openldap-bugs November 2006

openldap-bugs@openldap.org

34 participants
148 discussions

Re: (ITS#4758) valsort + dynlist can cause 100% cpu utilization causing slapd to become unresponsive
by ando＠sys-net.it 25 Nov '06

25 Nov '06

michael.heep(a)o2.com wrote: > the following valsort + dynlist combination causes slapd to utilize 100% cpu > time when issueing searches against parts of the DIT containing attribute-value > pairs "created" by dynlist: > > overlay dynlist > dynlist-attrset extensibleObject memberURL uniqueMember > > overlay valsort > valsort-attr uniqueMember dc=o2online,dc=de alpha-ascend > > When run independent both overlays work flawlessly. > To be honest, I don't quite see the point in keeping sorted a set of values that by definition is dynamically built. There seems to be contradiction between the two overlays that prevents them from being used together anyway. If your intention is to partition a tree so that the intersection of data subjected to valsort and data subjected to dynlist is empty, then I guess the solution is to use the <attri> and <baseDN> parameters of valsort to exclude those entries that are subjected to dynlist. If this is not enough, you could ask for an enhancement that turns the <attr> <baseDN> into a more general specification that allows increased granularity; for example, an attr and a filter, which incidentally could be specified by means of an URL so that base, attribute list, scope and filter can be present. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4762) Bugs in meta backend
by Kurt＠OpenLDAP.org 24 Nov '06

24 Nov '06

As there is no major security issue here, this report is now public. At 03:01 AM 11/24/2006, jerome.thevenet(a)aviation-civile.gouv.fr wrote: >Full_Name: >Version: 2.3.27 >OS: ubuntu >URL: ftp://ftp.openldap.org/incoming/ >Submission from: (NULL) (213.41.243.192) > > >In Database meta: >When we define several servers (uri: ldap//....), >onerr CONTINUE > >If all servers are ok, the research is ok. >But if one of them is off, the result of a research is error 52 even if the >others send good result. > >Thanks

1 0

RE: (ITS#4760) problem with group caching and proxyAuth control
by richter＠ecos.de 24 Nov '06

24 Nov '06

> > Fixed (differently) in HEAD/re23; please test. Thanks for > reporting. p. > Just looked at your changes, of course it makes sense to put this in a common function. I will test over the weekend Gerald > > > Ing. Pierangelo Masarati > OpenLDAP Core Team > > SysNet s.n.c. > Via Dossi, 8 - 27100 Pavia - ITALIA > http://www.sys-net.it > ------------------------------------------ > Office: +39.02.23998309 > Mobile: +39.333.4963172 > Email: pierangelo.masarati(a)sys-net.it > ------------------------------------------ > > > > ** Virus checked by BB-5000 Mailfilter ** > !DSPAM:4566ce0e132554386119908! > ** Virus checked by BB-5000 Mailfilter **

1 0

Re: (ITS#4760) problem with group caching and proxyAuth control
by ando＠sys-net.it 24 Nov '06

24 Nov '06

richter(a)ecos.de wrote: Fixed (differently) in HEAD/re23; please test. Thanks for reporting. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

(ITS#4761) error in "group" authorization parsing
by ando＠sys-net.it 24 Nov '06

24 Nov '06

Full_Name: Pierangelo Masarati Version: HEAD,re23 OS: irrelevant URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (87.28.220.33) Submitted by: ando When an authorization rule using groups, like "group:<dn>" is used, the default member attribute "member" is erroneously set to an empy berval, resulting in an invalid filter being used for the internal lookup to check for membership. A workaround consists in avoiding defaults: "group/<oc>/<at>:<dn>". "group/<oc>:<dn>" appears to work as intended, i.e. in this case the default attribute is correctly used. A fix is coming. p.

1 0

Re: (ITS#4760) problem with group caching and proxyAuth control
by ando＠sys-net.it 24 Nov '06

24 Nov '06

Gerald Richter wrote: >> I'm not sure I understand the issue you describe. In fact, >> groups appear to be cached on a per-operation basis, and user >> membership is evaluated using the authorized identity (B in >> your case), so the behavior should be correct. I've made a >> simple check using re23 and things appear to work as >> expected: I log in as a user (A) that is not in a group and >> authorize as a user (B) that is in that group. I previously >> configured slapd so that only members of that group are >> allowed to read an attribute in the whole db (say "cn"). >> Things work as expected: if I login as user A I can't see >> "cn", but if I either log in as user B, or login as user A >> and proxyAuthz as B I can read the "cn". Can you provide a >> simple example (slapd.conf, db.ldif and sequence of >> operations, e.g. in a shell script) that causes the issue you see? >> >> > > I think the point is that the group must be evaluated already in the search > for the AuthzTo attribute. > > So my User A has the AuthzTo attribute set to User B and I have the > following access control: > > > access to * > by group/accessCTRL/uniqueMember="cn=Admins,dc=testuml,dc=test" > write > by * break > > ... > > > access to * attrs=authzTo > by self read > by * break > > ... > > User A is not member of cn=Admins,dc=testuml,dc=test, but user B is. So when > I log in as user A and proxyAuth to Openldap will evaluate the group > membership for A and cache it, during the search for the ACL to authzTo. A > is not member. > > Now when the actual search operation takes places, openldap will used the > cached result (which was "is not member"), which is wrong because the user > has changed since the group membership was cached. > > I hope this makes the problem more clear (I have a test environment here, > but it is very complex and easy transferable) > OK, I see. In my test ACLs for authzTo didn't make use of groups. It makes sense to clear out identity related cached stuff when the identity changes. What I'm looking for is a __simple__ test that exploits the feature. This would allow to clearly spot the issue in the first place, and prepare a regression test. I'll do some more testing. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

RE: (ITS#4760) problem with group caching and proxyAuth control
by richter＠ecos.de 23 Nov '06

23 Nov '06

> I'm not sure I understand the issue you describe. In fact, > groups appear to be cached on a per-operation basis, and user > membership is evaluated using the authorized identity (B in > your case), so the behavior should be correct. I've made a > simple check using re23 and things appear to work as > expected: I log in as a user (A) that is not in a group and > authorize as a user (B) that is in that group. I previously > configured slapd so that only members of that group are > allowed to read an attribute in the whole db (say "cn"). > Things work as expected: if I login as user A I can't see > "cn", but if I either log in as user B, or login as user A > and proxyAuthz as B I can read the "cn". Can you provide a > simple example (slapd.conf, db.ldif and sequence of > operations, e.g. in a shell script) that causes the issue you see? > I think the point is that the group must be evaluated already in the search for the AuthzTo attribute. So my User A has the AuthzTo attribute set to User B and I have the following access control: access to * by group/accessCTRL/uniqueMember="cn=Admins,dc=testuml,dc=test" write by * break ... access to * attrs=authzTo by self read by * break ... User A is not member of cn=Admins,dc=testuml,dc=test, but user B is. So when I log in as user A and proxyAuth to Openldap will evaluate the group membership for A and cache it, during the search for the ACL to authzTo. A is not member. Now when the actual search operation takes places, openldap will used the cached result (which was "is not member"), which is wrong because the user has changed since the group membership was cached. I hope this makes the problem more clear (I have a test environment here, but it is very complex and easy transferable) Gerald ** Virus checked by BB-5000 Mailfilter **

1 0

RE: (ITS#4759) aci comptibilty to V2.1; multiple attrs
by richter＠ecos.de 23 Nov '06

23 Nov '06

> > I have no objection at accepting this code, since it seems to > create no backwards compatibility issues but rather solves a > (irrelevant?) compatibility issue with an ancient version of > the code in an area that I believe to be of questionable > usefulness. At least it had help me by upgrading a bunch of servers from 2.1 which used this feature. > In fact, ACIs have been deprecated ever since, > so I wouldn't spend too much time with them. If there's no > IPR issues (as, for what I can tell, there appear to be > none), I'd try to apply the patch to HEAD code. > Thanks. We use ACI, because we have a setup where we replicate different parts of the tree to different slave ldap servers. By using ACI's the access information get's replicated too. To get the same behaviour with ACL's it would be much more compilcated, because we would need to sort out which ACL's to replicate and which not, because not simply subtrees are replicated (we cannot simply replicate all ACL's because this would leak too much informations). >From this point of view ACI are quite usefull, at least for us. Gerald ** Virus checked by BB-5000 Mailfilter **

1 0

Re: (ITS#4759) aci comptibilty to V2.1; multiple attrs
by ando＠sys-net.it 23 Nov '06

23 Nov '06

richter(a)ecos.de wrote: I have no objection at accepting this code, since it seems to create no backwards compatibility issues but rather solves a (irrelevant?) compatibility issue with an ancient version of the code in an area that I believe to be of questionable usefulness. In fact, ACIs have been deprecated ever since, so I wouldn't spend too much time with them. If there's no IPR issues (as, for what I can tell, there appear to be none), I'd try to apply the patch to HEAD code. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4760) problem with group caching and proxyAuth control
by ando＠sys-net.it 23 Nov '06

23 Nov '06

richter(a)ecos.de wrote: > I noticed that when I use the proxyAuth control group members are not correctly > resolved. > > What I do is to login as user A and do a search with proxyAuth control with an > authzid of user B. > > User B is member of a group, which grants him access to the some items. User A > is not. > > When directly logging in as user B, everything is ok. Using proxyAuth user B > doesn't have access to the items that are granted to the group. > > The reason is that the group membership is cached, and therefore users A > membership is used for ACL evaluation, instead of users B membership. > > The attached patch, simply deletes all cached groups, when inside the proxyAuth > control setup, which resolvs this issue. > I'm not sure I understand the issue you describe. In fact, groups appear to be cached on a per-operation basis, and user membership is evaluated using the authorized identity (B in your case), so the behavior should be correct. I've made a simple check using re23 and things appear to work as expected: I log in as a user (A) that is not in a group and authorize as a user (B) that is in that group. I previously configured slapd so that only members of that group are allowed to read an attribute in the whole db (say "cn"). Things work as expected: if I login as user A I can't see "cn", but if I either log in as user B, or login as user A and proxyAuthz as B I can read the "cn". Can you provide a simple example (slapd.conf, db.ldif and sequence of operations, e.g. in a shell script) that causes the issue you see? p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs November 2006