OpenLDAP

Viewing Software Enhancements/3569

From: john_de_f@hotmail.com
Subject: Issue with multiple suffixes in a single bdb backend
3 followups: 1 2 3


Date: Thu, 24 Feb 2005 17:57:18 GMT
From: john_de_f@hotmail.com
To: openldap-its@OpenLDAP.org
Subject: Issue with multiple suffixes in a single bdb backend
Full_Name: John de Freitas
Version: 2.2.23
OS: Linux (RH 7.3 kernel 2.4.18-3)
URL: 
Submission from: (NULL) (67.93.141.190)


I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the backend.

My slapd.conf has 2 suffixes for this backend (I added the BDB_MULTIPLE_SUFFIXES
preprocessor define to servers/slapd/back-bdb/init.c). The relevant portion of
my slapd.conf is:

database         bdb
suffix           "dc=example,dc=com"
suffix           "o=My Certificate Authority"
rootdn           "dn=Manager,dc=example,dc=com"
rootpwd          secret

I can add entries under the first suffix without problem; I cannot for the
second. The error reported by slapd is: 

<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found
(-30989)
bdb_add: entry at root denied

I believe the problem is in servers/slapd/back-bdb/cache.c, in
bdb_cache_find_ndn().
The code there assumes that the current entry is for the first suffix:

                /* we're searching a full DN from the root */
                ptr = ndn->bv_val + ndn->bv_len - op->o_bd->be_nsuffix[0].bv_len;
                ei.bei_nrdn.bv_val = ptr;
                ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;

I can add using this first suffix, but in order to add entries for suffixes
2...N, the code would need to search through all op->o_bd->be_nsuffix
entries. Something like:


int i = 0;
/* be_nsuffix is an array of struct berval terminated by a NULL bv_val */
while ( op->o_bd->be_nsuffix[i].bv_val != NULL ) {
	/* compare ndn against op->o_bd->be_nsuffix[i]; stop at the first match */
	if ( dnIsSuffix( ndn, &op->o_bd->be_nsuffix[i] ) ) break;
	i++;
}

gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add fails
as slapd will then try to add an entry such as "cn=John,o=My Certificate
Authority" to the root, which won't be permitted.

Regards,
John de Freitas




Followup 1

Date: Thu, 24 Feb 2005 22:17:52 -0800
From: Howard Chu <hyc@symas.com>
To: john_de_f@hotmail.com
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend
This is a known deficiency in back-bdb, your analysis is correct. The 
ideal fix would be for slapd/backend.c:select_backend() to return the 
index of the suffix it matched in addition to the backend it found, so 
that this comparison need not be performed redundantly throughout the 
rest of the code. I may do this in 2.3, but no plans for 2.2.



-- 
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support



Followup 2

From: "John de Freitas" <john_de_f@hotmail.com>
To: hyc@symas.com
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend
Date: Fri, 25 Feb 2005 14:12:35 +0000
Thank you for the reply. I searched the known bug list; is this a duplicate?

Also, I have implemented a patch in back-bdb/cache.c to select the correct 
suffix, but now that I read your comment about backend.c, I see it's not the 
most appropriate fix. Would a patch to backend.c along the lines you 
suggested be considered for 2.2.x, or are all modifications of this type 
confined to 2.3? If so, I'll just go along with my local fix.

Regards,
John de Freitas





Followup 3

Date: Mon, 28 Feb 2005 08:47:54 -0800
From: Howard Chu <hyc@symas.com>
To: john_de_f@hotmail.com
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend
john_de_f@hotmail.com wrote:

>Thank you for the reply. I searched the known bug list; is this a duplicate?
>
>Also, I have implemented a patch in back-bdb/cache.c to select the correct 
>suffix, but now that I read your comment about backend.c, I see it's not the
>most appropriate fix. Would a patch to backend.c along the lines you 
>suggested be considered for 2.2.x, or are all modifications of this type 
>confined to 2.3? If so, I'll just go along with my local fix.
>  
>
Patching select_backend() will affect 30-some files, so I'm not sure 
we'd want to change this in 2.2. On the other hand, a patch against CVS 
HEAD would probably port equally well to 2.3 and 2.2. Multiple-suffix 
support is not a priority for us though, it's preferred that you use one 
suffix per database. Overall I'm less inclined to patch this in 2.2.

As a hint, you need to add an (int *) argument to select_backend, and 
add an o_isuffix (or something) to the Operation structure in slap.h, 
and reference it consistently in back-bdb.



-- 
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
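The following is an added example, not code from OpenLDAP or from either participant in this ITS. It models both points of the thread in one self-contained C file: John's diagnosis that bdb_cache_find_ndn() slices the root RDN using be_nsuffix[0] regardless of which suffix the DN actually belongs to, and Howard's suggested design of deciding the suffix index once (the extra (int *) argument to select_backend) and carrying it on the operation. The names struct berval and be_nsuffix mirror slapd's but are local reimplementations here; dn_is_suffix stands in for slapd's dnIsSuffix; the two suffixes and the DNs are constructed sample values.

```c
/* Added example (not OpenLDAP's code): a self-contained model of the
 * suffix-index problem discussed in ITS#3569.  struct berval and the
 * be_nsuffix array mirror slapd's names; dn_is_suffix stands in for
 * slapd's dnIsSuffix.  All values below are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct berval { size_t bv_len; char *bv_val; };

/* Constructed sample backend: two normalized suffixes, NULL-terminated
 * like slapd's be_nsuffix array. */
static struct berval sample_nsuffix[] = {
    { 17, "dc=example,dc=com" },
    { 26, "o=my certificate authority" },
    { 0, NULL }
};

/* True when dn ends with suffix at an RDN boundary (exact match, or a
 * ',' immediately before the suffix).  A bare byte-suffix test would
 * wrongly accept "xo=my certificate authority". */
static int dn_is_suffix(const struct berval *dn, const struct berval *suffix)
{
    size_t d = dn->bv_len, s = suffix->bv_len;
    if (d < s) return 0;
    if (memcmp(dn->bv_val + d - s, suffix->bv_val, s) != 0) return 0;
    return d == s || dn->bv_val[d - s - 1] == ',';
}

/* Howard's suggestion, modelled: decide once which suffix a DN belongs to
 * and hand the index back through an (int *), so later code never has to
 * guess.  Returns 0 and sets *isuffix on a match; -1 and *isuffix = -1
 * when no suffix of this backend matches. */
static int select_suffix(const struct berval *nsuffix, const struct berval *ndn, int *isuffix)
{
    int i;
    for (i = 0; nsuffix[i].bv_val != NULL; i++) {
        if (dn_is_suffix(ndn, &nsuffix[i])) {
            *isuffix = i;
            return 0;
        }
    }
    *isuffix = -1;
    return -1;
}

/* The slice bdb_cache_find_ndn() starts from: the suffix portion at the
 * end of ndn.  Which suffix is passed in decides whether it is right. */
static struct berval root_rdn(const struct berval *ndn, const struct berval *suffix)
{
    struct berval r = { 0, NULL };
    if (suffix->bv_len > ndn->bv_len) return r;   /* guard against underflow */
    r.bv_len = suffix->bv_len;
    r.bv_val = ndn->bv_val + ndn->bv_len - suffix->bv_len;
    return r;
}

static struct berval bv(const char *s)
{
    struct berval b;
    b.bv_len = strlen(s);
    b.bv_val = (char *)s;
    return b;
}

/* Index of the sample suffix a DN belongs to, or -1. */
static int suffix_index_for(const char *dn)
{
    struct berval ndn = bv(dn);
    int i;
    select_suffix(sample_nsuffix, &ndn, &i);
    return i;
}

/* Slice the root RDN using suffix number isuffix (the buggy code always
 * uses 0) and report whether it equals expected. */
static int root_rdn_is(const char *dn, int isuffix, const char *expected)
{
    struct berval ndn, r;
    if (isuffix < 0) return 0;
    ndn = bv(dn);
    r = root_rdn(&ndn, &sample_nsuffix[isuffix]);
    return r.bv_len == strlen(expected) && memcmp(r.bv_val, expected, r.bv_len) == 0;
}

int main(void)
{
    const char *dn = "cn=john,o=my certificate authority";
    struct berval ndn = bv(dn);
    int i = suffix_index_for(dn);
    struct berval bad = root_rdn(&ndn, &sample_nsuffix[0]);
    struct berval good = root_rdn(&ndn, &sample_nsuffix[i]);

    printf("matched suffix index: %d\n", i);
    printf("always be_nsuffix[0]: \"%.*s\"\n", (int)bad.bv_len, bad.bv_val);
    printf("be_nsuffix[%d]:       \"%.*s\"\n", i, (int)good.bv_len, good.bv_val);
    return 0;
}
```

Run as-is, the program shows that for a DN under the second suffix the be_nsuffix[0] slice lands mid-string ("ificate authority"), which is the wrong offset gdb showed John, while the slice taken with the selected index is the real root RDN. The boundary check in dn_is_suffix is the part worth keeping in mind when writing the real comparison: matching raw bytes at the end of the DN would treat an unrelated entry whose DN merely ends in the suffix text as belonging to that naming context.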




The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org