
rwm overlay causes slapd segfault



I needed to enable authentication on the LDAP server via the mail attribute.

I used the rwm overlay, following this documentation:
   * http://www.openldap.org/doc/admin24/overlays.html#Rewrite/Remap
   * http://www.openldap.org/lists/openldap-software/200707/msg00487.html
   * http://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release

I run the current version of OpenLDAP:

dpkg -l | grep openldap
ii  openldap-ltb                       2.4.39-1 amd64        OpenLDAP server with addons from the LDAP Tool Box project
ii  openldap-ltb-check-password        2.4.39-1 amd64        check_password module for password policy
ii  openldap-ltb-contrib-overlays      2.4.39-1 amd64        Overlays contributed to OpenLDAP

My configuration snippet is shown below:

...
backend         hdb

moduleload      rwm
overlay rwm
rwm-rewriteEngine       on
rwm-rewriteMap  ldap    attr2dn "ldaps:///dc=gov,dc=br?dn?sub?"
rwm-rewriteContext      bindDN
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"

database        hdb
...

Everything worked fine, but sometimes a "slapd segfault" occurred
with no apparent cause.

Log analysis allowed us to identify that the query that caused the
"crash" was the one containing "**", as follows:

"(mail=*name**surname*)(mailAlternateAddress=*name**surname*)"

I redid several searches and it really does "crash" in some situations:

Normal
=======
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas*peixoto)" mail
dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br
mail: jarbas.peixoto@dataprev.gov.br

Normal
=======
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas**peixoto)" mail
ldap_search_ext: Bad search filter (-7)

Normal
=======
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas*peixoto@dataprev.gov.br)" mail
dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br
mail: jarbas.peixoto@dataprev.gov.br

Normal
=======
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas**peixoto@dataprev.gov.br)" mail
ldap_search_ext: Bad search filter (-7)

Segfault - Note that there is a space between the two asterisks ( "* *" )
================================================================
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas* *peixoto@dataprev.gov.br)" mail
Additional information: massaged filter parse error

The excerpts from server logs are:

Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 ACCEPT from IP=10.82.0.22:46996 (IP=0.0.0.0:636)
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 TLS established tls_ssf=128 ssf=128
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 BIND dn="" method=128
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 RESULT tag=97 err=0 text=
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH base="dc=gov,dc=br" scope=2 deref=0 filter="(mail=jarbas**peixoto@dataprev.gov.br)"
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH attr=mail
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Feb 12 09:49:18 linuxprev kernel: [19683068.279488] slapd[27112] general protection ip:7f9c3520cac9 sp:7f9bc9eb2960 error:0 in libc-2.13.so[7f9c35191000+182000]

To work around this error I added the lines:

# Remove the '**' from the 'mail=**' search, avoiding the segfault
rwm-rewriteContext searchFilter
rwm-rewriteRule "(.*)(\\* ?\\*)(.*)" "$1*$3" "@I"

This problem also occurs in other versions of slapd native to Debian and Ubuntu.

Without the rwm overlay this bug does not occur. Can anyone confirm whether it
is really a bug in the "rwm overlay"?


Regards,
Jarbas
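
An added example, not part of the original message: a log check for the pattern this report describes. It flags slapd SRCH lines whose filter has two adjacent wildcards ("**" or "* *", the shape the workaround rule collapses) and records whether slapd then logged "massaged filter parse error" or the kernel logged a slapd fault. The sample log lines are constructed from the format quoted above, and attributing a fault to the most recent flagged search is an assumption of this example.

```python
import re

# Patterns follow the slapd/kernel syslog format quoted in the report.
SRCH = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) SRCH .*filter="(.*)"')
RESULT = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) SEARCH RESULT .*'
                    r'text=massaged filter parse error')
FAULT = re.compile(r'kernel: .*slapd\[\d+\].*(general protection|segfault)')
# Same shape the report's workaround rule collapses: "**" or "* *".
DOUBLE_STAR = re.compile(r'\* ?\*')

def scan(lines):
    """Flag searches with adjacent wildcards; note rwm errors and later faults."""
    hits, last = {}, None
    for line in lines:
        m = SRCH.search(line)
        if m:
            conn, op, flt = m.groups()
            if DOUBLE_STAR.search(flt):
                last = (conn, op)
                hits[last] = {"conn": conn, "op": op, "filter": flt,
                              "massage_error": False, "fault_after": False}
            continue
        m = RESULT.search(line)
        if m and m.groups() in hits:
            hits[m.groups()]["massage_error"] = True
        elif FAULT.search(line) and last is not None:
            # Assumption: blame the most recent flagged search for the fault.
            hits[last]["fault_after"] = True
    return list(hits.values())

# Constructed sample (hostname, PIDs, base DN and addresses are made up).
SAMPLE = """\
Feb 12 09:49:10 ldap1 slapd[100]: conn=7 op=1 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(mail=a*b@example.org)"
Feb 12 09:49:10 ldap1 slapd[100]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 12 09:49:18 ldap1 slapd[100]: conn=8 op=1 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(mail=a* *b@example.org)"
Feb 12 09:49:18 ldap1 slapd[100]: conn=8 op=1 SRCH attr=mail
Feb 12 09:49:18 ldap1 slapd[100]: conn=8 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Feb 12 09:49:18 ldap1 kernel: [123.456] slapd[104] general protection ip:0 sp:0 error:0 in libc-2.13.so[0+1000]
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Note that "* *" can also be a valid substring filter (a value containing a space), so a flagged line is a lead to review, not proof of the crash.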