ACL parsing getting incorrect data from connection (ITS#985)
Full_Name: Jim Dutton
Version: 2.0.7
OS: FreeBSD-4.1 (Solaris-2.8, NetBSD-1.2.4)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.230.6.142)
It appears that ACL regex parsing is using the "(IP=:: 389)" port indicator
from a connection instead of the IP address:
[SLAPD log]
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
daemon: conn=0 fd=9 connection from IP=131.230.6.141:58522 (IP=:: 389)
accepted.
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
conn=0 op=0 BIND dn="CN=LDAPSEARCH,OU=SIUC,CN=DUTTON2,DS=OPENLDAP-2.0.7"
method=128
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
conn=0 op=0 RESULT tag=97 err=0 text=
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
conn=0 op=1 SRCH base="o=siuc,c=us" scope=2 filter="(cn=Dutton4 Samba Users)"
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
conn=0 op=2 UNBIND
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
conn=-1 fd=9 closed
[SLAPD ACL clause]
access to filter="cn=Dutton4 Samba Users"
by self write
by dn="cn=Manager,o=SIUC,c=US" write
by sockname=131.230.6.142 read
by sockname=131.230.6.141 read
by sockname=131.230.6.182 read
by * none
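Added example, not part of this report or of OpenLDAP's own source: a small Python model of the acl_mask() walk that the debug trace below shows, fed with the two address strings slapd logged for conn=0. In slapd.access(5) the sockname= selector is compared against the local listener's socket name, which is the parenthesised "(IP=:: 389)" in the log line, while the client's address "IP=131.230.6.141:58522" is what the peername= selector is compared against. The model evaluates the reported 'by' clauses against both strings, and also checks how wide an unanchored dotted-quad pattern with unescaped dots really is. The clause tuples, probe strings and helper names are this example's own assumptions.

```python
import re

# Constructed from the report's own slapd log line for conn=0:
#   "connection from IP=131.230.6.141:58522 (IP=:: 389) accepted."
# slapd prints the client's address first (peername) and the local
# listener's address in parentheses (sockname).
PEERNAME = "IP=131.230.6.141:58522"
SOCKNAME = "IP=:: 389"

# The reported ACL 'by' clauses, transcribed as (selector, pattern, level).
# "*" matches any connection; "self" needs a bound DN equal to the entry DN.
REPORTED_CLAUSES = [
    ("self", None, "write"),
    ("dn", "cn=Manager,o=SIUC,c=US", "write"),
    ("sockname", "131.230.6.142", "read"),
    ("sockname", "131.230.6.141", "read"),
    ("sockname", "131.230.6.182", "read"),
    ("*", None, "none"),
]


def regex_matches(pattern: str, string: str) -> bool:
    """Mimic slapd's regex_matches(): the pattern is searched anywhere in
    the string, so it is only anchored if the pattern itself anchors it."""
    return re.search(pattern, string) is not None


def acl_mask(clauses, *, peername, sockname, bound_dn="", entry_dn=""):
    """Walk the 'by' clauses in order like acl_mask(): the first selector
    that matches the connection decides the access level."""
    for selector, pattern, level in clauses:
        if selector == "*":
            return level
        if selector == "self":
            if bound_dn and bound_dn == entry_dn:
                return level
        elif selector == "dn":
            if regex_matches(pattern, bound_dn):
                return level
        elif selector == "peername":
            if regex_matches(pattern, peername):
                return level
        elif selector == "sockname":
            if regex_matches(pattern, sockname):
                return level
    return "none"


def reported_acl_outcome():
    """The anonymous search from the report: every sockname= pattern is
    tried against 'IP=:: 389', none match, so 'by * none' applies."""
    return acl_mask(REPORTED_CLAUSES, peername=PEERNAME, sockname=SOCKNAME)


def with_peername_selector(clauses):
    """Same patterns, but compared against the client address (peername=)."""
    return [("peername", pat, lvl) if sel == "sockname" else (sel, pat, lvl)
            for sel, pat, lvl in clauses]


def peername_acl_outcome():
    """The same request evaluated with peername= instead of sockname=."""
    return acl_mask(with_peername_selector(REPORTED_CLAUSES),
                    peername=PEERNAME, sockname=SOCKNAME)


# An unanchored pattern with unescaped dots is wider than it looks: the
# dots match any character and the search is not pinned to the address.
LOOSE = "131.230.6.141"
STRICT = r"^IP=131\.230\.6\.141:[0-9]+$"


def pattern_width(pattern):
    """Return which of these constructed client strings a pattern accepts."""
    probes = ["IP=131.230.6.141:58522",   # the real client from the log
              "IP=131.230.6.1415:4000",   # constructed: longer last octet
              "IP=131x230x6x141:1"]       # constructed: dots as wildcards
    return [p for p in probes if regex_matches(pattern, p)]


if __name__ == "__main__":
    print("sockname= clauses:", reported_acl_outcome())   # none
    print("peername= clauses:", peername_acl_outcome())   # read
    print("loose pattern accepts:", pattern_width(LOOSE))
    print("strict pattern accepts:", pattern_width(STRICT))
```

The acl_mask() model reproduces the trace's sequence for the anonymous bind (bound DN is empty, so "self" is skipped and the dn pattern is compared against an empty string), and the pattern_width() check is the reason to write address selectors anchored and with escaped dots.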
[SLAPD debug trace]
daemon: activity on 1 descriptors
daemon: new connection on 9
daemon: added 9r
daemon: activity on:
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
connection_get(9)
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ldap_read: want=1, got=1
0000: 30 0
ldap_read: want=1, got=1
0000: 3e >
ldap_read: want=62, got=62
0000: 02 01 01 60 39 02 01 03 04 32 63 6e 3d 4c 44 41 ...`9....2cn=LDA
0010: 50 53 45 41 52 43 48 2c 6f 75 3d 73 69 75 63 2c PSEARCH,ou=siuc,
0020: 63 6e 3d 64 75 74 74 6f 6e 32 2c 64 73 3d 6f 70 cn=dutton2,ds=op
0030: 65 6e 6c 64 61 70 2d 32 2e 30 2e 37 80 00 enldap-2.0.7..
ber_get_next: tag 0x30 len 62 contents:
ber_dump: buf=0x080a1880 ptr=0x080a1880 end=0x080a18be len=62
0000: 02 01 01 60 39 02 01 03 04 32 63 6e 3d 4c 44 41 ...`9....2cn=LDA
0010: 50 53 45 41 52 43 48 2c 6f 75 3d 73 69 75 63 2c PSEARCH,ou=siuc,
0020: 63 6e 3d 64 75 74 74 6f 6e 32 2c 64 73 3d 6f 70 cn=dutton2,ds=op
0030: 65 6e 6c 64 61 70 2d 32 2e 30 2e 37 80 00 enldap-2.0.7..
ber_get_next
ldap_read: want=1 error=Resource temporarily unavailable
do_bind
ber_get_next on fd 9 failed errno=35 (Resource temporarily unavailable)
ber_scanf fmt ({iat) ber:
ber_dump: buf=0x080a1880 ptr=0x080a1883 end=0x080a18be len=59
0000: 60 39 02 01 03 04 32 63 6e 3d 4c 44 41 50 53 45 `9....2cn=LDAPSE
0010: 41 52 43 48 2c 6f 75 3d 73 69 75 63 2c 63 6e 3d ARCH,ou=siuc,cn=
0020: 64 75 74 74 6f 6e 32 2c 64 73 3d 6f 70 65 6e 6c dutton2,ds=openl
0030: 64 61 70 2d 32 2e 30 2e 37 80 00 dap-2.0.7..
ber_scanf fmt (o}) ber:
ber_dump: buf=0x080a1880 ptr=0x080a18bc end=0x080a18be len=2
0000: 80 00 ..
do_bind: version=3 dn="cn=LDAPSEARCH,ou=siuc,cn=dutton2,ds=openldap-2.0.7"
method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: 0::
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 9
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
do_bind: v3 anonymous bind
daemon: select: listen=8 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
connection_get(9)
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ldap_read: want=1, got=1
0000: 30 0
ldap_read: want=1, got=1
0000: 3e >
ldap_read: want=62, got=62
0000: 02 01 02 63 39 04 0b 6f 3d 73 69 75 63 2c 63 3d ...c9..o=siuc,c=
0010: 75 73 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 us..............
0020: 00 a3 19 04 02 63 6e 04 13 44 75 74 74 6f 6e 34 .....cn..Dutton4
0030: 20 53 61 6d 62 61 20 55 73 65 72 73 30 00 Samba Users0.
ber_get_next: tag 0x30 len 62 contents:
ber_dump: buf=0x080a1840 ptr=0x080a1840 end=0x080a187e len=62
0000: 02 01 02 63 39 04 0b 6f 3d 73 69 75 63 2c 63 3d ...c9..o=siuc,c=
0010: 75 73 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 us..............
0020: 00 a3 19 04 02 63 6e 04 13 44 75 74 74 6f 6e 34 .....cn..Dutton4
0030: 20 53 61 6d 62 61 20 55 73 65 72 73 30 00 Samba Users0.
ber_get_next
ldap_read: want=1 error=Resource temporarily unavailable
do_search
ber_scanf fmt ({aiiiib) ber:
ber_get_next on fd 9 failed errno=35 (Resource temporarily unavailable)
ber_dump: buf=0x080a1840 ptr=0x080a1843 end=0x080a187e len=59
0000: 63 39 04 0b 6f 3d 73 69 75 63 2c 63 3d 75 73 0a c9..o=siuc,c=us.
0010: 01 02 0a 01 00 02 01 00 02 01 00 01 01 00 a3 19 ................
0020: 04 02 63 6e 04 13 44 75 74 74 6f 6e 34 20 53 61 ..cn..Dutton4 Sa
0030: 6d 62 61 20 55 73 65 72 73 30 00 mba Users0.
SRCH "o=siuc,c=us" 2 0 0 0 0
begin get_filter
EQUALITY
ber_scanf fmt ({oo}) ber:
ber_dump: buf=0x080a1840 ptr=0x080a1861 end=0x080a187e len=29
0000: a3 19 04 02 63 6e 04 13 44 75 74 74 6f 6e 34 20 ....cn..Dutton4
0010: 53 61 6d 62 61 20 55 73 65 72 73 30 00 Samba Users0.
end get_filter 0
filter: (cn=Dutton4 Samba Users)
ber_scanf fmt ({v}}) ber:
ber_dump: buf=0x080a1840 ptr=0x080a187c end=0x080a187e len=2
0000: 30 00 0.
attrs:
=> ldbm_back_search
dn2entry_r: dn: "O=SIUC,C=US"
=> dn2id( "O=SIUC,C=US" )
=> ldbm_cache_open( "/usr/tmp/openldap/dn2id.dbb", 514, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 5)
<= ldbm_cache_open (opened 0)
<= dn2id 1
=> id2entry_r( 1 )
=> ldbm_cache_open( "/usr/tmp/openldap/id2entry.dbb", 514, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 5)
<= ldbm_cache_open (opened 1)
=> str2entry
<= str2entry(o=SIUC,c=US) -> -1 (0x80bd960)
entry_rdwr_rlock: ID: 1
<= id2entry_r( 1 ) 0x80bd960 (disk)
search_candidates: base="O=SIUC,C=US" s=2 d=0
=> filter_candidates
AND
=> list_candidates 0xa0
=> filter_candidates
DN SUBTREE
=> dn2idl( "@O=SIUC,C=US" )
=> ldbm_cache_open( "/usr/tmp/openldap/dn2id.dbb", 514, 600 )
<= ldbm_cache_open (cache 0)
<= filter_candidates 599
=> filter_candidates
OR
=> list_candidates 0xa1
=> filter_candidates
EQUALITY
=> equality_candidates
=> ldbm_cache_open( "/usr/tmp/openldap/nextid.dbb", 514, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 5)
<= ldbm_cache_open (opened 2)
=> ldbm_cache_open( "/usr/tmp/openldap/objectClass.dbb", 0, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 5)
<= ldbm_cache_open (opened 3)
=> key_read
<= index_read 0 candidates
<= equality_candidates NULL
daemon: select: listen=8 active_threads=1 tvp=NULL
<= equality_candidates 0
<= filter_candidates 0
=> filter_candidates
EQUALITY
=> equality_candidates
=> ldbm_cache_open( "/usr/tmp/openldap/cn.dbb", 0, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 5)
<= ldbm_cache_open (opened 4)
=> key_read
<= index_read 2 candidates
<= equality_candidates 2
<= filter_candidates 2
<= list_candidates 2
<= filter_candidates 2
<= list_candidates 2
<= filter_candidates 2
entry_rdwr_runlock: ID: 1
====> cache_return_entry_r( 1 ): created (0)
=> id2entry_r( 505 )
=> ldbm_cache_open( "/usr/tmp/openldap/id2entry.dbb", 514, 600 )
<= ldbm_cache_open (cache 1)
=> str2entry
<= str2entry(cn=Samba
Users,cn=Samba,ou=Services,cn=dutton4.it.siu.edu,ou=Network Hosts,ou=Information
Technology,o=Departments,o=SIUC,c=US) -> -1 (0x80bda60)
entry_rdwr_rlock: ID: 505
<= id2entry_r( 505 ) 0x80bda60 (disk)
=> test_filter
EQUALITY
=> access_allowed: search access to "cn=Samba Users,cn=Samba,ou=Services,cn=dutton4.it.siu.edu,ou=Network Hosts,ou=Information Technology,o=Departments,o=SIUC,c=US" "cn" requested
=> dnpat: [1] .*,dc=siu,dc=edu,o=SIUC,d=US nsub: 0
=> dnpat: [2] .*,dc=AppleTalk,o=SIUC,c=US nsub: 0
=> test_filter
EQUALITY
<= test_filter 6
=> acl_get: [3] check attr cn
<= acl_get: [3] acl cn=Samba
Users,cn=Samba,ou=Services,cn=dutton4.it.siu.edu,ou=Network Hosts,ou=Information
Technology,o=Departments,o=SIUC,c=US attr: cn
=> acl_mask: access to entry "cn=Samba
Users,cn=Samba,ou=Services,cn=dutton4.it.siu.edu,ou=Network Hosts,ou=Information
Technology,o=Departments,o=SIUC,c=US", attr "cn" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: cn=Manager,o=SIUC,c=US
=> string_expand: pattern: cn=Manager,o=SIUC,c=US
=> string_expand: expanded: cn=Manager,o=SIUC,c=US
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.142
=> string_expand: pattern: 131.230.6.142
=> string_expand: expanded: 131.230.6.142
=> regex_matches: string: IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.141
=> string_expand: pattern: 131.230.6.141
=> string_expand: expanded: 131.230.6.141
=> regex_matches: string: IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.182
=> string_expand: pattern: 131.230.6.182
=> string_expand: expanded: 131.230.6.182
=> regex_matches: string: IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: *
<= acl_mask: [6] applying none (=n) (stop)
<= acl_mask: [6] mask: none (=n)
=> access_allowed: search access denied by none (=n)
<= test_filter 50
ldbm_search: candidate 505 does not match filter
entry_rdwr_runlock: ID: 505
====> cache_return_entry_r( 505 ): created (0)
=> id2entry_r( 509 )
=> ldbm_cache_open( "/usr/tmp/openldap/id2entry.dbb", 514, 600 )
<= ldbm_cache_open (cache 1)
=> str2entry
<= str2entry(cn=Dutton4 Samba Users,ou=Groups,o=SIUC,c=US) -> -1 (0x80bdbe0)
entry_rdwr_rlock: ID: 509
<= id2entry_r( 509 ) 0x80bdbe0 (disk)
=> test_filter
EQUALITY
=> access_allowed: search access to "cn=Dutton4 Samba
Users,ou=Groups,o=SIUC,c=US" "cn" requested
=> dnpat: [1] .*,dc=siu,dc=edu,o=SIUC,d=US nsub: 0
=> dnpat: [2] .*,dc=AppleTalk,o=SIUC,c=US nsub: 0
=> test_filter
EQUALITY
<= test_filter 6
=> acl_get: [3] check attr cn
<= acl_get: [3] acl cn=Dutton4 Samba Users,ou=Groups,o=SIUC,c=US attr: cn
=> acl_mask: access to entry "cn=Dutton4 Samba Users,ou=Groups,o=SIUC,c=US",
attr "cn" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: cn=Manager,o=SIUC,c=US
=> string_expand: pattern: cn=Manager,o=SIUC,c=US
=> string_expand: expanded: cn=Manager,o=SIUC,c=US
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.142
=> string_expand: pattern: 131.230.6.142
=> string_expand: expanded: 131.230.6.142
=> regex_matches: string: IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.141
=> string_expand: pattern: 131.230.6.141
=> string_expand: expanded: 131.230.6.141
=> regex_matches: string: IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.182
=> string_expand: pattern: 131.230.6.182
=> string_expand: expanded: 131.230.6.182
=> regex_matches: string: IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: *
<= acl_mask: [6] applying none (=n) (stop)
<= acl_mask: [6] mask: none (=n)
=> access_allowed: search access denied by none (=n)
<= test_filter 50
ldbm_search: candidate 509 does not match filter
entry_rdwr_runlock: ID: 509
====> cache_return_entry_r( 509 ): created (0)
send_ldap_search_result 0::
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 9
0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........