openldap-bugs June 2010

openldap-bugs@openldap.org

23 participants
57 discussions

Re: (ITS#6572) slapd crash caused by refint's cn=config modification
by mbackes＠symas.com 12 Jun '10

12 Jun '10

> Here's a patch that fixes 6572. Heh, okay Quanah. This patch file is derived from OpenLDAP Software. All of the = modifications to OpenLDAP Software represented in the previous patch was = developed by me for Symas and the OpenLDAP project. I am authorized by = Symas, my employer, to release this work under the following terms. Portions Copyright 2010 Symas Corporation. Redistribution and use in source and binary forms, with or without = modification, are permitted only as authorized by the OpenLDAP Public = License. Matthew Backes Symas Corporation mbackes(a)symas.com

1 0

Re: (ITS#6572) slapd crash caused by refint's cn=config modification
by mbackes＠symas.com 12 Jun '10

12 Jun '10

--Apple-Mail-322--405209956 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Here's a patch that fixes 6572. * Switch to use BER_BVISNULL, BER_BVZERO, and ch_free instead * Clean up Ozone's "breadcrumbs" while we're at it (unrelated but trivial) * Should apply cleanly to RE24 and HEAD * Older dyn-config refints (RE22, RE23) likely have the same problem Matthew Backes Symas Corporation mbackes(a)symas.com --Apple-Mail-322--405209956 Content-Disposition: attachment; filename=refint-patch-its-6572.txt Content-Type: text/plain; name="refint-patch-its-6572.txt" Content-Transfer-Encoding: 7bit Index: refint.c =================================================================== RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/overlays/refint.c,v retrieving revision 1.46 diff -u -r1.46 refint.c --- refint.c 13 Apr 2010 20:18:25 -0000 1.46 +++ refint.c 13 Jun 2010 04:02:09 -0000 @@ -76,7 +76,6 @@ } refint_q; typedef struct refint_data_s { - const char *message; /* breadcrumbs */ struct refint_attrs_s *attrs; /* list of known attrs */ BerValue dn; /* basedn in parent, */ BerValue nothing; /* the nothing value, if needed */ @@ -210,21 +209,17 @@ rc = 0; break; case REFINT_NOTHING: - if ( dd->nothing.bv_val ) - ber_memfree ( dd->nothing.bv_val ); - if ( dd->nnothing.bv_val ) - ber_memfree ( dd->nnothing.bv_val ); - dd->nothing.bv_len = 0; - dd->nnothing.bv_len = 0; + ch_free( dd->nothing.bv_val ); + ch_free( dd->nnothing.bv_val ); + BER_BVZERO( &dd->nothing ); + BER_BVZERO( &dd->nnothing ); rc = 0; break; case REFINT_MODIFIERSNAME: - if ( dd->refint_dn.bv_val ) - ber_memfree ( dd->refint_dn.bv_val ); - if ( dd->refint_ndn.bv_val ) - ber_memfree ( dd->refint_ndn.bv_val ); - dd->refint_dn.bv_len = 0; - dd->refint_ndn.bv_len = 0; + ch_free( dd->refint_dn.bv_val ); + ch_free( dd->refint_ndn.bv_val ); + BER_BVZERO( &dd->refint_dn ); + BER_BVZERO( &dd->refint_ndn ); rc = 0; break; default: @@ -256,22 +251,26 @@ } break; case REFINT_NOTHING: - if ( dd->nothing.bv_val ) - ber_memfree ( dd->nothing.bv_val ); - if ( dd->nnothing.bv_val ) - ber_memfree ( dd->nnothing.bv_val ); - dd->nothing = c->value_dn; - dd->nnothing = c->value_ndn; - rc = 0; + if ( !BER_BVISNULL( &c->value_ndn )) { + ch_free ( dd->nothing.bv_val ); + ch_free ( dd->nnothing.bv_val ); + dd->nothing = c->value_dn; + dd->nnothing = c->value_ndn; + rc = 0; + } else { + rc = ARG_BAD_CONF; + } break; case REFINT_MODIFIERSNAME: - if ( dd->refint_dn.bv_val ) - ber_memfree ( dd->refint_dn.bv_val ); - if ( dd->refint_ndn.bv_val ) - ber_memfree ( dd->refint_ndn.bv_val ); - dd->refint_dn = c->value_dn; - dd->refint_ndn = c->value_ndn; - rc = 0; + if ( !BER_BVISNULL( &c->value_ndn )) { + ch_free( &dd->refint_dn.bv_val ); + ch_free( &dd->refint_ndn.bv_val ); + dd->refint_dn = c->value_dn; + dd->refint_ndn = c->value_ndn; + rc = 0; + } else { + rc = ARG_BAD_CONF; + } break; default: abort (); @@ -299,7 +298,6 @@ slap_overinst *on = (slap_overinst *)be->bd_info; refint_data *id = ch_calloc(1,sizeof(refint_data)); - id->message = "_init"; on->on_bi.bi_private = id; ldap_pvt_thread_mutex_init( &id->qmutex ); return(0); @@ -335,7 +333,6 @@ { slap_overinst *on = (slap_overinst *)be->bd_info; refint_data *id = on->on_bi.bi_private; - id->message = "_open"; if ( BER_BVISNULL( &id->dn )) { if ( BER_BVISNULL( &be->be_nsuffix[0] )) @@ -354,7 +351,6 @@ ** foreach configured attribute: ** free it; ** free our basedn; -** (do not) free id->message; ** reset on_bi.bi_private; ** free our config data; ** @@ -369,7 +365,6 @@ slap_overinst *on = (slap_overinst *) be->bd_info; refint_data *id = on->on_bi.bi_private; refint_attrs *ii, *ij; - id->message = "_close"; for(ii = id->attrs; ii; ii = ij) { ij = ii->next; @@ -870,8 +865,6 @@ BackendDB *db = NULL; refint_attrs *ip; - id->message = "_refint_response"; - /* If the main op failed or is not a Delete or ModRdn, ignore it */ if (( op->o_tag != LDAP_REQ_DELETE && op->o_tag != LDAP_REQ_MODRDN ) || rs->sr_err != LDAP_SUCCESS ) --Apple-Mail-322--405209956--

1 0

(ITS#6572)
by daniel＠pluta.biz 09 Jun '10

09 Jun '10

short add-on note: any kind of modify operation on this attribute seems to crash slapd

1 0

Re: (ITS#6573) schema errors
by Kurt＠OpenLDAP.org 06 Jun '10

06 Jun '10

On Jun 6, 2010, at 8:27 PM, peychart(a)mail.pf wrote: > Full_Name: Philippe EYCHART > Version: last > OS: linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (203.185.181.157) >=20 >=20 > Hi, >=20 > 1/- It seems there is one schema definition error : the "street" = attribute is > defined twice in the "domain" objectClass (cosine.schema) ... > So, the LDAP database repeat this error ; see: ldapsearch -x -b = "cn=3Dsubschema" > -s base objectclasses As far as the old RFC 1274 version of 'domain', cosine.schema is = correct. (It's not an error to list attributes multiple times in schema = descriptions. There's a number of multiple listings found in RFC = specifications of object classes.) =20 Of course, all of cosine.schema should be replaced with a new file = derived directly from RFC 4524 with non-conflicting deprecated stuff at = the end of the file or moved to cosine-old.schema file. >=20 > 2/- the attribute "internationaliSDNNumber" is defined with a "i" for = "iSDN" but > with a "I" in the "domain" objectClass definition ... (so, a compare = with no > sensitive case option must be done to find it ...) Names are case insensitive. >=20 > (cf.: <http://home.gna.org/ldapcppei/Frontends/Howto-5.fr.html#S5>) > Regards, > Philippe EYCHART >=20

1 0

(ITS#6573) schema errors
by peychart＠mail.pf 06 Jun '10

06 Jun '10

Full_Name: Philippe EYCHART Version: last OS: linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (203.185.181.157) Hi, 1/- It seems there is one schema definition error : the "street" attribute is defined twice in the "domain" objectClass (cosine.schema) ... So, the LDAP database repeat this error ; see: ldapsearch -x -b "cn=subschema" -s base objectclasses 2/- the attribute "internationaliSDNNumber" is defined with a "i" for "iSDN" but with a "I" in the "domain" objectClass definition ... (so, a compare with no sensitive case option must be done to find it ...) (cf.: <http://home.gna.org/ldapcppei/Frontends/Howto-5.fr.html#S5>) Regards, Philippe EYCHART

1 0

(ITS#6572) slapd crash caused by refint's cn=config modification
by daniel＠pluta.biz 06 Jun '10

06 Jun '10

Full_Name: Daniel Pluta Version: 2.4.21 OS: Lnx URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2001:470:9feb:ff02:6834:fd61:37f:67da) Hi, after a silly typo (removed the "," rdn-separator character) in refint's cn=config settings while modifying "olcRefintNothing" attribute the attribute contained the following escaped value: olcRefintNothing: cn=refintcn\3Dconfig Using ldapmodify with cn=config to correct this value back into e.g. "cn=refint,cn=config" caused slapd to crash. Re-starting slapd (recovering db files...) worked fine but the value of course is still the "ugly" one above. Trying to correct (using ldapmodify) this value once more caused slapd to crash again. Cheers Daniel

1 0

Re: (ITS#6556) test031 core dumps after applying first filter
by dieter＠dkluenter.de 06 Jun '10

06 Jun '10

Hi, I have run slapd in valgrind now, which produced following error: ==15353== 1 errors in context 1 of 5: ==15353== Invalid write of size 4 ==15353== at 0x80E64B5: slap_sl_free (sl_malloc.c:492) ==15353== by 0x80A0EEA: ch_free (ch_malloc.c:137) ==15353== by 0x80E3DC9: mra_free (mra.c:43) ==15353== by 0x80855B0: filter_free_x (filter.c:556) ==15353== by 0x80836CD: do_search (search.c:230) ==15353== by 0x8080588: connection_operation (connection.c:1109) ==15353== by 0x403B376: ldap_int_thread_pool_wrapper (tpool.c:685) ==15353== by 0x43046E4: start_thread (in /lib/libpthread-2.10.1.so) ==15353== by 0x43045FF: ??? (in /lib/libpthread-2.10.1.so) ==15353== Address 0x843692b1 is not stack'd, malloc'd or (recently) free'd Full valgrind log can be found at http://pastebin.de/6914 -Dieter

1 0

(ITS#6571) rebind-as-user only works on first connection attempt
by maci＠satgnu.net 04 Jun '10

04 Jun '10

Full_Name: Marcel Wysocki Version: 2.4.22 OS: Solaris/Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (88.79.126.162) Hello, i have the same problem as described here: http://www.openldap.org/lists/openldap-software/200712/msg00283.html here are some logs: @(#) $OpenLDAP: slapd 2.4.22 (Jun 4 2010 11:56:46) $ slapd starting Initial connection: ########################## conn=1000 fd=11 ACCEPT from IP=127.0.0.1:45654 (IP=0.0.0.0:389) conn=1000 op=0 BIND dn="uid=FOOO,ou=applications,ou=admin,ou=BAR,c=de,o=bazbaz" method=128 conn=1000 op=0 BIND dn="uid=FOOO,ou=applications,ou=admin,ou=BAR,c=de,o=bazbaz" mech=SIMPLE ssf=0 conn=1000 op=0 RESULT tag=97 err=0 text= ########################## First ldapsearch: ########################## conn=1000 op=2 SRCH base="ou=users,ou=BAR,c=de,o=bazbaz" scope=1 deref=3 filter="(mobile=491721000227)" conn=1000 op=2 SRCH attr=objectclass conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= ########################## backend server has been restarted, sencond ldapsearch: ########################## conn=1000 op=3 SRCH base="ou=users,ou=BAR,c=de,o=bazbaz" scope=1 deref=3 filter="(mobile=491721000227)" conn=1000 op=3 SRCH attr=objectclass conn=1000 op=3 ldap_back_retry: retrying URI="ldap://10.2.163.13:389" DN="uid=FOOO,ou=applications,ou=admin,ou=BAR,c=de,o=bazbaz" conn=1000 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= ########################## backend server has been stopped, third ldapsearch, fails as it should: ########################## conn=1000 op=4 SRCH base="ou=users,ou=BAR,c=de,o=bazbaz" scope=1 deref=3 filter="(mobile=491721000227)" conn=1000 op=4 SRCH attr=objectclass conn=1000 op=4 ldap_back_retry: retrying URI="ldap://10.2.163.13:389" DN="uid=FOOO,ou=applications,ou=admin,ou=BAR,c=de,o=bazbaz" conn=1000 op=4 SEARCH RESULT tag=101 err=52 nentries=0 text= ########################## backend server has been restarted, fourth ldapsearch, rebind fails: ########################## conn=1000 op=5 SRCH base="ou=users,ou=BAR,c=de,o=bazbaz" scope=1 deref=3 filter="(mobile=491721000227)" conn=1000 op=5 SRCH attr=objectclass conn=1000 op=5 ldap_back_dobind_int: DN="uid=FOOO,ou=applications,ou=admin,ou=BAR,c=de,o=bazbaz" without creds, binding anonymously conn=1000 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text= ########################## following the configuration for back-ldap: database ldap suffix "o=bazbaz" uri ldap://10.2.163.13:389 rootdn "cn=PEX,o=bazbaz" rootpw secret idle-timeout 301 rebind-as-user yes single-conn yes chase-referrals no acl-bind bindmethod=simple binddn="uid=FOOO,ou=applications,ou=admin,ou=BAR,c=de,o=bazbaz" credentials=supersecret

1 0

Re: (ITS#6567) Enable GSSAPI support and expose ldap_gssadpi_bind_s
by Kurt＠OpenLDAP.org 02 Jun '10

02 Jun '10

On Jun 2, 2010, at 11:11 AM, Michael Str=F6der wrote: > Kurt(a)OpenLDAP.org wrote: >> However, one issue I have with this code is that highly dependent =3D >> behaviors which, aside from not be standardized, aren't even = specified =3D >> in RFCs. For instance, there is no RFC describing dnsHostName or =3D >> ldapServiceName or any specification detailing how GSS-SPNEGO is to = be =3D >> used in LDAP. Without a formal specification (e.g., RFC), I oppose =3D= >> release of this code. That is, it should stay HEAD only until such = time =3D >> that a formal specification (e.g., RFC) is available. >=20 > Kurt, I somewhat can understand your concerns. > But as a general answer to your comment above: There is already a lot = of code > in OpenLDAP for which no RFC or at least an I-D was specified but = which serves > a certain use-case. Strictly (following your statement above) speaking = one > would have to hunk out all the stuff only specified in I-Ds. An I-D would be a start. I would think there's a number of interesting = security considerations that would bubble up if someone would ever have = taken the time to submit a specification regarding use of SPNEGO in SASL = and in application protocols such as LDAP to an open standards = organization such as the IETF. > So I don't see > the strong need to be overly strict here. It's long been a stated goal of the project to promote interoperability = through open standards. This work seems more to come from a community = whose stated goal is to behave like one particular vendor. I'm not a = fan of chasing any particular vendor. > Quality of certain code is another story. But I cannot comment on = this. How can one independently verify the code acts as intended without a = specification of the intended behavior? (Saying it should act like = some particular commercial product, is not a specification.) -- Kurt >=20 > Ciao, Michael.

1 0

Re: (ITS#6567) Enable GSSAPI support and expose ldap_gssadpi_bind_s
by michael＠stroeder.com 02 Jun '10

02 Jun '10

Kurt(a)OpenLDAP.org wrote: > However, one issue I have with this code is that highly dependent = > behaviors which, aside from not be standardized, aren't even specified = > in RFCs. For instance, there is no RFC describing dnsHostName or = > ldapServiceName or any specification detailing how GSS-SPNEGO is to be = > used in LDAP. Without a formal specification (e.g., RFC), I oppose = > release of this code. That is, it should stay HEAD only until such time = > that a formal specification (e.g., RFC) is available. Kurt, I somewhat can understand your concerns. But as a general answer to your comment above: There is already a lot of code in OpenLDAP for which no RFC or at least an I-D was specified but which serves a certain use-case. Strictly (following your statement above) speaking one would have to hunk out all the stuff only specified in I-Ds. So I don't see the strong need to be overly strict here. Quality of certain code is another story. But I cannot comment on this. Ciao, Michael.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs June 2010