OpenLDAP

Viewing Documentation/6181

From: daniel@pluta.biz
Subject: slapo-unique: slaptest fails in case unique_uri is prepended the keywords "strict" or "ignore"
Date: Thu, 18 Jun 2009 22:25:15 +0000
From: daniel@pluta.biz
To: openldap-its@OpenLDAP.org
Subject: slapo-unique: slaptest fails in case unique_uri is prepended the keywords "strict" or "ignore"
Full_Name: Daniel Pluta
Version: OPENLDAP_STABLE
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (91.12.203.84)


Hi,

from slapo-unique's manpage:

"... It is possible to set strict checking for the uniqueness domain by
prepending the keyword strict. ..."

I've tried to use "unique_uri strict ldap:///....." and/or "unique_uri ignore
ldap:///..." configuration syntax within slapd.conf. Both settings cause
slaptest to fail with the error message:

line 86: <strict> invalid ldap urilist

my slapd.conf's line 86 looks (similar) to this one:
unique_uri strict ldap:///dc=example,dc=com?uid?sub?(objectClass=account)

The error message disappears and slapd starts up only in case the keywords
"strict" and/or "ignore" get removed from slapd.conf again.


After a quick look into unique's source I think the problem's cause seems to be
located within/around the ConfigDriver function "unique_cf_uri", especially
regarding the section "case LDAP_MOD_ADD:"

        if ( c->line ) rc = unique_new_domain ( &domain, c->line, c );
        else rc = unique_new_domain ( &domain, c->argv[1], c );

I've added the following Debug statement
Debug ( LDAP_DEBUG_TRACE, "c->line: %s\n", c->line, NULL, NULL );
just before the above condition. The output results in the following trace
output:
==> unique_db_init
line 86 (unique_uri strict ldap:///dc=example,dc=com?uid?sub?(objectClass=account))
c->line: (null)
==> unique_new_domain <strict>

Because c->line is (null) only the else branch gets traversed... I don't
understand exactly why. I've always used c->argv[n] (never made use of
c->line) in the past.


Regarding the function:
unique_new_domain( unique_domain **domainp, char *domain_spec, ConfigArgs *c )

    if ( strncasecmp ( uri_start, "ignore ",
               STRLENOF( "ignore " ) ) == 0 ) {
        domain->ignore = 1;
        uri_start += STRLENOF( "ignore " );
    }
    if ( strncasecmp ( uri_start, "strict ",
               STRLENOF( "strict " ) ) == 0 ) {
        domain->strict = 1;
        uri_start += STRLENOF( "strict " );
        if ( !domain->ignore
             && strncasecmp ( uri_start, "ignore ",
                      STRLENOF( "ignore " ) ) == 0 ) {
            domain->ignore = 1;
            uri_start += STRLENOF( "ignore " );
        }
    }

I'm not sure whether I've understood the design idea correctly but in my opinion
the above strncasecmp-condition block shouldn't be located in this function. I
would suggest to not handle the parsing and differentiation between "strict |
ignore | ldap_uri" here. In my opinion this could also/better be handled in
advance; perhaps directly within the ConfigDriver function by using the already
parsed configuration tokens c->argv[n] instead of "c->line"?

BTW:
1.) initially using "unique_uri ldap:///...." in slapd.conf
2.) converting slapd.conf into slapd.d-format
3.) Starting slapd
4.) Editing olcUniqueURI online via cn=config:
    inserting "strict" here works fine (at least no error message is displayed ;-))

I've not tested whether the "strict" logic works correctly after these 4 steps.

Cheers
Daniel

Followup 1

Date: Mon, 3 Aug 2009 13:00:27 +0200 (CEST)
Subject: Re: (ITS#6181) slapo-unique: slaptest fails in case unique_uri is 
     prepended the keywords "strict" or "ignore"
From: masarati@aero.polimi.it
To: daniel@pluta.biz
Cc: openldap-its@openldap.org
The "strict" and the "ignore" keywords must be part of a single argument. 
In fact, the unique_uri statement only takes one argument, consisting of
the optional "strict" and "ignore" keywords followed by a list of URIs. 
In order to be recognized as a single argument, the whole thing needs to
be included in double quotes, like

unique_uri "strict ldap:///dc=example,dc=com?uid?sub?(objectClass=account)"

p.
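
Why the unquoted form is rejected while the quoted one is accepted, as an added example that is not part of this thread and not OpenLDAP's own code. `first_arg` and `check_unique_uri` are hypothetical names; the tokenizer and the final "ldap:///" prefix test are simplified stand-ins, and only the keyword handling follows the excerpt quoted in the report.

```c
#include <stdio.h>
#include <strings.h>
#define STRLENOF(s) (sizeof(s) - 1)
/* Simplified stand-in for the config tokenizer (an assumption): copy the
 * first argument after the directive name; a quoted run is one argument. */
static int first_arg(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    size_t n = 0;
    char end = ' ';
    if (outlen == 0) return -1;
    while (*p && *p != ' ') p++;              /* skip the directive name */
    while (*p == ' ') p++;
    if (!*p) return -1;
    if (*p == '"') { end = '"'; p++; }        /* quoted argument */
    while (*p && *p != end && n + 1 < outlen) out[n++] = *p++;
    out[n] = '\0';
    return 0;
}

/* Keyword handling as in the excerpt from the report. Returns 1 when the
 * remainder starts with "ldap:///" (hypothetical shortcut, not a URL parse). */
static int check_unique_uri(const char *line, int *strict, int *ignore)
{
    char arg[256];
    const char *uri_start = arg;
    *strict = *ignore = 0;
    if (first_arg(line, arg, sizeof(arg)) != 0) return 0;
    if (strncasecmp(uri_start, "ignore ", STRLENOF("ignore ")) == 0) {
        *ignore = 1;
        uri_start += STRLENOF("ignore ");
    }
    if (strncasecmp(uri_start, "strict ", STRLENOF("strict ")) == 0) {
        *strict = 1;
        uri_start += STRLENOF("strict ");
        if (!*ignore && strncasecmp(uri_start, "ignore ", STRLENOF("ignore ")) == 0) {
            *ignore = 1;
            uri_start += STRLENOF("ignore ");
        }
    }
    return strncasecmp(uri_start, "ldap:///", STRLENOF("ldap:///")) == 0;
}

int main(void)
{
    /* constructed line: unquoted keyword, so the argument is just "strict" */
    int s, i, ok = check_unique_uri("unique_uri strict ldap:///dc=example,dc=com?uid", &s, &i);
    printf("unquoted: ok=%d strict=%d ignore=%d\n", ok, s, i);
    return 0;
}
```

In the unquoted case the argument is the bare word "strict", which does not match the keyword "strict " (with its trailing space), so it falls through to the URI check and is rejected, matching the `<strict> invalid ldap urilist` message in the report.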



Followup 2

Date: Mon, 03 Aug 2009 15:04:46 +0200
From: Daniel Pluta <daniel@pluta.biz>
To: masarati@aero.polimi.it
CC: openldap-its@openldap.org
Subject: Re: (ITS#6181) slapo-unique: slaptest fails in case unique_uri is
      prepended the keywords "strict" or "ignore"
masarati@aero.polimi.it wrote:
> The "strict" and the "ignore" keywords must be part of a single argument. 
> In fact, the unique_uri statement only takes one argument, consisting of
> the optional "strict" and "ignore" keywords followed by a list of URIs. 
> In order to be recognized as a single argument, the whole thing needs to
> be included in double quotes, like
>
> unique_uri "strict ldap:///dc=example,dc=com?uid?sub?(objectClass=account)"
>
> p.
ahh I understand - this in mind the manpage makes sense, too. ;-)

unique_uri <[strict ][ignore ]URI[URI...]...>

Thanks a lot for the clarification!



Followup 3

Date: Mon, 3 Aug 2009 15:08:58 +0200 (CEST)
Subject: Re: (ITS#6181) slapo-unique: slaptest fails in case unique_uri is 
     prepended the keywords "strict" or "ignore"
From: masarati@aero.polimi.it
To: daniel@pluta.biz
Cc: openldap-its@openldap.org
The ITS remains open, as the man page clearly needs to be improved to
avoid any misunderstanding.  An example would probably suffice.

p.

> masarati@aero.polimi.it wrote:
>> The "strict" and the "ignore" keywords must be part of a single
>> argument.
>> In fact, the unique_uri statement only takes one argument, consisting of
>> the optional "strict" and "ignore" keywords followed by a list of URIs.
>> In order to be recognized as a single argument, the whole thing needs to
>> be included in double quotes, like
>>
>> unique_uri "strict ldap:///dc=example,dc=com?uid?sub?(objectClass=account)"
>>
>> p.
> ahh I understand - this in mind the manpage makes sense, too. ;-)
>
> unique_uri <[strict ][ignore ]URI[URI...]...>
>
> Thanks a lot for the clarification!


