Software Enhancements/3569
Notes: low priority
Date: Thu, 24 Feb 2005 17:57:18 GMT
From: john_de_f@hotmail.com
To: openldap-its@OpenLDAP.org
Subject: Issue with multiple suffixes in a single bdb backend
Full_Name: John de Freitas
Version: 2.2.23
OS: Linux (RH 7.3 kernel 2.4.18-3)
URL:
Submission from: (NULL) (67.93.141.190)


I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the backend.

My slapd.conf has 2 suffixes for this backend (I added the BDB_MULTIPLE_SUFFIXES
preprocessor define to servers/slapd/back-bdb/init.c). The relevant portion of
my slapd.conf is:

database bdb
suffix "dc=example,dc=com"
suffix "o=My Certificate Authority"
rootdn "dn=Manager,dc=example,dc=com"
rootpwd secret

I can add entries under the first suffix without problem; I cannot for the
second. The error reported by slapd is:

<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
bdb_add: entry at root denied

I believe the problem is in servers/slapd/back-bdb/cache.c, in
bdb_cache_find_ndn(). The code there assumes that the current entry is for the
first suffix:

    /* we're searching a full DN from the root */
    ptr = ndn->bv_val + ndn->bv_len - op->o_bd->be_nsuffix[0].bv_len;
    ei.bei_nrdn.bv_val = ptr;
    ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;

I can add using this first suffix, but in order to add entries for suffixes
2...N, the code would need to search through all op->o_bd->be_nsuffix
entries. Something like:

    int i = 0;
    /* be_nsuffix is a BerVarray, terminated by an element whose bv_val is NULL */
    while ( op->o_bd->be_nsuffix[i].bv_val != NULL ) {
        /* compare ndn->bv_val and op->o_bd->be_nsuffix[i];
         * if match, break; if not, i++
         */
    }

gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add fails
as slapd will then try to add an entry such as "cn=John,o=My Certificate
Authority" to the root, which won't be permitted.

Regards,
John de Freitas
Date: Thu, 24 Feb 2005 22:17:52 -0800
From: Howard Chu <hyc@symas.com>
To: john_de_f@hotmail.com
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend
This is a known deficiency in back-bdb, your analysis is correct. The ideal
fix would be for slapd/backend.c:select_backend() to return the index of
the suffix it matched in addition to the backend it found, so that this
comparison need not be performed redundantly throughout the rest of the
code. I may do this in 2.3, but no plans for 2.2.

john_de_f@hotmail.com wrote:
>Full_Name: John de Freitas
>Version: 2.2.23
>OS: Linux (RH 7.3 kernel 2.4.18-3)
>URL:
>Submission from: (NULL) (67.93.141.190)
>
>
>I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the backend.
>
>My slapd.conf has 2 suffixes for this backend (I added the BDB_MULTIPLE_SUFFIXES
>preprocessor define to servers/slapd/back-bdb/init.c). The relevant portion of
>my slapd.conf is:
>
>database bdb
>suffix "dc=example,dc=com"
>suffix "o=My Certificate Authority"
>rootdn "dn=Manager,dc=example,dc=com"
>rootpwd secret
>
>I can add entries under the first suffix without problem; I cannot for the
>second. The error reported by slapd is:
>
><= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
>bdb_add: entry at root denied
>
>I believe the problem is in servers/slapd/back-bdb/cache.c, in
>bdb_cache_find_ndn().
>The code there assumes that the current entry is for the first suffix:
>
>    /* we're searching a full DN from the root */
>    ptr = ndn->bv_val + ndn->bv_len -
>op->o_bd->be_nsuffix[0].bv_len;
>    ei.bei_nrdn.bv_val = ptr;
>    ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;
>
>I can add using this first suffix, but in order to add entries for suffixes
>2...N, the code would need to search through all op->o_bd->be_nsuffix
>entries. Something like:
>
>
>int i=0;
>while(op->o_bd->be_nsuffix[i] != NULL) {
>    /* compare ndn->bv_val and op->o_bd->be_nsuffix[i]
>     * if match, break; if not, i++
>     */
>}
>
>gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add fails
>as slapd will then try to add an entry such as "cn=John,o=My Certificate
>Authority" to the root, which won't be permitted.
>
>Regards,
>John de Freitas
>
>
>
>

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
From: "John de Freitas" <john_de_f@hotmail.com>
To: hyc@symas.com
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend
Date: Fri, 25 Feb 2005 14:12:35 +0000
Thank you for the reply. I searched the known bug list; is this a duplicate?

Also, I have implemented a patch in back-bdb/cache.c to select the correct
suffix, but now that I read your comment about backend.c, I see it's not the
most appropriate fix. Would a patch to backend.c along the lines you
suggested be considered for 2.2.x, or are all modifications of this type
confined to 2.3? If so, I'll just go along with my local fix.

Regards,
John de Freitas

>From: Howard Chu <hyc@symas.com>
>To: john_de_f@hotmail.com
>CC: openldap-its@OpenLDAP.org
>Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb
>backend
>Date: Thu, 24 Feb 2005 22:17:52 -0800
>
>This is a known deficiency in back-bdb, your analysis is correct. The ideal
>fix would be for slapd/backend.c:select_backend() to return the index of
>the suffix it matched in addition to the backend it found, so that this
>comparison need not be performed redundantly throughout the rest of the
>code. I may do this in 2.3, but no plans for 2.2.
>
>john_de_f@hotmail.com wrote:
>
>>Full_Name: John de Freitas
>>Version: 2.2.23
>>OS: Linux (RH 7.3 kernel 2.4.18-3)
>>URL: Submission from: (NULL) (67.93.141.190)
>>
>>
>>I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the
>>backend.
>>
>>My slapd.conf has 2 suffixes for this backend (I added the
>>BDB_MULTIPLE_SUFFIXES
>>preprocessor define to servers/slapd/back-bdb/init.c). The relevant
>>portion of
>>my slapd.conf is:
>>
>>database bdb
>>suffix "dc=example,dc=com"
>>suffix "o=My Certificate Authority"
>>rootdn "dn=Manager,dc=example,dc=com"
>>rootpwd secret
>>
>>I can add entries under the first suffix without problem; I cannot for the
>>second. The error reported by slapd is:
>>
>><= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found
>>(-30989)
>>bdb_add: entry at root denied
>>
>>I believe the problem is in servers/slapd/back-bdb/cache.c, in
>>bdb_cache_find_ndn().
>>The code there assumes that the current entry is for the first suffix:
>>
>>    /* we're searching a full DN from the root */
>>    ptr = ndn->bv_val + ndn->bv_len -
>>op->o_bd->be_nsuffix[0].bv_len;
>>    ei.bei_nrdn.bv_val = ptr;
>>    ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;
>>
>>I can add using this first suffix, but in order to add entries for
>>suffixes
>>2...N, the code would need to search through all op->o_bd->be_nsuffix
>>entries. Something like:
>>
>>
>>int i=0; while(op->o_bd->be_nsuffix[i] != NULL) {
>>    /* compare ndn->bv_val and op->o_bd->be_nsuffix[i] * if match, break;
>>if not, i++ */
>>}
>>
>>gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add
>>fails
>>as slapd will then try to add an entry such as "cn=John,o=My Certificate
>>Authority" to the root, which won't be permitted.
>>
>>Regards,
>>John de Freitas
>>
>>
>>
>>
>
>
>--
> -- Howard Chu
> Chief Architect, Symas Corp.       Director, Highland Sun
> http://www.symas.com               http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
Date: Mon, 28 Feb 2005 08:47:54 -0800
From: Howard Chu <hyc@symas.com>
To: john_de_f@hotmail.com
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend
john_de_f@hotmail.com wrote:
>Thank you for the reply. I searched the known bug list; is this a duplicate?
>
>Also, I have implemented a patch in back-bdb/cache.c to select the correct
>suffix, but now that I read your comment about backend.c, I see it's not the
>most appropriate fix. Would a patch to backend.c along the lines you
>suggested be considered for 2.2.x, or are all modifications of this type
>confined to 2.3? If so, I'll just go along with my local fix.
>
>
Patching select_backend() will affect 30-some files, so I'm not sure we'd want
to change this in 2.2. On the other hand, a patch against CVS HEAD would
probably port equally well to 2.3 and 2.2. Multiple-suffix support is not a
priority for us though, it's preferred that you use one suffix per database.
Overall I'm less inclined to patch this in 2.2.

As a hint, you need to add an (int *) argument to select_backend, and add an
o_isuffix (or something) to the Operation structure in slap.h, and reference it
consistently in back-bdb.

>>From: Howard Chu <hyc@symas.com>
>>To: john_de_f@hotmail.com
>>CC: openldap-its@OpenLDAP.org
>>Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb
>>backend
>>Date: Thu, 24 Feb 2005 22:17:52 -0800
>>
>>This is a known deficiency in back-bdb, your analysis is correct. The ideal
>>fix would be for slapd/backend.c:select_backend() to return the index of
>>the suffix it matched in addition to the backend it found, so that this
>>comparison need not be performed redundantly throughout the rest of the
>>code. I may do this in 2.3, but no plans for 2.2.
>>

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
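The suffix scan John sketches in the report and the per-operation suffix index Howard suggests for select_backend() are combined below in one stand-alone C model added here; it is not code from the thread or from OpenLDAP. It assumes simplified stand-ins for struct berval, the Operation structure and its o_isuffix field, a constructed be_nsuffix table holding the two suffixes from the reported slapd.conf, and DNs already normalized to lower case.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for slapd types, reduced to what this example needs (constructed). */
struct berval { size_t bv_len; const char *bv_val; };
struct Operation { int o_isuffix; };   /* the field Howard suggests adding to slap.h */

/* The two suffixes from the reported slapd.conf, in normalized (lower-case) form
 * and terminated by a NULL bv_val like slapd's BerVarray. Constructed sample data. */
static const struct berval be_nsuffix[] = {
    { 17, "dc=example,dc=com" },
    { 26, "o=my certificate authority" },
    { 0, NULL },
};

/* The loop the report proposes, i.e. the index select_backend() would hand back:
 * the suffix ndn ends with (whole DN, or preceded by the ',' RDN separator), or -1. */
int match_suffix_index(const struct berval *ndn)
{
    for (int i = 0; be_nsuffix[i].bv_val != NULL; i++) {
        size_t slen = be_nsuffix[i].bv_len;
        if (slen > ndn->bv_len) continue;
        const char *tail = ndn->bv_val + ndn->bv_len - slen;
        if (memcmp(tail, be_nsuffix[i].bv_val, slen) != 0) continue;
        if (slen == ndn->bv_len || tail[-1] == ',') return i;
    }
    return -1;
}

/* What the cache lookup then does with the index instead of hard-coding [0]:
 * returns the offset into dn where its suffix starts, or -1 if nothing matches. */
long suffix_offset(const char *dn, struct Operation *op)
{
    struct berval ndn = { strlen(dn), dn };
    op->o_isuffix = match_suffix_index(&ndn);   /* select_backend() would set this */
    if (op->o_isuffix < 0) return -1;
    return (long)(ndn.bv_len - be_nsuffix[op->o_isuffix].bv_len);
}

int main(void)
{
    struct Operation op;
    const char *dn = "cn=john,o=my certificate authority";
    long wrong = (long)(strlen(dn) - be_nsuffix[0].bv_len);  /* 2.2.23 behaviour */
    long right = suffix_offset(dn, &op);
    printf("assuming suffix[0]: bei_nrdn -> \"%s\"\n", dn + wrong);
    printf("suffix[%d] matched: bei_nrdn -> \"%s\"\n", op.o_isuffix, dn + right);
    return 0;
}
```

Run stand-alone, the first line shows the mis-offset tail that lands in the middle of the second suffix, the second shows the tail the cache lookup needs.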
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org