Hi,
On Tue, 10 Sep 2013, Michael Ströder wrote:
ck@cksoft.de wrote:
We have a Java application using JNDI that uses the password modify extended operation to change user passwords. [..] When running slapd with heavy logging we saw the only difference to ldappasswd, which works fine against our masters, is that JNDI sets the ManageDsaIT by default.
Of course slapd should never crash.
Yes, of course not. This opens an attack vector for shooting down the slapd to at least anyone who has bind access, which is concerning me.
Apart from that the customer's problem is solved. We just stopped sending the control. A bit like "Dr., Dr., it hurts when I do this." "Then why don't you stop doing it?"
But strictly speaking the semantics of using ManageDsaIT control along with password modify ext.op. is not specified - at least not in RFC 3062.
Yes. JNDI sets the control by default.
From looking at the assert
slapd: chain.c:199: chaining_control_remove: Assertion `op->o_ctrls != ((void *)0)' failed.
the comment in chain.c seems to hint at an overly simple assumption. But I understand too little of slapd internals and code flow:

    188 static int
    189 chaining_control_remove(
    190         Operation       *op,
    191         LDAPControl     ***oldctrlsp )
    192 {
    193         LDAPControl     **oldctrls = *oldctrlsp;
    194
    195         /* we assume that the first control is the chaining control
    196          * added by the chain overlay, so it's the only one we explicitly
    197          * free */
    198         if ( op->o_ctrls != oldctrls ) {
    199                 assert( op->o_ctrls != NULL );
    200                 assert( op->o_ctrls[ 0 ] != NULL );
    201
    202                 free( op->o_ctrls );
    203
    204                 op->o_chaining = 0;
    205                 op->o_ctrls = oldctrls;
    206         }
    207
    208         *oldctrlsp = NULL;
    209
    210         return 0;
    211 }

Could it be as simple as walking the linked list and just removing the chaining control?
Of course another strategy might be to filter anything but the chaining control up front.
Greetings Christian
Ciao, Michael.
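
The idea raised in the message above, walking the control list and removing only the chaining control, sketched as an added example that is not part of the original mail and is not OpenLDAP code. It models the controls as a NULL-terminated array of a simplified `Control` struct, uses a constructed placeholder for the chaining control's OID, and treats a NULL array as empty instead of asserting.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for LDAPControl; only the OID matters here. */
typedef struct Control { const char *oid; } Control;

/* Constructed placeholder, not the real OID of the chain overlay's control. */
#define CHAINING_OID    "x-example-chaining-control"
/* ManageDsaIT control (RFC 3296), the control JNDI sends by default. */
#define MANAGEDSAIT_OID "2.16.840.1.113730.3.4.2"

/* Number of entries in a NULL-terminated array; a NULL array counts as empty. */
static size_t ctrl_count(Control **ctrls)
{
    size_t n = 0;
    while (ctrls != NULL && ctrls[n] != NULL)
        n++;
    return n;
}

/* Remove every control with the given OID, compacting the array in place.
 * Returns how many were removed. A NULL array or an absent OID yields 0
 * rather than aborting, and no position in the array is assumed.
 * The caller keeps ownership of the Control objects in this model. */
static size_t ctrl_remove_by_oid(Control **ctrls, const char *oid)
{
    size_t in, out = 0, removed = 0;

    if (ctrls == NULL)
        return 0;
    for (in = 0; ctrls[in] != NULL; in++) {
        if (strcmp(ctrls[in]->oid, oid) == 0)
            removed++;
        else
            ctrls[out++] = ctrls[in];   /* keep client-supplied controls */
    }
    ctrls[out] = NULL;
    return removed;
}

int main(void)
{
    Control manage = { MANAGEDSAIT_OID }, chain = { CHAINING_OID };
    Control *ctrls[] = { &manage, &chain, NULL };   /* constructed sample */

    if (ctrl_remove_by_oid(NULL, CHAINING_OID) != 0) return 1;
    if (ctrl_remove_by_oid(ctrls, CHAINING_OID) != 1) return 1;
    return (ctrl_count(ctrls) == 1 && ctrls[0] == &manage) ? 0 : 1;
}
```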