[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend
From: hyc@symas.com
Date: Fri, 25 Feb 2005 06:21:36 GMT

This is a known deficiency in back-bdb, your analysis is correct. The 
ideal fix would be for slapd/backend.c:select_backend() to return the 
index of the suffix it matched in addition to the backend it found, so 
that this comparison need not be performed redundantly throughout the 
rest of the code. I may do this in 2.3, but no plans for 2.2.

john_de_f@hotmail.com wrote:

>Full_Name: John de Freitas
>Version: 2.2.23
>OS: Linux (RH 7.3 kernel 2.4.18-3)
>URL: 
>Submission from: (NULL) (67.93.141.190)
>
>
>I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the backend.
>
>My slapd.conf has 2 suffixes for this backend (I added the BDB_MULTIPLE_SUFFIXES
>preprocessor define to servers/slapd/back-bdb/init.c). The relevant portion of
>my slapd.conf is:
>
>database         bdb
>suffix           "dc=example,dc=com"
>suffix           "o=My Certificate Authority"
>rootdn           "dn=Manager,dc=example,dc=com"
>rootpwd          secret
>
>I can add entries under the first suffix without problem; I cannot for the
>second. The error reported by slapd is: 
>
><= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
>bdb_add: entry at root denied
>
>I believe the problem is in servers/slapd/back-bdb/cache.c, in
>bdb_cache_find_ndn().
>The code there assumes that the current entry is for the first suffix:
>
>                /* we're searching a full DN from the root */
>                ptr = ndn->bv_val + ndn->bv_len -
>op->o_bd->be_nsuffix[0].bv_len;
>                ei.bei_nrdn.bv_val = ptr;
>                ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;
>
>I can add using this first suffix, but in order to add entries for suffixes
>2...N, the code would need to search through all op->o_bd->be_nsuffix
>entries.Something like:
>
>
>int i=0; 
>while(op->o_bd->be_nsuffix[i] != NULL) {
>  /* compare ndn->bv_val and op->o_bd->be_nsuffix[i] 
>   * if match, break; if not, i++ 
>   */
>}
>
>gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add fails
>as slapd will then try to add an entry such as "cn=John,o=My Certificate
>Authority" to the root, which won't be permitted.
>
>Regards,
>John de Freitas
>
>
>  
>


-- 
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

Prev by Date: RE: (ITS#3568) Failed Assertion in io.c
Next by Date: Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend
Index(es):
- Chronological
- Thread