009 13:21:09 +0100
Subject: [Pkg-openldap-devel] How to do TLSVerifyClient demand in slapd.conf works ?
Message-ID: <81c921f30911250421t5cf07e1as871809bceb32f63@mail.gmail.com>

Hi,

First, sorry if this is not the correct list.

I'm trying to configure ldap + starttls server. I tried various slapd
versions from etch, lenny and squeeze, but no luck. Finally now I'm trying
compiling with openssl and not with gnutls (the problem is the same).

I don't know what I am doing wrong:

1. Create CA. cacert-company.pem is generated

# CA.pl -newca

2. Create ldap.company.com certificate (finally named
ldap-company-{cert,key}.pem)

# CA.pl -newreq
# CA.pl -sign
# openssl rsa -in newcert.pem -out newcert-without-password.pem

3. Create client certificate (client-{cert,key}.pem) (steps idem to 2.)

Now I configure my slapd.conf:

#grep TLS /etc/ldap/slapd.conf
TLSCACertificateFile /etc/ldap/tls/cacert-company.pem
TLSCertificateFile /etc/ldap/tls/ldap-company-cert.pem
TLSCertificateKeyFile /etc/ldap/tls/ldap-company-key.pem
TLSVerifyClient allow

Then configure my ldap.conf from client:

TLS_CACERT /etc/ca-certificates/company/cacert-company.pem
TLS_CERT /etc/ssl/client-cert.pem
TLS_KEY /etc/ssl/private/client-key.pem
TLS_REQCERT demand

After restart slapd, I try search with ldapsearch works and tcpdump shows
ssl traffic:

ldapsearch -x -h ldap.company.com -b 'dc=company,dc=com' uid=jbarroso uid -ZZ

result: 0 Success
# numResponses: 2
# numEntries: 1

If I change from "TLSVerifyClient allow" to "TLSVerifyClient demand",
ldapsearch command fails and finishes:

...
tls_write: want=6, written=6
0000: 14 03 01 00 01 01 ......
tls_write: want=197 error=Broken pipe
TLS: can't connect: Error in the push function..
ldap_err2string
ldap_start_tls: Connect error (-11)

I compiled slapd from deb-src with openssl support and the same result but
other client error:

TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 28 .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
ldap_err2string
ldap_start_tls: Connect error (-11)

I read http://www.openldap.org/lists/openldap-software/200703/msg00253.html,
but I would like to understand why this config is not working.

I tested certificates with gnutls-serv / gnutls-cli and with these certs
work fine.

So, this is a known bug, should I report this mail, or did I miss something
to configure?

A guy in debian IRC pointed me to ldap faq [1], but I would like to use ldap
from your packages (and I think this is not a package issue)

Thank you very much

[1] http://www.openldap.org/faq/data/cache/1456.html

From ntyni at debian.org Mon Nov 30 10:08:20 2009
From: ntyni at debian.org (Niko Tyni)
Date: Mon, 30 Nov 2009 12:08:20 +0200
Subject: [Pkg-openldap-devel] Bug#327585: embedding perl, libltdl and RTLD_GLOBAL
Message-ID: <20091130100820.GA23175@kuusama.it.helsinki.fi>

Hi,

I've been looking at the "libltdl and RTLD_GLOBAL" issue with embedding
perl in a dlopen'd plugin. An instance of this with freeradius is #416266
(recently reassigned to perl), and I see #327585 against openldap is
another one.

To recap, the problem is that lt_dlopen() from the Debian system libltdl
has called dlopen(3) with RTLD_LOCAL instead of RTLD_GLOBAL ever since
#195821 was fixed. As the compiled XS modules aren't linked against
libperl, its symbols aren't exposed to them, resulting in errors like
'/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp'.

Observations:

- this problem isn't specific to perl and can easily be triggered with
  the freeradius rlm_python module too [1]

- it's clearly possible to dlopen() compiled Perl modules from a dlopen'd
  module if you don't use libltdl, see apache2+libapache2-mod-perl2 for
  an example

- the XS modules are actually plugins in a private directory, not generic
  shared libraries. Having unresolved symbols in a plugin without a
  corresponding NEEDED entry seems to be very common, see for example
  /usr/lib/apache2/modules, /usr/lib/python2.5/lib-dynload/,
  /usr/lib/cdebconf etc.

- as noted in #327585, linking the XS shared objects against libperl
  is potentially a problem on *i386, where /usr/bin/perl is statically
  linked with libperl.a for performance reasons.

  (I don't have any data about these performance reasons myself, I'm
  relying on hearsay and /usr/share/doc/perl/README.Debian.gz here.)

  While this does seem to work in a quick and limited test of mine,
  it would bring in both libperl.a and libperl.so for all uses of
  /usr/bin/perl that need XS modules, and I'm not sure which version of
  the functions would get used later. If the PIC versions win, we'd
  be giving away the performance benefit we got from static linking in
  the first place.

  At the very least, it would add 1.5M to the size of the perl-base
  package on i386 AFAICS. I'm not sure how much the memory footprint
  of the /usr/bin/perl invocations would increase.

  Also note that we currently ship /usr/lib/libperl.a on all the
  architectures, so everything that applies to the i386 /usr/bin/perl
  case applies to anybody using the static library on the other archs too.

  Given that i386 is still our most popular architecture, the other
  proposed options don't seem very appealing either:

  * only link the modules against libperl.so on the other architectures
    (no fix for i386)
  * link /usr/bin/perl dynamically on i386 too
    (reduced performance in the very common case for the benefit
    of a very uncommon case)

- it turns out libltdl nowadays does have an interface where you can
  specify RTLD_GLOBAL. From the libtool Changelog.2007:

  2007-05-08 Gary V. Vaughan

  Without this patch, lt_dlopen always opens modules with symbol
  visibility set according to the underlying implementation. Here,
  we add lt_dlopenadvise() to allow callers to request, among other
  things, local or global symbol visibility from the underlying
  dlloader:

Indeed, the attached proof of concept makes the freeradius problem go
away for me, and I expect openldap could work with something similar.

(FWIW, note that the trivial my_dlopenextglobal() function was adapted
from the libtool documentation, so it might be considered to be under
the GFDL.)

Josip: based on the above, I think #416266 should be fixed in freeradius
and not in perl. If you agree, please reassign back yourself.

[1]: add python to the instantiate{} block in radiusd.conf and something like

# cat /etc/freeradius/modules/python
python {
        mod_instantiate = radiusd_test
        func_instantiate = instantiate
}

# cat /usr/local/lib/python2.5/site-packages/radiusd_test.py
import sys
import socket
def instantiate(test):
    sys.stderr.write("hello, world!")

and you get

rlm_python:EXCEPT:: /usr/lib/python2.5/lib-dynload/_socket.so: undefined symbol: PyExc_ValueError
rlm_python:python_load_function: failed to import python function 'radiusd_test.instantiate'

--
Niko Tyni ntyni at debian.org

From ntyni at debian.org Sun Nov 29 20:10:30 2009
From: ntyni at debian.org (Niko Tyni)
Date: Sun, 29 Nov 2009 22:10:30 +0200
Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
Message-ID:

Proof of concept for fixing http://bugs.debian.org/416266
--- src/main/modules.c | 17 ++++++++++++++++- 1 files changed, 16 insertions(+), 1 deletions(-) diff --git a/src/main/modules.c b/src/main/modules.c index ea1c256..7a93b0e 100644 --- a/src/main/modules.c +++ b/src/main/modules.c @@ -391,6 +391,21 @@ int detach_modules(void) } +static lt_dlhandle my_dlopenextglobal (const char *filename) +{ + lt_dlhandle handle = 0; + lt_dladvise advise; + + if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise) + && !lt_dladvise_global (&advise)) + handle = lt_dlopenadvise (filename, advise); + + lt_dladvise_destroy (&advise); + + return handle; +} + + /* * Find a module on disk or in memory, and link to it. */ @@ -411,7 +426,7 @@ static module_entry_t *linkto_module(const char *module_name, /* * Keep the handle around so we can dlclose() it. */ - handle = lt_dlopenext(module_name); + handle = my_dlopenextglobal(module_name); if (handle == NULL) { cf_log_err(cf_sectiontoitem(cs), "Failed to link to module '%s': %s\n", -- 1.6.5.2 --gKMricLos+KVdGMg--
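
Review bot: In the first hunk (@@ -391,6 +391,21 @@), my_dlopenextglobal() calls lt_dladvise_destroy (&advise) unconditionally, so when lt_dladvise_init (&advise) fails the destroy runs on an advise that was declared but never initialised. Track whether init succeeded and destroy only in that case. The diffstat also shows modules.c as the only file touched, so nothing guards the build against a libltdl that predates lt_dlopenadvise(); a configure-time check with a fallback to lt_dlopenext() would keep older systems building.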
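
Review bot: In the second hunk (@@ -411,7 +426,7 @@), linkto_module() now passes every module through my_dlopenextglobal(module_name), so all modules are opened with global symbol visibility, not only the ones that embed an interpreter. With global visibility a symbol exported by one module becomes a candidate when resolving names for modules loaded afterwards, and identically named symbols in unrelated modules can bind to the wrong definition. Consider keeping lt_dlopenext(module_name) as the default and requesting global visibility only for the modules that need it (the thread names the perl and python ones), selected by a per-module flag or configuration item.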