OpenLDAP
Viewing Software Enhancements/5990

From: crispy@cluenet.org
Subject: Segmentation Fault with slapd with two olcSyncrepl directives in the config database
Date: Wed, 04 Mar 2009 21:12:09 +0000
From: crispy@cluenet.org
To: openldap-its@OpenLDAP.org
Subject: Segmentation Fault with slapd with two olcSyncrepl directives in the config database
Full_Name: Chris Breneman
Version: 2.4.15
OS: Debian Lenny
URL: 
Submission from: (NULL) (207.38.203.80)


Using this configuration on a replication consumer, it segfaults almost
immediately, and on startup.

Config (standard schema files left out):
=== ./slapd.d/cn=config.ldif ===
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /home/slapd/slapd.conf.skel
olcConfigDir: /home/slapd/usr/etc/openldap/slapd.d
olcArgsFile: /home/slapd/usr/var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /home/slapd/usr/var/run/slapd.pid
olcReadOnly: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 410a9404-9d47-102d-884d-57b95f7e164c
creatorsName: cn=config
createTimestamp: 20090304203158Z
entryCSN: 20090304203158.642980Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090304203158Z

=== ./slapd.d/cn=config/olcDatabase={-1}frontend.ldif ===
dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 0
olcReadOnly: FALSE
olcSchemaDN: cn=Subschema
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 410b05ba-9d47-102d-8853-57b95f7e164c
creatorsName: cn=config
createTimestamp: 20090304203158Z
entryCSN: 20090304203158.642980Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090304203158Z

=== ./slapd.d/cn=config/olcDatabase={0}config.ldif ===
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcRootPW:: XXXXXXXXXXX
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 410b0970-9d47-102d-8854-57b95f7e164c
creatorsName: cn=config
createTimestamp: 20090304203158Z
olcSyncrepl: {0}rid=3 provider=ldap://ldap.cluenet.org type=refreshAndPersist 
 interval=00:00:01:00 retry="60 10 300 +" searchbase="cn=schema,cn=config" bin
 dmethod=simple binddn="cn=replicator,dc=cluenet,dc=org" credentials="xxxxxxxx
 xxxxxxxxx" starttls=critical tls_cacert=/etc/ssl/certs/Cluenet.pem tls_reqcer
 t=demand
olcSyncrepl: {1}rid=4 provider=ldap://ldap.cluenet.org type=refreshAndPersist 
 interval=00:00:01:00 retry="60 10 300 +" searchbase="olcDatabase={0}config,cn
 =config" attrs=olcAccess bindmethod=simple binddn="cn=replicator,dc=cluenet,d
 c=org" credentials="xxxxxxxxxxxxxxxxx" starttls=critical tls_cacert=/etc/ssl/
 certs/Cluenet.pem tls_reqcert=demand
entryCSN: 20090304203402.651594Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090304203402Z

Backtrace:
#0  0x0805a0e7 in config_add_internal (cfb=0x8207ba0, e=0x8fe5554, ca=0xb68fc568, rs=0xb68fd974, renum=0xb68fd6e0, op=0xb68fdd24) at bconfig.c:4521
#1  0x0805a9c8 in config_back_add (op=0xb68fdd24, rs=0xb68fd974) at bconfig.c:4730
#2  0x080dda6c in syncrepl_entry (si=0x900bd08, op=0xb68fdd24, entry=0x8fe5554, modlist=0xb68fdb38, syncstate=1, syncUUID=0xb68fdb90, syncCSN=0x0) at syncrepl.c:2153
#3  0x080d9622 in do_syncrep2 (op=0xb68fdd24, si=0x900bd08) at syncrepl.c:890
#4  0x080daf2c in do_syncrepl (ctx=0xb68fe210, arg=0x900c008) at syncrepl.c:1333
#5  0x0806cf10 in connection_read_thread (ctx=0xb68fe210, argv=0xd) at connection.c:1225
#6  0x0816ba54 in ldap_int_thread_pool_wrapper (xpool=0x8fccf08) at tpool.c:663
#7  0xb7e4bf3b in start_thread () from /lib/libpthread.so.0
#8  0xb7be0bee in clone () from /lib/libc.so.6


Last lines with -d -1:
syncrepl_entry: rid=003 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
syncrepl_entry: rid=003 inserted UUID 3d9f90aa-9ba6-102d-9a95-995804f089ee
=> access_allowed: search access to "cn=schema,cn=config" "entry" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> test_filter
    EQUALITY
=> access_allowed: search access to "cn=schema,cn=config" "entryUUID" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
<= test_filter 5
=> test_filter
    EQUALITY
=> access_allowed: search access to "cn={0}core,cn=schema,cn=config" "entryUUID" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
<= test_filter 5
=> test_filter
    EQUALITY
=> access_allowed: search access to "cn={1}cosine,cn=schema,cn=config" "entryUUID" requested
<= root access granted
=> access_allowed: s

Message of length 6150 truncated

Followup 1

Date: Wed, 04 Mar 2009 14:48:35 -0800
From: Howard Chu <hyc@symas.com>
To: crispy@cluenet.org
CC: openldap-its@openldap.org
Subject: Re: (ITS#5990) Segmentation Fault with slapd with two olcSyncrepl
 directives in the config database
crispy@cluenet.org wrote:
> Full_Name: Chris Breneman
> Version: 2.4.15
> OS: Debian Lenny
> URL:
> Submission from: (NULL) (207.38.203.80)
>
>
> Using this configuration on a replication consumer, it segfaults almost
> immediately, and on startup.

> === ./slapd.d/cn=config/olcDatabase={0}config.ldif ===
> dn: olcDatabase={0}config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcAccess: {0}to *  by * none
> olcAddContentAcl: TRUE
> olcLastMod: TRUE
> olcMaxDerefDepth: 15
> olcReadOnly: FALSE
> olcRootDN: cn=config
> olcRootPW:: XXXXXXXXXXX
> olcMonitoring: FALSE
> structuralObjectClass: olcDatabaseConfig
> entryUUID: 410b0970-9d47-102d-8854-57b95f7e164c
> creatorsName: cn=config
> createTimestamp: 20090304203158Z
> olcSyncrepl: {0}rid=3 provider=ldap://ldap.cluenet.org type=refreshAndPersist
>   interval=00:00:01:00 retry="60 10 300 +" searchbase="cn=schema,cn=config" bin
>   dmethod=simple binddn="cn=replicator,dc=cluenet,dc=org" credentials="xxxxxxxx
>   xxxxxxxxx" starttls=critical tls_cacert=/etc/ssl/certs/Cluenet.pem tls_reqcer
>   t=demand
> olcSyncrepl: {1}rid=4 provider=ldap://ldap.cluenet.org type=refreshAndPersist
>   interval=00:00:01:00 retry="60 10 300 +" searchbase="olcDatabase={0}config,cn
>   =config" attrs=olcAccess bindmethod=simple binddn="cn=replicator,dc=cluenet,d
>   c=org" credentials="xxxxxxxxxxxxxxxxx" starttls=critical tls_cacert=/etc/ssl/
>   certs/Cluenet.pem tls_reqcert=demand
> entryCSN: 20090304203402.651594Z#000000#000#000000
> modifiersName: cn=config
> modifyTimestamp: 20090304203402Z

This replication config is not currently supported. Fractional replication 
means the consumer gets a subset of the provider's attributes. But it also 
means that the consumer can *only* have that subset. Here, cn=config needs all 
of its attributes in order to function, but the consumer code will attempt to 
delete the non-replicated ones because they aren't part of the info received 
from the provider.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
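
A pre-deployment check for the configuration discussed in this thread, as an added example that is not part of the original messages and is not OpenLDAP code: it unfolds a slapd.d LDIF file, parses each olcSyncrepl value, and reports consumers that fractionally replicate a search base under cn=config. The sample LDIF is constructed from the report's values with placeholder credentials, and the function names and the "fractional" heuristic (exattrs present, or an attrs list without "*") are assumptions of this example.

```python
import re
import shlex

# Constructed sample modelled on the report's olcDatabase={0}config.ldif:
# same rid, searchbase and attrs values, placeholder credentials, lines folded
# LDIF-style (a continuation line starts with exactly one space).
SAMPLE_LDIF = """\
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcSyncrepl: {0}rid=3 provider=ldap://ldap.cluenet.org type=refreshAndPer
 sist retry="60 10 300 +" searchbase="cn=schema,cn=config" bindmethod=sim
 ple binddn="cn=replicator,dc=cluenet,dc=org" credentials="PLACEHOLDER"
olcSyncrepl: {1}rid=4 provider=ldap://ldap.cluenet.org type=refreshAndPer
 sist retry="60 10 300 +" searchbase="olcDatabase={0}config,cn=config" at
 trs=olcAccess bindmethod=simple credentials="PLACEHOLDER"
"""

def syncrepl_directives(ldif_text):
    """Unfold LDIF and yield each olcSyncrepl value as a dict of key=value pairs."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # join folded continuation lines
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.lower() != "olcsyncrepl":
            continue
        value = re.sub(r"^\{\d+\}", "", value.strip())  # drop the {n} ordering prefix
        # shlex keeps quoted values such as retry="60 10 300 +" in one token
        yield dict(tok.partition("=")[::2] for tok in shlex.split(value))

def is_fractional(params):
    """Heuristic of this example: exattrs is set, or attrs lacks the '*' wildcard."""
    attrs = [a.strip() for a in params.get("attrs", "*,+").split(",")]
    return "exattrs" in params or "*" not in attrs

def unsupported_config_replication(ldif_text):
    """Return (rid, searchbase) for fractional syncrepl rooted under cn=config."""
    findings = []
    for p in syncrepl_directives(ldif_text):
        base = re.sub(r"\s*,\s*", ",", p.get("searchbase", "")).lower()
        under_config = base == "cn=config" or base.endswith(",cn=config")
        if under_config and is_fractional(p):
            findings.append((p.get("rid"), p.get("searchbase")))
    return findings

if __name__ == "__main__":
    for rid, base in unsupported_config_replication(SAMPLE_LDIF):
        print(f"rid={rid}: fractional replication of {base} is not supported")
```

On the sample, only rid=4 is reported; rid=3 replicates cn=schema,cn=config with the default attribute list and is not flagged by this check.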


______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org