openldap-bugs March 2010

openldap-bugs@openldap.org

31 participants
72 discussions

Re: (ITS#6478) slapd crashes with segfault
by masarati＠aero.polimi.it 23 Mar '10

23 Mar '10

> Hello, here is a backtrace > of the crash, however not yet from > a version with full debug symbols enabled. > We are still working on that. You rbacktrace, although incomplete, looks weird: > #0 0x00000037a4e30045 in raise () from /lib64/libc.so.6 > #1 0x00000037a4e31ae0 in abort () from /lib64/libc.so.6 > #2 0x00000037a4e681bb in __libc_message () from /lib64/libc.so.6 > #3 0x00000037a4e6da07 in malloc_consolidate () from /lib64/libc.so.6 > #4 0x00000037a4e6f1fb in _int_free () from /lib64/libc.so.6 > #5 0x00000037a4e72a6c in free () from /lib64/libc.so.6 > #6 0x00000037a4ecabda in __vsyslog_chk () from /lib64/libc.so.6 > #7 0x00000037a4ecaf33 in __syslog_chk () from /lib64/libc.so.6 > #8 0x0000000000437869 in slapd_remove () > #9 0x00000037a5a062e7 in start_thread () from /lib64/libpthread.so.0 > #10 0x00000037a4ece3bd in clone () from /lib64/libc.so.6 libc is raising an assertion during a free related to printing something on syslog. However, in slapd_remove() I don't see anything that could be harmful for syslog, as the only information that may be printed is printed at a very verbose loglevel, and basically consists of integers, so it seems impossible that things like NULL or invalid pointers slip through. p.

1 0

Re: (ITS#6487) Nssov pam_authz authorizedUserService
by crispy＠cluenet.org 23 Mar '10

23 Mar '10

I found that there's an alternate way to achieve this same functionality that's more elegant, probably more efficient, and doesn't require any patches. The approach uses the authorizedService attributes on the host entry. With nssov, individual users can be granted or revoked access based on the slapd ACLs and whether or not they have "compare" access to the authorizedService attribute. I created groups of users underneath the host entry - one for each service - and used regex's in the ACLs to grant compare access to the correct authorizedService attribute when the user is present in the corresponding group. Also the buffer sizes were determined to be a non-issue and do not need to be changed. Chris Breneman On Mon, 2010-03-22 at 00:03 -0500, Kean Johnston wrote: > I like what this offers administrators but I have a comment about how you > handle "wildcards". They aren't wild at all, but "magic strings" with only > one possible meaning: all users/services with the single magic character > "*". If you have a defined user naming convention like i_whatever for > interns and c_whatever for contractors, it would be useful to be able to > either include or exclude such users from using certain services. > > My patch at http://www.openldap.org/its/index.cgi?findid=6495 does this for > userhost and userservices attributes, and includes negation. Would you be > interested in working with me to expand this to support real wildcards? > Also I suggest you make this two patches, as the patch submission > guidelines clearly state that one patch for 1 feature, and the meaty parts > of this are obfuscated by increasing the buffer sizes which should probably > be in a separate patch. > > Regards, Kean

1 0

Re: (ITS#6497) Infinite loop in translucent.c
by masarati＠aero.polimi.it 23 Mar '10

23 Mar '10

Fixed in HEAD; please test. Thanks, p.

1 0

Re: (ITS#6478) slapd crashes with segfault
by wolfgang.hummel＠hp.com 23 Mar '10

23 Mar '10

Hello, here is a backtrace of the crash, however not yet from a version with full debug symbols enabled. We are still working on that. [root@ts2mstsv010 dumps]# gdb /usr/sbin/slapd core.slapd.12403 GNU gdb Red Hat Linux (6.5-25.el5rh) Copyright (C) 2006 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you ar= e welcome to change it and/or distribute copies of it under certain condition= s. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "x86_64-redhat-linux-gnu"...(no debugging symbol= s found) Using host libthread_db library "/lib64/libthread_db.so.1". Reading symbols from /usr/lib64/libltdl.so.3...(no debugging symbols found)= ...done. Loaded symbols for /usr/lib64/libltdl.so.3 Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...don= e. Loaded symbols for /lib64/libdl.so.2 Reading symbols from /lib64/libuuid.so.1...(no debugging symbols found)...d= one. Loaded symbols for /lib64/libuuid.so.1 Reading symbols from /usr/lib64/libslapd_db-4.7.so...(no debugging symbols = found)...done. Loaded symbols for /usr/lib64/libslapd_db-4.7.so Reading symbols from /usr/lib64/libodbc.so.1...(no debugging symbols found)= ...done. Loaded symbols for /usr/lib64/libodbc.so.1 Reading symbols from /usr/lib64/libsasl2.so.2... (no debugging symbols found)...done. Loaded symbols for /usr/lib64/libsasl2.so.2 Reading symbols from /lib64/libssl.so.6...(no debugging symbols found)...do= ne. Loaded symbols for /lib64/libssl.so.6 Reading symbols from /lib64/libcrypto.so.6...(no debugging symbols found)..= .done. Loaded symbols for /lib64/libcrypto.so.6 Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...= done. Loaded symbols for /lib64/libcrypt.so.1 Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)..= .done. Loaded symbols for /lib64/libresolv.so.2 Reading symbols from /lib64/libpthread.so.0... (no debugging symbols found)...done. Loaded symbols for /lib64/libpthread.so.0 Reading symbols from /usr/lib64/libwrap.so.0...(no debugging symbols found)= ...done. Loaded symbols for /usr/lib64/libwrap.so.0 Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done= . Loaded symbols for /lib64/libc.so.6 Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols fo= und)...done. Loaded symbols for /lib64/ld-linux-x86-64.so.2 Reading symbols from /usr/lib64/libgssapi_krb5.so.2...(no debugging symbols= found)...done. Loaded symbols for /usr/lib64/libgssapi_krb5.so.2 Reading symbols from /usr/lib64/libkrb5.so.3... (no debugging symbols found)...done. Loaded symbols for /usr/lib64/libkrb5.so.3 Reading symbols from /lib64/libcom_err.so.2...(no debugging symbols found).= ..done. Loaded symbols for /lib64/libcom_err.so.2 Reading symbols from /usr/lib64/libk5crypto.so.3...(no debugging symbols fo= und)...done. Loaded symbols for /usr/lib64/libk5crypto.so.3 Reading symbols from /usr/lib64/libz.so.1...(no debugging symbols found)...= done. Loaded symbols for /usr/lib64/libz.so.1 Reading symbols from /lib64/libnsl.so.1...(no debugging symbols found)...do= ne. Loaded symbols for /lib64/libnsl.so.1 Reading symbols from /usr/lib64/libkrb5support.so.0... (no debugging symbols found)...done. Loaded symbols for /usr/lib64/libkrb5support.so.0 Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)= ...done. Loaded symbols for /lib64/libkeyutils.so.1 Reading symbols from /lib64/libselinux.so.1...(no debugging symbols found).= ..done. Loaded symbols for /lib64/libselinux.so.1 Reading symbols from /lib64/libsepol.so.1...(no debugging symbols found)...= done. Loaded symbols for /lib64/libsepol.so.1 Reading symbols from /lib64/libnss_dns.so.2...(no debugging symbols found).= ..done. Loaded symbols for /lib64/libnss_dns.so.2 Reading symbols from /lib64/libnss_files.so.2... (no debugging symbols found)...done. Loaded symbols for /lib64/libnss_files.so.2 Reading symbols from /usr/lib64/sasl2/libplain.so.2...(no debugging symbols= found)...done. Loaded symbols for /usr/lib64/sasl2/libplain.so.2 Reading symbols from /usr/lib64/sasl2/libanonymous.so.2...(no debugging sym= bols found)...done. Loaded symbols for /usr/lib64/sasl2/libanonymous.so.2 Reading symbols from /usr/lib64/sasl2/liblogin.so.2...(no debugging symbols= found)...done. Loaded symbols for /usr/lib64/sasl2/liblogin.so.2 Reading symbols from /usr/lib64/openldap/syncprov-2.4.so.2...(no debugging = symbols found)...done. Loaded symbols for /usr/lib64/openldap/syncprov-2.4.so.2 Reading symbols from /usr/lib64/openldap/cms_template-2.4.so.2... (no debugging symbols found)...done. Loaded symbols for /usr/lib64/openldap/cms_template-2.4.so.2 Reading symbols from /usr/lib64/openldap/cms_modif-2.4.so.2...(no debugging= symbols found)...done. Loaded symbols for /usr/lib64/openldap/cms_modif-2.4.so.2 Reading symbols from /lib64/libgcc_s.so.1...(no debugging symbols found)...= done. Loaded symbols for /lib64/libgcc_s.so.1 Core was generated by `/usr/sbin/slapd -h ldap:/// -u ldap'. Program terminated with signal 6, Aborted. #0 0x00000037a4e30045 in raise () from /lib64/libc.so.6 (gdb) bt #0 0x00000037a4e30045 in raise () from /lib64/libc.so.6 #1 0x00000037a4e31ae0 in abort () from /lib64/libc.so.6 #2 0x00000037a4e681bb in __libc_message () from /lib64/libc.so.6 #3 0x00000037a4e6da07 in malloc_consolidate () from /lib64/libc.so.6 #4 0x00000037a4e6f1fb in _int_free () from /lib64/libc.so.6 #5 0x00000037a4e72a6c in free () from /lib64/libc.so.6 #6 0x00000037a4ecabda in __vsyslog_chk () from /lib64/libc.so.6 #7 0x00000037a4ecaf33 in __syslog_chk () from /lib64/libc.so.6 #8 0x0000000000437869 in slapd_remove () #9 0x00000037a5a062e7 in start_thread () from /lib64/libpthread.so.0 #10 0x00000037a4ece3bd in clone () from /lib64/libc.so.6 (gdb) Wolfgang Hummel

1 0

Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour
by quanah＠zimbra.com 22 Mar '10

22 Mar '10

--On Monday, March 22, 2010 9:00 PM -0700 Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > As already noted, there is no need to give root access to admins. My > guess is you really do not understand how ACLs work. I would advise > carefully reading the slapd-access(5) man page. You may also find a page I wrote some time ago useful in helping to understand how ACLs work: <http://www.stanford.edu/services/directory/openldap/configuration/slapd-acl…> Regards, Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour
by quanah＠zimbra.com 22 Mar '10

22 Mar '10

--On Monday, March 22, 2010 12:41 PM +0000 kean.johnston(a)gmail.com wrote: >> Authorization is the job of the ACL engine. Putting ad-hoc rules into >> user entries is, in a word, stupid. It's also unscaleable and will >> become an administration nightmare. > Well OK then. Using a configuration mechanism like ACL's that cannot be > distributed to multiple users (like editing a directory can) is, in a > word, stupid. It is also unscaleable and will become an administration > nightmare. And authorisation is not (or SHOULD not be) the job of ACL's > its the job of authorisation modules, which nssov is. > > Being forced to give admins who simply want to be able to change access > to a random host in a centralised server root access to what may be a > critical server with other sensitive data on it is simply wrong. As already noted, there is no need to give root access to admins. My guess is you really do not understand how ACLs work. I would advise carefully reading the slapd-access(5) man page. Regards, Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: (ITS#6481) Asssert with acl-sets and referals
by masarati＠aero.polimi.it 22 Mar '10

22 Mar '10

Fixed in HEAD; please test. Thanks, p.

1 0

Re: (ITS#6490) dds and pcache overlays not checking NULL value
by masarati＠aero.polimi.it 22 Mar '10

22 Mar '10

Fixed (slighlty differently) in HEAD. Please test. Thanks, p.

1 0

(ITS#6497) Infinite loop in translucent.c
by ondrej.kuznik＠acision.com 22 Mar '10

22 Mar '10

Full_Name: Ondrej Kuznik Version: HEAD OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (62.168.56.1) Hi, there is a bug in translucent.c:208 in translucent_cf_gen such that modification of olcTranslucentRemote or olcTranslucentLocal can trigger an infinite loop, making the server unresponsive. Please see the attached patch that fixes the issue and consider including it in your codebase: --- servers/slapd/overlays/translucent.c 2009-11-30 12:59:06.000000000 +0100 +++ servers/slapd/overlays/fixed.c 2010-03-22 16:23:39.000000000 +0100 @@ -205,7 +205,7 @@ i = c->valx; ch_free( (*an)[i].an_name.bv_val ); do { - (*an)[i] = (*an)[i+1]; + (*an)[i] = (*an)[++i]; } while ( !BER_BVISNULL( &(*an)[i].an_name )); } return 0;

1 0

Re: (ITS#6487) Nssov pam_authz authorizedUserService
by kean.johnston＠gmail.com 22 Mar '10

22 Mar '10

> So let them edit the host permissions. Delegate the privileges to > groups, and give them write access to their respective groups. ... > Irrelevant. Using slapd.conf doesn't preclude delegation of privileges > or dynamic updates to privilege memberships. I have read the admin guide from cover to cover, several times. I am not an LDAP expert (yet) so perhaps some things you take for granted are not obvious to the newcomer. Everything I have read just makes me confused about how the above can work. If you can point me at a relevant place in teh the man pages, or the admin guide, or an example of how this is possible, I will both be very grateful and have a deeper understanding of why this patch isn't necessary. The documentation says: Authorization is checked by performing an LDAP Compare operation looking for the PAM service name in the authorizedService attribute. slapd ACLs should be set to grant or deny Compare privilege to the appropriate users or groups as desired. As the OpenLDAP architect and someone who has been using LDAP for decades, that may seem obvious to you. It is not to others. As I understand that to mean, I would have to have something like: access to dn.exact="cn=host1,ou=hosts,dc=example,dc=com" attrs=authroizedService by dn="uid=user1,ou=people,dc=example,dc=com" compare by dn=uid=user2,ou=people,dc=example,dc=com" compare by group.exact="cn=somegroup,ou=groups,dc=example,dc=com" compare by * none which is how I would give access to a group of people as well as individuals. Now I want to grant special access to user3, who isn't part of any particular group, just a random user who needs access to the host. Now I have to change the above ACL. That ACL is in slapd.conf. How to I delegate being able to give a non-root user permissions to add user3 to that host. How do I delegate a non-root user to set permissions for host2 and host 3 etc. I realise this may be incorrect but thats how I understand the docs. I am not particularly dumb so if thats what I took away from the docs, chances are others did too, and at best, the documentation needs beefing up. > On the contrary - for security management, it's the BEST thing. Keeping > your authorization rules scattered across the data space not only makes > it harder to administer, it also makes it easier to subvert. Keeping it > all isolated in a single administrative space negates both of those > problems. Clearly you have never worked in an organisation with several tens or even hundreds of thousands of users. I don't see how putting everything in the one place helps at all. In fact it makes it a bottleneck of the worst kind. But being able to partition things and giving team A responsibility over access to this group of hosts and team B responsibility over that group of hosts and having the host access and authorization information actually be in the host entry just makes more sense, and it scales better.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs March 2010