[Date Prev][Date Next] [Chronological] [Thread] [Top]

Antw: rwm overlay causes slapd segfault

To: "Jarbas Peixoto JÃnior" <jarbas.junior@gmail.com>, <openldap-technical@openldap.org>
Subject: Antw: rwm overlay causes slapd segfault
From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
Date: Wed, 12 Feb 2014 15:28:19 +0100
Content-disposition: inline
In-reply-to: <CAKJak0oDAi=REfJBH4KQS7_tW5HwU5HGLdbit50MH5+vpyucvg@mail.gmail.com>
References: <CAKJak0oDAi=REfJBH4KQS7_tW5HwU5HGLdbit50MH5+vpyucvg@mail.gmail.com>

Hi!

As the bug seems to occur in a C library routine, it could be helpful to
attach to slapd using "ltrace -p .." to see what the last call was.
You could also attach gdb to the process, and try a backtrace when there was a
segfault...

Ulrich

>>> Jarbas Peixoto JÃnior<jarbas.junior@gmail.com> schrieb am 12.02.2014 um
14:14
in Nachricht
<CAKJak0oDAi=REfJBH4KQS7_tW5HwU5HGLdbit50MH5+vpyucvg@mail.gmail.com>:
> Needed to enable authentication on ldap server via the mail attribute.
> 
> I used the overlay rwm as documentation:
>    * http://www.openldap.org/doc/admin24/overlays.html # Rewrite / Remap
>    * http://www.openldap.org/lists/openldap-software/200707/msg00487.html 
>    * 
>
http://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&apropos=0&;

> manpath=OpenLDAP+2.4-Release
> 
> I run the current version of OpenLDAP :
> 
> dpkg -l | grep openldap
> ii  openldap-ltb                       2.4.39-1
> amd64        OpenLDAP server with addons from the LDAP Tool Box
> project
> ii  openldap-ltb-check-password        2.4.39-1
> amd64        check_password module for password policy
> ii  openldap-ltb-contrib-overlays      2.4.39-1
> amd64        Overlays contributed to OpenLDAP
> 
> My configuration snippet is shown below :
> 
> ...
> backend         hdb
> 
> moduleload      rwm
> overlay rwm
> rwm-rewriteEngine       on
> rwm-rewriteMap  ldap    attr2dn "ldaps:///dc=gov,dc=br?dn?sub?"
> rwm-rewriteContext      bindDN
> rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
> 
> database        hdb
> ...
> 
> Everything worked fine , but sometimes occurred a ' slapd segfault "
> there was no apparent cause .
> 
> A log analysis allowed us to identify the query that caused the "crash
> " was the folder containing " ** " as follows :
> 
> "(mail=*name**surname*)(mailAlternateAddress=*name**surname*)"
> 
> Redid several searches and this is really "crash " in some situations :
> 
> Normal
> =======
> ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br
> "(uid=jarbas*peixoto)" mail
> dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br
> mail: jarbas.peixoto@dataprev.gov.br 
> 
> Normal
> =======
> ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br
> "(uid=jarbas**peixoto)" mail
> ldap_search_ext: Bad search filter (-7)
> 
> Normal
> =======
> ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br
> "(mail=jarbas*peixoto@dataprev.gov.br)" mail
> dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br
> mail: jarbas.peixoto@dataprev.gov.br 
> 
> Normal
> =======
> ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br
> "(mail=jarbas**peixoto@dataprev.gov.br)" mail
> ldap_search_ext: Bad search filter (-7)
> 
> Segfault - Note that there is a space between the two asterisks ( "* *" )
> ================================================================
> ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br
> "(mail=jarbas* *peixoto@dataprev.gov.br)" mail
> Additional information: massaged filter parse error
> 
> The excerpts from server logs are:
> 
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 ACCEPT from
> IP=10.82.0.22:46996 (IP=0.0.0.0:636)
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 TLS
> established tls_ssf=128 ssf=128
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 BIND dn=""
method=128
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 RESULT tag=97 err=0 
> text=
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH
> base="dc=gov,dc=br" scope=2 deref=0
> filter="(mail=jarbas**peixoto@dataprev.gov.br)"
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH attr=mail
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SEARCH RESULT
> tag=101 err=0 nentries=0 text=massaged filter parse error
> Feb 12 09:49:18 linuxprev kernel: [19683068.279488] slapd[27112]
> general protection ip:7f9c3520cac9 sp:7f9bc9eb2960 error:0 in
> libc-2.13.so[7f9c35191000+182000]
> 
> To work around this error I added the lines:
> 
> # Remove os '**" da pesquisa 'mail=**' evitando o segfault
> rwm-rewriteContext searchFilter
> rwm-rewriteRule "(.*)(\\* ?\\*)(.*)" "$1*$3" "@I"
> 
> This problem also occurs in other versions of slapd native Debian and 
> Ubuntu.
> 
> Without the overlay rwm not occur this BUG . Can anyone confirm if it
> is really a bug in the " rwm overlay" ?
> 
> 
> Regards,
> Jarbas

Follow-Ups:
- Re: rwm overlay causes slapd segfault
  - From: Jarbas Peixoto Júnior <jarbas.junior@gmail.com>

References:
- rwm overlay causes slapd segfault
  - From: Jarbas Peixoto Júnior <jarbas.junior@gmail.com>

Prev by Date: LDAP proxy and memberOf overlay
Next by Date: Re: Proper way to configure custom schemas
Index(es):
- Chronological
- Thread