Incoming/7439
Date: Thu, 15 Nov 2012 21:24:06 +0000
From: glen@delfi.ee
To: openldap-its@OpenLDAP.org
Subject: crash in rwm when tree is syncrepl synced and database ldap with rwm inside same tree
Full_Name: Elan Ruusamäe
Version: 2.4.33
OS: PLD Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.131.56.149)

I'm setting up my tree so that People has one subtree via database ldap as ou=something,ou=People,dc=example (subordinate), and I also have the whole dc=example set up as a syncrepl replica. If I have both (syncrepl and the database ldap) enabled, slapd crashes. Also, the database ldap is rwm-rewritten to match the tree it's linked into.

--- slapd.conf ---:
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/rfc2739.schema
include /usr/share/openldap/schema/courier.schema
include /usr/share/openldap/schema/horde.schema
include /usr/share/openldap/schema/openssh-lpk.schema
include /usr/share/openldap/schema/samba.schema
include /usr/share/openldap/schema/sudo.schema
include /etc/openldap/schema/local.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
allow bind_v2
loglevel -1
modulepath /usr/lib64/openldap
moduleload back_bdb.la
moduleload back_ldap.la
moduleload back_monitor.la
moduleload back_relay.la
moduleload rwm.la
moduleload syncprov.la
moduleload translucent.la
include /etc/openldap/slapd-ad.conf
include /etc/openldap/slapd-db.conf

--- slapd-ad.conf ---:
database ldap
suffix "ou=Basement,ou=People,dc=example,dc=net"
uri "ldap://a.b.c.d/"
idassert-bind bindmethod=simple binddn=CN=glen,OU=Serviceaccounts,OU=Technical,DC=example,DC=org credentials=OBFUSCATED
idle-timeout 1800
subordinate
chase-referrals no
rebind-as-user yes
overlay rwm
rwm-suffixmassage "ou=Basement,ou=People,dc=example,dc=net" "ou=Technical,dc=example,dc=org"
rwm-map objectclass account user
rwm-map attribute uidNumber employeeID
rwm-map attribute gidNumber primaryGroupID
rwm-map attribute uid sAMAccountName
rwm-map attribute physicalDeliveryOfficeName
rwm-map attribute cn name
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute company company
rwm-map attribute entry entry
rwm-map attribute title title
rwm-map attribute givenName givenName
rwm-map attribute homeDirectory homeDirectory
rwm-map attribute displayName displayName
rwm-map attribute dn distinguishedName
rwm-map attribute userPassword unicodePassword
rwm-map attribute departmentNumber department
rwm-map attribute member member
rwm-map attribute manager managedby
rwm-map attribute sambaProfilePath profilePath
rwm-map attribute *

--- slapd-db.conf ---:
database bdb
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
rootpw OBFUSCATED
directory /var/lib/openldap-data
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_bsize 2097152
include /etc/openldap/slapd-syncrepl.conf

--- slapd-syncrepl.conf ---:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
sizelimit 10000
syncrepl rid=7
  provider=ldap://ldap
  searchbase="dc=example,dc=net"
  type=refreshOnly
  interval=00:00:01:00
  retry="120 +"
  scope=sub
  attrs="*"
  bindmethod=simple
  binddn="cn=replica,ou=Service Users,dc=example,dc=net"
  credentials=OBFUSCATED

Trace obtained as follows (although glibc MALLOC_CHECK_ kicks in and gdb has no chance):

# gdb --args slapd -u slapd -g slapd -h "ldap:/// ldapi:///" -d -1
(gdb) r
...
50a55ca9 => access_allowed: search access to "uid=user1,ou=People,dc=example,dc=net" "entryUUID" requested
50a55ca9 <= root access granted
50a55ca9 => access_allowed: search access granted by manage(=mwrscxd)
50a55ca9 <= test_filter 6
50a55ca9 => bdb_dn2id_children("uid=user1,ou=people,dc=example,dc=net")
50a55ca9 <= bdb_dn2id_children("uid=user1,ou=people,dc=example,dc=net"): no (-30989)
50a55ca9 send_ldap_result: conn=-1 op=0 p=3
50a55ca9 send_ldap_result: err=0 matched="" text=""
50a55ca9 ==> rewrite_context_apply [depth=1] string='ou=Basement,ou=People,dc=example,dc=net'
50a55ca9 ==> rewrite_rule_apply rule='((.+),)?ou=Basement,[ ]?ou=People,[ ]?dc=delfi,[ ]?dc=net$' string='ou=Basement,ou=People,dc=example,dc=net' [1 pass(es)]
50a55ca9 ==> rewrite_context_apply [depth=1] res={0,'ou=Serviceaccounts,ou=Technical,dc=example,dc=org'}
50a55ca9 [rw] searchDN: "ou=Basement,ou=People,dc=example,dc=net" -> "ou=Serviceaccounts,ou=Technical,dc=example,dc
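The report above describes a configuration that takes slapd down: a subordinate `database ldap` with the rwm overlay glued into a tree that a syncrepl consumer also replicates. The following checker is an added example, not code from the report or from OpenLDAP; it parses slapd.conf-style text (the real `database`, `suffix`, `subordinate`, `overlay` and `syncrepl` directives, with continuation lines folded the way slapd does) and flags that combination before the config is deployed. The sample config is constructed to mirror the report with `include` files flattened inline, and `find_its7439_pattern` is a name chosen here, not an OpenLDAP function.

```python
"""Added example (not from the ITS report): flag the slapd.conf pattern
described in ITS#7439 -- a subordinate ``database ldap`` running the rwm
overlay whose suffix lies inside the searchbase of a syncrepl consumer."""

import re
import shlex

# Constructed sample mirroring the report's three files, flattened inline.
# Anything the report obfuscated is left out or given a placeholder.
SAMPLE_CONF = """
moduleload back_bdb.la
moduleload back_ldap.la
moduleload rwm.la
moduleload syncprov.la
database ldap
suffix "ou=Basement,ou=People,dc=example,dc=net"
uri "ldap://a.b.c.d/"
subordinate
overlay rwm
rwm-suffixmassage "ou=Basement,ou=People,dc=example,dc=net" "ou=Technical,dc=example,dc=org"
database bdb
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
overlay syncprov
syncrepl rid=7
  provider=ldap://ldap
  searchbase="dc=example,dc=net"
  type=refreshOnly
"""


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDNs so suffixes compare."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_within(child, parent):
    """True if `child` equals `parent` or sits anywhere below it."""
    child, parent = normalize_dn(child), normalize_dn(parent)
    return child == parent or child.endswith("," + parent)


def parse_slapd_conf(text):
    """Split slapd.conf text into one dict per ``database`` section.

    slapd.conf continues a directive on the next line when that line
    starts with whitespace, so such lines are folded back first.  Each
    database records its type, suffix, subordinate flag, overlays and any
    syncrepl consumer searchbase; global directives are skipped."""
    folded = re.sub(r"\n[ \t]+", " ", text)
    databases, current = [], None
    for raw in folded.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # honours the "..." quoting
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "database":
            current = {"type": args[0], "suffix": None, "subordinate": False,
                       "overlays": [], "syncrepl_searchbase": None}
            databases.append(current)
        elif current is None:
            continue
        elif directive == "suffix":
            current["suffix"] = args[0]
        elif directive == "subordinate":
            current["subordinate"] = True
        elif directive == "overlay":
            current["overlays"].append(args[0])
        elif directive == "syncrepl":
            for kv in args:                 # rid=7 searchbase=... type=...
                key, _, value = kv.partition("=")
                if key == "searchbase":
                    current["syncrepl_searchbase"] = value
    return databases


def find_its7439_pattern(databases):
    """Return (consumer_suffix, glue_suffix) pairs for every syncrepl
    consumer whose searchbase covers a subordinate ldap+rwm backend."""
    hits = []
    consumers = [db for db in databases if db["syncrepl_searchbase"]]
    glued = [db for db in databases
             if db["type"] == "ldap" and db["subordinate"]
             and "rwm" in db["overlays"] and db["suffix"]]
    for consumer in consumers:
        for glue in glued:
            if dn_within(glue["suffix"], consumer["syncrepl_searchbase"]):
                hits.append((consumer["suffix"], glue["suffix"]))
    return hits


if __name__ == "__main__":
    for consumer, glue in find_its7439_pattern(parse_slapd_conf(SAMPLE_CONF)):
        print("syncrepl consumer %s also covers subordinate ldap+rwm backend %s"
              % (consumer, glue))
```

Run against the sample it reports the one pairing from the report; moving the consumer's `searchbase` to a subtree that does not contain the ldap backend's suffix produces no hit, which is the check a deployment pipeline would want before restarting slapd with a changed config.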
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org