On 08/22/2011 02:51 PM, Anthony Messina wrote:
> On 08/16/2011 04:40 PM, Rich Megginson wrote:
>> On 08/16/2011 03:33 PM, Anthony Messina wrote:
>>> On 08/16/2011 03:25 PM, Rich Megginson wrote:
>>>>> I haven't filed a bug yet as I am working on a virtual environment to
>>>>> test, which I'm sure you'll want me to, in order to be able to
>>>>> replicate the issue ;)
>>>> Indeed, yes, please let us know asap.
>>> Sure. If you know the settings I need to enable to increase logging, as
>>> well as what you would need for this type of problem, etc., please let
>>> me know as this will greatly speed up my ability to provide useful
>>> information. -A
>> If it is aci related, there are two:
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>> 128 Access control list processing (very detailed!)
>> 262144 ACI summary information
>>
>> probably the latter for starters. Otherwise, just a way to reproduce
>> the problem in a few steps. If you do get the server to hang, follow
>> the steps at
>> http://directory.fedoraproject.org/wiki/FAQ#Debugging_Crashes except
>> that, instead of a core file, pass in the process id of the running slapd.
> I've tried to reproduce this issue in a virtual host and I can reproduce
> it, when error logging is basically off. Using either 128 or
> 262144 slows things down, but I don't get the server hang.
>
> Steps to reproduce:
> 1) Install 389-ds-base and admin-serv with setup-ds-admin.pl, option 2.
>
> 2) Remove the "Allow anonymous access" ACI from the root entry
>
> 3) Start doing some searches.
>
> Wait for the server to stop accepting requests. Again, with
> nsslapd-errorlog-level set to > 0, I cannot reproduce the problem.

I'm using the latest code on RHEL 6.1 x86_64.
This is what I did:

setup-ds.pl - use suffix dc=example,dc=com

after the server starts, use ldapmodify:

    dn: dc=example,dc=com
    changetype: modify
    delete: aci
    aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)

Then did a bunch of subtree scope searches from dc=example,dc=com - as
directory manager and as root

No hang.

How long does it take for you to see hangs? You say "Wait for the
server to stop accepting requests" - how long do you wait?

Any chance you could use gdb to get a stack trace of the server while it
is hung? Basically, following the directions at
http://directory.fedoraproject.org/wiki/FAQ#Debugging_Crashes except do

    ps -ef|grep ns-slapd

to get the pid, then use

    gdb /usr/sbin/ns-slapd $pid

> Does anyone else remove the "Allow anonymous" ACI from the root entry?
>
> My goal is to only allow anonymous access to hosts from inside the LAN
> using dns= or ip= entries.
>

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
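
An added example, not part of the original thread: one way to express the goal stated above (anonymous read access only from the LAN) as a single ldapmodify change that swaps the open ACI for an ip-restricted one. The 192.0.2.* range, the *.lan.example.com pattern and the ACL name are assumed placeholders; the suffix and the deleted ACI value are the ones used in the reply.

```ldif
# Added example (assumptions: LAN range 192.0.2.*, ACL name chosen here).
#
# Before: the ACI being deleted allows read/search/compare to "anyone"
# from any client address.
# After: the same rights are granted only when the client address also
# matches the ip bind rule.
#
# userdn="ldap:///anyone" matches anonymous and authenticated binds alike,
# so clients outside the range get nothing from this ACI; authenticated
# access from elsewhere has to come from other ACIs on the tree.
#
# A host-name variant would use dns="*.lan.example.com" in place of the
# ip rule. It depends on the server resolving the client address back to
# a name, so it is only as trustworthy as the reverse DNS it relies on.
#
# The delete value must match the stored ACI exactly, otherwise the
# whole modify is rejected and neither change is applied.
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
-
add: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access from LAN only"; allow (read, search, compare) userdn="ldap:///anyone" and ip="192.0.2.*";)
```

Doing the delete and the add in one modify operation avoids a window in which the suffix has no anonymous-read ACI at all, the state in which the hang in this thread was reported.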