Issue 6347 - VLV search sometime fails with operation error #6349

progier389 · 2024-09-30T10:25:53Z

if enabling certificate pruning freeipa tests sometime fails because VLV search sometime fails with err=1 and
error logs show - ERR - vlv_build_idl - Can't follow db cursor (err -12797)
Cause: The end of records is reached when trying to get a record in vlv index using its position
Solution: avoid to return MDB_NOT_FOUND in such case but return the last record instead

Issue: #6347

Reviewed by: tbordaz (Thanks!)

ldap/servers/slapd/back-ldbm/db-mdb/mdb_layer.c

tbordaz · 2024-10-02T12:50:15Z

LGTM

tbordaz

LGTM

A better fix than PR 6349 about corrupted vlv cache Problem is a race condition because txn was released while building the cache. Solution keep the write txn open until the cache is fully rebuilt. Also fixed some debug logs And also added the source of a tool useful to check the vlv cache consistency Note: this remove PR #6349 and integrate PR #6356 Issue: #6347 Reviewed by @tbodaz (Thanks!)

A better fix than PR 6349 about corrupted vlv cache Problem is a race condition because txn was released while building the cache. Solution keep the write txn open until the cache is fully rebuilt. Also fixed some debug logs And also added the source of a tool useful to check the vlv cache consistency Note: this remove PR #6349 and integrate PR #6356 Issue: #6347 Reviewed by @tbodaz (Thanks!) (cherry picked from commit 8366819)

Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: 389ds#6349 Author: William Brown <william@blackhats.net.au> Review by: ???

@tbordaz

Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)

@tbordaz

Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)

@tbordaz

Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)

@tbordaz

Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)

@tbordaz

Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)

@tbordaz

Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)

@tbordaz

Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)

@tbordaz

Bug Description: slapd_SSL_client_auth uses the values of KeyExtractFile and CertExtractFile from the configuration entry, and each time it's called attempts to determine if this is an absolute or relative path. If the path is relative, it prepends a /tmp location based on if the running system /tmp is a private namespace or not. This causes a replication client that uses TLS certificate authentication to repeatedly emit warnings that the key extraction occurred to non-private tmp in a container. Fix Description: During key extraction, we extract keys and files using the "last token" from nss as the item that we extract. Because of this, we know that there can only be a single extracted key and cert, allowing us to extract these and store the full abs path of the extracted files rather than deriving them during each client iteration. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @tbordaz @progier389 @droideck (Thanks!)

Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: 389ds#6349 Author: William Brown <william@blackhats.net.au> Review by: ???

@progier389

Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz

@progier389

Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz

@progier389

Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz

@progier389

Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz

@progier389

Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz

@progier389

Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz

Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: After more testing, if the connection is dropped and restarted, the certpath is retrieved but re-extraction does not occur. This still triggers the warning however. To resolve this, we only warn about the tpm namespace during library initialisation. I really hope I got it right this time :( fixes: 389ds#6349 Author: William Brown <william@blackhats.net.au> Review by: ???

@progier389

Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz

@progier389

Bug Description: Keys/Certs are extracted to PEM repeatedly causing many warnings during outbound TLS authenticated replication Fix Description: slapd_ssl_init() is called every time an outbound TLS connection is made, and will trigger a key extraction. If key extraction is already complete then the extraction is skipped. fixes: #6349 Author: William Brown <william@blackhats.net.au> Review by: @progier389 @tbordaz

Issue 6347 - VLV search sometime fails with operation error

30a4ffd

progier389 linked an issue Sep 30, 2024 that may be closed by this pull request

VLV search sometime fails with operation error #6347

Closed

tbordaz reviewed Sep 30, 2024

View reviewed changes

ldap/servers/slapd/back-ldbm/db-mdb/mdb_layer.c Show resolved Hide resolved

tbordaz approved these changes Oct 2, 2024

View reviewed changes

progier389 merged commit d862f3a into 389ds:main Oct 2, 2024
197 checks passed

This was referenced Oct 8, 2024

Issue 6356 - On LMDB, after an update the impact VLV index, the vlv r… #6357

Merged

Issue 6347 - better fix for desyncronized vlv cache #6358

Merged

Firstyear mentioned this pull request Oct 16, 2024

Issue 6349 - RFE - Use previously extracted key path #6363

Merged

progier389 mentioned this pull request Oct 16, 2024

Code cleanup - wrong error message in ssl.c #6364

Open

Firstyear mentioned this pull request Nov 6, 2024

Issue 6340 - RFE - extract keys once (#6394) #6394

Merged

Firstyear mentioned this pull request Nov 21, 2024

Issue 6349 - RFE - extract keys once (#6363) (#6394) #6413

Merged

progier389 deleted the i6347 branch May 20, 2025 13:05

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Issue 6347 - VLV search sometime fails with operation error #6349

Issue 6347 - VLV search sometime fails with operation error #6349

Uh oh!

progier389 commented Sep 30, 2024 •

edited

Loading

Uh oh!

Uh oh!

tbordaz commented Oct 2, 2024

Uh oh!

tbordaz left a comment

Uh oh!

Uh oh!

Uh oh!

Issue 6347 - VLV search sometime fails with operation error #6349

Issue 6347 - VLV search sometime fails with operation error #6349

Uh oh!

Conversation

progier389 commented Sep 30, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

tbordaz commented Oct 2, 2024

Uh oh!

tbordaz left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

progier389 commented Sep 30, 2024 •

edited

Loading