Issue 7262 - slapo-ppolicy overlay cannot use a policy stored in a different backend from the account that it controls
Summary: slapo-ppolicy overlay cannot use a policy stored in a different backend from ...
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: overlays (show other issues)
Version: 2.4.26
Hardware: All All
: --- normal
Target Milestone: 2.5.2
Assignee: Ondřej Kuzník
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-02 20:00 UTC by Andrew Findlay
Modified: 2021-02-26 23:35 UTC (History)

See Also:


Description Andrew Findlay 2012-05-02 20:00:00 UTC
Full_Name: Andrew Findlay
Version: 2.4.26
OS: OpenSuSE 11.4
URL: ftp://ftp.openldap.org/incoming/andrew-findlay-2012050201.tar
Submission from: (NULL) (2a01:348:28c:1::94)


I have a setup where several OUs share a server, with one backend database per OU.
Config data like password policies and service accounts is in another backend DB.
The password policies do not work unless they are copied into each backend DB.

The attached tar contains a full test to demonstrate the problem.
Here is a summary of the README:

There are two databases, for suffixes dc=a,dc=example,dc=org and
dc=zzz,dc=example,dc=org (note different length, which helps later).
There are two accounts - a1 and zzz1 - each stored in a different backend database.
Both accounts are locked with 'pwdAccountLockedTime: 00000101000000Z'.

Each database uses the ppolicy overlay, and both have
cn=ppol-a,dc=a,dc=example,dc=org
as the default policy.

The run-test script does this:

        echo "Binding as a1"
        ldapwhoami -x -D uid=a1,dc=a,dc=example,dc=org  -w "secret"

        echo "Binding as zzz1"
        ldapwhoami -x -D uid=zzz1,dc=zzz,dc=example,dc=org  -w "secret"

Both accounts are locked so both should fail to bind.
In practice a1 fails correctly, but zzz1 binds.

If you run slapd with debug:

./start-slapd -d 65535

you can see some clues:

=> bdb_entry_get: found entry: "uid=zzz1,dc=zzz,dc=example,dc=org"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=ppol-a,dc=a,dc=example,dc=org"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ppol-a,dc=a,dc=example,dc=org")
=> hdb_dn2id("a,dc=a,dc=example,dc=org")
--------------^^
INVALID DN
<= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
=> bdb_entry_get: cannot find entry: "cn=ppol-a,dc=a,dc=example,dc=org"

The corresponding lines for a1 are:

=> bdb_entry_get: found entry: "uid=a1,dc=a,dc=example,dc=org"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=ppol-a,dc=a,dc=example,dc=org"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ppol-a,dc=a,dc=example,dc=org")
=> hdb_dn2id("cn=ppol-a,dc=a,dc=example,dc=org")


The big clue here is this line:
=> hdb_dn2id("a,dc=a,dc=example,dc=org")

The invalid DN has the same length as the suffix of the other DB:
a,dc=a,dc=example,dc=org
dc=zzz,dc=example,dc=org

I think the overlay is looking for cn=ppol-a,dc=a,dc=example,dc=org in the DB
containing dc=zzz,dc=example,dc=org.

Andrew
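To make the reporter's diagnosis concrete, here is an added Python model (constructed for this page, not OpenLDAP code) of the two backends, two locked accounts and the shared default policy from the report. `fetch_in_backend` reproduces the debug-log symptom: a backend handed a DN from another naming context peels off `len(suffix)` trailing bytes and is left with the invalid fragment `a,dc=a,dc=example,dc=org`. `bind_check_buggy` then shows the consequence the report describes (policy not found, so the locked zzz1 account binds), and `bind_check_fixed` shows the behaviour named in the fix commit, where the policy DN is resolved in the backend whose suffix it actually lies under. All function names and the byte-length peeling are this illustration's assumptions, not OpenLDAP's internals.

```python
"""Model of the ITS#7262 symptom and fix. Constructed illustration, not OpenLDAP code."""

# Backends, entries and the default policy are taken from the bug report.
# Both accounts carry the lock attribute quoted in the report.
BACKENDS = {
    "dc=a,dc=example,dc=org": {
        "uid=a1,dc=a,dc=example,dc=org": {"pwdAccountLockedTime": "00000101000000Z"},
        "cn=ppol-a,dc=a,dc=example,dc=org": {"objectClass": "pwdPolicy"},
    },
    "dc=zzz,dc=example,dc=org": {
        "uid=zzz1,dc=zzz,dc=example,dc=org": {"pwdAccountLockedTime": "00000101000000Z"},
    },
}
DEFAULT_POLICY = "cn=ppol-a,dc=a,dc=example,dc=org"   # the shared ppolicy_default DN


def split_rdns(dn):
    """Split a DN into normalised RDNs. Simplification: these DNs have no escaped commas."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_in_suffix(dn, suffix):
    """True if `dn` is at or below `suffix`, compared RDN by RDN rather than by byte length."""
    d, s = split_rdns(dn), split_rdns(suffix)
    return len(s) <= len(d) and d[len(d) - len(s):] == s


def backend_for(dn):
    """Select the backend whose suffix the DN lies under (longest suffix wins), or None."""
    matches = [s for s in BACKENDS if dn_in_suffix(dn, s)]
    return max(matches, key=lambda s: len(split_rdns(s))) if matches else None


def fetch_in_backend(dn, suffix):
    """Assumed model of the hdb_dn2id lines in the log: the backend treats the last
    len(suffix) bytes of the DN as its own suffix. For a DN from another naming
    context that tail is garbage, the lookup fails, and the garbage is what the
    log printed. Returns (dn_as_seen_by_backend, entry_or_None)."""
    tail = dn[len(dn) - len(suffix):]
    if tail.lower() != suffix.lower():
        return tail, None            # "INVALID DN" / DB_NOTFOUND in the report's log
    return dn, BACKENDS[suffix].get(dn)


def evaluate_bind(account, policy):
    """Behaviour observed in the report: with no policy found, no lockout is applied."""
    if policy is None:
        return "bind ok (policy not found, lockout skipped)"
    return "bind refused (locked)" if "pwdAccountLockedTime" in account else "bind ok"


def bind_check_buggy(account_dn):
    """Pre-fix behaviour: the policy is looked up in the backend holding the *account*.
    Returns (bind outcome, DN the backend actually tried to resolve)."""
    suffix = backend_for(account_dn)
    account = BACKENDS[suffix][account_dn]
    seen, policy = fetch_in_backend(DEFAULT_POLICY, suffix)
    return evaluate_bind(account, policy), seen


def bind_check_fixed(account_dn):
    """Post-fix behaviour (ITS#7262): resolve the policy DN in its own backend."""
    account = BACKENDS[backend_for(account_dn)][account_dn]
    _, policy = fetch_in_backend(DEFAULT_POLICY, backend_for(DEFAULT_POLICY))
    return evaluate_bind(account, policy)


if __name__ == "__main__":
    for dn in ("uid=a1,dc=a,dc=example,dc=org", "uid=zzz1,dc=zzz,dc=example,dc=org"):
        outcome, seen = bind_check_buggy(dn)
        print(f"buggy  {dn}: {outcome}  [backend looked up {seen!r}]")
        print(f"fixed  {dn}: {bind_check_fixed(dn)}")
```

`dn_in_suffix(DEFAULT_POLICY, suffix)` doubles as the configuration check an administrator on a pre-fix release would want: if it is false for any backend that sets `ppolicy_default` to that DN, lockouts in that backend depend on the policy being found across backends, which is exactly the case the report shows failing.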
Comment 1 OpenLDAP project 2017-04-12 21:05:10 UTC
Test case provided
Comment 2 Quanah Gibson-Mount 2017-04-12 21:05:10 UTC
changed notes
moved from Incoming to Software Bugs
Comment 3 Quanah Gibson-Mount 2021-02-22 17:40:12 UTC
Ondrej to examine if this is already fixed with ppolicy10.  If it isn't or is not a simple fix, will move out to 2.6
Comment 5 Quanah Gibson-Mount 2021-02-24 23:14:58 UTC
Commits:
  • 38ea26b3
by Ondřej Kuzník at 2021-02-24T22:15:48+00:00
ITS#7262 Retrieve the policy from the correct backend