Re: (ITS#6455) Able to crash slapd while using back_ldap
Apart from some changes, I can't reproduce. See comments below.
> Full_Name: J
> Version: 2.4.20
> OS: Debian-Lenny/amd64
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (68.15.14.98)
>
>
> Host running Debian Lenny amd64 is experiencing a strange issue. slapd is
> segfaulting for no obvious reason. Syslog output:
>
> Jan 15 19:29:59 ldapc1 kernel: [10702.262741] slapd[3218]: segfault at 40 ip 7fb2b4829875 sp 44d90940 error 4 in back_ldap-2.4.so.2.5.3[7fb2b4819000+1f000]
This is not a useful bug report. You should rather follow instructions
here <http://www.openldap.org/faq/data/cache/56.html> and provide useful
information. A stack backtrace is essentially mandatory. Also, details
about the DIT and the exact offending operations would be of help.
> We are running slapd 2.4.20, via this config:
>
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/inetorgperson.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
>
> disallow bind_anon
>
> loglevel 0
> sizelimit 999999
> idletimeout 10
>
> modulepath /usr/lib/ldap
> moduleload back_ldap
> moduleload back_hdb
> moduleload pcache
>
> TLSCertificateFile /etc/ldap/ssl/wildcard.crt
> TLSCertificateKeyFile /etc/ldap/ssl/wildcard.key
> TLSCACertificateFile /etc/ldap/ssl/wildcard.pem
>
> database ldap
> uri ldaps://192.168.1.1:636/
> suffix "ou=svcs,cn=auth"
> rootdn "uid=slapd,ou=svcs,cn=auth"
I note that "cn=auth" should not be used, as this naming context is used
internally for SASL identities.
> idassert-bind
> bindmethod=simple
> binddn="uid=auth,ou=svcs,cn=auth"
> credentials="password"
> mode=none
> idassert-authzFrom "dn.subtree:ou=svcs,cn=auth"
>
> ### For some reason, we can no longer use indexes like we could in slapd 2.3
> ### while using back_ldap (uncommenting these will prevent slapd from starting).
>
> #index objectClass eq
> #index uid,mail,cn eq,sub
> #index queryid eq
2.4 is pickier about syntax. "index" has no meaning within back-ldap. In
2.3 unrecognized keywords were plainly ignored.
> overlay pcache
> proxycache hdb 1000 1 50 1200
> directory "/var/lib/ldap"
> proxycachequeries 100
> proxyattrset 0 uid mail cn
> proxytemplate (uid=) 0 600
>
> include /etc/ldap/acls.slapd
>
> ##########
>
>
> My hunch, given ITS #6452 (which I remarked was "solved"), is that id assertion may cause slapd to crash when an identity tries to assert as itself?
>
> e.g: uid=auth,ou=svcs,cn=auth >--idassert--> uid=auth,ou=svcs,cn=auth by means of the idassert-authzFrom parameter, which authorizes the entire subtree in which this account resides. Again, just a hunch ...
I had it working auth'ing both as idassert's "binddn" and as another user
within the allowed subtree.
Please improve the report and feed back.
p.
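The two configuration problems pointed out above (index directives inside a back-ldap database, and DNs placed under the SASL-reserved cn=auth context) can be caught before slapd is even started. The checker below is an added example, not OpenLDAP code or anything from the thread; the function name lint_slapd_conf is assumed, and the sample is a constructed excerpt of the reporter's config with the index lines uncommented.

```python
import re

# "cn=auth" is the naming context slapd reserves for SASL-derived identities.
SASL_CONTEXT = "cn=auth"
# Directives naming a DN; the DN must not sit under the reserved context.
DN_DIRECTIVE = re.compile(r'^(suffix|rootdn|binddn)\s*=?\s*"?([^"]*)"?', re.I)

def lint_slapd_conf(text):
    """Return [(line_no, message)] findings for a slapd.conf body (assumed helper)."""
    findings = []
    backend = overlay = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directive
        key = line.split(None, 1)[0].lower()
        arg = line[len(key):].strip()
        if key == "database":
            backend, overlay = arg.lower(), None  # a new database section starts
        elif key == "overlay":
            overlay = arg.lower()  # following directives configure the overlay
        elif key == "index" and backend == "ldap" and overlay is None:
            # back-ldap keeps no local index, so 2.4 rejects the directive;
            # after "overlay pcache" the same keyword configures the cache DB.
            findings.append((no, "index is not a back-ldap directive"))
        m = DN_DIRECTIVE.match(line)
        if m and m.group(2).replace(" ", "").lower().endswith(SASL_CONTEXT):
            findings.append((no, "%s lies under reserved %s" % (m.group(1), SASL_CONTEXT)))
    return findings

# Constructed excerpt of the reporter's config with the index lines uncommented.
SAMPLE = """\
database ldap
suffix "ou=svcs,cn=auth"
rootdn "uid=slapd,ou=svcs,cn=auth"
idassert-bind
  bindmethod=simple
  binddn="uid=auth,ou=svcs,cn=auth"
index objectClass eq
index uid,mail,cn eq,sub
overlay pcache
proxycache hdb 1000 1 50 1200
directory "/var/lib/ldap"
index queryid eq
"""

if __name__ == "__main__":
    for no, msg in lint_slapd_conf(SAMPLE):
        print("line %d: %s" % (no, msg))
```

The index directive after the pcache overlay is deliberately not flagged, since there it configures the local cache database rather than back-ldap itself.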