Full_Name: Tim Watts
Version: 2.4.23
OS: Debian 6/amd64
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (81.2.78.46)

Hi,

We load slapd up with actual entries for the dc=new,dc=example,dc=com domain.
slapd is configured to map all records with rwm/relay to dc=old,dc=example,dc=com
so clients with the old config still work.

i.e. we load a real record:

1) dn: uid=testuser,ou=people,dc=new,dc=example,dc=com

and we want clients asking about

2) dn: uid=testuser,ou=people,dc=old,dc=example,dc=com

to be served from (1).

======== OK here's an example ================

=== Server ====

Running debian 6 server with debian slapd 2.4.23-7.2

/usr/sbin/slapd -d 4 -h "ldap:/// ldaps:/// ldapi:///" -g openldap -u openldap -f /etc/ldap/slapd.conf

=== Test client ===

Running test against the "old" realm:

ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com

# Enter the wrong password and it fails correctly and server runs OK.
# Enter the right password and the client says:

ldap_result: Can't contact LDAP server (-1)

Server says (last few lines from slapd):

[rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=old,dc=example,dc=com"
[rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com,0)
<= ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
=> bdb_entry_get: ndn: "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
==> hdb_bind: dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
send_ldap_result: err=0 matched="" text=""
=> bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
Segmentation fault

However, queries against the "new" domain work:

ldapwhoami -x -W -D uid=testuser,ou=people,dc=new,dc=example,dc=com
Enter LDAP Password:
dn:uid=testuser,ou=people,dc=new,dc=example,dc=com

If I disable ppolicy in slapd.conf, queries against the "old" domain work:

root@ldaptest1:/etc# ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com
Enter LDAP Password:
dn:uid=testuser,ou=people,dc=new,dc=example,dc=com

(the rewrite is not perfect - but that may not matter for my clients).

Almost certainly I have done something stupid - and it seems clear that ppolicy is being upset by the relay mappings.

Any ideas how to fix would be *very* welcome - I have been all over Google and the man pages.

All the best!

Tim

OK - boring stuff: slapd.conf

###########################################
#######################################################################
# Global Directives:

# Features to permit
allow bind_anon_cred bind_anon_dn update_anon

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/ppolicy.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        sync stats
sizelimit       5000
tool-threads    1

modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      back_relay
moduleload      rwm
moduleload      ppolicy

overlay rwm
rwm-rewriteEngine on

backend         hdb

#######################################################################
# Global ACLs
#
# Ensure read access to the base for things like
# supportedSASLMechanisms.
access to dn.base="" by * read

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# This ACL must be first or password leakage will happen!!!
access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" manage
        by dn="cn=admin,dc=new,dc=example,dc=com" manage
        by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write
        by self write
        by * auth

# The admin dn has full write access, everyone else
# can read everything. Local unix domain socket (root only)
# Can do everything
access to *
        by peername.path="/var/run/slapd/ldapi" manage
        by dn="cn=admin,dc=new,dc=example,dc=com" manage
        by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write
        by * read

#######################################################################
# Main new.example.com authoritative database
#
database        hdb
suffix          dc=new,dc=example,dc=com
rootdn          "cn=admin,dc=new,dc=example,dc=com"
rootpw          "{SSHA}NoNoNooo..."
directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 134217728 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
checkpoint      512 30

#######################################################################
#
# Password Policy
#
#
overlay ppolicy
ppolicy_default "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

#######################################################################
# Virtual maps - compatibility with old.example.com only
#
# map dc=old to dc=new
#
database relay
suffix          "dc=old,dc=example,dc=com"
relay           "dc=new,dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=new,dc=example,dc=com"
###########################################

Initial database loaded with slapadd from this ldif:

###########################################
dn: dc=new,dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: new.example.com
dc: new

dn: cn=admin,dc=new,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: NoNoNoooo...

dn: ou=people,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=pwpolicies,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: pwpolicies

#
#
# Standard policy for normal people
#
dn: cn=default,ou=pwpolicies,dc=new,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 15811200
pwdExpireWarning: 1814400
pwdGraceAuthnLimit: 3
pwdInHistory: 6
pwdCheckQuality: 2
pwdMaxFailure: 5
pwdMinLength: 8
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdFailureCountInterval: 300
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Test User
employeeType: Staff
gecos: Test User
gidNumber: 1000
givenName: Test
homeDirectory: /homes/testuser
loginShell: /bin/bash
mail: testuser@new.example.com
sn: User
uid: testuser
uidNumber: 1000
userPassword: {SSHA}NoNoNoooo...

dn: cn=ddh-staff,ou=groups,dc=new,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ddh-staff
description: Test Group
gidNumber: 1000
memberUid: testuser

dn: cn=sysadmin,ou=groups,dc=new,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: sysadmin
description: Staff: System Admin Group
gidNumber: 1001
memberUid: testuser
###########################################
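The DN rewrite behind the report's "[rw] bindDN: ... -> ..." lines (rwm-suffixmassage replacing the virtual dc=old suffix with the real dc=new one) and the two entry lookups ppolicy then performs (the bound entry and the ppolicy_default policy), modelled in Python as an added example. This is not code from the report or from OpenLDAP: the entries are a constructed subset of the report's LDIF, the DN normalization is a deliberate simplification (case-folding only, no full RFC 4514 handling), and every function name is my own. It is useful as an offline preflight check on an LDIF export before putting a relay + ppolicy setup in front of clients: it confirms that a bind DN presented under the virtual suffix maps onto an entry that really exists, and that the policy DN lives under the real suffix where the overlay will look for it.

```python
"""Added example (not OpenLDAP code): model rwm-suffixmassage and the lookups a
relayed bind triggers, and sanity-check an LDIF export against a relay config."""

import re

# Suffixes from the report's slapd.conf (relay "dc=old" -> real "dc=new").
REAL_SUFFIX = "dc=new,dc=example,dc=com"
VIRTUAL_SUFFIX = "dc=old,dc=example,dc=com"
PPOLICY_DEFAULT = "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com"

# Constructed subset of the report's LDIF; base64 ("::") values are kept as-is.
SAMPLE_LDIF = """\
dn: dc=new,dc=example,dc=com
objectClass: dcObject
dc: new

dn: ou=people,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: cn=default,ou=pwpolicies,dc=new,dc=example,dc=com
objectClass: pwdPolicy
pwdLockout: TRUE

dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
objectClass: inetOrgPerson
uid: testuser
userPassword: {SSHA}NoNoNoooo...
"""

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not backslash-escaped


def split_dn(dn):
    """Split a DN into RDN strings; escaped commas inside a value are preserved."""
    return [rdn.strip() for rdn in _RDN_SPLIT.split(dn) if rdn.strip()]


def normalize_rdn(rdn):
    """Case-fold type and value: a rough stand-in for slapd's DN normalization."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def normalize_dn(dn):
    return ",".join(normalize_rdn(r) for r in split_dn(dn))


def suffix_massage(dn, virtual, real):
    """Replace a trailing `virtual` suffix by `real`, as rwm-suffixmassage does.
    A DN not under `virtual` is returned unchanged (rwm passes it through)."""
    rdns, vrdns = split_dn(dn), split_dn(virtual)
    if len(rdns) < len(vrdns):
        return dn
    head, tail = rdns[:len(rdns) - len(vrdns)], rdns[len(rdns) - len(vrdns):]
    if [normalize_rdn(r) for r in tail] != [normalize_rdn(r) for r in vrdns]:
        return dn
    return ",".join(head + split_dn(real))


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one 'attr: value' per line,
    returned as {normalized dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            value = value.lstrip(": ").strip()
            if key.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn is not None:
            entries[normalize_dn(dn)] = attrs
    return entries


def resolve_bind_dn(entries, bind_dn):
    """What a relayed bind must do: massage the DN onto the real suffix, then fetch
    the entry from the real database. Returns (real_dn, entry-or-None)."""
    real_dn = suffix_massage(bind_dn, VIRTUAL_SUFFIX, REAL_SUFFIX)
    return real_dn, entries.get(normalize_dn(real_dn))


def check_relay_config(entries, probe_rdn="uid=testuser,ou=people"):
    """Preflight checks on an LDIF export: the ppolicy_default entry must exist and
    sit under the real suffix, and a probe DN under the virtual suffix must map
    onto a real entry. Returns a list of problems (empty means all clear)."""
    problems = []
    if normalize_dn(PPOLICY_DEFAULT) not in entries:
        problems.append(f"ppolicy_default entry missing: {PPOLICY_DEFAULT}")
    if not normalize_dn(PPOLICY_DEFAULT).endswith(normalize_dn(REAL_SUFFIX)):
        problems.append("ppolicy_default is not under the real (relayed-to) suffix")
    real_dn, entry = resolve_bind_dn(entries, f"{probe_rdn},{VIRTUAL_SUFFIX}")
    if entry is None:
        problems.append(f"virtual bind DN does not resolve to a real entry: {real_dn}")
    return problems


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    old_dn = f"uid=testuser,ou=people,{VIRTUAL_SUFFIX}"
    real_dn, entry = resolve_bind_dn(db, old_dn)
    print(f'[rw] bindDN: "{old_dn}" -> "{real_dn}"')
    print("entry found" if entry else "entry missing", "| problems:", check_relay_config(db))
```

Run it as a script to see the rewrite line it prints, or import it and point `parse_ldif` at a real `slapcat` export with `check_relay_config` for a larger tree. Note that this only validates the data and the mapping; the crash in the report is in slapd itself, so a clean result here does not rule it out.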
moved from Incoming to Software Bugs
I have been able to reproduce this in master with the following config (no rwm involved):

database relay
suffix "ou=People,dc=example,dc=com"
relay "dc=example,dc=com"

database mdb
suffix "dc=example,dc=com"
rootdn "dc=example,dc=com"
rootpw OBFUSCATED
directory ./db3

overlay ppolicy
ppolicy_default "cn=default,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

back-mdb hits a null pointer:

0x0000000000535161 in mdb_env_pick_meta (env=0x78f420) at ./../../../libraries/liblmdb/mdb.c:3944
3944        return metas[ metas[0]->mm_txnid < metas[1]->mm_txnid ];
(gdb) bt
#0  0x0000000000535161 in mdb_env_pick_meta (env=0x78f420) at ./../../../libraries/liblmdb/mdb.c:3944
#1  0x000000000052feae in mdb_txn_renew0 (txn=0x7fffb6cef010) at ./../../../libraries/liblmdb/mdb.c:2688
#2  0x0000000000530914 in mdb_txn_begin (env=0x78f420, parent=0x0, flags=131072, ret=0x7fffe8004290) at ./../../../libraries/liblmdb/mdb.c:2910
#3  0x00000000005afe53 in mdb_opinfo_get (op=Bind request = {...}, mdb=0x78f1b0, rdonly=1, moip=0x7ffff61cad68) at id2entry.c:778
#4  0x00000000005af5d6 in mdb_entry_get (op=Bind request = {...}, ndn=0x7fffe8002bf8, oc=NULL, at=NULL, rw=0, ent=0x7ffff61cb388) at id2entry.c:607
#5  0x00000000004fd377 in overlay_entry_get_ov (op=Bind request = {...}, dn=0x7fffe8002bf8, oc=NULL, ad=NULL, rw=0, e=0x7ffff61cb388, on=0x0) at backover.c:378
#6  0x00000000004ffd36 in over_entry_get_rw (op=Bind request = {...}, dn=0x7fffe8002bf8, oc=NULL, ad=NULL, rw=0, e=0x7ffff61cb388) at backover.c:412
#7  0x0000000000466d6b in be_entry_get_rw (op=Bind request = {...}, ndn=0x7fffe8002bf8, oc=NULL, at=NULL, rw=0, e=0x7ffff61cb388) at backend.c:1443
#8  0x00007ffff791d0e3 in ppolicy_bind_response (op=Bind request = {...}, rs=0x7ffff61cb9f8) at ppolicy.c:1424
#9  0x000000000046d8d6 in slap_response_play (op=Bind request = {...}, rs=0x7ffff61cb9f8) at result.c:567
#10 0x000000000046948d in send_ldap_response (op=Bind request = {...}, rs=0x7ffff61cb9f8) at result.c:642
#11 0x000000000046a33e in slap_send_ldap_result (op=Bind request = {...}, rs=0x7ffff61cb9f8) at result.c:918
#12 0x000000000047f666 in fe_op_bind_success (op=Bind request = {...}, rs=0x7ffff61cb9f8) at bind.c:552
#13 0x000000000047f26c in fe_op_bind (op=Bind request = {...}, rs=0x7ffff61cb9f8) at bind.c:386
#14 0x000000000047e8ab in do_bind (op=Bind request = {...}, rs=0x7ffff61cb9f8) at bind.c:206
#15 0x00000000004528b7 in connection_operation (ctx=0x7ffff61cbb78, arg_v=0x7fffe8002bb0) at connection.c:1163
#16 0x0000000000450a90 in connection_read_thread (ctx=0x7ffff61cbb78, argv=0xc) at connection.c:1314
#17 0x00007ffff7fb01fe in ldap_int_thread_pool_wrapper (xpool=0x7266c0) at tpool.c:1051
(gdb) p metas[0]
$1 = (MDB_meta * const) 0x0
fixed in master
trunk:
  • b979b57d by Howard Chu at 2021-01-21T13:23:34+00:00
    ITS#7468 slapd-relay: set real op->o_bd on successful bind