
Re: dnNormalize2 failed assertion (sasl_regexp?)

* Stephen Frost (sfrost@snowman.net) wrote:
>   My slapd is crashing with the following message:
> slapd: /data1/sfrost/debs/openldap21/openldap21-2.1.12/servers/slapd/dn.c:379: dnNormalize2: Assertion `strlen( val->bv_val ) == val->bv_len' failed.
>   This is running 2.1.12 (obviously).  Prior to this is:
> >>> dnPrettyNormal: <>
> <<< dnPrettyNormal: <>, <>
> do_sasl_bind: dn () mech GSSAPI
> ==> sasl_bind: dn="" mech=<continuing> datalen=113
> SASL Canonicalize [conn=2]:
> authzid="dn:uid=sfrost/ldap,cn=SNOWMAN.NET,cn=gssapi,cn=auth"
> slap_sasl_getdn: id=dn:uid=sfrost/ldap,cn=SNOWMAN.NET,cn=gssapi,cn=auth
> >>> dnNormalize: <uid=sfrost/ldap,cn=SNOWMAN.NET,cn=gssapi,cn=auth>
> => ldap_bv2dn(uid=sfrost/ldap,cn=SNOWMAN.NET,cn=gssapi,cn=auth,0)
> <= ldap_bv2dn(uid=sfrost/ldap,cn=SNOWMAN.NET,cn=gssapi,cn=auth,0)=0

Just in case anyone actually *reads* this list, I've found out some more
rather interesting things:

738     in getdn.c
(gdb) p *bv
$3 = {bv_len = 48, bv_val = 0x81418cf "uid=sfrost/ldap,cn=SNOWMAN.NET,cn=gssapi,cn=auth\b"}
(gdb) p strlen(bv->bv_val)
$4 = 49

No clue where the \b is coming from.  The command I'm using is:

sfrost@ldap1:/home/sfrost> ldapsearch -X dn:uid=sfrost/ldap,cn=SNOWMAN.NET,cn=gssapi,cn=auth
SASL/GSSAPI authentication started

Other fun things from the logs...

Feb  6 09:38:35 syslog@ldap1 slapd[19873]: do_sasl_bind: dn () mech GSSAPI
Feb  6 09:38:35 syslog@ldap1 slapd[19873]: ==> sasl_bind: dn="" mech=<continuing> datalen=113
Feb  6 09:38:35 syslog@ldap1 slapd[19873]: SASL Canonicalize [conn=0]: authzid="dn:uid=sfrost/ldap,cn=SNOWMAN.NET,cn=gssapi,cn=aut"
Feb  6 09:38:35 syslog@ldap1 slapd[19873]: slap_sasl_getdn: id=dn:uid=sfrost/ldap,cn=SNOWMAN.NET,cn=gssapi,cn=auth
Feb  6 09:38:35 syslog@ldap1 slapd[19873]: >>> dnNormalize: <uid=sfrost/ldap,cn=SNOWMAN.NET,cn=gssapi,cn=aut>

Note the missing 'h', which is because of the \b.  Not sure why I didn't
see it before.

Ok, so, I contend that the assert that's there is just plain wrong.  The
length is being passed around, who cares what strlen says?  I'm guessing
this thing isn't actually required to be NULL-terminated (why does it
need to be, you've got the length!).  Things appear to work reasonably
when it's not, in fact.

Of course, I find it very annoying that SASL (I think..?) drops the
cn=SNOWMAN.NET if that's the local domain..  Or at least, it seems to,
sometimes.  It's quite odd.
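
The mismatch in the gdb output above, as an added example that is not part of the original message or of OpenLDAP's code: a length-counted buffer whose byte at index bv_len is not NUL, checked with a bounded scan and rendered for logging with control bytes escaped, so a stray \b cannot hide a character the way it did in the syslog lines. The `struct counted` type and the function names are hypothetical, and the sample buffer is constructed from the values shown in the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a length-counted string (a bv_len/bv_val pair). */
struct counted { size_t len; const char *val; };

/* Constructed sample mirroring the gdb output: 48 DN bytes, then \b, then NUL. */
static const char SAMPLE[] = "uid=sfrost/ldap,cn=SNOWMAN.NET,cn=gssapi,cn=auth\b";

/* Offset of the first NUL in val, never reading past cap bytes
 * (cap = size of the underlying buffer). Bounded replacement for strlen(). */
size_t bounded_strlen(const struct counted *c, size_t cap) {
    const char *nul = memchr(c->val, '\0', cap);
    return nul ? (size_t)(nul - c->val) : cap;
}

/* 1 if the first NUL sits exactly at val[len], i.e. strlen(val) == len holds. */
int counted_is_terminated(const struct counted *c, size_t cap) {
    return c->len < cap && bounded_strlen(c, cap) == c->len;
}

/* Copy exactly len bytes into a fresh NUL-terminated string, escaping control
 * bytes and backslashes as \xNN for safe logging. Caller frees the result. */
char *counted_to_log(const struct counted *c) {
    char *out = malloc(c->len * 4 + 1), *p = out;
    if (!out) return NULL;
    for (size_t i = 0; i < c->len; i++) {
        unsigned char ch = (unsigned char)c->val[i];
        if (ch < 0x20 || ch == 0x7f || ch == '\\')
            p += sprintf(p, "\\x%02x", ch);
        else
            *p++ = (char)ch;
    }
    *p = '\0';
    return out;
}

int main(void) {
    struct counted bv = { 48, SAMPLE };   /* length as reported by gdb */
    char *s = counted_to_log(&bv);
    printf("len=%zu first_nul=%zu terminated=%d\n", bv.len,
           bounded_strlen(&bv, sizeof SAMPLE),
           counted_is_terminated(&bv, sizeof SAMPLE));
    printf("log: %s\n", s ? s : "(out of memory)");
    free(s);
    return 0;
}
```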

