[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3569) Issue with multiple suffixes in a single bdb backend

Thank you for the reply. I searched the known bug list; is this a duplicate?

Also, I have implemented a patch in back-bdb/cache.c to select the correct 
suffix, but now that I read your comment about backend.c, I see it's not the 
most appropriate fix. Would a patch to backend.c along the lines you 
suggested be considered for 2.2.x, or are all modifications of this type 
confined to 2.3? If so, I'll just go along with my local fix.

John de Freitas

>From: Howard Chu <hyc@symas.com>
>To: john_de_f@hotmail.com
>CC: openldap-its@OpenLDAP.org
>Subject: Re: (ITS#3569) Issue with multiple suffixes in a single bdb 
>Date: Thu, 24 Feb 2005 22:17:52 -0800
>This is a known deficiency in back-bdb, your analysis is correct. The ideal 
>fix would be for slapd/backend.c:select_backend() to return the index of 
>the suffix it matched in addition to the backend it found, so that this 
>comparison need not be performed redundantly throughout the rest of the 
>code. I may do this in 2.3, but no plans for 2.2.
>john_de_f@hotmail.com wrote:
>>Full_Name: John de Freitas
>>Version: 2.2.23
>>OS: Linux (RH 7.3 kernel 2.4.18-3)
>>URL: Submission from: (NULL) (
>>I am running OpenLDAP 2.2.23 with Sleepycat Berkeley DB 4.3.27 as the 
>>My slapd.conf has 2 suffixes for this backend (I added the 
>>preprocessor define to servers/slapd/back-bdb/init.c). The relevant 
>>portion of
>>my slapd.conf is:
>>database         bdb
>>suffix           "dc=example,dc=com"
>>suffix           "o=My Certificate Authority"
>>rootdn           "dn=Manager,dc=example,dc=com"
>>rootpwd          secret
>>I can add entries under the first suffix without problem; I cannot for the
>>second. The error reported by slapd is:
>><= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found 
>>bdb_add: entry at root denied
>>I believe the problem is in servers/slapd/back-bdb/cache.c, in
>>The code there assumes that the current entry is for the first suffix:
>>                /* we're searching a full DN from the root */
>>                ptr = ndn->bv_val + ndn->bv_len -
>>                ei.bei_nrdn.bv_val = ptr;
>>                ei.bei_nrdn.bv_len = op->o_bd->be_nsuffix[0].bv_len;
>>I can add using this first suffix, but in order to add entries for 
>>2...N, the code would need to search through all op->o_bd->be_nsuffix
>>entries.Something like:
>>int i=0; while(op->o_bd->be_nsuffix[i] != NULL) {
>>  /* compare ndn->bv_val and op->o_bd->be_nsuffix[i]   * if match, break; 
>>if not, i++   */
>>gdb confirms that ei.bei_nrdn.bv_val is incorrectly offset, and so the add 
>>as slapd will then try to add an entry such as "cn=John,o=My Certificate
>>Authority" to the root, which won't be permitted.
>>John de Freitas
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support