Re: (ITS#6478) slapd crashes with segfault
by masarati@aero.polimi.it
> Hello, here is a backtrace
> of the crash, however not yet from
> a version with full debug symbols enabled.
> We are still working on that.
Your backtrace, although incomplete, looks weird:
> #0 0x00000037a4e30045 in raise () from /lib64/libc.so.6
> #1 0x00000037a4e31ae0 in abort () from /lib64/libc.so.6
> #2 0x00000037a4e681bb in __libc_message () from /lib64/libc.so.6
> #3 0x00000037a4e6da07 in malloc_consolidate () from /lib64/libc.so.6
> #4 0x00000037a4e6f1fb in _int_free () from /lib64/libc.so.6
> #5 0x00000037a4e72a6c in free () from /lib64/libc.so.6
> #6 0x00000037a4ecabda in __vsyslog_chk () from /lib64/libc.so.6
> #7 0x00000037a4ecaf33 in __syslog_chk () from /lib64/libc.so.6
> #8 0x0000000000437869 in slapd_remove ()
> #9 0x00000037a5a062e7 in start_thread () from /lib64/libpthread.so.0
> #10 0x00000037a4ece3bd in clone () from /lib64/libc.so.6
libc is raising an assertion during a free related to printing something
on syslog. However, in slapd_remove() I don't see anything that could be
harmful for syslog, as the only information that may be printed is printed
at a very verbose loglevel, and basically consists of integers, so it
seems impossible that things like NULL or invalid pointers slip through.
p.
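The abort in the trace above is glibc's own consistency check firing inside free(), not the code that damaged the heap: the overrun happens wherever the bad write is, and the detection happens at whichever later free() walks the corrupted metadata, which here is syslog's internal buffer. As an added illustration (not code from this thread or from OpenLDAP), the following minimal guarded allocator reproduces that behaviour in a controlled way: each block gets a fill-byte red zone on both sides, and the check runs at free time, so an off-by-one copy in one function surfaces as a failed free elsewhere. All names, sizes and the canary value are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values for this demo: red-zone width and fill byte. */
#define REDZONE 16
#define CANARY  0xA5

/* Bookkeeping placed in front of every block. sizeof == 24, so user data
 * starts 8-byte aligned, which is enough for this illustration. */
struct guard_hdr {
    size_t  size;            /* bytes the caller asked for */
    uint8_t front[REDZONE];  /* guard bytes just before user data */
};

/* Allocate `size` usable bytes with a guard zone on each side. */
void *guarded_malloc(size_t size)
{
    struct guard_hdr *h = malloc(sizeof *h + size + REDZONE);
    if (h == NULL)
        return NULL;
    h->size = size;
    memset(h->front, CANARY, REDZONE);
    uint8_t *user = (uint8_t *)(h + 1);
    memset(user + size, CANARY, REDZONE);   /* back guard zone */
    return user;
}

/* Inspect the guard zones of a block returned by guarded_malloc().
 * Returns 0 if intact, bit 1 if the front zone was overwritten (underrun),
 * bit 2 if the back zone was overwritten (overrun). */
int guarded_check(const void *p)
{
    const struct guard_hdr *h = (const struct guard_hdr *)p - 1;
    const uint8_t *user = p;
    int rc = 0;
    for (size_t i = 0; i < REDZONE; i++) {
        if (h->front[i] != CANARY)
            rc |= 1;
        if (user[h->size + i] != CANARY)
            rc |= 2;
    }
    return rc;
}

/* Release a block, validating it first, the way glibc validates chunk
 * metadata in free()/malloc_consolidate(). A corrupted block is reported
 * (non-zero return) instead of being handed back to the allocator. */
int guarded_free(void *p)
{
    if (p == NULL)
        return 0;
    int rc = guarded_check(p);
    if (rc == 0)
        free((struct guard_hdr *)p - 1);
    return rc;
}

/* Well-behaved use: the write stays inside the 8 bytes requested. */
int demo_clean_roundtrip(void)
{
    char *buf = guarded_malloc(8);
    if (buf == NULL)
        return -1;
    memcpy(buf, "ldap", 5);              /* 5 bytes incl. NUL, within bounds */
    return guarded_free(buf);            /* 0: guards intact */
}

/* Constructed bug, in the spirit of the report: the overrun happens in one
 * place (an off-by-one copy), but nothing notices until a later free(). */
int demo_overrun_detected_at_free(void)
{
    char *name = guarded_malloc(8);
    if (name == NULL)
        return -1;
    memcpy(name, "ldapuser", 9);         /* 9 bytes into 8: the NUL lands in the back guard */
    int rc = guarded_free(name);         /* 2: back guard damaged, block not freed */
    if (rc != 0)
        free((struct guard_hdr *)name - 1);  /* only our own guard was hit, so releasing is safe here */
    return rc;
}

int main(void)
{
    printf("clean free: %d\n", demo_clean_roundtrip());
    printf("overrun found at free: %d\n", demo_overrun_detected_at_free());
    return 0;
}
```

The point for a report like this one: the frame that aborts (here __vsyslog_chk calling free) only tells you where the damage was noticed. Finding the writer needs a build with symbols and an allocator that checks at the moment of the write, which is what tools built on the same guard-zone idea provide.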
Re: (ITS#6487) Nssov pam_authz authorizedUserService
by crispy@cluenet.org
I found that there's an alternate way to achieve this same functionality
that's more elegant, probably more efficient, and doesn't require any
patches. The approach uses the authorizedService attributes on the host
entry. With nssov, individual users can be granted or revoked access
based on the slapd ACLs and whether or not they have "compare" access to
the authorizedService attribute. I created groups of users underneath
the host entry - one for each service - and used regexes in the ACLs to
grant compare access to the correct authorizedService attribute when the
user is present in the corresponding group.
Also the buffer sizes were determined to be a non-issue and do not need
to be changed.
Chris Breneman
On Mon, 2010-03-22 at 00:03 -0500, Kean Johnston wrote:
> I like what this offers administrators but I have a comment about how you
> handle "wildcards". They aren't wild at all, but "magic strings" with only
> one possible meaning: all users/services with the single magic character
> "*". If you have a defined user naming convention like i_whatever for
> interns and c_whatever for contractors, it would be useful to be able to
> either include or exclude such users from using certain services.
>
> My patch at http://www.openldap.org/its/index.cgi?findid=6495 does this for
> userhost and userservices attributes, and includes negation. Would you be
> interested in working with me to expand this to support real wildcards?
> Also I suggest you make this two patches, as the patch submission
> guidelines clearly state that one patch for 1 feature, and the meaty parts
> of this are obfuscated by increasing the buffer sizes which should probably
> be in a separate patch.
>
> Regards, Kean
Re: (ITS#6478) slapd crashes with segfault
by wolfgang.hummel@hp.com
Hello, here is a backtrace
of the crash, however not yet from
a version with full debug symbols enabled.
We are still working on that.
[root@ts2mstsv010 dumps]# gdb /usr/sbin/slapd core.slapd.12403
GNU gdb Red Hat Linux (6.5-25.el5rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib64/libthread_db.so.1".
Reading symbols from /usr/lib64/libltdl.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libltdl.so.3
Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/libuuid.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libuuid.so.1
Reading symbols from /usr/lib64/libslapd_db-4.7.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libslapd_db-4.7.so
Reading symbols from /usr/lib64/libodbc.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libodbc.so.1
Reading symbols from /usr/lib64/libsasl2.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libsasl2.so.2
Reading symbols from /lib64/libssl.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libssl.so.6
Reading symbols from /lib64/libcrypto.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcrypto.so.6
Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /usr/lib64/libwrap.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libwrap.so.0
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib64/libgssapi_krb5.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libgssapi_krb5.so.2
Reading symbols from /usr/lib64/libkrb5.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libkrb5.so.3
Reading symbols from /lib64/libcom_err.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /usr/lib64/libk5crypto.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libk5crypto.so.3
Reading symbols from /usr/lib64/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libz.so.1
Reading symbols from /lib64/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /usr/lib64/libkrb5support.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /lib64/libselinux.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libselinux.so.1
Reading symbols from /lib64/libsepol.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libsepol.so.1
Reading symbols from /lib64/libnss_dns.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnss_dns.so.2
Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnss_files.so.2
Reading symbols from /usr/lib64/sasl2/libplain.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/sasl2/libplain.so.2
Reading symbols from /usr/lib64/sasl2/libanonymous.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/sasl2/libanonymous.so.2
Reading symbols from /usr/lib64/sasl2/liblogin.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/sasl2/liblogin.so.2
Reading symbols from /usr/lib64/openldap/syncprov-2.4.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/openldap/syncprov-2.4.so.2
Reading symbols from /usr/lib64/openldap/cms_template-2.4.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/openldap/cms_template-2.4.so.2
Reading symbols from /usr/lib64/openldap/cms_modif-2.4.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/openldap/cms_modif-2.4.so.2
Reading symbols from /lib64/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libgcc_s.so.1
Core was generated by `/usr/sbin/slapd -h ldap:/// -u ldap'.
Program terminated with signal 6, Aborted.
#0 0x00000037a4e30045 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00000037a4e30045 in raise () from /lib64/libc.so.6
#1 0x00000037a4e31ae0 in abort () from /lib64/libc.so.6
#2 0x00000037a4e681bb in __libc_message () from /lib64/libc.so.6
#3 0x00000037a4e6da07 in malloc_consolidate () from /lib64/libc.so.6
#4 0x00000037a4e6f1fb in _int_free () from /lib64/libc.so.6
#5 0x00000037a4e72a6c in free () from /lib64/libc.so.6
#6 0x00000037a4ecabda in __vsyslog_chk () from /lib64/libc.so.6
#7 0x00000037a4ecaf33 in __syslog_chk () from /lib64/libc.so.6
#8 0x0000000000437869 in slapd_remove ()
#9 0x00000037a5a062e7 in start_thread () from /lib64/libpthread.so.0
#10 0x00000037a4ece3bd in clone () from /lib64/libc.so.6
(gdb)
Wolfgang Hummel
Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour
by quanah@zimbra.com
--On Monday, March 22, 2010 9:00 PM -0700 Quanah Gibson-Mount
<quanah(a)zimbra.com> wrote:
> As already noted, there is no need to give root access to admins. My
> guess is you really do not understand how ACLs work. I would advise
> carefully reading the slapd-access(5) man page.
You may also find a page I wrote some time ago useful in helping to
understand how ACLs work:
<http://www.stanford.edu/services/directory/openldap/configuration/slapd-a...>
Regards,
Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour
by quanah@zimbra.com
--On Monday, March 22, 2010 12:41 PM +0000 kean.johnston(a)gmail.com wrote:
>> Authorization is the job of the ACL engine. Putting ad-hoc rules into
>> user entries is, in a word, stupid. It's also unscaleable and will
>> become an administration nightmare.
> Well OK then. Using a configuration mechanism like ACL's that cannot be
> distributed to multiple users (like editing a directory can) is, in a
> word, stupid. It is also unscaleable and will become an administration
> nightmare. And authorisation is not (or SHOULD not be) the job of ACL's,
> it's the job of authorisation modules, which nssov is.
>
> Being forced to give admins who simply want to be able to change access
> to a random host in a centralised server root access to what may be a
> critical server with other sensitive data on it is simply wrong.
As already noted, there is no need to give root access to admins. My guess
is you really do not understand how ACLs work. I would advise carefully
reading the slapd-access(5) man page.
Regards,
Quanah
(ITS#6497) Infinite loop in translucent.c
by ondrej.kuznik@acision.com
Full_Name: Ondrej Kuznik
Version: HEAD
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (62.168.56.1)
Hi,
there is a bug in translucent.c:208 in translucent_cf_gen such that modification
of olcTranslucentRemote or olcTranslucentLocal can trigger an infinite loop,
making the server unresponsive. Please see the attached patch that fixes the
issue and consider including it in your codebase:
--- servers/slapd/overlays/translucent.c 2009-11-30 12:59:06.000000000
+0100
+++ servers/slapd/overlays/fixed.c 2010-03-22 16:23:39.000000000 +0100
@@ -205,7 +205,7 @@
i = c->valx;
ch_free( (*an)[i].an_name.bv_val );
do {
- (*an)[i] = (*an)[i+1];
+ (*an)[i] = (*an)[++i];
} while ( !BER_BVISNULL( &(*an)[i].an_name ));
}
return 0;
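Review bot: the replacement line `(*an)[i] = (*an)[++i];` is undefined behaviour in C, because `i` is modified by `++i` and read for the left-hand index in the same expression with no sequence point between them; depending on the compiler the left side may use the old or the new `i`, so the shift either works or copies each element onto itself and loops forever exactly as before. The diagnosis itself is right: in the original `do { (*an)[i] = (*an)[i+1]; } while ( !BER_BVISNULL( &(*an)[i].an_name ));` the index never advances, so the test keeps looking at the same slot. Keep the increment as its own statement, for example `(*an)[i] = (*an)[i+1]; i++;` inside the `do` body with the `while` test unchanged, which is well-defined and checks the element just copied. Separately, the `+++` header names `fixed.c` while `---` names `translucent.c`; both headers should name the same file so the patch applies to the intended path.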
Re: (ITS#6487) Nssov pam_authz authorizedUserService
by kean.johnston@gmail.com
> So let them edit the host permissions. Delegate the privileges to
> groups, and give them write access to their respective groups.
...
> Irrelevant. Using slapd.conf doesn't preclude delegation of privileges
> or dynamic updates to privilege memberships.
I have read the admin guide from cover to cover, several times. I am not an
LDAP expert (yet) so perhaps some things you take for granted are not
obvious to the newcomer. Everything I have read just makes me confused
about how the above can work. If you can point me at a relevant place in
the man pages, or the admin guide, or an example of how this is
possible, I will both be very grateful and have a deeper understanding of
why this patch isn't necessary.
The documentation says:
Authorization is checked by performing an LDAP Compare operation looking
for the PAM service name in the authorizedService attribute. slapd
ACLs should be set to grant or deny Compare privilege to the appropriate
users or groups as desired.
As the OpenLDAP architect and someone who has been using LDAP for decades,
that may seem obvious to you. It is not to others. As I understand that to
mean, I would have to have something like:
access to dn.exact="cn=host1,ou=hosts,dc=example,dc=com"
        attrs=authorizedService
    by dn="uid=user1,ou=people,dc=example,dc=com" compare
    by dn="uid=user2,ou=people,dc=example,dc=com" compare
    by group.exact="cn=somegroup,ou=groups,dc=example,dc=com" compare
    by * none
which is how I would give access to a group of people as well as individuals.
Now I want to grant special access to user3, who isn't part of any
particular group, just a random user who needs access to the host. Now I
have to change the above ACL. That ACL is in slapd.conf. How do I delegate
being able to give a non-root user permissions to add user3 to that host?
How do I delegate a non-root user to set permissions for host2 and host3 etc.?
I realise this may be incorrect but that's how I understand the docs. I am
not particularly dumb so if that's what I took away from the docs, chances
are others did too, and at best, the documentation needs beefing up.
> On the contrary - for security management, it's the BEST thing. Keeping
> your authorization rules scattered across the data space not only makes
> it harder to administer, it also makes it easier to subvert. Keeping it
> all isolated in a single administrative space negates both of those
> problems.
Clearly you have never worked in an organisation with several tens or even
hundreds of thousands of users. I don't see how putting everything in the
one place helps at all. In fact it makes it a bottleneck of the worst kind.
But being able to partition things and giving team A responsibility over
access to this group of hosts and team B responsibility over that group of
hosts and having the host access and authorization information actually be
in the host entry just makes more sense, and it scales better.
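The two questions above (how compare access to authorizedService can be driven by group membership, as Chris Breneman describes earlier in the thread, and how a non-root administrator can then add a user to a host without anyone editing slapd.conf) come down to a handful of static ACLs that reference groups, where only the group membership changes at run time. The following slapd.conf fragment is an added example, not configuration from the thread or from OpenLDAP's documentation; the tree layout, host names, group names and the "host1-admins" naming convention are all assumed, and the rules follow the slapd-access(5) syntax for dn.regex, val and group.expand.

```conf
# Assumed tree layout:
#   cn=host1,ou=hosts,dc=example,dc=com            host entry nssov compares against
#       authorizedService: sshd
#       authorizedService: ftp
#   cn=sshd,cn=host1,ou=hosts,dc=example,dc=com    groupOfNames; member: users allowed sshd on host1
#   cn=ftp,cn=host1,ou=hosts,dc=example,dc=com     groupOfNames; member: users allowed ftp on host1
#   cn=host1-admins,ou=groups,dc=example,dc=com    groupOfNames; delegated (non-root) admins of host1

# 1. nssov's authorization check is an LDAP Compare of
#    authorizedService=<service> on the host entry. Grant compare on that one
#    value only to members of the matching per-service group beneath the host.
#    $1 is the host name captured by dn.regex, expanded into the group DN.
access to dn.regex="^cn=([^,]+),ou=hosts,dc=example,dc=com$"
        attrs=authorizedService val.exact="sshd"
    by group.expand="cn=sshd,cn=$1,ou=hosts,dc=example,dc=com" compare
    by * none

access to dn.regex="^cn=([^,]+),ou=hosts,dc=example,dc=com$"
        attrs=authorizedService val.exact="ftp"
    by group.expand="cn=ftp,cn=$1,ou=hosts,dc=example,dc=com" compare
    by * none

# 2. Delegation without touching slapd.conf: members of a host's admin group
#    may edit the member lists of the per-service groups beneath that host,
#    and nothing else. Giving "user3" sshd on host1 is then an ordinary LDAP
#    modify of cn=sshd,cn=host1,... performed by a host1-admins member, and
#    rule 1 honours it on the next compare.
access to dn.regex="^cn=[^,]+,cn=([^,]+),ou=hosts,dc=example,dc=com$"
        attrs=member
    by group.expand="cn=$1-admins,ou=groups,dc=example,dc=com" write
    by * read
```

Two things to keep in mind when adapting this: slapd evaluates access directives in order and stops at the first one whose "to" clause matches, so these rules must appear before any broader rule covering ou=hosts; and the group expansion is evaluated against the bound DN at request time, which is what makes the membership edit in rule 2 take effect without a server restart.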