Issue 3569 - Issue with multiple suffixes in a single bdb backend
Summary: Issue with multiple suffixes in a single bdb backend
Status: VERIFIED SUSPENDED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-24 17:57 UTC by john_de_f@hotmail.com
Modified: 2021-08-03 17:59 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this issue.
Description john_de_f@hotmail.com 2005-02-24 17:57:18 UTC
Full_Name: John de Freitas
Version: 2.2.23
OS: Linux (RH 7.3 kernel 2.4.18-3)
URL: 
Submission from: (NULL) (67.93.141.190)


I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the backend.

My slapd.conf has 2 suffixes for this backend (I added the BDB_MULTIPLE_SUFFIXES
preprocessor define to servers/slapd/back-bdb/init.c). The relevant portion of
my slapd.conf is:

database         bdb
suffix           "dc=example,dc=com"
suffix           "o=My Certificate Authority"
rootdn           "dn=Manager,dc=example,dc=com"
rootpwd          secret

I can add entries under the first suffix without problem; I cannot for the
second. The error reported by slapd is: 

<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
bdb_add: entry at root denied

I believe the problem is in servers/slapd/back-bdb/cache.c, in
bdb_cache_find_ndn().
The code there assumes that the current entry is for the first suffix:

                /* we're searching a full DN from the root */
                ptr = ndn->bv_val + ndn->bv_len -
op->o_bd->be_nsuffix[0].bv_len;
                ei.bei_nrdn.bv_val = ptr;
                ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;

I can add using this first suffix, but in order to add entries for suffixes
2...N, the code would need to search through all op->o_bd->be_nsuffix
entries.Something like:


int i=0; 
while(op->o_bd->be_nsuffix[i] != NULL) {
  /* compare ndn->bv_val and op->o_bd->be_nsuffix[i] 
   * if match, break; if not, i++ 
   */
}

gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add fails
as slapd will then try to add an entry such as "cn=John,o=My Certificate
Authority" to the root, which won't be permitted.

Regards,
John de Freitas



Comment 1 Howard Chu 2005-02-25 06:17:52 UTC
This is a known deficiency in back-bdb, your analysis is correct. The 
ideal fix would be for slapd/backend.c:select_backend() to return the 
index of the suffix it matched in addition to the backend it found, so 
that this comparison need not be performed redundantly throughout the 
rest of the code. I may do this in 2.3, but no plans for 2.2.

john_de_f@hotmail.com wrote:

>Full_Name: John de Freitas
>Version: 2.2.23
>OS: Linux (RH 7.3 kernel 2.4.18-3)
>URL: 
>Submission from: (NULL) (67.93.141.190)
>
>
>I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the backend.
>
>My slapd.conf has 2 suffixes for this backend (I added the BDB_MULTIPLE_SUFFIXES
>preprocessor define to servers/slapd/back-bdb/init.c). The relevant portion of
>my slapd.conf is:
>
>database         bdb
>suffix           "dc=example,dc=com"
>suffix           "o=My Certificate Authority"
>rootdn           "dn=Manager,dc=example,dc=com"
>rootpwd          secret
>
>I can add entries under the first suffix without problem; I cannot for the
>second. The error reported by slapd is: 
>
><= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
>bdb_add: entry at root denied
>
>I believe the problem is in servers/slapd/back-bdb/cache.c, in
>bdb_cache_find_ndn().
>The code there assumes that the current entry is for the first suffix:
>
>                /* we're searching a full DN from the root */
>                ptr = ndn->bv_val + ndn->bv_len -
>op->o_bd->be_nsuffix[0].bv_len;
>                ei.bei_nrdn.bv_val = ptr;
>                ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;
>
>I can add using this first suffix, but in order to add entries for suffixes
>2...N, the code would need to search through all op->o_bd->be_nsuffix
>entries.Something like:
>
>
>int i=0; 
>while(op->o_bd->be_nsuffix[i] != NULL) {
>  /* compare ndn->bv_val and op->o_bd->be_nsuffix[i] 
>   * if match, break; if not, i++ 
>   */
>}
>
>gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add fails
>as slapd will then try to add an entry such as "cn=John,o=My Certificate
>Authority" to the root, which won't be permitted.
>
>Regards,
>John de Freitas
>
>
>  
>


-- 
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

Comment 2 john_de_f@hotmail.com 2005-02-25 14:12:35 UTC
Thank you for the reply. I searched the known bug list; is this a duplicate?

Also, I have implemented a patch in back-bdb/cache.c to select the correct 
suffix, but now that I read your comment about backend.c, I see it's not the 
most appropriate fix. Would a patch to backend.c along the lines you 
suggested be considered for 2.2.x, or are all modifications of this type 
confined to 2.3? If so, I'll just go along with my local fix.

Regards,
John de Freitas

>From: Howard Chu <hyc@symas.com>
>To: john_de_f@hotmail.com
>CC: openldap-its@OpenLDAP.org
>Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb 
>backend
>Date: Thu, 24 Feb 2005 22:17:52 -0800
>
>This is a known deficiency in back-bdb, your analysis is correct. The ideal 
>fix would be for slapd/backend.c:select_backend() to return the index of 
>the suffix it matched in addition to the backend it found, so that this 
>comparison need not be performed redundantly throughout the rest of the 
>code. I may do this in 2.3, but no plans for 2.2.
>
>john_de_f@hotmail.com wrote:
>
>>Full_Name: John de Freitas
>>Version: 2.2.23
>>OS: Linux (RH 7.3 kernel 2.4.18-3)
>>URL: Submission from: (NULL) (67.93.141.190)
>>
>>
>>I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the 
>>backend.
>>
>>My slapd.conf has 2 suffixes for this backend (I added the 
>>BDB_MULTIPLE_SUFFIXES
>>preprocessor define to servers/slapd/back-bdb/init.c). The relevant 
>>portion of
>>my slapd.conf is:
>>
>>database         bdb
>>suffix           "dc=example,dc=com"
>>suffix           "o=My Certificate Authority"
>>rootdn           "dn=Manager,dc=example,dc=com"
>>rootpwd          secret
>>
>>I can add entries under the first suffix without problem; I cannot for the
>>second. The error reported by slapd is:
>>
>><= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found 
>>(-30989)
>>bdb_add: entry at root denied
>>
>>I believe the problem is in servers/slapd/back-bdb/cache.c, in
>>bdb_cache_find_ndn().
>>The code there assumes that the current entry is for the first suffix:
>>
>>                /* we're searching a full DN from the root */
>>                ptr = ndn->bv_val + ndn->bv_len -
>>op->o_bd->be_nsuffix[0].bv_len;
>>                ei.bei_nrdn.bv_val = ptr;
>>                ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;
>>
>>I can add using this first suffix, but in order to add entries for 
>>suffixes
>>2...N, the code would need to search through all op->o_bd->be_nsuffix
>>entries.Something like:
>>
>>
>>int i=0; while(op->o_bd->be_nsuffix[i] != NULL) {
>>  /* compare ndn->bv_val and op->o_bd->be_nsuffix[i]   * if match, break; 
>>if not, i++   */
>>}
>>
>>gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add 
>>fails
>>as slapd will then try to add an entry such as "cn=John,o=My Certificate
>>Authority" to the root, which won't be permitted.
>>
>>Regards,
>>John de Freitas
>>
>>
>>
>>
>
>
>--
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support
>


Comment 3 Howard Chu 2005-02-28 16:47:54 UTC
john_de_f@hotmail.com wrote:

>Thank you for the reply. I searched the known bug list; is this a duplicate?
>
>Also, I have implemented a patch in back-bdb/cache.c to select the correct 
>suffix, but now that I read your comment about backend.c, I see it's not the 
>most appropriate fix. Would a patch to backend.c along the lines you 
>suggested be considered for 2.2.x, or are all modifications of this type 
>confined to 2.3? If so, I'll just go along with my local fix.
>  
>
Patching select_backend() will affect 30-some files, so I'm not sure 
we'd want to change this in 2.2. On the other hand, a patch against CVS 
HEAD would probably port equally well to 2.3 and 2.2. Multiple-suffix 
support is not a priority for us though, it's preferred that you use one 
suffix per database. Overall I'm less inclined to patch this in 2.2.

As a hint, you need to add an (int *) argument to select_backend, and 
add an o_isuffix (or something) to the Operation structure in slap.h, 
and reference it consistently in back-bdb.

>>From: Howard Chu <hyc@symas.com>
>>To: john_de_f@hotmail.com
>>CC: openldap-its@OpenLDAP.org
>>Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb 
>>backend
>>Date: Thu, 24 Feb 2005 22:17:52 -0800
>>
>>This is a known deficiency in back-bdb, your analysis is correct. The ideal 
>>fix would be for slapd/backend.c:select_backend() to return the index of 
>>the suffix it matched in addition to the backend it found, so that this 
>>comparison need not be performed redundantly throughout the rest of the 
>>code. I may do this in 2.3, but no plans for 2.2.
>>


-- 
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

Comment 4 Howard Chu 2005-04-16 19:07:14 UTC
changed notes
Comment 5 Howard Chu 2005-04-21 08:45:50 UTC
changed state Open to Suspended
moved from Incoming to Software Enhancements
Comment 6 OpenLDAP project 2014-08-01 21:04:52 UTC
low priority