OpenLDAP
Viewing Incoming/7985
From: belykh.o@gmail.com
Subject: Recursive values
Date: Tue, 18 Nov 2014 11:47:10 +0000
From: belykh.o@gmail.com
To: openldap-its@OpenLDAP.org
Subject: Recursive values
Full_Name: Oleg Belykh
Version: 2.4.40
OS: FreeBSD
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (37.99.40.12)


We are testing the latest OpenLDAP 2.4.40 with mdb (FreeBSD 10) with our custom
schema and structure.
Error details: the request returns recursive values on some leaves. Some sensitive
values are replaced with '...'. Please check:
custom schema:
# Telephone Attributes
attributetype ( 1.3.6.1.4.1.4203.666.6273.2.1 NAME 'telephoneNumberAccessCode'
        DESC 'Access code for telephoneNumber services'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.4203.666.6273.2.2 NAME 'faxDeliveryMailbox'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.4203.666.6273.2.3 NAME 'voiceDeliveryMailbox'
        DESC 'Voice Mailbox'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.4203.666.6273.2.4 NAME 'phoneGroupName'
        DESC 'Telephone Group Name'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.4203.666.6273.2.100 NAME 'telephoneNumberAccount'
        DESC 'Telephone account'
        SUP top STRUCTURAL
        MUST ( telephoneNumber )
        MAY ( userPassword $ telephoneNumberAccessCode $ macAddress $
faxDeliveryMailbox ) )

ldapsearch results:
root@sw:/lib/ldap # ldapsearch -H 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/' -W
-b 'dc=...' -D 'cn=ldroot,dc=...'

Enter LDAP Password: 

# extended LDIF
#
# LDAPv3
# base <dc=...> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ...
dn: dc=...
objectClass: dcObject
objectClass: organization
objectClass: top
dc: ...
o: ...

# accounts, ...
dn: ou=accounts,dc=...
objectClass: top
objectClass: organizationalUnit
ou: accounts

# persons, accounts, ...
dn: ou=persons,ou=accounts,dc=...
objectClass: organizationalUnit
ou: persons

# kerberos, accounts, ...
dn: ou=kerberos,ou=accounts,dc=...
objectClass: organizationalUnit
ou: kerberos

# mails, accounts, ...
dn: ou=mails,ou=accounts,dc=...
objectClass: organizationalUnit
ou: mails

# phones, accounts, ...
dn: ou=phones,ou=accounts,dc=...
objectClass: organizationalUnit
ou: phones

# groups, ...
dn: ou=groups,dc=...
objectClass: top
objectClass: organizationalUnit
ou: groups

# userGroups, groups, ...
dn: ou=userGroups,ou=groups,dc=...
objectClass: organizationalUnit
ou: usergroups

# phoneGroups, groups, ...
dn: ou=phoneGroups,ou=groups,dc=...
objectClass: organizationalUnit
ou: phonegroups

# computers, ...
dn: ou=computers,dc=...
objectClass: top
objectClass: organizationalUnit
ou: computers

# services, ...
dn: ou=services,dc=...
objectClass: top
objectClass: organizationalUnit
ou: services

# manager, accounts, ...
dn: uid=manager,ou=accounts,dc=...
objectClass: account
objectClass: simpleSecurityObject
uid: manager
userPassword:: ...

# freeswitch, accounts, ...
dn: uid=freeswitch,ou=accounts,dc=...
objectClass: account
objectClass: simpleSecurityObject
uid: freeswitch
userPassword:: ...

# admins, userGroups, groups, ...
dn: cn=admins,ou=userGroups,ou=groups,dc=...
objectClass: posixGroup
cn: admins
gidNumber: 10000
description: Group account
memberUid: ...

# users, userGroups, groups, ...
dn: cn=users,ou=userGroups,ou=groups,dc=...
objectClass: posixGroup
cn: users
gidNumber: 10001
description: Group account

# ..., persons, accounts, ...
dn: uid=...,ou=persons,ou=accounts,dc=...
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 10000
givenName: ...
initials: v
sn: ..
displayName: ...
uid: ...
homeDirectory: /dev/null
loginShell: /bin/sh
cn: ...
uidNumber: 20107
userPassword:: ...
telephoneNumber: 2020


( !!!! )

# 1000, phones, accounts, ...
dn: telephoneNumber=1000,ou=phones,ou=accounts,dc=...
telephoneNumber: 1000
telephoneNumberAccessCode: 8864
objectClass: telephoneNumberAccount
userPassword:: ....

# 2020, phones, accounts, ...
dn: telephoneNumber=2020,ou=phones,ou=accounts,dc=...
telephoneNumber: 2020
telephoneNumberAccessCode: 8864
objectClass: telephoneNumberAccount
userPassword:: ....

# 1000, 2020, phones, accounts, ...
dn: telephoneNumber=1000,telephoneNumber=2020,ou=phones,ou=accounts,dc=...
telephoneNumber: 1000
telephoneNumberAccessCode: 8864
objectClass: telephoneNumberAccount
userPassword:: ....

# 1000, 1000, 2020, phones, accounts, ...
dn: telephoneNumber=1000,telephoneNumber=1000,telephoneNumber=2020,ou=phones,o
 u=accounts,dc=...
telephoneNumber: 1000
telephoneNumberAccessCode: 8864
objectClass: telephoneNumberAccount
userPassword:: ....

# 1000, 1000, 1000, 2020, phones, accounts, ...
dn: telephoneNumber=1000,telephoneNumber=1000,telephoneNumber=1

Message of length 8046 truncated

Followup 1

Date: Tue, 18 Nov 2014 16:54:24 +0000
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: belykh.o@gmail.com
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7985) Recursive values
On Tue, Nov 18, 2014 at 11:47:10AM +0000, belykh.o@gmail.com wrote:

> Error details: request returns recursive values on some leaves. Some sensitive
> values replaced with '...' Please check:

That is certainly an odd one. You are going to have to supply a lot
more information before the developers will consider this a usable
bug report, but before getting into that I suggest you stop the server
and use slapindex to re-build all the indexes. If you have been modifying the
configuration after loading data it is possible that the index data
is inconsistent.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------



Followup 2

Date: Tue, 18 Nov 2014 19:57:37 +0100
From: Michael Ströder <michael@stroeder.com>
To: belykh.o@gmail.com, openldap-its@OpenLDAP.org
Subject: Re: (ITS#7985) Recursive values
belykh.o@gmail.com wrote:
> Error details: request returns recursive values on some leaves.

What does the slapcat output look like?

Also which overlays are configured? slapo-rwm?

Ciao, Michael.




Followup 3

Date: Wed, 19 Nov 2014 01:16:08 +0600
Subject: Re: (ITS#7985) Recursive values
From: Oleg Belykh <belykh.o@gmail.com>
To: openldap-its@openldap.org

Database reindexing: no effect.

Overlays:
overlay syncprov

Same problems (recursion) with slapcat -

dn: telephoneNumber=1000,telephoneNumber=1000,telephoneNumber=2020,ou=phones
 ,ou=accounts,dc=...
telephoneNumber: 1000
telephoneNumberAccessCode: 8864
objectClass: telephoneNumberAccount
userPassword:: ...
structuralObjectClass: telephoneNumberAccount
entryUUID: bc8a4014-0355-1034-8cad-1351d00c5bbd
creatorsName: cn=ldroot,dc=...
createTimestamp: 20141118100223Z
entryCSN: 20141118100223.423286Z#000000#000#000000
modifiersName: cn=ldroot,dc=...
modifyTimestamp: 20141118100223Z

dn: telephoneNumber=1000,telephoneNumber=1000,telephoneNumber=1000,telephone
 Number=2020,ou=phones,ou=accounts,dc=...
telephoneNumber: 1000
telephoneNumberAccessCode: 8864
objectClass: telephoneNumberAccount
userPassword:: ...
structuralObjectClass: telephoneNumberAccount
entryUUID: bc8d2860-0355-1034-8cae-1351d00c5bbd
creatorsName: cn=ldroot,dc=...
createTimestamp: 20141118100223Z
entryCSN: 20141118100223.442503Z#000000#000#000000
modifiersName: cn=ldroot,dc=...
modifyTimestamp: 20141118100223Z

dn: telephoneNumber=1000,telephoneNumber=1000,telephoneNumber=1000,telephone
 Number=1000,telephoneNumber=2020,ou=phones,ou=accounts,dc=...
telephoneNumber: 1000
telephoneNumberAccessCode: 8864
objectClass: telephoneNumberAccount
userPassword:: ...
structuralObjectClass: telephoneNumberAccount
entryUUID: bc914c06-0355-1034-8caf-1351d00c5bbd
creatorsName: cn=ldroot,dc=...
createTimestamp: 20141118100223Z
entryCSN: 20141118100223.469632Z#000000#000#000000
modifiersName: cn=ldroot,dc=...
modifyTimestamp: 20141118100223Z

dn: telephoneNumber=1000,telephoneNumber=1000,telephoneNumber=1000,telephone
 Number=1000,telephoneNumber=1000,telephoneNumber=2020,ou=phones,ou=accounts
 ,dc=...
telephoneNumber: 1000
telephoneNumberAccessCode: 8864
objectClass: telephoneNumberAccount
userPassword:: ...
structuralObjectClass: telephoneNumberAccount
entryUUID: bc9429a8-0355-1034-8cb0-1351d00c5bbd
creatorsName: cn=ldroot,dc=...
createTimestamp: 20141118100223Z


On 18 November 2014 17:47, <openldap-its@openldap.org> wrote:

>
> *** THIS IS AN AUTOMATICALLY GENERATED REPLY ***
>
> Thanks for your report to the OpenLDAP Issue Tracking System.  Your
> report has been assigned the tracking number ITS#7985.
>
> One of our support engineers will look at your report in due course.
> Note that this may take some time because our support engineers
> are volunteers.  They only work on OpenLDAP when they have spare
> time.
>
> If you need to provide additional information in regards to your
> issue report, you may do so by replying to this message.  Note that
> any mail sent to openldap-its@openldap.org with (ITS#7985)
> in the subject will automatically be attached to the issue report.
>
>         mailto:openldap-its@openldap.org?subject=(ITS#7985)
>
> You may follow the progress of this report by loading the following
> URL in a web browser:
>     http://www.OpenLDAP.org/its/index.cgi?findid=7985
>
> Please remember to retain your issue tracking number (ITS#7985)
> on any further messages you send to us regarding this report.  If
> you don't then you'll just waste our time and yours because we
> won't be able to properly track the report.
>
> Please note that the Issue Tracking System is not intended to
> be used to seek help in the proper use of OpenLDAP Software.
> Such requests will be closed.
>
> OpenLDAP Software is user supported.
>         http://www.OpenLDAP.org/support/
>
> --------------
> Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
>
>


Message of length 10438 truncated


Followup 4

Date: Tue, 18 Nov 2014 20:47:21 +0100
From: Michael Ströder <michael@stroeder.com>
To: belykh.o@gmail.com, openldap-its@OpenLDAP.org
Subject: Re: (ITS#7985) Recursive values
belykh.o@gmail.com wrote:
> Same problems (recursion) with slapcat -

In this case I rather suspect something's wrong with your LDAP management
client application. I'd check the slapd logs covering the period the entries
were created.

Ciao, Michael.



Followup 5

Date: Wed, 19 Nov 2014 10:36:41 +0000
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: michael@stroeder.com, belykh.o@gmail.com
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7985) Recursive values
On Tue, Nov 18, 2014 at 07:48:28PM +0000, michael@stroeder.com wrote:

> > Same problems (recursion) with slapcat -
> 
> In this case I rather suspect something's wrong with your LDAP management
> client application. I'd check the slapd logs covering the period the entries
> were created.

Good point. The critical thing to note in the slapcat output is that
the entryUUID values are all different. I had missed that first time
around but it clearly indicates that those entries actually exist.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
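
The check discussed in Followups 4 and 5, as an added example (not part of the thread and not OpenLDAP code): it unfolds slapcat LDIF, flags entries stored underneath another telephoneNumber entry, and confirms that each carries its own entryUUID, meaning they are real stored entries rather than a display artifact. The sample data, the dc=example suffix, the UUIDs and all function names are constructed for illustration.

```python
import re

# Constructed sample in slapcat LDIF form, modelled on the entries in this
# report; the suffix dc=example and the UUIDs are placeholders.
SAMPLE_LDIF = """\
dn: telephoneNumber=2020,ou=phones,ou=accounts,dc=example
entryUUID: 00000000-0000-0000-0000-000000000001

dn: telephoneNumber=1000,telephoneNumber=2020,ou=phones,ou=accounts,dc=exampl
 e
entryUUID: 00000000-0000-0000-0000-000000000002

dn: telephoneNumber=1000,telephoneNumber=1000,telephoneNumber=2020,ou=phones
 ,ou=accounts,dc=example
userPassword:: ...
entryUUID: 00000000-0000-0000-0000-000000000003
"""

def parse_ldif(text):
    """Unfold continuation lines (newline + one space) and yield entry dicts."""
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(value.lstrip(": "))
        yield entry

def nested_under_leaf(entries, leaf_attr="telephonenumber"):
    """Return (dn, depth, entryUUID) where leaf_attr RDNs are stacked."""
    findings = []
    for e in entries:
        dn = e["dn"][0]
        # Simplified split on unescaped commas; enough for these DNs.
        rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
        depth = 0
        for rdn in rdns:
            if rdn.split("=", 1)[0].lower() != leaf_attr:
                break
            depth += 1
        if depth > 1:
            findings.append((dn, depth, e.get("entryuuid", ["?"])[0]))
    return findings

def report(text):
    """Return the findings and whether every flagged entry has a distinct UUID."""
    found = nested_under_leaf(parse_ldif(text))
    return found, len({u for _, _, u in found}) == len(found)
```

Distinct UUIDs on the flagged entries point at separate add operations, which is what to look for in the slapd logs for the period when the entries were created.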

