Full_Name: Ted C. Cheng Version: HEAD OS: Redhat Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (75.80.56.88) We encountered a back-ldap assertion failure with the back-ldap as a proxy to a remote Active Directory on Windows 2003 R2. The assertion failure occurred when the slapd server was checking ACLs via the rwm overlay. Snippet of the stack trace: Thread 1 (Thread 32267): .... #2 0x0000003c354296e6 in __assert_fail () from /lib64/libc.so.6 #3 0x00002ac57daaf6c1 in ldap_back_dobind_int (lcp=0x42f70170, op=0x42f702f0, rs=0x42f700a0, sendok=LDAP_BACK_GETCONN, retries=0, dolock=1) at /home/build/sol-2.4.23.101221/sol24x/ldap24/servers/slapd/back-ldap/bind.c:1389 #4 0x00002ac57daafda0 in ldap_back_dobind (lcp=0x42f70170, op=0x42f702f0, rs=0x42f700a0, sendok=LDAP_BACK_DONTSEND) at /home/build/sol-2.4.23.101221/sol24x/ldap24/servers/slapd/back-ldap/bind.c:1572 #5 0x00002ac57daac7a7 in ldap_back_entry_get (op=0x42f702f0, ndn=0x42f701d0, oc=0x0, at=0x135ad370, rw=0, ent=0x42f70a58) Analysis of the assertion failure: The ldap_back_entry_get() function, back-ldap/search.c, is called for ACL entries, via rwm overlay. The function sets op->o_do_not_cache to 1 before calling into ldap_back_dobind(): /* Tell getconn this is a privileged op */ do_not_cache = op->o_do_not_cache; tag = op->o_tag; /* do not cache */ op->o_do_not_cache = 1; /* ldap_back_entry_get() is an entry lookup, so it does not need * to know what the entry is being looked up for */ op->o_tag = LDAP_REQ_SEARCH; rc = ldap_back_dobind( &lc, op, &rs, LDAP_BACK_DONTSEND ); The ldap_back_dobind() function calls ldap_back_dobind_int() for bind, back-ldap/bind.c. The following ldap_back_dobind_int() code is destined for assertion failure, if op->o_do_not_cache flag is set and there is no valid binddn and bindcred returned by ldap_back_getconn(). Setting an invalid LDAP URI for the remote AD Windows box is such a case. ldap_back_dobind_int(�) { ... if (sendok & LDAP_BACK_GETCONN) { � lc = ldap_back_getconn(op, rs, sendoff, &binddn, &bindcred); ... } � if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) { if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) { /* if we got here, it shouldn't return result */ rc = ldap_back_is_proxy_authz( op, rs, LDAP_BACK_DONTSEND, &binddn, &bindcred ); /* ldap_back_is_proxy_authz always returns 0 when op->o_do_not_cache is set, see below */ assert( rc == 1 );------> assertion failure } rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn, &bindcred ); � } } When the op->o_do_not_cache flag is set, the ldap_back_is_proxy_authz() function always returns 0. ldap_back_is_proxy_authz( ... ) { ... int dobind = 0; if ( op->o_conn == NULL || op->o_do_not_cache ) { goto done; } ... done:; return dobind; <--- always returns 0 } Ted C. Cheng Symas Corporation
The following patch fixed the issue: Index: servers/slapd/back-ldap/bind.c =================================================================== RCS file: /var/CVSROOT/ldap24/servers/slapd/back-ldap/bind.c,v retrieving revision 1.12 retrieving revision 1.13 diff -u -u -r1.12 -r1.13 --- servers/slapd/back-ldap/bind.c 28 Jul 2011 09:31:34 -0000 1.12 +++ servers/slapd/back-ldap/bind.c 17 Nov 2011 21:35:46 -0000 1.13 @@ -2056,7 +2056,7 @@ struct berval ndn; int dobind = 0; - if ( op->o_conn == NULL || op->o_do_not_cache ) { + if ( op->o_conn == NULL ) { goto done; } Ted C. Cheng Symas Corporation
tedcheng@symas.com wrote: > The following patch fixed the issue: > > Index: servers/slapd/back-ldap/bind.c > =================================================================== > RCS file: /var/CVSROOT/ldap24/servers/slapd/back-ldap/bind.c,v > retrieving revision 1.12 > retrieving revision 1.13 > diff -u -u -r1.12 -r1.13 > --- servers/slapd/back-ldap/bind.c 28 Jul 2011 09:31:34 -0000 1.12 > +++ servers/slapd/back-ldap/bind.c 17 Nov 2011 21:35:46 -0000 1.13 > @@ -2056,7 +2056,7 @@ > struct berval ndn; > int dobind = 0; > > - if ( op->o_conn == NULL || op->o_do_not_cache ) { > + if ( op->o_conn == NULL ) { > goto done; > } > In your original post you state: >>> The ldap_back_dobind() function calls ldap_back_dobind_int() for bind, back-ldap/bind.c. The following ldap_back_dobind_int() code is destined for assertion failure, if op->o_do_not_cache flag is set and there is no valid binddn and bindcred returned by ldap_back_getconn(). Setting an invalid LDAP URI for the remote AD Windows box is such a case. <<< So it sounds like this assert only triggers because you have an invalid configuration. I don't believe your patch is the correct solution if that's the only error case. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
changed notes changed state Open to Test moved from Incoming to Software Bugs
hyc@symas.com wrote: > >>> > The ldap_back_dobind() function calls ldap_back_dobind_int() for bind, > back-ldap/bind.c. The following ldap_back_dobind_int() code is destined for > assertion failure, if op->o_do_not_cache flag is set and there is no valid > binddn and bindcred returned by ldap_back_getconn(). Setting an invalid LDAP URI > for the remote AD Windows box is such a case. > <<< > > So it sounds like this assert only triggers because you have an invalid > configuration. I don't believe your patch is the correct solution if that's > the only error case. I've committed an alternate fix, turning the assert into an error return. Please test. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
changed notes changed state Test to Release
changed notes changed state Release to Closed
fixed in master fixed in RE24