Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend
This is a known deficiency in back-bdb, your analysis is correct. The
ideal fix would be for slapd/backend.c:select_backend() to return the
index of the suffix it matched in addition to the backend it found, so
that this comparison need not be performed redundantly throughout the
rest of the code. I may do this in 2.3, but no plans for 2.2.
john_de_f@hotmail.com wrote:
>Full_Name: John de Freitas
>Version: 2.2.23
>OS: Linux (RH 7.3 kernel 2.4.18-3)
>URL:
>Submission from: (NULL) (67.93.141.190)
>
>
>I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the backend.
>
>My slapd.conf has 2 suffixes for this backend (I added the BDB_MULTIPLE_SUFFIXES
>preprocessor define to servers/slapd/back-bdb/init.c). The relevant portion of
>my slapd.conf is:
>
>database bdb
>suffix "dc=example,dc=com"
>suffix "o=My Certificate Authority"
>rootdn "dn=Manager,dc=example,dc=com"
>rootpwd secret
>
>I can add entries under the first suffix without problem; I cannot for the
>second. The error reported by slapd is:
>
><= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
>bdb_add: entry at root denied
>
>I believe the problem is in servers/slapd/back-bdb/cache.c, in
>bdb_cache_find_ndn().
>The code there assumes that the current entry is for the first suffix:
>
> /* we're searching a full DN from the root */
> ptr = ndn->bv_val + ndn->bv_len - op->o_bd->be_nsuffix[0].bv_len;
> ei.bei_nrdn.bv_val = ptr;
> ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;
>
>I can add using this first suffix, but in order to add entries for suffixes
>2...N, the code would need to search through all op->o_bd->be_nsuffix
>entries. Something like:
>
>
>int i=0;
>while(op->o_bd->be_nsuffix[i].bv_val != NULL) {
> /* compare ndn->bv_val and op->o_bd->be_nsuffix[i]
> * if match, break; if not, i++
> */
>}
>
>gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add fails
>as slapd will then try to add an entry such as "cn=John,o=My Certificate
>Authority" to the root, which won't be permitted.
>
>Regards,
>John de Freitas
>
>
>
>
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
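
The suffix lookup discussed in this thread, as a stand-alone sketch added here (not OpenLDAP code and not written by either poster): it walks a NULL-terminated suffix list and reports which suffix a normalized DN falls under, instead of assuming index 0. `struct berval` is a minimal stand-in, and `BV`, `match_suffix`, `sample_nsuffix`, `sample_match` and `sample_offset` are hypothetical names; suffixes are assumed non-empty and escaped commas are not handled.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for OpenLDAP's struct berval (assumption for this example). */
struct berval { size_t bv_len; char *bv_val; };
#define BV(s) { sizeof(s) - 1, (char *)(s) }

/* Return the index of the suffix that ndn ends with, or -1 if none matches.
 * The list is terminated by an entry whose bv_val is NULL. */
int match_suffix(const struct berval *ndn, const struct berval *nsuffix)
{
    int i;
    for (i = 0; nsuffix[i].bv_val != NULL; i++) {
        size_t slen = nsuffix[i].bv_len, off;
        if (slen > ndn->bv_len)
            continue;                       /* DN shorter than this suffix */
        off = ndn->bv_len - slen;
        if (off > 0 && ndn->bv_val[off - 1] != ',')
            continue;                       /* must start on an RDN boundary */
        if (memcmp(ndn->bv_val + off, nsuffix[i].bv_val, slen) == 0)
            return i;
    }
    return -1;
}

/* Constructed sample: normalized forms of the two suffixes in the slapd.conf above. */
static const struct berval sample_nsuffix[] = {
    BV("dc=example,dc=com"),
    BV("o=my certificate authority"),
    { 0, NULL }
};

/* Index of the matching sample suffix for a NUL-terminated normalized DN. */
int sample_match(const char *dn)
{
    struct berval ndn = { strlen(dn), (char *)dn };
    return match_suffix(&ndn, sample_nsuffix);
}

/* Offset in dn where the matched suffix begins, or -1 when no suffix matches. */
long sample_offset(const char *dn)
{
    int i = sample_match(dn);
    return i < 0 ? -1L : (long)(strlen(dn) - sample_nsuffix[i].bv_len);
}
```

With index 0 hard-coded, the offset for a DN under the second suffix is computed from the wrong suffix length and lands in the middle of the DN, which is the misaligned `ei.bei_nrdn.bv_val` reported above.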