OpenLDAP
Viewing Incoming/7468
From: tim.j.watts@kcl.ac.uk
Subject: ppolicy and rwm/relay segfaulting
Date: Sat, 08 Dec 2012 14:22:49 +0000
From: tim.j.watts@kcl.ac.uk
To: openldap-its@OpenLDAP.org
Subject: ppolicy and rwm/relay segfaulting
Full_Name: Tim Watts
Version: 2.4.23
OS: Debian 6/amd64
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (81.2.78.46)


Hi,

We load slapd up with actual entries for the dc=new,dc=example,dc=com domain.

slapd is configured to map all records with rwm/relay to
dc=old,dc=example,dc=com so clients with the old config still work.

i.e.

we load a real record:

1)   dn: uid=testuser,ou=people,dc=new,dc=example,dc=com

and we want clients asking about

2)   dn: uid=testuser,ou=people,dc=old,dc=example,dc=com

will be served from (1)


========  OK here's an example ================

=== Server ====

Running debian 6 server with debian slapd 2.4.23-7.2

/usr/sbin/slapd -d 4 -h "ldap:/// ldaps:/// ldapi:///" -g openldap -u openldap -f /etc/ldap/slapd.conf



=== Test client ===

Running test against the "old" realm:

ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com

# Enter the wrong password and it fails correctly and server runs OK.

# Enter the right password and the client says:

ldap_result: Can't contact LDAP server (-1)

Server says (last few lines from slapd):
[rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=old,dc=example,dc=com"
[rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com,0)
<= ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
=> bdb_entry_get: ndn: "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
==> hdb_bind: dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
send_ldap_result: err=0 matched="" text=""
=> bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
Segmentation fault

However, queries against the "new" domain work:

ldapwhoami -x -W -D uid=testuser,ou=people,dc=new,dc=example,dc=com
Enter LDAP Password:
dn:uid=testuser,ou=people,dc=new,dc=example,dc=com

If I disable ppolicy in slapd.conf, queries against the "old" domain work:

root@ldaptest1:/etc# ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com
Enter LDAP Password:
dn:uid=testuser,ou=people,dc=new,dc=example,dc=com


(the rewrite is not perfect - but that may not matter for my clients).



Almost certainly I have done something stupid - and it seems clear that ppolicy
is being upset by the relay mappings. Any ideas how to fix would be *very*
welcome - I have been all over Google and the man pages.


All the best!

Tim



OK - boring stuff:


slapd.conf
###########################################
#######################################################################
# Global Directives:

# Features to permit
allow bind_anon_cred bind_anon_dn update_anon

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/ppolicy.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        sync stats

sizelimit 5000
tool-threads 1

modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      back_relay
moduleload      rwm
moduleload      ppolicy

overlay rwm
rwm-rewriteEngine on

backend         hdb

#######################################################################
# Global ACLs
#

# Ensure read access to the base for things like
# supportedSASLMechanisms.
access to dn.base="" by * read

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# This ACL must be first or password leakage will happen!!!
access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" manage
        by dn="cn=admin,dc=new,dc=example,dc=com" manage
        by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write
        by self write
        by * auth

# The admin dn has full write access, everyone else
# can read everything. Local unix domain socket (root only)
# Can do everything
access to *
        by peername.path="/var/run/slapd/ldapi" manage
        by dn="cn=admin,dc=new,dc=example,dc=com" manage
        by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write
        by * read

#######################################################################
# Main new.

Message of length 8094 truncated
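The two directions of the suffix rewrite the report describes, as an added Python model (not slapo-rwm's or the reporter's code; OLD_SUFFIX, NEW_SUFFIX, the function names and the simplified DN parser are assumptions for illustration): a bind DN under the old suffix is mapped to the new suffix before the backend sees it, and a complete rewrite would also map the authzId back to the old suffix for the whoami reply, which the ldapwhoami output above shows did not happen.

```python
# Model of the suffix rewrite the report describes: requests under
# dc=old,dc=example,dc=com are served from dc=new,dc=example,dc=com.
# Added illustration, not slapo-rwm's own code. The DN parser is a
# simplified model (escaped commas honoured, multi-valued RDNs not split).
from typing import List

OLD_SUFFIX = "dc=old,dc=example,dc=com"   # suffix the old clients still use
NEW_SUFFIX = "dc=new,dc=example,dc=com"   # suffix the entries really live under


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def massage(dn: str, from_suffix: str, to_suffix: str) -> str:
    """Replace from_suffix at the end of dn with to_suffix, comparing the
    suffix RDN by RDN case-insensitively; other DNs pass through unchanged."""
    parts, suffix = split_rdns(dn), split_rdns(from_suffix)
    if len(parts) < len(suffix):
        return dn
    tail = parts[len(parts) - len(suffix):]
    if [p.lower() for p in tail] != [s.lower() for s in suffix]:
        return dn
    return ",".join(parts[:len(parts) - len(suffix)] + split_rdns(to_suffix))


def bind_dn_seen_by_backend(client_dn: str) -> str:
    """Request direction: the DN the hdb backend is asked to authenticate."""
    return massage(client_dn, OLD_SUFFIX, NEW_SUFFIX)


def whoami_seen_by_client(backend_dn: str) -> str:
    """Response direction: the authzId a client of the old suffix should get
    back; the report's ldapwhoami output shows this step was not applied."""
    return massage(backend_dn, NEW_SUFFIX, OLD_SUFFIX)
```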
The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org