
(ITS#8629) slapauth segfault with GSSAPI + olcAuthzRegexp using internal LDAP search + ppolicy overlay



Full_Name: Clement Oudot
Version: 2.4.44
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.248.50.71)


Hello,

With a simple olcAuthzRegexp configuration like:

olcAuthzRegexp: {0}uid=(.*),cn=gssapi,cn=auth ldap:///dc=example,dc=com???(uid=$1)

And ppolicy overlay configured, for example like:

dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE



We have a segfault when running this command:

$ /usr/local/openldap/sbin/slapauth -F /home/clement/configuration/openldap/example/slapd.d/ -v coudot -M GSSAPI


Here is the GDB backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000055644f in ppolicy_restrict (op=0x7fffffffd0e0, rs=0x7fffffffd070) at ppolicy.c:1379
1379    ppolicy.c: Aucun fichier ou dossier de ce type.
(gdb) bt
#0  0x000000000055644f in ppolicy_restrict (op=0x7fffffffd0e0, rs=0x7fffffffd070) at ppolicy.c:1379
#1  0x00000000004a55ca in overlay_op_walk (op=op@entry=0x7fffffffd0e0, rs=0x7fffffffd070, which=op_search, oi=0xa59ef0, on=0xa571d0) at backover.c:661
#2  0x00000000004a574e in over_op_func (op=0x7fffffffd0e0, rs=<optimized out>, which=<optimized out>) at backover.c:730
#3  0x0000000000487375 in slap_sasl2dn (opx=0x7fffffffd710, saslname=0x0, sasldn=0x7fffffffd310, flags=-16, flags@entry=2) at saslauthz.c:2008
#4  0x000000000048e42b in slap_sasl_getdn (conn=conn@entry=0x7fffffffd450, op=op@entry=0x7fffffffd710, id=id@entry=0x7fffffffd440, user_realm=0x0, dn=dn@entry=0x7fffffffd410, flags=flags@entry=2) at sasl.c:1891
#5  0x00000000004aba73 in do_check (c=c@entry=0x7fffffffd450, op=op@entry=0x7fffffffd710, id=id@entry=0x7fffffffd440) at slapauth.c:44
#6  0x00000000004abe54 in slapauth (argc=<optimized out>, argv=0x7fffffffdcc8) at slapauth.c:161
#7  0x0000000000425e98 in main (argc=7, argv=0x7fffffffdc98) at main.c:664



Note that there is no bug if one of these conditions is true:
* overlay ppolicy is not configured
* olcAuthzRegexp does not use internal LDAP search
* GSSAPI schema is not requested in slapauth


Hope you have enough information in this report. Feel free to ask more if
needed.
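
The following is an added example, not part of the original report or of OpenLDAP's code: a small audit helper that shows which olcAuthzRegexp rule a SASL identity matches and whether its replacement is an LDAP URL, that is, whether the mapping takes the internal-search path named in the conditions above. The function names, the second (direct-DN) rule and the use of Python's `re` in place of slapd's regex matching are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample: the rule from the report plus a hypothetical direct-DN rule.
RULES = [
    "{0}uid=(.*),cn=gssapi,cn=auth ldap:///dc=example,dc=com???(uid=$1)",
    "{1}uid=(.*),cn=external,cn=auth uid=$1,ou=people,dc=example,dc=com",
]

def parse_rule(value):
    """Split an olcAuthzRegexp value into (index, match pattern, replacement)."""
    m = re.match(r"\{(\d+)\}(\S+)\s+(\S.*)$", value)
    if not m:
        raise ValueError("unrecognised olcAuthzRegexp value: %r" % value)
    return int(m.group(1)), m.group(2), m.group(3).strip()

def expand(replacement, match):
    """Substitute $1..$9 in the replacement with the captured groups."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), replacement)

def map_identity(rules, sasl_dn):
    """Return how the first matching rule resolves sasl_dn, or None if none match."""
    for index, pattern, replacement in sorted(parse_rule(r) for r in rules):
        # Assumption: Python's re stands in for the regex matching slapd performs.
        match = re.search(pattern, sasl_dn, re.IGNORECASE)
        if not match:
            continue
        target = expand(replacement, match)
        if not target.lower().startswith("ldap:///"):
            # Replacement is a plain DN: no internal search is needed.
            return {"rule": index, "internal_search": False, "dn": target}
        # LDAP URL layout: ldap:///base?attrs?scope?filter
        fields = (target[len("ldap:///"):].split("?", 3) + [""] * 3)[:4]
        base, _attrs, scope, flt = fields
        return {"rule": index, "internal_search": True,
                "base": unquote(base),
                "scope": scope or "base",  # RFC 4516 default when omitted
                "filter": unquote(flt)}
    return None

if __name__ == "__main__":
    # Identity form seen for "slapauth -v coudot -M GSSAPI" with the rule above.
    print(map_identity(RULES, "uid=coudot,cn=gssapi,cn=auth"))
```
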