Re: Infinite loop with "mdb_search: 124xxxx1 scope not okay" while adding an entry

Here is the full LDIF file which also contains the cn=config
configuration of the newly created DB (still ldapvi LDIF syntax).

On 06/02, Benjamin Dauvergne wrote:
> Hi,
> 
> I'm using OpenLDAP debian package from wheezy-backports (version
> 2.4.31+really2.4.40+dfsg) which is a 2.4.40 but backported I think under
> another version number to allow the jessie package to execute its migration
> when upgrade time will come.
> 
> When trying to initialize a new DB by loading an LDIF file using ldapvi,
> looking like that:
> 
> 	add dc=coin2,dc=fr
> 	objectClass: organization
> 	objectClass: dcObject
> 	objectClass: eduOrg
> 	objectClass: supannOrg
> 	dc: coin2
> 	o: whatever
> 	supannEtablissement: {UAI}ccc
> 
> 	add ou=people,dc=coin2,dc=fr
> 	objectClass: organizationalUnit
> 	ou: people
> 
> 	add uid=admin,ou=people,dc=coin2,dc=fr
> 	objectClass: inetOrgPerson
> 	objectClass: eduPerson
> 	objectClass: supannPerson
> 	uid: admin
> 	cn: Administrateur annuaire
> 	displayName: Administrateur annuaire
> 	givenName: Administrateur
> 	sn: annuaire
> 	supannListeRouge: TRUE
> 	userPassword: xxxx
> 	supannEtablissement: {UAI}COIN
> 
> It blocks on adding the ou=people. After setting loglevel to 255 I got my
> syslog filled with such messages, soon filling the virtual machine virtual
> disk:
> 
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 1 scope not okay
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 2 scope not okay
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 3 scope not okay
> etc...
> 
> The log of the query finishing like that is:
> 
> Jun  2 02:34:26 ldap1-psl slapd[12159]: connection_get(15)
> Jun  2 02:34:26 ldap1-psl slapd[12159]: connection_get(15): got connid=1001
> Jun  2 02:34:26 ldap1-psl slapd[12159]: connection_read(15): checking for input on id=1001
> Jun  2 02:34:26 ldap1-psl slapd[12159]: op tag 0x68, time 1433205266
> Jun  2 02:34:26 ldap1-psl slapd[12159]: conn=1001 op=9 do_add
> Jun  2 02:34:26 ldap1-psl slapd[12159]: conn=1001 op=9 do_add: dn (ou=people,dc=coin2,dc=fr)
> Jun  2 02:34:26 ldap1-psl slapd[12159]: >>> dnPrettyNormal: <ou=people,dc=coin2,dc=fr>
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <<< dnPrettyNormal: <ou=people,dc=coin2,dc=fr>, <ou=people,dc=coin2,dc=fr>
> Jun  2 02:34:26 ldap1-psl slapd[12159]: ==> unique_add <ou=people,dc=coin2,dc=fr>
> Jun  2 02:34:26 ldap1-psl slapd[12159]: ==> unique_search (|(objectClass=organizationalUnit)(ou=people))
> Jun  2 02:34:26 ldap1-psl slapd[12159]: str2filter "(|(objectClass=organizationalUnit)(ou=people))"
> Jun  2 02:34:26 ldap1-psl slapd[12159]: begin get_filter
> Jun  2 02:34:26 ldap1-psl slapd[12159]: OR
> Jun  2 02:34:26 ldap1-psl slapd[12159]: begin get_filter_list
> Jun  2 02:34:26 ldap1-psl slapd[12159]: begin get_filter
> Jun  2 02:34:26 ldap1-psl slapd[12159]: EQUALITY
> Jun  2 02:34:26 ldap1-psl slapd[12159]: end get_filter 0
> Jun  2 02:34:26 ldap1-psl slapd[12159]: begin get_filter
> Jun  2 02:34:26 ldap1-psl slapd[12159]: EQUALITY
> Jun  2 02:34:26 ldap1-psl slapd[12159]: end get_filter 0
> Jun  2 02:34:26 ldap1-psl slapd[12159]: end get_filter_list
> Jun  2 02:34:26 ldap1-psl slapd[12159]: end get_filter 0
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_search
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_dn2entry("dc=coin2,dc=fr")
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_dn2id("dc=coin2,dc=fr")
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_dn2id: got id=0x1
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_entry_decode:
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_entry_decode
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => access_allowed: search access to "dc=coin2,dc=fr" "entry" requested
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= root access granted
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => access_allowed: search access granted by manage(=mwrscxd)
> Jun  2 02:34:26 ldap1-psl slapd[12159]: search_candidates: base="dc=coin2,dc=fr" (0x00000001) scope=-1
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_filter_candidates
> Jun  2 02:34:26 ldap1-psl slapd[12159]: #011OR
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_list_candidates 0xa1
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_filter_candidates
> Jun  2 02:34:26 ldap1-psl slapd[12159]: #011EQUALITY
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_equality_candidates (objectClass)
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => key_read
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_idl_fetch_key: [b49d1940]
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_index_read: failed (-30798)
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_equality_candidates: id=0, first=0, last=0
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_filter_candidates: id=0 first=0 last=0
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_filter_candidates
> Jun  2 02:34:26 ldap1-psl slapd[12159]: #011OR
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_list_candidates 0xa1
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_filter_candidates
> Jun  2 02:34:26 ldap1-psl slapd[12159]: #011EQUALITY
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_equality_candidates (objectClass)
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => key_read
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_idl_fetch_key: [9bee355f]
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_index_read: failed (-30798)
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_equality_candidates: id=0, first=0, last=0
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_filter_candidates: id=0 first=0 last=0
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_filter_candidates
> Jun  2 02:34:26 ldap1-psl slapd[12159]: #011EQUALITY
> Jun  2 02:34:26 ldap1-psl slapd[12159]: => mdb_equality_candidates (ou)
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_equality_candidates: (ou) not indexed
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_filter_candidates: id=-1 first=1 last=-1
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_list_candidates: id=-1 first=1 last=-1
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_filter_candidates: id=-1 first=1 last=-1
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_list_candidates: id=-1 first=1 last=-1
> Jun  2 02:34:26 ldap1-psl slapd[12159]: <= mdb_filter_candidates: id=-1 first=1 last=-1
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search_candidates: id=-1 first=1 last=-1
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 1 scope not okay
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 2 scope not okay
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 3 scope not okay
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 4 scope not okay
> Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 5 scope not okay
> etc...
> 
> I don't know why it's doing a search on an add but seeing the message "(ou) not
> indexed" I thought that maybe adding an equality index on this attribute would
> help, and effectively it did. Now the add ou=people passed, but it started
> looping again when adding the uid=admin entry.
> 
> The infinite loop happens in server/slapd/back-mdb/search.c in mdb_search(). If
> you have any idea I can continue investigating or add debug logs.
> 
> The debian package has the following patches applied over openldap 2.4.40:
> 
> add-tlscacert-option-to-ldap-conf
> autogroup-makefile
> contrib-modules-use-dpkg-buildflags
> do-not-second-guess-sonames
> evolution-ntlm
> fix-build-top-mk
> getaddrinfo-is-threadsafe
> heimdal-fix
> index-files-created-as-root
> ITS6035-olcauthzregex-needs-restart.patch
> ITS7975-fix-mdb-onelevel-search.patch
> ITS8027-deref-reject-empty-attr-list.patch
> ITS8046-fix-vrFilter_free-crash.patch
> lastbind-makefile
> ldap-conf-tls-cacertdir
> ldapi-socket-place
> libldap-symbol-versions
> man-slapd
> no-AM_INIT_AUTOMAKE
> no-bdb-ABI-second-guessing
> pw-sha2-makefile
> sasl-default-path
> slapi-errorlog-file
> smbk5pwd-makefile
> switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
> wrong-database-location
> 
# LDAPVI syntax
add olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=coin2,dc=fr
olcDbDirectory: /var/lib/ldap/dc=coin2,dc=fr/
olcRootDN: uid=admin,ou=people,dc=coin2,dc=fr
olcRootPW: xxx
olcLastMod: TRUE
olcAddContentACL: FALSE
olcMonitoring: TRUE
olcSyncUseSubentry: FALSE
olcMaxDerefDepth: 0
olcLimits: {0}dn.exact="uid=admin,ou=people,dc=coin2,dc=fr" size.soft=unlimited  size.hard=unlimited  time.soft=unlimited  time.hard=unlimited
olcLimits: {1}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited  size.hard=unlimited  time.soft=unlimited  time.hard=unlimited
olcReadOnly: FALSE
# Index
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId eq
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
# Superuser access
olcAccess: {0}to *
   by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
   by group.exact="cn=admin,ou=groups,dc=coin2,dc=fr" manage 
   by * break
# People branch
olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,dc=coin2,dc=fr" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,userPassword,labeledURI
   by self write
   by * break
# Access to the other user attributes
olcAccess: {2}to dn.one="ou=people,dc=coin2,dc=fr"
   by users read
   by anonymous auth
   by * none
# Groups branch
# The group owner
olcAccess: {3}to dn.one="ou=groups,dc=coin2,dc=fr" 
   by set="this/owner & user" manage 
   by * break
# Users in general, on the descriptive attributes
olcAccess: {4}to dn.one="ou=groups,dc=coin2,dc=fr" attrs=cn,description,owner,supannRefId
   by users read 
   by * break
# Group admins and readers of the group members
# members can find their groups
olcAccess: {5}to dn.one="ou=groups,dc=coin2,dc=fr" attrs=member
   by set="this/supannGroupeAdminDN/member* & user" write
   by set="this/supannGroupeAdminDN & user" write
   by set="this/supannGroupeLecteurDN/member* & user" read
   by set="this/supannGroupeLecteurDN & user" read
   by dnattr=member search
# Structures branch
olcAccess: {6}to dn.one="ou=structures,dc=coin2,dc=fr" 
   by * read
# Search permission for all users over the whole database
olcAccess: {7}to * by users search

# Create accesslog DIT
add olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcSuffix: cn=accesslog,dc=coin2,dc=fr
olcDbDirectory: /var/lib/ldap/dc=coin2,dc=fr/accesslog/
olcAccess: {0}to * 
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by group=cn=admin,ou=groupes,dc=coin2,dc=fr manage
  by * break

add olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

# Log all writes to the db
add olcOverlay={1}accesslog,olcDatabase={2}mdb,cn=config
objectClass: olcAccesslogConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog,dc=coin2,dc=fr
olcAccessLogOps: writes
# logs are kept for one year and purged every day
olcAccessLogPurge: 365+00:00 1+00:00
# Keep a copy of everything
olcAccessLogOld: objectClass=*

add olcOverlay={2}refint,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {2}refint
olcRefintAttribute: member 
  eduPersonOrgDN 
  eduPersonOrgUnitDN
  owner
  eduPersonPrimaryOrgUnitDN
  supannGroupeAdminDN
  supannGroupeLecteurDN
  supannParrainDN
olcRefintNothing: dc=coin2,dc=fr

add olcOverlay={3}constraint,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: {3}constraint
# a single cn for users
olcConstraintAttribute: cn count 1 restrict="ldap:///ou=people,dc=coin2,dc=fr??sub?(objectClass=*)" 
#olcConstraintAttribute: cn regex "^[-A-Z' ]*$" restrict="ldap:///ou=people,dc=coin2,dc=fr??sub?(objectClass=*)" 
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///ou=groups,dc=coin2,dc=fr??sub?(objectClass=*)" 
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///dc=coin2,dc=fr??base?(objectClass=*)" 
olcConstraintAttribute: dc regex "^[a-z0-9-]*$" 
olcConstraintAttribute: eduOrgHomePageURI,eduOrgSuperiorURI,eduOrgWhitePagesURI regex "^https?://.*$" 
olcConstraintAttribute: eduPersonAffiliation regex "^(student|faculty|staff|employee|member|affiliate|alum|library-walk-in|researcher|retired|emeritus|teacher|registered-reader)$" 
olcConstraintAttribute: eduPersonPrincipalName regex "^.*@.*$" 
olcConstraintAttribute: mail count 1
olcConstraintAttribute: mail,supannMailPerso,supannAutreMail 
  regex "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$" 
# olcConstraintAttribute: mailForwardingAddress 
  regex "^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}|[a-zA-Z0-9]+)$" # mail or uid
olcConstraintAttribute: supannAliasLogin regex "^[[:alnum:]]+$" 
olcConstraintAttribute: supannCodeEntiteParent,supannEntiteAffectation uri  ldap:///ou=structures,dc=coin2,dc=fr?supannCodeEntite?sub?(objectClass=supannEntite)
olcConstraintAttribute: supannCodeINE count 1
olcConstraintAttribute: supannEmpId count 1
# FIXME: regex syntax is not right
olcConstraintAttribute: supannCivilite regex "^(M.|Mme|Mlle)$" 
olcConstraintAttribute: supannTypeEntite,supannEtuCursusAnnee regex "^\{SUPANN\}[A-Z][0-9]+$" 
# attribute taken from a nomenclature
olcConstraintAttribute: supannEtablissement,
 supannEtuDiplome,
 supannEtuElementPedagogique,
 supannEtuEtape,
 supannEtuRegimeInscription,
 supannEtuSecteurDisciplinaire,
 supannEtuTypeDiplome,
  regex "^\{[^}]+\}.*$" 
olcConstraintAttribute: supannEtuAnneeInscription regex "^[0-9][0-9][0-9][0-9]$" 

add olcOverlay={4}unique,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: {4}unique
olcUniqueURI: ldap://?supannAutreMail?sub

add dc=coin2,dc=fr
objectClass: organization
objectClass: dcObject
objectClass: eduOrg
objectClass: supannOrg
dc: coin2
o: COIN
supannEtablissement: {UAI}COIN

add ou=people,dc=coin2,dc=fr
objectClass: organizationalUnit
ou: people

add uid=admin,ou=people,dc=coin2,dc=fr
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: supannPerson
uid: admin
cn: Administrateur annuaire
displayName: Administrateur annuaire
givenName: Administrateur
sn: annuaire
supannListeRouge: TRUE
userPassword: xxx
supannEtablissement: {UAI}COIN

add ou=structures,dc=coin2,dc=fr
objectClass: organizationalUnit
ou: structures

add supannCodeEntite=COIN,ou=structures,dc=coin2,dc=fr
objectClass: supannOrg
objectClass: supannEntite
objectClass: organization
objectClass: eduOrg
o: COIN
supannCodeEntite: COIN
description: COIN

add ou=groups,dc=coin2,dc=fr
objectClass: organizationalUnit
ou: groups

add cn=admin,ou=groups,dc=coin2,dc=fr
objectClass: groupOfNames
objectClass: supannGroupe
cn: admin
description: Groupe des administrateurs de l'annuaire
member: uid=admin,ou=people,dc=coin2,dc=fr
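As an added example (not part of this mail or of OpenLDAP itself), a small Python detector that scans slapd syslog output for the runaway "mdb_search: N scope not okay" counter described in the quoted report and names the DN of the add operation that preceded it, so the loop can be caught before it fills the disk. The sample log lines are constructed from the trace quoted above; the `threshold` parameter is an assumed tunable.

```python
import re

# Constructed sample in the shape of the slapd syslog lines quoted in the mail.
SAMPLE_LOG = """\
Jun  2 02:34:26 ldap1-psl slapd[12159]: conn=1001 op=9 do_add: dn (ou=people,dc=coin2,dc=fr)
Jun  2 02:34:26 ldap1-psl slapd[12159]: ==> unique_search (|(objectClass=organizationalUnit)(ou=people))
Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search_candidates: id=-1 first=1 last=-1
Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 1 scope not okay
Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 2 scope not okay
Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 3 scope not okay
Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 4 scope not okay
Jun  2 02:34:26 ldap1-psl slapd[12159]: mdb_search: 5 scope not okay
"""

# syslog prefix: "Mon  D HH:MM:SS host slapd[pid]: message"
LINE_RE = re.compile(r'^\S+\s+\d+ \S+ \S+ slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
DO_ADD_RE = re.compile(r'do_add: dn \((?P<dn>[^)]*)\)')
SCOPE_RE = re.compile(r'mdb_search: (?P<n>\d+) scope not okay')


def _flush(state, pid, threshold, findings):
    """Emit a finding if the current run for this pid is long enough, then reset it."""
    if state['run'] >= threshold:
        findings.append({'pid': pid, 'dn': state['dn'], 'iterations': state['last']})
    state['run'], state['last'] = 0, 0


def find_runaway_searches(log_text, threshold=3):
    """Return one finding per run of consecutive, monotonically increasing
    'scope not okay' messages of at least `threshold` lines (assumed tunable),
    tagged with the DN of the last do_add seen on the same slapd pid."""
    states, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a slapd line
        pid, msg = m.group('pid'), m.group('msg')
        st = states.setdefault(pid, {'dn': None, 'run': 0, 'last': 0})
        add = DO_ADD_RE.search(msg)
        if add:  # a new add closes any previous run and becomes the new context
            _flush(st, pid, threshold, findings)
            st['dn'] = add.group('dn')
            continue
        sc = SCOPE_RE.search(msg)
        if not sc:
            continue  # other debug chatter does not interrupt a run
        n = int(sc.group('n'))
        if n != st['last'] + 1:  # counter restarted: previous run is over
            _flush(st, pid, threshold, findings)
        st['run'] += 1
        st['last'] = n
    for pid, st in states.items():  # a run still open at EOF is the live loop
        _flush(st, pid, threshold, findings)
    return findings
```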