
Re: (ITS#7420) Way to bypass overlay unique and constraint



kmenshikov@hostcomm.ru wrote:
> Full_Name: Konstantin Menshikov
> Version: 2.4.33
> OS: FreeBSD 8.2-RELEASE-p4
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (212.116.101.94)
>
>
> Overlay unique and constraint use the list of attributes for the check.
> If we use a restriction by rdn (attribute cn, for example) and don't add attribute
> cn in the ldif file, we can bypass the restriction.
>
> Overlay unique looks at the list of attributes in op->ora_e->e_attrs;
> if this list does not contain attribute cn, the check isn't run.
>
> IMHO: the problem is not in the overlays, but in the slapd code, which allows adding an
> object without explicitly setting the rdn.

The slapd behavior was discussed long ago, in ITS#2243. The current slapd 
behavior is consistent with RFC4511 (though this differs from older releases 
and the now obsoleted RFC2251). It seems that because of this behavior, the 
fix will have to be made to each overlay accordingly. It would be nice if we 
had a more centralized approach though.

>
> Example configuration:
> [root@rdn.problem openldap]# cat slapd.conf
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/corba.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/dyngroup.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/java.schema
> include         /usr/local/etc/openldap/schema/misc.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> include         /usr/local/etc/openldap/schema/openldap.schema
> include         /usr/local/etc/openldap/schema/ppolicy.schema
> include         /usr/local/etc/openldap/schema/sudo.schema
> include         /usr/local/etc/openldap/schema/samba.schema
> include         /usr/local/etc/openldap/schema/spamassassin.schema
> include         /usr/local/etc/openldap/schema/openssh-lpk.schema
> include         /usr/local/etc/openldap/schema/vega-base.schema
> include         /usr/local/etc/openldap/schema/vega-corp.schema
> include         /usr/local/etc/openldap/schema/vega-net.schema
> include         /usr/local/etc/openldap/schema/oversun-base.schema
> include         /usr/local/etc/openldap/schema/oversun-corp.schema
> include         /usr/local/etc/openldap/schema/oversun-mail.schema
> include         /usr/local/etc/openldap/schema/oversun-net.schema
> include         /usr/local/etc/openldap/schema/asterisk.schema
>
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
>
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> loglevel        config stats sync trace
>
> # Load dynamic backend modules:
> modulepath      /usr/local/libexec/openldap
> moduleload      back_hdb
>
> database        hdb
> suffix          "o=company"
> rootdn          "cn=ldapadm,o=company"
> rootpw          password
> directory       /var/db/openldap-data/o=company
>
> overlay unique
> unique_uri 	ldap:///ou=groups,o=company?cn?sub
>
> How to repeat:
>
> [root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H
> ldap://127.0.0.5:389 -f /root/add.ldif.false
> adding new entry "cn=test,ou=system,ou=groups,o=company"
> ldap_add: Constraint violation (19)
> 	additional info: some attributes not unique
>
> [root@rdn.problem openldap]# cat /root/add.ldif.false
> dn: cn=test,ou=system,ou=groups,o=company
> changetype: add
> objectClass: posixGroup
> description: test
> cn: test
> gidNumber: 1000
> [root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H
> ldap://127.0.0.5:389 -f /root/add.ldif.true
> adding new entry "cn=test,ou=system,ou=groups,o=company"
>
> [root@rdn.problem openldap]# cat /root/add.ldif.true
> dn: cn=test,ou=system,ou=groups,o=company
> changetype: add
> objectClass: posixGroup
> description: test
> gidNumber: 1000
> [root@rdn.problem openldap]# diff -U 3 /root/add.ldif.false /root/add.ldif.true
>
> --- /root/add.ldif.false	2012-10-23 06:22:16.000000000 +0000
> +++ /root/add.ldif.true	2012-10-23 06:22:25.000000000 +0000
> @@ -2,5 +2,4 @@
>   changetype: add
>   objectClass: posixGroup
>   description: test
> -cn: test
>   gidNumber: 1000
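Review bot: the only delta between the two LDIFs is the dropped `cn: test` line, and cn is exactly the attribute named in the entry's RDN, so the second request is semantically the same entry with its RDN value left implicit. The second log run confirms this: `oc_check_allowed type "cn"` appears after `==> unique_add`, meaning slapd does put a cn value into the entry (as RFC 4511 requires) but only after the overlay has already looked at op->ora_e->e_attrs and found nothing to search for. Any uniqueness or constraint check that runs at that point has to derive the candidate values from the DN's RDN as well as from the attribute list, otherwise omitting the RDN attribute from the LDIF is enough to skip it.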
>
>
> Log file records:
>
> Oct 23 06:23:21 rdn slapd[44326]: slap_listener_activate(6):
> Oct 23 06:23:21 rdn slapd[44326]: >>> slap_listener(ldap://)
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 ACCEPT from IP=127.0.0.5:17098
> (IP=0.0.0.0:389)
> Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
> Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on
> id=1006
> Oct 23 06:23:21 rdn slapd[44326]: op tag 0x60, time 1350973401
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 do_bind
> Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>,
> <cn=ldapadm,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company"
> method=128
> Oct 23 06:23:21 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company"
> method=128
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company"
> mech=SIMPLE ssf=0
> Oct 23 06:23:21 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to
> "cn=ldapadm,o=company"
> Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=0 p=3
> Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 RESULT tag=97 err=0 text=
> Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
> Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on
> id=1006
> Oct 23 06:23:21 rdn slapd[44326]: op tag 0x68, time 1350973401
> Oct 23 06:23:21 rdn slapd[44326]: connection_input: conn=1006 deferring
> operation: binding
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 do_add
> Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal:
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal:
> <cn=test,ou=system,ou=groups,o=company>,
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 ADD
> dn="cn=test,ou=system,ou=groups,o=company"
> Oct 23 06:23:21 rdn slapd[44326]:
> bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:21 rdn slapd[44326]: =>
> hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:21 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No
> matching key/data pair found (-30989)
> Oct 23 06:23:21 rdn slapd[44326]: hdb_referrals: tag=104
> target="cn=test,ou=system,ou=groups,o=company"
> matched="ou=system,ou=groups,o=company"
> Oct 23 06:23:21 rdn slapd[44326]: ==> unique_add
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: ==> unique_search (|(cn=test))
> Oct 23 06:23:21 rdn slapd[44326]: => hdb_search
> Oct 23 06:23:21 rdn slapd[44326]: bdb_dn2entry("ou=groups,o=company")
> Oct 23 06:23:21 rdn slapd[44326]: search_candidates: base="ou=groups,o=company"
> (0x00000002) scope=2
> Oct 23 06:23:21 rdn slapd[44326]: => hdb_dn2idl("ou=groups,o=company")
> Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (objectClass)
> Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (objectClass) not
> indexed
> Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (cn)
> Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (cn) not indexed
> Oct 23 06:23:21 rdn slapd[44326]: bdb_search_candidates: id=-1 first=2 last=5
> Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 2 does not match filter
> Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 3 does not match filter
> Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 4 does not match filter
> Oct 23 06:23:21 rdn slapd[44326]: ==> count_attr_cb
> <cn=test,ou=personal,ou=groups,o=company>
> Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3
> Oct 23 06:23:21 rdn slapd[44326]: => unique_search found 1 records
> Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3
> Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=19
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 RESULT tag=105 err=19 text=some
> attributes not unique
> Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
> Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on
> id=1006
> Oct 23 06:23:21 rdn slapd[44326]: op tag 0x42, time 1350973401
> Oct 23 06:23:21 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0
> (Undefined error: 0)
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 do_unbind
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 UNBIND
> Oct 23 06:23:21 rdn slapd[44326]: connection_close: conn=1006 sd=10
> Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 closed
>
> Oct 23 06:23:52 rdn slapd[44326]: slap_listener_activate(6):
> Oct 23 06:23:52 rdn slapd[44326]: >>> slap_listener(ldap://)
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 ACCEPT from IP=127.0.0.5:20738
> (IP=0.0.0.0:389)
> Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
> Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on
> id=1007
> Oct 23 06:23:52 rdn slapd[44326]: op tag 0x60, time 1350973432
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 do_bind
> Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company>
> Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>,
> <cn=ldapadm,o=company>
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company"
> method=128
> Oct 23 06:23:52 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company"
> method=128
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company"
> mech=SIMPLE ssf=0
> Oct 23 06:23:52 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to
> "cn=ldapadm,o=company"
> Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=0 p=3
> Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 RESULT tag=97 err=0 text=
> Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
> Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on
> id=1007
> Oct 23 06:23:52 rdn slapd[44326]: op tag 0x68, time 1350973432
> Oct 23 06:23:52 rdn slapd[44326]: connection_input: conn=1007 deferring
> operation: binding
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 do_add
> Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal:
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal:
> <cn=test,ou=system,ou=groups,o=company>,
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 ADD
> dn="cn=test,ou=system,ou=groups,o=company"
> Oct 23 06:23:52 rdn slapd[44326]:
> bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:52 rdn slapd[44326]: =>
> hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No
> matching key/data pair found (-30989)
> Oct 23 06:23:52 rdn slapd[44326]: hdb_referrals: tag=104
> target="cn=test,ou=system,ou=groups,o=company"
> matched="ou=system,ou=groups,o=company"
> Oct 23 06:23:52 rdn slapd[44326]: ==> unique_add
> <cn=test,ou=system,ou=groups,o=company>
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_required entry
> (cn=test,ou=system,ou=groups,o=company), objectClass "posixGroup"
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "objectClass"
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "description"
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "gidNumber"
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "structuralObjectClass"
> Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "cn"
> Oct 23 06:23:52 rdn slapd[44326]: slap_queue_csn: queing 0x7ffffebfc160
> 20121023062352.127471Z#000000#000#000000
> Oct 23 06:23:52 rdn slapd[44326]:
> bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:52 rdn slapd[44326]: =>
> hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
> Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No
> matching key/data pair found (-30989)
> Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id_add 0x6:
> "cn=test,ou=system,ou=groups,o=company"
> Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id_add 0x6: 0
> Oct 23 06:23:52 rdn slapd[44326]: => index_entry_add( 6,
> "cn=test,ou=system,ou=groups,o=company" )
> Oct 23 06:23:52 rdn slapd[44326]: <= index_entry_add( 6,
> "cn=test,ou=system,ou=groups,o=company" ) success
> Oct 23 06:23:52 rdn slapd[44326]: => entry_encode(0x00000006):
> Oct 23 06:23:52 rdn slapd[44326]: <= entry_encode(0x00000006):
> Oct 23 06:23:52 rdn slapd[44326]: hdb_add: added id=00000006
> dn="cn=test,ou=system,ou=groups,o=company"
> Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=1 p=3
> Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=0
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 RESULT tag=105 err=0 text=
> Oct 23 06:23:52 rdn slapd[44326]: slap_graduate_commit_csn: removing 0x80197aeb0
> 20121023062352.127471Z#000000#000#000000
> Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
> Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on
> id=1007
> Oct 23 06:23:52 rdn slapd[44326]: op tag 0x42, time 1350973432
> Oct 23 06:23:52 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0
> (Undefined error: 0)
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 do_unbind
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 UNBIND
> Oct 23 06:23:52 rdn slapd[44326]: connection_close: conn=1007 sd=10
> Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 closed
>
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
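The following is an added illustration of the failure mode in this ITS, not code from OpenLDAP or from either participant. It models the unique overlay's check as a function over the request's attribute list, shows that an add whose LDIF omits the RDN attribute value evades that check, and then shows the defensive variant that first makes the RDN values explicit (the RFC 4511 semantics slapd applies later in the add path). The directory contents, the `unique_uri` scope and all function names are constructed for the example; the DN parsing is deliberately simplified and does not handle RFC 4514 escaping.

```python
"""Model of ITS#7420: a uniqueness check that only looks at the attributes
present in the add request misses values that are implied by the RDN.
Added example; simplified, not the overlay's actual C implementation."""
from typing import Dict, List, Tuple

Attrs = Dict[str, List[str]]

# Constructed directory state: a group named "test" already exists under
# ou=personal, which is what unique_search hit in the reporter's log.
EXISTING_ENTRIES: Dict[str, Attrs] = {
    "cn=test,ou=personal,ou=groups,o=company": {
        "objectclass": ["posixGroup"], "cn": ["test"], "gidnumber": ["999"]},
    "ou=system,ou=groups,o=company": {
        "objectclass": ["organizationalUnit"], "ou": ["system"]},
}

# Constructed equivalents of the reporter's two LDIF files.
LDIF_WITH_CN = """dn: cn=test,ou=system,ou=groups,o=company
changetype: add
objectClass: posixGroup
description: test
cn: test
gidNumber: 1000
"""
LDIF_WITHOUT_CN = """dn: cn=test,ou=system,ou=groups,o=company
changetype: add
objectClass: posixGroup
description: test
gidNumber: 1000
"""

# unique_uri ldap:///ou=groups,o=company?cn?sub, as in the report
UNIQUE_BASE = "ou=groups,o=company"
UNIQUE_ATTR = "cn"


def parse_ldif_add(text: str) -> Tuple[str, Attrs]:
    """Minimal LDIF add-record parser: returns (dn, {lowercased attr: values})."""
    dn, attrs = "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        elif name != "changetype":
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def rdn_avas(dn: str) -> List[Tuple[str, str]]:
    """Attribute/value pairs of the first RDN; '+' joins multi-valued RDNs.
    Simplified: no handling of escaped ',' or '+' (RFC 4514)."""
    avas = []
    for ava in dn.split(",", 1)[0].split("+"):
        attr, _, value = ava.partition("=")
        avas.append((attr.strip().lower(), value.strip()))
    return avas


def in_scope(dn: str, base: str) -> bool:
    """Subtree scope: the base itself or anything below it."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def unique_search(directory: Dict[str, Attrs], attr: str, value: str) -> int:
    """Count entries under UNIQUE_BASE carrying attr=value (the (|(cn=test)) search)."""
    return sum(1 for dn, entry in directory.items()
               if in_scope(dn, UNIQUE_BASE)
               and value.lower() in (v.lower() for v in entry.get(attr, [])))


def naive_unique_add(directory: Dict[str, Attrs], dn: str, attrs: Attrs) -> bool:
    """Reported behaviour: only values found in the request's attribute list are
    checked; an absent attribute means nothing to check, so the add is accepted."""
    values = attrs.get(UNIQUE_ATTR, [])
    return all(unique_search(directory, UNIQUE_ATTR, v) == 0 for v in values)


def with_rdn_values(dn: str, attrs: Attrs) -> Attrs:
    """Make the RDN attribute values explicit before any overlay inspects the entry,
    mirroring what slapd itself adds later under RFC 4511 semantics."""
    out = {k: list(v) for k, v in attrs.items()}
    for attr, value in rdn_avas(dn):
        if value.lower() not in (x.lower() for x in out.get(attr, [])):
            out.setdefault(attr, []).append(value)
    return out


def hardened_unique_add(directory: Dict[str, Attrs], dn: str, attrs: Attrs) -> bool:
    """Defensive variant: same check, run over the RDN-completed attribute list."""
    return naive_unique_add(directory, dn, with_rdn_values(dn, attrs))


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Returns {ldif label: (accepted by naive check, accepted by hardened check)}."""
    results = {}
    for label, ldif in (("with_cn", LDIF_WITH_CN), ("without_cn", LDIF_WITHOUT_CN)):
        dn, attrs = parse_ldif_add(ldif)
        results[label] = (naive_unique_add(EXISTING_ENTRIES, dn, attrs),
                          hardened_unique_add(EXISTING_ENTRIES, dn, attrs))
    return results


if __name__ == "__main__":
    for label, (naive, hardened) in demo().items():
        print(f"{label}: naive accepts={naive}, hardened accepts={hardened}")
```

Running the block reproduces the report: the LDIF that carries `cn: test` is rejected by both variants, while the LDIF without it slips past the naive check and is rejected only once the RDN values are folded into the attribute list. The same `with_rdn_values` step is the kind of centralized normalization the reply wishes for: done once in the add path before overlays run, every attribute-list-based check sees the RDN values without per-overlay fixes.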