Re: (ITS#8005) crash when multiple olcDbURI are defined for chaining
by hyc@symas.com
Khosrow Ebrahimpour wrote:
>
> On 12/17/2014 03:22 PM, Howard Chu wrote:
>>>> Note that test032-chain in the test suite tests a config with two URIs
>>>> and it passes successfully.
>>> From what I see although test032 tests two URIs, it doesn't test two
>>> URIs defined in the same olcDbURI field. The crash I've discovered only
>>> occurs when two URIs are defined at the same time. And like I mentioned
>>> in the issue report, this should be valid according to the man-page.
No. slapo-chain(5) states explicitly:

    chain-uri <ldapuri>
        This directive instantiates a new underlying ldap database and
        instructs it about which URI to contact to chase referrals. As
        opposed to what stated in slapd-ldap(5), only one URI can appear
        after this directive;

Closing this ITS.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: (ITS#8005) crash when multiple olcDbURI are defined for chaining
by khosrow.ebrahimpour@ssc-spc.gc.ca
On 12/16/2014 04:47 PM, Howard Chu wrote:
> Khosrow Ebrahimpour wrote:
>>
>> On 12/15/2014 01:20 PM, Howard Chu wrote:
>>> khosrow.ebrahimpour(a)ssc-spc.gc.ca wrote:
>>>> On 12/15/2014 12:09 PM, Howard Chu wrote:
>>>>> khosrow.ebrahimpour(a)ssc-spc.gc.ca wrote:
>>>>>> Full_Name: K. Ebrahimpour
>>>>>> Version: RE24 (commit dbc6741750de79b852ec9f728abb8b1425b6f03f)
>>>>>> OS: Ubuntu 14.04.1
>>>>>> URL: https://gist.github.com/khosrow/cc6640cad9275a2cd041
>>>>>> Submission from: (NULL) (205.211.133.128)
>>>>>
>>>>>> Finally, I'm running OpenLDAP 2.4.31 on Ubuntu Trusty, but was also
>>>>>> able to
>>>>>> replicate this same error on OpenLDAP 2.4.28 on Ubuntu Precise.
>>>>>
>>>>> The current release is 2.4.40. For such old releases you should
>>>>> contact Ubuntu for support.
>>>>>
>>>> I may not have been clear enough on which versions I have tested.
>>>> Please
>>>> see the *VERSION* field in the ITS submission form for the correct
>>>> version.
>>>>
>>>> To clarify, I have tested and reproduced the bug on the following
>>>> versions:
>>>>
>>>> * 2.4.28 on Ubuntu 12.04 (official Ubuntu package)
>>>> * 2.4.31 on Ubuntu 14.04 (official Ubuntu package)
>>>> * RE24 commit #dbc6741750de79b852ec9f728abb8b1425b6f03f on Ubuntu
>>>> 14.04
>>>> (from OpenLDAP git repo)
>>>>
>>>> I understand the two first instances are old releases, I simply tested
>>>> the bug on progressively newer versions of the software. Are you
>>>> saying
>>>> that the third tested version is also old?
>>>
>>> That commit ID is a few months old, from before 2.4.40 was released.
>>> We are currently preparing to release 2.4.41, so yes, it's old.
>>>
>> Bug confirmed and replicated against OPENLDAP_REL_ENG_2_4 branch on
>> commit 87c3614bee6de3a29ff95e311b2870322f1e35f0. I have updated the gist
>> (in the bug report) with a new crash log from the replica server.
>
> Note that test032-chain in the test suite tests a config with two URIs
> and it passes successfully.
From what I see although test032 tests two URIs, it doesn't test two
URIs defined in the same olcDbURI field. The crash I've discovered only
occurs when two URIs are defined at the same time. And like I mentioned
in the issue report, this should be valid according to the man-page.
>
> 1) provide a gdb stack trace of your crash
> 2) provide a complete config that reproduces your crash, including the
> data and commands used.
Crash data now available at http://khosrow.ca/its8005
>
> It might be easiest for you to edit the test032 setup to match yours.
>
Thanks,
Re: (ITS#8005) crash when multiple olcDbURI are defined for chaining
by hyc@symas.com
Khosrow Ebrahimpour wrote:
>
> On 12/15/2014 01:20 PM, Howard Chu wrote:
>> khosrow.ebrahimpour(a)ssc-spc.gc.ca wrote:
>>> On 12/15/2014 12:09 PM, Howard Chu wrote:
>>>> khosrow.ebrahimpour(a)ssc-spc.gc.ca wrote:
>>>>> Full_Name: K. Ebrahimpour
>>>>> Version: RE24 (commit dbc6741750de79b852ec9f728abb8b1425b6f03f)
>>>>> OS: Ubuntu 14.04.1
>>>>> URL: https://gist.github.com/khosrow/cc6640cad9275a2cd041
>>>>> Submission from: (NULL) (205.211.133.128)
>>>>
>>>>> Finally, I'm running OpenLDAP 2.4.31 on Ubuntu Trusty, but was also
>>>>> able to
>>>>> replicate this same error on OpenLDAP 2.4.28 on Ubuntu Precise.
>>>>
>>>> The current release is 2.4.40. For such old releases you should
>>>> contact Ubuntu for support.
>>>>
>>> I may not have been clear enough on which versions I have tested. Please
>>> see the *VERSION* field in the ITS submission form for the correct
>>> version.
>>>
>>> To clarify, I have tested and reproduced the bug on the following
>>> versions:
>>>
>>> * 2.4.28 on Ubuntu 12.04 (official Ubuntu package)
>>> * 2.4.31 on Ubuntu 14.04 (official Ubuntu package)
>>> * RE24 commit #dbc6741750de79b852ec9f728abb8b1425b6f03f on Ubuntu 14.04
>>> (from OpenLDAP git repo)
>>>
>>> I understand the two first instances are old releases, I simply tested
>>> the bug on progressively newer versions of the software. Are you saying
>>> that the third tested version is also old?
>>
>> That commit ID is a few months old, from before 2.4.40 was released.
>> We are currently preparing to release 2.4.41, so yes, it's old.
>>
> Bug confirmed and replicated against OPENLDAP_REL_ENG_2_4 branch on
> commit 87c3614bee6de3a29ff95e311b2870322f1e35f0. I have updated the gist
> (in the bug report) with a new crash log from the replica server.
Note that test032-chain in the test suite tests a config with two URIs
and it passes successfully.
1) provide a gdb stack trace of your crash
2) provide a complete config that reproduces your crash, including the
data and commands used.
It might be easiest for you to edit the test032 setup to match yours.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: (ITS#8005) crash when multiple olcDbURI are defined for chaining
by khosrow.ebrahimpour@ssc-spc.gc.ca
On 12/15/2014 01:20 PM, Howard Chu wrote:
> khosrow.ebrahimpour(a)ssc-spc.gc.ca wrote:
>> On 12/15/2014 12:09 PM, Howard Chu wrote:
>>> khosrow.ebrahimpour(a)ssc-spc.gc.ca wrote:
>>>> Full_Name: K. Ebrahimpour
>>>> Version: RE24 (commit dbc6741750de79b852ec9f728abb8b1425b6f03f)
>>>> OS: Ubuntu 14.04.1
>>>> URL: https://gist.github.com/khosrow/cc6640cad9275a2cd041
>>>> Submission from: (NULL) (205.211.133.128)
>>>
>>>> Finally, I'm running OpenLDAP 2.4.31 on Ubuntu Trusty, but was also
>>>> able to
>>>> replicate this same error on OpenLDAP 2.4.28 on Ubuntu Precise.
>>>
>>> The current release is 2.4.40. For such old releases you should
>>> contact Ubuntu for support.
>>>
>> I may not have been clear enough on which versions I have tested. Please
>> see the *VERSION* field in the ITS submission form for the correct
>> version.
>>
>> To clarify, I have tested and reproduced the bug on the following
>> versions:
>>
>> * 2.4.28 on Ubuntu 12.04 (official Ubuntu package)
>> * 2.4.31 on Ubuntu 14.04 (official Ubuntu package)
>> * RE24 commit #dbc6741750de79b852ec9f728abb8b1425b6f03f on Ubuntu 14.04
>> (from OpenLDAP git repo)
>>
>> I understand the two first instances are old releases, I simply tested
>> the bug on progressively newer versions of the software. Are you saying
>> that the third tested version is also old?
>
> That commit ID is a few months old, from before 2.4.40 was released.
> We are currently preparing to release 2.4.41, so yes, it's old.
>
Bug confirmed and replicated against OPENLDAP_REL_ENG_2_4 branch on
commit 87c3614bee6de3a29ff95e311b2870322f1e35f0. I have updated the gist
(in the bug report) with a new crash log from the replica server.
--
Khosrow
Re: (ITS#8008) proxyauth with saslmech EXTERNAL not working
by hyc@symas.com
dkastens(a)uos.de wrote:
> Full_Name: Dirk Kastens
> Version: 2.4.40
> OS: RedHat SL 7.0
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:638:508:3d0:8d09:a681:a06e:29f0)
>
>
> This is a duplicate of bug #7993 that has been closed.
>
> Meanwhile I compiled openldap myself.
>
> At first, I compiled openldap-2.4.40. I configured ldap as a replica server. It
> connects with saslmech EXTERNAL to the master server.
> When I configure idassert-bind with saslmech EXTERNAL and try to change an
> entry, ldapmodify fails with
>
> ldap_modify: Other (e.g., implementation specific) error (80)
>
> slapd logs the message:
> ---------------------------
> send_ldap_result: referral="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
> >>> dnPrettyNormal:
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
> <<< dnPrettyNormal:
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>,
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
> conn=1000 op=1 ldap_chain_op:
> ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
> -> "ldap://ldap-master.rz.uni-osnabrueck.de"
> conn=1000 op=1 ldap_chain_op:
> ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de":
> URI="ldap://ldap-master.rz.uni-osnabrueck.de" found in cache
> =>ldap_back_getconn: conn=1000 op=1: lc=0x7faca820bc70 inserted refcnt=1
> rc=0
> Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
> send_ldap_result: conn=1000 op=1 p=3
> send_ldap_result: err=80 matched="" text="misconfigured URI?"
> send_ldap_result: conn=1000 op=1 p=3
> send_ldap_result: err=80 matched="" text=""
> send_ldap_response: msgid=2 tag=103 err=80
> ---------------------------
>
> Then I compiled openldap-2.4.26 and used the same configuration. The modify with
> saslmech EXTERNAL succeeded:
>
> ---------------------------
> send_ldap_result: conn=1001 op=1 p=3
> send_ldap_result: err=10 matched="" text=""
> send_ldap_result: referral="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
> >>> dnPrettyNormal:
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
> <<< dnPrettyNormal:
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>,
> <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
> conn=1001 op=1 ldap_chain_op:
> ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
> -> "ldap://ldap-master.rz.uni-osnabrueck.de"
> conn=1001 op=1 ldap_chain_op:
> ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de":
> URI="ldap://ldap-master.rz.uni-osnabrueck.de" found in cache
> =>ldap_back_getconn: conn=1001 op=1: lc=0x7f4f201fe6f0 inserted refcnt=1
> rc=0
> send_ldap_result: conn=1001 op=1 p=3
> send_ldap_result: err=0 matched="" text=""
> send_ldap_response: msgid=2 tag=103 err=0
> ---------------------------
>
> With a quick look I found out, that the function ldap_back_dobind_int in
> server/slapd/back-ldap/bind.c differs. In 2.4.26 you have:
>
> ---------------------------
> if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
>     if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) {
>         /* if we got here, it shouldn't return result */
>         rc = ldap_back_is_proxy_authz( op, rs,
>             LDAP_BACK_DONTSEND, &binddn, &bindcred );
>         assert( rc == 1 );
>     }
>     rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn,
>         &bindcred );
>     goto done;
> }
> ---------------------------
>
> while in 2.4.40 there is:
>
> ---------------------------
> if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
>     if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) {
>         /* if we got here, it shouldn't return result */
>         rc = ldap_back_is_proxy_authz( op, rs,
>             LDAP_BACK_DONTSEND, &binddn, &bindcred );
>         if ( rc != 1 ) {
>             Debug( LDAP_DEBUG_ANY, "Error: ldap_back_is_proxy_authz "
>                 "returned %d, misconfigured URI?\n", rc, 0, 0 );
>             rs->sr_err = LDAP_OTHER;
>             rs->sr_text = "misconfigured URI?";
>             LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
>             if ( sendok & LDAP_BACK_SENDERR ) {
>                 send_ldap_result( op, rs );
>             }
>             goto done;
>         }
>     }
>     rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn,
>         &bindcred );
>     goto done;
> }
> --------------------------
>
> This is where the error message comes from ("misconfigured URI?")
Looks like you've compiled without DEBUG enabled, otherwise your 2.4.26
build would have died with an assert() failure there.
Send a complete config that reproduces the issue. Also give the complete
command you used. So far this just looks like a misconfiguration to me.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
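
The difference between the two excerpts quoted in the message above, as an added C model that is not OpenLDAP code and not part of the thread: with assert() compiled out, the 2.4.26-shaped path continues to the bind even though the identity lookup returned 0, while the 2.4.40-shaped path stops with error 80 and the text seen in the log. Every `model_*` and `dobind_*` name and the sample DN are hypothetical stand-ins, and the bind stub only records what it was handed.

```c
/* Added model, not OpenLDAP source: every model_* and dobind_* name is hypothetical. */
#include <stdio.h>
#define NDEBUG                 /* model a non-debug build: assert() expands to nothing */
#include <assert.h>
#define MODEL_SUCCESS 0        /* stand-in for a successful result code */
#define MODEL_OTHER   80       /* stand-in for LDAP_OTHER, the err=80 in the log */
static int bind_reached_unresolved;   /* set when the bind runs without an identity */

/* Stand-in for ldap_back_is_proxy_authz(): 1 if an identity was resolved, else 0. */
static int model_is_proxy_authz(int resolvable, const char **binddn)
{
    *binddn = resolvable ? "cn=proxy,dc=example,dc=com" : NULL;  /* constructed DN */
    return resolvable ? 1 : 0;
}

/* Stand-in for ldap_back_proxy_authz_bind(): only records what it was handed. */
static int model_proxy_authz_bind(const char *binddn)
{
    if (binddn == NULL) bind_reached_unresolved = 1;
    return MODEL_SUCCESS;
}

/* Shape of the 2.4.26 excerpt: the only guard on rc is an assert(). */
int dobind_assert_style(int resolvable)
{
    const char *binddn = NULL;
    int rc = model_is_proxy_authz(resolvable, &binddn);
    assert(rc == 1); (void)rc; /* no-op under NDEBUG, so rc == 0 falls through */
    return model_proxy_authz_bind(binddn);
}

/* Shape of the 2.4.40 excerpt: an explicit check that exists in every build. */
int dobind_checked_style(int resolvable, const char **text)
{
    const char *binddn = NULL;
    if (model_is_proxy_authz(resolvable, &binddn) != 1) {
        *text = "misconfigured URI?";
        return MODEL_OTHER;
    }
    return model_proxy_authz_bind(binddn);
}
#undef NDEBUG                  /* restore a live assert() for any code that follows */
#include <assert.h>

int main(void)
{
    const char *text = "";
    int a = dobind_assert_style(0), c = dobind_checked_style(0, &text);
    printf("assert style rc=%d, checked style rc=%d (%s)\n", a, c, text);
    return 0;
}
```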
(ITS#8008) proxyauth with saslmech EXTERNAL not working
by dkastens@uos.de
Full_Name: Dirk Kastens
Version: 2.4.40
OS: RedHat SL 7.0
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:638:508:3d0:8d09:a681:a06e:29f0)
This is a duplicate of bug #7993 that has been closed.
Meanwhile I compiled openldap myself.
At first, I compiled openldap-2.4.40. I configured ldap as a replica server. It
connects with saslmech EXTERNAL to the master server.
When I configure idassert-bind with saslmech EXTERNAL and try to change an
entry, ldapmodify fails with
ldap_modify: Other (e.g., implementation specific) error (80)
slapd logs the message:
---------------------------
send_ldap_result: referral="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
>>> dnPrettyNormal:
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
<<< dnPrettyNormal:
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>,
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
conn=1000 op=1 ldap_chain_op:
ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
-> "ldap://ldap-master.rz.uni-osnabrueck.de"
conn=1000 op=1 ldap_chain_op:
ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de":
URI="ldap://ldap-master.rz.uni-osnabrueck.de" found in cache
=>ldap_back_getconn: conn=1000 op=1: lc=0x7faca820bc70 inserted refcnt=1
rc=0
Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=80 matched="" text="misconfigured URI?"
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=80 matched="" text=""
send_ldap_response: msgid=2 tag=103 err=80
---------------------------
Then I compiled openldap-2.4.26 and used the same configuration. The modify with
saslmech EXTERNAL succeeded:
---------------------------
send_ldap_result: conn=1001 op=1 p=3
send_ldap_result: err=10 matched="" text=""
send_ldap_result: referral="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
>>> dnPrettyNormal:
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
<<< dnPrettyNormal:
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>,
<uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
conn=1001 op=1 ldap_chain_op:
ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
-> "ldap://ldap-master.rz.uni-osnabrueck.de"
conn=1001 op=1 ldap_chain_op:
ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de":
URI="ldap://ldap-master.rz.uni-osnabrueck.de" found in cache
=>ldap_back_getconn: conn=1001 op=1: lc=0x7f4f201fe6f0 inserted refcnt=1
rc=0
send_ldap_result: conn=1001 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=103 err=0
---------------------------
With a quick look I found out, that the function ldap_back_dobind_int in
server/slapd/back-ldap/bind.c differs. In 2.4.26 you have:
---------------------------
if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
    if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) {
        /* if we got here, it shouldn't return result */
        rc = ldap_back_is_proxy_authz( op, rs,
            LDAP_BACK_DONTSEND, &binddn, &bindcred );
        assert( rc == 1 );
    }
    rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn,
        &bindcred );
    goto done;
}
---------------------------
while in 2.4.40 there is:
---------------------------
if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
    if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) {
        /* if we got here, it shouldn't return result */
        rc = ldap_back_is_proxy_authz( op, rs,
            LDAP_BACK_DONTSEND, &binddn, &bindcred );
        if ( rc != 1 ) {
            Debug( LDAP_DEBUG_ANY, "Error: ldap_back_is_proxy_authz "
                "returned %d, misconfigured URI?\n", rc, 0, 0 );
            rs->sr_err = LDAP_OTHER;
            rs->sr_text = "misconfigured URI?";
            LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
            if ( sendok & LDAP_BACK_SENDERR ) {
                send_ldap_result( op, rs );
            }
            goto done;
        }
    }
    rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn,
        &bindcred );
    goto done;
}
--------------------------
This is where the error message comes from ("misconfigured URI?")