On 08/22/2011 02:51 PM, Anthony Messina wrote:
On 08/16/2011 04:40 PM, Rich Megginson wrote:
> On 08/16/2011 03:33 PM, Anthony Messina wrote:
>> On 08/16/2011 03:25 PM, Rich Megginson wrote:
>>>> I haven't filed a bug yet as I am working on a virtual environment to
>>>> test, which I'm sure you'll want me to, in order to be able to
>>>> the issue ;)
>>> Indeed, yes, please let us know asap.
>> Sure. If you know the settings I need to enable to increase logging, as
>> well as what you would need for this type of problem, etc., please let
>> me know as this will greatly speed up my ability to provide useful
>> information. -A
> If it is aci related, there are two:
> 128 Access control list processing (very detailed!)
> 262144 ACI summary information
> probably the latter for starters. Otherwise, just a way to reproduce
> the problem in a few steps. If you do get the server to hang, follow
> the steps at
> that, instead of a core file, pass in the process id of the running slapd.
I've tried to reproduce this issue in a virtual host and I can reproduce
it, when error logging is basically off. Using either 128 or
262144 slows things down, but I don't get the server hang.
Steps to reproduce:
1) Install 389-ds-base and admin-serv with setup-ds-admin.pl, option 2.
2) Remove the "Allow anonymous access" ACI from the root entry
3) Start doing some searches.
Wait for the server to stop accepting requests. Again, with
nsslapd-errorlog-level set to > 0, I cannot reproduce the problem.
the latest code on RHEL 6.1 x86_64. This is what I did:
setup-ds.pl - use suffix dc=example,dc=com
after the server starts, use ldapmodify:
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous
access"; allow (read, search, compare) userdn="ldap:///anyone";)
Then did a bunch of subtree scope searches from dc=example,dc=com - as
directory manager and as root
No hang. How long does it take for you to see hangs? You say "Wait for
the server to stop accepting requests" - how long do you wait?
Any chance you could use gdb to get a stack trace of the server while it
is hung? Basically, following the directions at
ps -ef|grep ns-slapd
to get the pid, then use
gdb /usr/sbin/ns-slapd $pid
Does anyone else remove the "Allow anonymous" ACI from the
My goal is to only allow anonymous access to hosts from inside the LAN
using dns= or ip= entries.
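
An added example, not part of the original thread: an ldapmodify LDIF that swaps the anonymous-access ACI quoted above for one limited to LAN clients through ip= and dns= bind rules. The 192.168.1.* range, the *.example.com pattern and the new ACI name are constructed placeholders; the suffix and the original ACI text are the ones shown in the message above.

```ldif
# Added example (not from the thread). Apply with ldapmodify as Directory Manager.
# Assumptions: suffix dc=example,dc=com as in the message above;
# 192.168.1.* and *.example.com are constructed placeholders for the LAN.
#
# Step 1 removes the unrestricted anonymous ACI. The value must match the
# stored ACI exactly, so copy it from an ldapsearch of the entry if it differs.
# Step 2 adds an ACI that still matches userdn "anyone" (anonymous included)
# but only when the client address or its resolved host name is inside the LAN.
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
-
add: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access from LAN only"; allow (read, search, compare) userdn="ldap:///anyone" and (ip="192.168.1.*" or dns="*.example.com");)
```

The dns= rule depends on the server resolving the client address back to a host name, so ip= is the stronger of the two conditions when the LAN range is known.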