
Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend

This is a known deficiency in back-bdb, your analysis is correct. The 
ideal fix would be for slapd/backend.c:select_backend() to return the 
index of the suffix it matched in addition to the backend it found, so 
that this comparison need not be performed redundantly throughout the 
rest of the code. I may do this in 2.3, but no plans for 2.2.

john_de_f@hotmail.com wrote:

>Full_Name: John de Freitas
>Version: 2.2.23
>OS: Linux (RH 7.3 kernel 2.4.18-3)
>Submission from: (NULL) (
>I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the backend.
>My slapd.conf has 2 suffixes for this backend (I added the BDB_MULTIPLE_SUFFIXES
>preprocessor define to servers/slapd/back-bdb/init.c). The relevant portion of
>my slapd.conf is:
>database         bdb
>suffix           "dc=example,dc=com"
>suffix           "o=My Certificate Authority"
>rootdn           "dn=Manager,dc=example,dc=com"
>rootpwd          secret
>I can add entries under the first suffix without problem; I cannot for the
>second. The error reported by slapd is: 
><= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
>bdb_add: entry at root denied
>I believe the problem is in servers/slapd/back-bdb/cache.c, in
>The code there assumes that the current entry is for the first suffix:
>                /* we're searching a full DN from the root */
>                ptr = ndn->bv_val + ndn->bv_len -
>                ei.bei_nrdn.bv_val = ptr;
>                ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;
>I can add using this first suffix, but in order to add entries for suffixes
>2...N, the code would need to search through all op->o_bd->be_nsuffix
>entries. Something like:
>int i=0;
>while(op->o_bd->be_nsuffix[i].bv_val != NULL) {
>  /* compare ndn->bv_val and op->o_bd->be_nsuffix[i]
>   * if match, break; if not, i++
>   */
>}
>gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add fails
>as slapd will then try to add an entry such as "cn=John,o=My Certificate
>Authority" to the root, which won't be permitted.
>John de Freitas

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
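
The suffix lookup discussed in this thread, as an added example that is not part of the original messages and is not OpenLDAP code: it finds which configured suffix a normalized DN falls under and where that suffix starts, instead of assuming index 0. The `struct bv` type, the function names and the suffix table are hypothetical stand-ins built from the values in the report.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for OpenLDAP's struct berval (hypothetical name). */
struct bv { size_t bv_len; const char *bv_val; };
#define BV(s) { sizeof(s) - 1, s }

/* Constructed table: the two suffixes from the report, lower-cased,
 * terminated by an entry whose bv_val is NULL. */
static const struct bv nsuffix[] = {
    BV("dc=example,dc=com"), BV("o=my certificate authority"), { 0, NULL }
};

/* Index of the suffix that ndn falls under, or -1 if none matches.
 * Simplification: an escaped comma before the suffix is not handled. */
int match_suffix(const struct bv *ndn, const struct bv *suffixes)
{
    for (int i = 0; suffixes[i].bv_val != NULL; i++) {
        size_t slen = suffixes[i].bv_len;
        if (slen > ndn->bv_len)
            continue;                       /* DN shorter than suffix */
        const char *tail = ndn->bv_val + ndn->bv_len - slen;
        if (memcmp(tail, suffixes[i].bv_val, slen) != 0)
            continue;
        /* Accept only the whole DN or a match starting at an RDN boundary. */
        if (slen == ndn->bv_len || tail[-1] == ',')
            return i;
    }
    return -1;
}

int suffix_index_for(const char *dn)
{
    struct bv ndn = { strlen(dn), dn };
    return match_suffix(&ndn, nsuffix);
}

/* Offset in dn where the matched suffix starts, or -1 if no suffix matches. */
long suffix_offset_for(const char *dn)
{
    int i = suffix_index_for(dn);
    return i < 0 ? -1 : (long)(strlen(dn) - nsuffix[i].bv_len);
}

int main(void)
{
    const char *dn = "cn=john,o=my certificate authority";
    printf("index %d, offset %ld\n", suffix_index_for(dn), suffix_offset_for(dn));
    return 0;
}
```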