https://bugs.openldap.org/show_bug.cgi?id=9185
Bug ID: 9185
Summary: glue entry
Product: OpenLDAP
Version: 2.4.48
Hardware: All
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs(a)openldap.org
Reporter: gnoe(a)symas.com
Target Milestone: ---
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
https://bugs.openldap.org/show_bug.cgi?id=9249
Bug ID: 9249
Summary: A dollar sign ($) at the end of the 2nd argument of
olcAuthzRegexp crashes slapd
Product: OpenLDAP
Version: 2.4.47
Hardware: All
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: kop(a)karlpinc.com
Target Milestone: ---
The following ldif, fed to ldapmodify, crashes slapd.
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: "^([^,]+),cn=PLAIN,cn=auth" "$1,ou=People,dc=example,dc=com$"
Happens on Debian 10 with openldap 2.4.47 and RHEL 8 with openldap 2.4.46.
Doing ldapmodify -d -1 seems to crash only 1 out of 3 times, but it always
crashes without the -d -1.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugs.openldap.org/show_bug.cgi?id=9271
Issue ID: 9271
Summary: ldap_parse_intermediate undocumented
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
ldap_parse_intermediate is missing from manpages, should probably be included
in ldap_parse_result.3.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9263
Issue ID: 9263
Summary: test064 fails on FreeBSD
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: build
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
test064 fails when executed on FreeBSD because it tries to use /bin/bash. On
FrreeBSD, this is /usr/local/bin/bash
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9262
Bug ID: 9262
Summary: Segmentation Fault on ldap_chain_op during Network
Issues
Product: OpenLDAP
Version: 2.4.49
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: jeremy.diaz(a)rexconsulting.net
Target Milestone: ---
Created attachment 733
--> https://bugs.openldap.org/attachment.cgi?id=733&action=edit
Full backtrace
This is a follow up to the following OpenLDAP mailing list post:
https://www.openldap.org/lists/openldap-technical/202001/msg00045.html
The issue is as follows:
Slapd crashes with a segmentation fault periodically and seems to occur most
often during periods of high load. The issue seems to be related to the chain
overlay.
Some background info:
This environment was originally made up of 3 producers and 6 consumers all on
OpenLdap 2.4.48.
Initially the issue did not appear to be caused directly by high load. We
noticed that there was an uptick in saslauthd errors around the time when a
crash occurred:
Dec 11 07:23:20 {REDACTED} saslauthd[2720]: user ldap_search_st() failed: Timed
out
Dec 11 07:23:30 {REDACTED} saslauthd[2718]: user ldap_search_st() failed: Timed
out
Dec 11 07:23:40 {REDACTED} saslauthd[2718]: user ldap_search_st() failed: Timed
out
Dec 11 07:23:56 {REDACTED} saslauthd[2717]: user ldap_search_st() failed: Timed
out
Dec 11 07:23:57 {REDACTED} saslauthd[2720]: user ldap_search_st() failed: Timed
out
Dec 11 07:23:57 {REDACTED} saslauthd[2719]: user ldap_search_st() failed: Timed
out
Dec 11 07:24:05 {REDACTED} saslauthd[2718]: user ldap_search_st() failed: Timed
out
Dec 11 07:24:06 {REDACTED} saslauthd[2717]: user ldap_search_st() failed: Timed
out
Dec 11 07:24:54 {REDACTED} saslauthd[2719]: : write failure
Dec 11 07:24:54 {REDACTED} saslauthd[2717]: : write failure
Dec 11 07:24:54 {REDACTED} saslauthd[2719]: : write: Broken pipe
Dec 11 07:24:54 {REDACTED} saslauthd[2717]: : write: Broken pipe
Dec 11 07:24:54 {REDACTED} saslauthd[2718]: : write failure
Dec 11 07:24:54 {REDACTED} saslauthd[2720]: : write failure
Dec 11 07:24:54 {REDACTED} saslauthd[2718]: : write: Broken pipe
Dec 11 07:24:54 {REDACTED} saslauthd[2720]: : write: Broken pipe
Dec 11 07:25:04 {REDACTED} saslauthd[2721]: : write failure
Dec 11 07:25:04 {REDACTED} saslauthd[2721]: : write: Broken pipe
This seemed to indicate an issue with either AD, saslauthd or the ldap meta
instance. Slapd with log level -1 did not return any obvious error messages.
One consumer server was particularly problematic since it was in a data center
that had a slower network connection. This server was also dealing with a
subset of traffic corresponding to another one of our applications so overall
there was more traffic going into this server than some the other servers.
After some network improvements the segfault occurences dropped to about 1
every couple of days mostly confined to the problematic server.
The environment was eventually updated to 2.4.49 but there was no obvious
reduction in the number of segfaults.
A while after an incident occurred that caused an increase in the latency of
the network connections causing most of the slapd instances to crash constantly
every few minutes. The crashing stopped only after the network latency was
reduced.
Ultimately what seemed to significantly reduce the number of segfaults was
adding another 3 consumers to further reduce the load on each server.
The following backtrace we captured seems to indicate that there is an issue
with the chain overlay:
#0 ldap_chain_op (op=op@entry=0x7ffbe41f0870, rs=rs@entry=0x7ffbf09bbb20,
op_f=0x4a845e <ldap_back_search>, ref=ref@entry=0x0, depth=depth@entry=0) at
chain.c:422
#1 0x00000000004e61da in ldap_chain_response (op=0x7ffbe41f0870,
rs=0x7ffbf09bbb20) at chain.c:1090
#2 0x000000000049d323 in over_back_response (op=0x7ffbe41f0870,
rs=0x7ffbf09bbb20) at backover.c:237
#3 0x0000000000447c1a in slap_response_play (op=op@entry=0x7ffbe41f0870,
rs=rs@entry=0x7ffbf09bbb20) at result.c:508
#4 0x00000000004480f5 in send_ldap_response (op=op@entry=0x7ffbe41f0870,
rs=rs@entry=0x7ffbf09bbb20) at result.c:583
The issue ultimately seems to stem from slapd being really sensitive to network
latency. The chain overlay appears to be attempting to dereference a value that
never gets set due to a timeout mechanism being exceeded because of high load
and/or high network latency as chain.c:422 seems to suggest:
for ( ; !BER_BVISNULL( ref ); ref++ ) {
Attached is the updated full backtrace of all the threads and below is the
relevant portions of our olc configuration regarding the chain overlay:
dn: olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {1}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE
dn: olcDatabase={0}ldap,olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbStartTLS: ldaps starttls=no
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: TRUE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0
dn: olcDatabase={1}ldap,olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {1}ldap
olcDbURI: “{REDACTED URI 1}“
olcDbStartTLS: ldaps starttls=no tls_cacert=“/{REDACTED}/openldap/tls/
cacerts.cer" tls_reqcert=demand tls_crlcheck=none
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindm
ethod=simple timeout=0 network-timeout=0 binddn={REDACTED}
credentials={REDACTED} keepalive=0:0:0
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: TRUE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0
dn: olcDatabase={2}ldap,olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {2}ldap
olcDbURI: “{REDACTED URI 2}“
olcDbStartTLS: ldaps starttls=no tls_cacert=“/{REDACTED}/openldap/tls/
cacerts.cer" tls_reqcert=demand tls_crlcheck=none
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindm
ethod=simple timeout=0 network-timeout=0 binddn={REDACTED}
credentials={REDACTED} keepalive=0:0:0
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: TRUE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0
dn: olcDatabase={3}ldap,olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {3}ldap
olcDbURI: “{REDACTED URI 3}“
olcDbStartTLS: ldaps starttls=no tls_cacert=“/{REDACTED}/openldap/tls/
cacerts.cer" tls_reqcert=demand tls_crlcheck=none
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindm
ethod=simple timeout=0 network-timeout=0 binddn={REDACTED}
credentials={REDACTED} keepalive=0:0:0
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: TRUE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugs.openldap.org/show_bug.cgi?id=9248
Bug ID: 9248
Summary: argon2 Makefile detects prefix incorrectly
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: contrib
Assignee: bugs(a)openldap.org
Reporter: ryan(a)openldap.org
Target Milestone: ---
argon2 tries to auto-detect the prefix from the core Makefile, but gets it
slightly wrong.
$ make DESTDIR=/home/ryan/tmp/sysroot install
mkdir -p /home/ryan/tmp/sysroot`grep -e "^prefix =" ../../../../Makefile | cut
-d= -f2`/libexec/openldap
mkdir: cannot create directory ‘/usr/libexec’: Permission denied
make: *** [Makefile:63: install-lib] Error 1
$ grep -e "^prefix =" ../../../../Makefile | cut -d= -f2
/usr
$ grep -e "^prefix =" ../../../../Makefile
prefix = /usr
The problem is the space after the equals sign.
I'd probably just remove this auto-detection and default it to
prefix=/usr/local, like every other contrib Makefile does, for the sake of
simplicity.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugs.openldap.org/show_bug.cgi?id=9227
Bug ID: 9227
Summary: Fix syncrepl exattrs to not delete local attrs
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: quanah(a)openldap.org
Target Milestone: ---
An issue with syncrepl using exattrs is that the local replica may delete attrs
that are being managed by locally deployed overlays such as memberOf (See
bug#7400 for example). This behavior needs to be fixed so that the locally
managed attributes are not deleted when included in an exattrs statement.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugs.openldap.org/show_bug.cgi?id=9265
Issue ID: 9265
Summary: modifying a schema beneath an overlay hits assert
Product: OpenLDAP
Version: 2.4.50
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ratness(a)gmail.com
Target Milestone: ---
I'm doing to demo this on debian-unstable so it's on 2.4.50, but I've also been
able to achieve the following failure with CentOS7's package
(openldap-servers-2.4.44-21.el7_6.x86_64), so I don't think it's
packager-related. I apologize that I don't have a gdb run with this report,
but I've been having poor luck compiling it or getting a non-stripped binary.
Steps to reproduce:
* grab a vm/droplet/whatever of debian, convert source to unstable, apt update
/ apt full-upgrade
* apt-get install slapd ldap-utils
* reboot
* Add the ppolicy schema:
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
* Add the ppolicy module:
**
```
cat >/tmp/moduleadd <<EOF
dn: cn=module{0},cn=config
add: olcModuleLoad
olcModuleLoad: ppolicy
EOF
```
** /usr/bin/ldapmodify -cQY EXTERNAL -H ldapi:/// -f /tmp/moduleadd
* Add a super boring ppolicy overlay:
```
cat >/tmp/overlayadd <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
EOF
```
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/overlayadd
* Halt slapd, and then start it up in debug mode:
** service slapd stop
** /usr/sbin/slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F
/etc/ldap/slapd.d -d any
* now, the weird one. Run an attempted 'replace' ldif against the ppolicy
schema that would result in no net change to it.
```
cat >/tmp/trauma <<EOF
dn: cn={4}ppolicy,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit'
EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY
booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration'
EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY
integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval'
EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY
booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange'
EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY
booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailure'
EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-
replace: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top
AUXILIARY MUST ( pwdAttribute ) MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $
pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $
pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
-
EOF
```
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/trauma
The client comes back with:
modifying entry "cn={4}ppolicy,cn=schema,cn=config"
ldap_result: Can't contact LDAP server (-1)
The server, however, has failed on an assertion. The tail of the debug stream
is:
5ec71e94 => access_allowed: add access granted by manage(=mwrscxd)
5ec71e94 slap_queue_csn: queueing 0x7facb8105700
20200522003636.287264Z#000000#000#000000
5ec71e94 oc_check_required entry (cn={4}ppolicy,cn=schema,cn=config),
objectClass "olcSchemaConfig"
5ec71e94 oc_check_allowed type "objectClass"
5ec71e94 oc_check_allowed type "cn"
5ec71e94 oc_check_allowed type "structuralObjectClass"
5ec71e94 oc_check_allowed type "entryUUID"
5ec71e94 oc_check_allowed type "creatorsName"
5ec71e94 oc_check_allowed type "createTimestamp"
5ec71e94 oc_check_allowed type "olcAttributeTypes"
5ec71e94 oc_check_allowed type "olcObjectClasses"
5ec71e94 oc_check_allowed type "entryCSN"
5ec71e94 oc_check_allowed type "modifiersName"
5ec71e94 oc_check_allowed type "modifyTimestamp"
slapd: ../../../../servers/slapd/at.c:277: at_clean: Assertion `a->sat_syntax
!= NULL' failed.
Aborted
"Why do you have an overlay there?"
Beats me. It was like that when I got here, and since it's enforcing password
policies, I don't think I can change it.
"Why would you ever run such a silly modify!?"
I wouldn't. This stems from a Puppet module where any time it spots the
timestamp of /etc/path/to/ldap/schema/foo.schema is newer than the
'modifyTimestamp' of schema 'foo' in slapd, it kicks off a modify so slapd will
be timestamp-newer than what's on disk. It just happens that if you ever do
something as simple as `touch /etc/ldap/slapd.d/ppolicy.schema`, it triggers
this update process and crashes the server on the next Puppet run. And I bet
most people don't have an overlay and so this is probably a not-often-seen edge
case. But unfortunately I'm not a good C person so I don't see the issue well
enough to offer a PR.
Thanks for reading.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=8675
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|has_patch, IPR_OK, |
|openldap-scratch |
--
You are receiving this mail because:
You are on the CC list for the issue.