Issue 7964 - overlay rwm escape issue with more the 9 rules / rewrite statements
Summary: overlay rwm escape issue with more the 9 rules / rewrite statements
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.40
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-13 06:40 UTC by uwe.werler@retiolum.eu
Modified: 2015-11-30 18:20 UTC
Description uwe.werler@retiolum.eu 2014-10-13 06:40:59 UTC
Full_Name: Uwe Werler
Version: 2.4.40
OS: Linux / SLES 11 SP3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (155.56.68.214)


If I have rewrite rules like this:

23 olcOverlay={1}rwm,olcDatabase={3}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {1}rwm
olcRwmRewrite: {0}rwm-rewriteEngine on
olcRwmRewrite: {1}rwm-rewriteContext searchFilter
olcRwmRewrite: {2}rwm-rewriteRule "(.*\\()uid=sapr3(\\).*)" "$1uid=dlmsapr3$2"
olcRwmRewrite: {3}rwm-rewriteRule "(.*\\()uid=sdb(\\).*)" "$1uid=sdb$2"
olcRwmRewrite: {4}rwm-rewriteRule
"(.*\\()uid=sapadm(\\).*)" "$1uid=dlmsapadm$2"
olcRwmRewrite: {5}rwm-rewriteRule "(.*\\()uid=sapmnt(\\).*)" "$1uid=sapmnt$2"
olcRwmRewrite: {6}rwm-rewriteRule "(.*\\()uid=[a-z0-9]{3}adm(\\).*)"
"$1uid=dlmsidadm$2"
olcRwmRewrite: {7}rwm-rewriteRule "(.*\\()uid=sqd[a-z0-9]{3}(\\).*)"
"$1uid=dlmsqdsid$2"
olcRwmRewrite: {8}rwm-rewriteRule "(.*\\()uid=ora[a-z0-9]{3}(\\).*)"
"$1uid=dlmorasid$2"
olcRwmRewrite: {9}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}(\\).*)"
"$1uid=dlmsapr3$2"
olcRwmRewrite: {10}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}db(\\).*)"
"$1uid=dlmsapr3db$2"
olcRwmRewrite: {11}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}(\\).*)"
"$1uid=dlmdb2sid$2"
olcRwmRewrite: {12}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}ap(\\).*)"
"$1uid=dlmdb2sid$2"

then the ninth rule / statement fails to escape. In this example ora*** gets
not correctly rewritten to dlmora***: See loglevel trace:

543b711d ==> rewrite_rule_apply rule='(.*\()uid=sapr3(\).*)'
string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
[1 pass(es)]
543b711d ==> rewrite_rule_apply rule='(.*\()uid=sdb(\).*)'
string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
[1 pass(es)]
543b711d ==> rewrite_rule_apply rule='(.*\()uid=sapadm(\).*)'
string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
[1 pass(es)]
543b711d ==> rewrite_rule_apply rule='(.*\()uid=sapmnt(\).*)'
string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
[1 pass(es)]
543b711d ==> rewrite_rule_apply rule='(.*\()uid=[a-z0-9]{3}adm(\).*)'
string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
[1 pass(es)]
543b711d ==> rewrite_rule_apply rule='(.*\()uid=sqd[a-z0-9]{3}(\).*)'
string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
[1 pass(es)]
543b711d ==> rewrite_rule_apply rule='(.*\\()uid=ora[a-z0-9]{3}(\\).*)'
string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
[1 pass(es)]
543b711d ==> rewrite_rule_apply rule='(.*\()uid=sap[a-z0-9]{3}(\).*)'
string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
[1 pass(es)]
543b711d ==> rewrite_rule_apply rule='(.*\()uid=sap[a-z0-9]{3}db(\).*)'
string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
[1 pass(es)]
543b711d ==> rewrite_rule_apply rule='(.*\()uid=db2[a-z0-9]{3}(\).*)'
string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
[1 pass(es)]
543b711d ==> rewrite_rule_apply rule='(.*\()uid=db2[a-z0-9]{3}ap(\).*)'
string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
[1 pass(es)]

If I insert a dummy statement like this:

olcRwmRewrite: {0}rwm-rewriteEngine on
olcRwmRewrite: {1}rwm-rewriteContext searchFilter
olcRwmRewrite: {2}rwm-rewriteRule "(.*\\()uid=sapr3(\\).*)" "$1uid=dlmsapr3$2"
olcRwmRewrite: {3}rwm-rewriteRule "(.*\\()uid=sdb(\\).*)" "$1uid=sdb$2"
olcRwmRewrite: {4}rwm-rewriteRule "(.*\\()uid=sapadm(\\).*)"
"$1uid=dlmsapadm$2"
olcRwmRewrite: {5}rwm-rewriteRule "(.*\\()uid=sapmnt(\\).*)" "$1uid=sapmnt$2"
olcRwmRewrite: {6}rwm-rewriteRule "(.*\\()uid=[a-z0-9]{3}adm(\\).*)"
"$1uid=dlmsidadm$2"
olcRwmRewrite: {7}rwm-rewriteRule "(.*\\()uid=sqd[a-z0-9]{3}(\\).*)"
"$1uid=dlmsqdsid$2"
olcRwmRewrite: {8}rwm-rewriteRule "(.*\\()uid=ora[a-z0-9]{3}(\\).*)"
"$1uid=dlmorasid$2"
olcRwmRewrite: {9}rwm-rewriteContext placeHolder alias searchFilter
olcRwmRewrite: {10}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}(\\).*)"
"$1uid=dlmsapr3$2"
olcRwmRewrite: {11}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}db(\\).*)"
"$1uid=dlmsapr3db$2"
olcRwmRewrite: {12}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}(\\).*)"
"$1uid=dlmdb2sid$2"
olcRwmRewrite: {13}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}ap(\\).*)"
"$1uid=dlmdb2sid$2"

then the escapes are working properly.

Sometimes this occurs with the last rule too.

I first tried with 2.4.26 (standard version in SLES11 SP3) and now with 2.4.40.

Regards Uwe
Comment 1 Ryan Tandy 2015-09-07 04:36:34 UTC
Uwe Werler wrote:
> If I have rewrite rules like this:
> 
> 23 olcOverlay={1}rwm,olcDatabase={3}hdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcRwmConfig
> olcOverlay: {1}rwm
> olcRwmRewrite: {0}rwm-rewriteEngine on
> olcRwmRewrite: {1}rwm-rewriteContext searchFilter
> olcRwmRewrite: {2}rwm-rewriteRule "(.*\\()uid=sapr3(\\).*)"
> "$1uid=dlmsapr3$2"
> olcRwmRewrite: {3}rwm-rewriteRule "(.*\\()uid=sdb(\\).*)" "$1uid=sdb$2"
> olcRwmRewrite: {4}rwm-rewriteRule
> "(.*\\()uid=sapadm(\\).*)" "$1uid=dlmsapadm$2"
> olcRwmRewrite: {5}rwm-rewriteRule "(.*\\()uid=sapmnt(\\).*)" "$1uid=sapmnt$2"
> olcRwmRewrite: {6}rwm-rewriteRule "(.*\\()uid=[a-z0-9]{3}adm(\\).*)"
> "$1uid=dlmsidadm$2"
> olcRwmRewrite: {7}rwm-rewriteRule "(.*\\()uid=sqd[a-z0-9]{3}(\\).*)"
> "$1uid=dlmsqdsid$2"
> olcRwmRewrite: {8}rwm-rewriteRule "(.*\\()uid=ora[a-z0-9]{3}(\\).*)"
> "$1uid=dlmorasid$2"
> olcRwmRewrite: {9}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}(\\).*)"
> "$1uid=dlmsapr3$2"
> olcRwmRewrite: {10}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}db(\\).*)"
> "$1uid=dlmsapr3db$2"
> olcRwmRewrite: {11}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}(\\).*)"
> "$1uid=dlmdb2sid$2"
> olcRwmRewrite: {12}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}ap(\\).*)"
> "$1uid=dlmdb2sid$2"
> 
> then the ninth rule / statement fails to escape. In this example ora***
> gets not correctly rewritten to dlmora***: See loglevel trace:
> 
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sapr3(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sdb(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sapadm(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sapmnt(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=[a-z0-9]{3}adm(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sqd[a-z0-9]{3}(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\\()uid=ora[a-z0-9]{3}(\\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sap[a-z0-9]{3}(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=sap[a-z0-9]{3}db(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=db2[a-z0-9]{3}(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 543b711d ==> rewrite_rule_apply rule='(.*\()uid=db2[a-z0-9]{3}ap(\).*)'
> string='(&(objectClass=dynamicObject)(entryExpireTimestamp<=20141013062840Z))'
> [1 pass(es)]
> 
> If I insert a dummy statement like this:
> 
> olcRwmRewrite: {0}rwm-rewriteEngine on
> olcRwmRewrite: {1}rwm-rewriteContext searchFilter
> olcRwmRewrite: {2}rwm-rewriteRule "(.*\\()uid=sapr3(\\).*)"
> "$1uid=dlmsapr3$2"
> olcRwmRewrite: {3}rwm-rewriteRule "(.*\\()uid=sdb(\\).*)" "$1uid=sdb$2"
> olcRwmRewrite: {4}rwm-rewriteRule "(.*\\()uid=sapadm(\\).*)"
> "$1uid=dlmsapadm$2"
> olcRwmRewrite: {5}rwm-rewriteRule "(.*\\()uid=sapmnt(\\).*)" "$1uid=sapmnt$2"
> olcRwmRewrite: {6}rwm-rewriteRule "(.*\\()uid=[a-z0-9]{3}adm(\\).*)"
> "$1uid=dlmsidadm$2"
> olcRwmRewrite: {7}rwm-rewriteRule "(.*\\()uid=sqd[a-z0-9]{3}(\\).*)"
> "$1uid=dlmsqdsid$2"
> olcRwmRewrite: {8}rwm-rewriteRule "(.*\\()uid=ora[a-z0-9]{3}(\\).*)"
> "$1uid=dlmorasid$2"
> olcRwmRewrite: {9}rwm-rewriteContext placeHolder alias searchFilter
> olcRwmRewrite: {10}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}(\\).*)"
> "$1uid=dlmsapr3$2"
> olcRwmRewrite: {11}rwm-rewriteRule "(.*\\()uid=sap[a-z0-9]{3}db(\\).*)"
> "$1uid=dlmsapr3db$2"
> olcRwmRewrite: {12}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}(\\).*)"
> "$1uid=dlmdb2sid$2"
> olcRwmRewrite: {13}rwm-rewriteRule "(.*\\()uid=db2[a-z0-9]{3}ap(\\).*)"
> "$1uid=dlmdb2sid$2"
> 
> then the escapes are working properly.
> 
> Sometimes this occurs with the last rule too.

It seems to me that this happens with the rule most recently inserted. If slapd
was recently restarted, this would be the last rule in the list.

The parsing rules are slightly different for slapd.conf vs ldif. Notable is that
ldif parsing does not perform escape processing. So this slapd.conf line:

rwm-rewriteRule "(.*\\()uid=sapr3(\\).*)" "$1uid=dlmsapr3$2"

should actually correspond to this cn=config attribute:

olcRwmRewrite: rwm-rewriteRule "(.*\()uid=sapr3(\).*)" "$1uid=dlmsapr3$2"

This is exactly the output of conversion with, for example, slaptest -f
slapd.conf -F slapd.d.

When a new rwm rule is added, existing rules are reloaded. The bug is that the
existing rules were being passed through the slapd.conf line processor, which
dropped backslashes on the way, while the rule actually being inserted was
passed to the rewrite routines untouched.

Fixed in git master by removing the extra escaping on insert. You will have to
adjust your rules to use a single backslash instead of two.

(bonus: rwm is needlessly reloading existing rules when appending with valx >=
last, while it could be
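
The mismatch described in the comment above, as an added example that is not part of the original thread and is not OpenLDAP code. It assumes a simplified model of slapd.conf escape processing (a backslash is dropped and the next character kept) and uses Python's re in place of the POSIX regex library; the rule pattern and substitution come from the report, and the search filter is constructed sample input.

```python
import re

def conf_unescape(arg: str) -> str:
    """Simplified model (assumption) of slapd.conf argument processing:
    each backslash is dropped and the character after it is kept as-is."""
    out, i = [], 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg):
            i += 1                      # skip the backslash itself
        out.append(arg[i])
        i += 1
    return "".join(out)

def apply_rule(pattern: str, subst: str, filt: str) -> str:
    """Apply one rewrite rule; returns the filter unchanged when the
    pattern does not match (the rule silently does nothing)."""
    m = re.search(pattern, filt)
    if m is None:
        return filt
    # Expand $1, $2, ... in the substitution with the captured groups.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), subst)

# cn=config value as written in the report (two backslashes per escape).
STORED = r"(.*\\()uid=ora[a-z0-9]{3}(\\).*)"
SUBST = "$1uid=dlmorasid$2"
# Constructed sample search filter.
FILTER = "(&(objectClass=posixAccount)(uid=oraabc))"

def demo():
    # Existing rule, reloaded through the conf line processor before the fix:
    # backslashes are halved, so \( and \) match the literal parentheses.
    reloaded = conf_unescape(STORED)
    # Most recently inserted rule, handed to the regex engine untouched:
    # \\ now demands a literal backslash in the filter, so it never matches.
    inserted = STORED
    return {
        "reloaded_pattern": reloaded,
        "reloaded_result": apply_rule(reloaded, SUBST, FILTER),
        "inserted_result": apply_rule(inserted, SUBST, FILTER),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under this model, `reloaded_pattern` is also the single-backslash form that a rule written for the old behaviour needs once the extra escaping on insert is removed.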
Comment 2 Ryan Tandy 2015-09-07 04:37:37 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 3 Quanah Gibson-Mount 2015-09-11 17:06:40 UTC
changed notes
changed state Test to Release
Comment 4 Michael Ströder 2015-09-12 12:38:44 UTC
Ryan Tandy wrote:
> Fixed in git master by removing the extra escaping on insert. You will have to
> adjust your rules to use a single backslash instead of two.

I wonder whether that caused a regression parsing multi-line DESC '..' in
schema descriptions.

Up to now I could load this but it does not work with current RE24 branch:

objectClass ( 1.3.6.1.4.1.412.100.2.1.3.2 NAME 'dlm1ManagedSystemElement'
     DESC 'ManagedSystemElement is the base class for the
           System Element hierarchy. Membership Criteria: Any
           distinguishable component of a System is a candidate
           for inclusion in this class. Examples: software
           components, such as files; and devices, such as disk
           drives and controllers, and physical components such
           as chips and cards.'
     SUP dlm1ManagedElement ABSTRACT
     MAY ( dlmInstallDate $ dlmName $ dlmStatus ) )

This is not schema generated by me.

Ciao, Michael.

Comment 5 Ryan Tandy 2015-09-12 20:03:21 UTC
Hi Michael,

On Sat, Sep 12, 2015 at 02:38:44PM +0200, Michael Ströder wrote:
>I wonder whether that caused a regression parsing multi-line DESC '..' in
>schema descriptions.
>
>Up to now I could load this but it does not work with current RE24 branch:
>
>objectClass ( 1.3.6.1.4.1.412.100.2.1.3.2 NAME 'dlm1ManagedSystemElement'
>     DESC 'ManagedSystemElement is the base class for the
>           System Element hierarchy. Membership Criteria: Any
>           distinguishable component of a System is a candidate
>           for inclusion in this class. Examples: software
>           components, such as files; and devices, such as disk
>           drives and controllers, and physical components such
>           as chips and cards.'
>     SUP dlm1ManagedElement ABSTRACT
>     MAY ( dlmInstallDate $ dlmName $ dlmStatus ) )
>
>This is not schema generated by me.

A schema with the above DESC (including line breaks), and SUP top 
ABSTRACT MAY description, is working fine for me on RE24 (as of c5b4cd6) 
configured with "--disable-bdb --disable-hdb --enable-rwm".

I tested embedding it directly in slapd.conf, including via 'include 
test.schema', and ldapadd'ing an LDIF version into cn=config at runtime.  
(admittedly the last is probably not relevant, since it becomes one long 
logical LDIF line.)

Can you provide some more details about the failure you see?

Glancing at the RE24 log, I'd look at ITS#8233 as the change most likely 
to be related, but can't say anything for sure without a reproducible 
test case.

thanks,
Ryan

Comment 6 OpenLDAP project 2015-11-30 18:20:42 UTC
fixed in master
fixed in RE25
fixed in RE24
Comment 7 Quanah Gibson-Mount 2015-11-30 18:20:42 UTC
changed notes
changed state Release to Closed