ppolicy and rwm/relay segfaulting

Hi,

This is weird - quite possibly a config problem, I'm hoping someone can spot it :)

I have a minimal slapd server which works fine with either an rwm/relay section or a ppolicy section - but not both at once.

I'm happy to explain *why* I need to do this if asked, but for now it would just clutter this message. I do have a Really Good(TM) reason.



============ Actual problem ===================

We load slapd up with actual entries for the dc=new,dc=example,dc=com domain.

slapd is configured to map all records with rwm/relay to dc=old,dc=example,dc=com so clients with the old config still work.

ie

we load a real record:

1)   dn: uid=testuser,ou=people,dc=new,dc=example,dc=com

and we want clients asking about

2)   dn: uid=testuser,ou=people,dc=old,dc=example,dc=com

to be served from (1)


========  OK here's an example ================

=== Server ====

Running debian 6 server with debian slapd 2.4.23-7.2

/usr/sbin/slapd -d 4 -h "ldap:/// ldaps:/// ldapi:///" -g openldap -u openldap -f /etc/ldap/slapd.conf



=== Test client ===

Running test against the "old" realm:

ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com

# Enter the wrong password and it fails correctly and server runs OK.

# Enter the right password and the client says:

ldap_result: Can't contact LDAP server (-1)

Server says (last few lines from slapd):
[rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=old,dc=example,dc=com"
[rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com,0)
<= ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
=> bdb_entry_get: ndn: "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
==> hdb_bind: dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
send_ldap_result: err=0 matched="" text=""
=> bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
Segmentation fault



However, queries against the "new" domain work:

ldapwhoami -x -W -D uid=testuser,ou=people,dc=new,dc=example,dc=com
Enter LDAP Password:
dn:uid=testuser,ou=people,dc=new,dc=example,dc=com



If I disable ppolicy in slapd.conf, queries against the "old" domain work:

root@ldaptest1:/etc# ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com
Enter LDAP Password:
dn:uid=testuser,ou=people,dc=new,dc=example,dc=com


(the rewrite is not perfect - but that may not matter for my clients).



Almost certainly I have done something stupid - and it seems clear that ppolicy is being upset by the relay mappings. Any ideas how to fix would be *very* welcome - I have been all over Google and the man pages.


All the best!

Tim



OK - boring stuff:


slapd.conf
###########################################
#######################################################################
# Global Directives:

# Features to permit
allow bind_anon_cred bind_anon_dn update_anon

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/ppolicy.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        sync stats

sizelimit 5000
tool-threads 1

modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      back_relay
moduleload      rwm
moduleload      ppolicy

overlay rwm
rwm-rewriteEngine on

backend         hdb

#######################################################################
# Global ACLs
#

# Ensure read access to the base for things like
# supportedSASLMechanisms.
access to dn.base="" by * read

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# This ACL must be first or password leakage will happen!!!
access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" manage
        by dn="cn=admin,dc=new,dc=example,dc=com" manage
        by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write
        by self write
        by * auth

# The admin dn has full write access, everyone else
# can read everything. Local unix domain socket (root only)
# Can do everything
access to *
        by peername.path="/var/run/slapd/ldapi" manage
        by dn="cn=admin,dc=new,dc=example,dc=com" manage
        by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write
        by * read

#######################################################################
# Main new.example.com authoritative database
#

database        hdb
suffix          dc=new,dc=example,dc=com

rootdn          "cn=admin,dc=new,dc=example,dc=com"
rootpw          "{SSHA}NoNoNooo..."

directory       "/var/lib/ldap"
dbconfig set_cachesize 0 134217728 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
checkpoint      512 30

#######################################################################
#
#  Password Policy
#
#
overlay ppolicy
ppolicy_default "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

#######################################################################
# Virtual maps - compatibility with old.example.com only
#
# map dc=old to dc=new
#
database                relay
suffix                  "dc=old,dc=example,dc=com"
relay                   "dc=new,dc=example,dc=com"
overlay                 rwm
rwm-suffixmassage       "dc=new,dc=example,dc=com"
###########################################


Initial database loaded with slapadd from this ldif:
###########################################
dn: dc=new,dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: new.example.com
dc: new

dn: cn=admin,dc=new,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: NoNoNoooo...

dn: ou=people,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=pwpolicies,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: pwpolicies

#
#
# Standard policy for normal people
#

dn: cn=default,ou=pwpolicies,dc=new,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 15811200
pwdExpireWarning: 1814400
pwdGraceAuthnLimit: 3
pwdInHistory: 6
pwdCheckQuality: 2
pwdMaxFailure: 5
pwdMinLength: 8
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdFailureCountInterval: 300
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Test User
employeeType: Staff
gecos: Test User
gidNumber: 1000
givenName: Test
homeDirectory: /homes/testuser
loginShell: /bin/bash
mail: testuser@new.example.com
sn: User
uid: testuser
uidNumber: 1000
userPassword: {SSHA}NoNoNoooo...

dn: cn=ddh-staff,ou=groups,dc=new,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ddh-staff
description: Test Group
gidNumber: 1000
memberUid: testuser

dn: cn=sysadmin,ou=groups,dc=new,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: sysadmin
description: Staff: System Admin Group
gidNumber: 1001
memberUid: testuser

###########################################



--
Tim Watts
Personal Blog: http://www.dionic.net/tim/

"A fanatic is one who can't change his mind and won't change the subject."
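Added example (not from the post, and not OpenLDAP's rwm code): a simplified model of the dc=old -> dc=new suffix massaging the post describes, including the asymmetry visible in the ldapwhoami output, where the bind DN is massaged on the way in but the returned DN still carries the real suffix. Matching is RDN-aligned and case-insensitive, and escaped commas inside an RDN value are respected.

```python
"""Model of rwm-suffixmassage between a virtual suffix (dc=old,...) and the
real suffix (dc=new,...). Illustration only; this is not slapd's implementation."""
import re

VIRTUAL = "dc=old,dc=example,dc=com"   # suffix of the relay database in the post
REAL = "dc=new,dc=example,dc=com"      # suffix of the hdb database in the post

# Split a DN into RDNs on commas that are not escaped with a backslash,
# so a value such as  cn=Smith\, John  stays in one piece.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def split_dn(dn):
    return [rdn.strip() for rdn in _RDN_SPLIT.split(dn) if rdn.strip()]


def _norm(rdns):
    # DN comparison is case-insensitive for these attribute types and values.
    return [r.lower() for r in rdns]


def massage(dn, from_suffix, to_suffix):
    """Replace from_suffix with to_suffix, but only when from_suffix is a
    whole, RDN-aligned tail of dn (dc=bold must not match dc=old).
    DNs outside from_suffix are returned unchanged."""
    rdns, tail = split_dn(dn), split_dn(from_suffix)
    if len(rdns) < len(tail) or _norm(rdns[-len(tail):]) != _norm(tail):
        return dn
    return ",".join(rdns[:-len(tail)] + split_dn(to_suffix))


def inbound(dn):
    # Request DNs (bind DN, search base, ...) are massaged virtual -> real.
    return massage(dn, VIRTUAL, REAL)


def outbound(dn):
    # Result DNs would be massaged real -> virtual on the way back to the client.
    return massage(dn, REAL, VIRTUAL)


def whoami(bind_dn, massage_results):
    """Model of the ldapwhoami round trip: the bind DN is massaged inbound;
    the DN the server answers with is massaged back only if results are.
    With massage_results=False this reproduces the dc=new answer seen in the
    post when binding as a dc=old DN."""
    real_dn = inbound(bind_dn)
    return outbound(real_dn) if massage_results else real_dn
```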