Full_Name: Konstantin Menshikov
Version: 2.4.33
OS: FreeBSD 8.2-RELEASE-p4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.116.101.94)
The unique and constraint overlays use the entry's attribute list for their check. If we restrict by the RDN attribute (cn, for example) and don't add the cn attribute in the LDIF file, we can bypass the restriction.
The unique overlay looks at the attribute list in op->ora_e->e_attrs; if this list does not contain the cn attribute, the check is not run.
IMHO: the problem is not in the overlays but in the slapd code, which allows adding an object without explicitly setting the RDN attribute.
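The mechanism described above, as an added example that is not OpenLDAP code: a small Python model of the slapo-unique check that builds its search filter only from the attributes present in the add request, beside a hardened variant that first merges the RDN attribute values parsed from the DN (the values slapd itself adds before storing the entry), plus an audit routine that flags duplicates already present in a directory. The directory contents, the LDIF texts and every function name are constructed for illustration; the LDIF and RDN parsing handle only the plain forms that appear in this report.

```python
"""Model of the uniqueness check from the report (added example, not OpenLDAP
code): the directory contents, LDIF texts and function names are constructed."""
from typing import Dict, List, Tuple

Attrs = Dict[str, List[str]]
UNIQUE_BASE = "ou=groups,o=company"   # unique_uri ldap:///ou=groups,o=company?cn?sub
UNIQUE_ATTRS = {"cn"}

# Constructed directory: cn=test already exists under ou=personal, the entry
# count_attr_cb found in the first log trace.
DIRECTORY: List[Tuple[str, Attrs]] = [
    ("cn=test,ou=personal,ou=groups,o=company",
     {"objectclass": ["posixGroup"], "cn": ["test"], "gidnumber": ["999"]}),
    ("cn=other,ou=system,ou=groups,o=company",
     {"objectclass": ["posixGroup"], "cn": ["other"], "gidnumber": ["1001"]}),
]
# Constructed LDIF bodies equivalent to add.ldif.false and add.ldif.true.
LDIF_WITH_CN = """dn: cn=test,ou=system,ou=groups,o=company
changetype: add
objectClass: posixGroup
description: test
cn: test
gidNumber: 1000
"""
LDIF_WITHOUT_CN = LDIF_WITH_CN.replace("cn: test\n", "")  # same entry, cn line dropped


def parse_ldif(text: str) -> Tuple[str, Attrs]:
    """Minimal add-record parser: lowercases attribute names, drops changetype;
    no base64 values or line folding (illustrative only)."""
    dn, attrs = "", {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key and key != "changetype":
            attrs.setdefault(key, []).append(value)
    return dn, attrs


def rdn_attrs(dn: str) -> Attrs:
    """Attribute/value pairs of the leftmost RDN (escaped ',' and '+' not handled)."""
    out: Attrs = {}
    for ava in dn.split(",", 1)[0].split("+"):
        key, _, value = ava.partition("=")
        out.setdefault(key.strip().lower(), []).append(value.strip())
    return out


def with_rdn_attrs(dn: str, attrs: Attrs) -> Tuple[str, Attrs]:
    """The entry as slapd stores it: RDN values merged into the attribute list
    (the second trace shows oc_check_allowed type "cn" although the LDIF had none)."""
    merged = {k: list(v) for k, v in attrs.items()}
    for key, values in rdn_attrs(dn).items():
        for value in values:
            if value not in merged.setdefault(key, []):
                merged[key].append(value)
    return dn, merged


def under_base(dn: str) -> bool:
    d = dn.lower()
    return d == UNIQUE_BASE or d.endswith("," + UNIQUE_BASE)


def unique_search(dn: str, pairs: List[Tuple[str, str]]) -> int:
    """Entries under the base, other than dn itself, matching the OR filter
    built from pairs, i.e. (|(cn=test)) in the report's log."""
    hits = 0
    for entry_dn, entry_attrs in DIRECTORY:
        if under_base(entry_dn) and entry_dn.lower() != dn.lower() and any(
                value in (v.lower() for v in entry_attrs.get(attr, []))
                for attr, value in pairs):
            hits += 1
    return hits


def unique_check_as_reported(dn: str, attrs: Attrs) -> str:
    """Mirrors the overlay: the filter comes only from the request's attribute
    list, so an add that omits cn yields no filter and no search at all."""
    pairs = [(a, v.lower()) for a, vals in attrs.items() if a in UNIQUE_ATTRS for v in vals]
    if not pairs:
        return "no check"
    return "constraint violation" if unique_search(dn, pairs) else "ok"


def unique_check_hardened(dn: str, attrs: Attrs) -> str:
    """Same check, run on the entry as it will be stored, RDN values included."""
    return unique_check_as_reported(*with_rdn_attrs(dn, attrs))


def audit_duplicates(directory: List[Tuple[str, Attrs]]) -> Dict[str, List[str]]:
    """Detection for entries that already slipped through: unique attribute
    values under the base that more than one DN carries."""
    seen: Dict[str, List[str]] = {}
    for entry_dn, entry_attrs in directory:
        if under_base(entry_dn):
            for attr in UNIQUE_ATTRS:
                for value in entry_attrs.get(attr, []):
                    seen.setdefault(attr + "=" + value.lower(), []).append(entry_dn)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for text in (LDIF_WITH_CN, LDIF_WITHOUT_CN):
        dn, attrs = parse_ldif(text)
        print(dn, "| as reported:", unique_check_as_reported(dn, attrs),
              "| hardened:", unique_check_hardened(dn, attrs))
    print(audit_duplicates(DIRECTORY + [with_rdn_attrs(*parse_ldif(LDIF_WITHOUT_CN))]))
```

Running the model reproduces the report: the LDIF with an explicit cn is refused, the one without it passes the check as reported and is accepted by the hardened check only after the RDN value is merged in. The audit function is the check an operator would run over an existing directory to find entries that were added while the gap was open.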
Example configuration:

[root@rdn.problem openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/spamassassin.schema
include /usr/local/etc/openldap/schema/openssh-lpk.schema
include /usr/local/etc/openldap/schema/vega-base.schema
include /usr/local/etc/openldap/schema/vega-corp.schema
include /usr/local/etc/openldap/schema/vega-net.schema
include /usr/local/etc/openldap/schema/oversun-base.schema
include /usr/local/etc/openldap/schema/oversun-corp.schema
include /usr/local/etc/openldap/schema/oversun-mail.schema
include /usr/local/etc/openldap/schema/oversun-net.schema
include /usr/local/etc/openldap/schema/asterisk.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel config stats sync trace

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_hdb

database hdb
suffix "o=company"
rootdn "cn=ldapadm,o=company"
rootpw password
directory /var/db/openldap-data/o=company

overlay unique
unique_uri ldap:///ou=groups,o=company?cn?sub
How to repeat:
[root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H ldap://127.0.0.5:389 -f /root/add.ldif.false
adding new entry "cn=test,ou=system,ou=groups,o=company"
ldap_add: Constraint violation (19)
        additional info: some attributes not unique

[root@rdn.problem openldap]# cat /root/add.ldif.false
dn: cn=test,ou=system,ou=groups,o=company
changetype: add
objectClass: posixGroup
description: test
cn: test
gidNumber: 1000

[root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H ldap://127.0.0.5:389 -f /root/add.ldif.true
adding new entry "cn=test,ou=system,ou=groups,o=company"

[root@rdn.problem openldap]# cat /root/add.ldif.true
dn: cn=test,ou=system,ou=groups,o=company
changetype: add
objectClass: posixGroup
description: test
gidNumber: 1000

[root@rdn.problem openldap]# diff -U 3 /root/add.ldif.false /root/add.ldif.true
--- /root/add.ldif.false 2012-10-23 06:22:16.000000000 +0000 +++ /root/add.ldif.true 2012-10-23 06:22:25.000000000 +0000 @@ -2,5 +2,4 @@ changetype: add objectClass: posixGroup description: test -cn: test gidNumber: 1000
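Review bot: the only delta in this hunk is the removed `-cn: test` line, while the DN `cn=test,ou=system,ou=groups,o=company` is unchanged, so the value the unique_uri is meant to guard still arrives in the RDN. That is exactly the gap the two traces show: the first trace runs `unique_search (|(cn=test))` and fails with err=19, the second runs `unique_add` with no search at all and only later logs `oc_check_allowed type "cn"`, i.e. cn is materialized from the RDN after the overlay has already looked at op->ora_e->e_attrs. For the check to hold, the overlay (or slapd before it calls the overlays) needs to consider the RDN attribute values as part of the entry, not just the attributes the client listed.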
Log file records:
Oct 23 06:23:21 rdn slapd[44326]: slap_listener_activate(6):
Oct 23 06:23:21 rdn slapd[44326]: >>> slap_listener(ldap://)
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 ACCEPT from IP=127.0.0.5:17098 (IP=0.0.0.0:389)
Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on id=1006
Oct 23 06:23:21 rdn slapd[44326]: op tag 0x60, time 1350973401
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 do_bind
Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company>
Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>, <cn=ldapadm,o=company>
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:21 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company" mech=SIMPLE ssf=0
Oct 23 06:23:21 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to "cn=ldapadm,o=company"
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=0 p=3
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 RESULT tag=97 err=0 text=
Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on id=1006
Oct 23 06:23:21 rdn slapd[44326]: op tag 0x68, time 1350973401
Oct 23 06:23:21 rdn slapd[44326]: connection_input: conn=1006 deferring operation: binding
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 do_add
Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company>, <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 ADD dn="cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:21 rdn slapd[44326]: bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: => hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Oct 23 06:23:21 rdn slapd[44326]: hdb_referrals: tag=104 target="cn=test,ou=system,ou=groups,o=company" matched="ou=system,ou=groups,o=company"
Oct 23 06:23:21 rdn slapd[44326]: ==> unique_add <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:21 rdn slapd[44326]: ==> unique_search (|(cn=test))
Oct 23 06:23:21 rdn slapd[44326]: => hdb_search
Oct 23 06:23:21 rdn slapd[44326]: bdb_dn2entry("ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: search_candidates: base="ou=groups,o=company" (0x00000002) scope=2
Oct 23 06:23:21 rdn slapd[44326]: => hdb_dn2idl("ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (objectClass)
Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (objectClass) not indexed
Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (cn)
Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (cn) not indexed
Oct 23 06:23:21 rdn slapd[44326]: bdb_search_candidates: id=-1 first=2 last=5
Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 2 does not match filter
Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 3 does not match filter
Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 4 does not match filter
Oct 23 06:23:21 rdn slapd[44326]: ==> count_attr_cb <cn=test,ou=personal,ou=groups,o=company>
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3
Oct 23 06:23:21 rdn slapd[44326]: => unique_search found 1 records
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=19
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 RESULT tag=105 err=19 text=some attributes not unique
Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on id=1006
Oct 23 06:23:21 rdn slapd[44326]: op tag 0x42, time 1350973401
Oct 23 06:23:21 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 do_unbind
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 UNBIND
Oct 23 06:23:21 rdn slapd[44326]: connection_close: conn=1006 sd=10
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 closed

Oct 23 06:23:52 rdn slapd[44326]: slap_listener_activate(6):
Oct 23 06:23:52 rdn slapd[44326]: >>> slap_listener(ldap://)
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 ACCEPT from IP=127.0.0.5:20738 (IP=0.0.0.0:389)
Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on id=1007
Oct 23 06:23:52 rdn slapd[44326]: op tag 0x60, time 1350973432
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 do_bind
Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company>
Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>, <cn=ldapadm,o=company>
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:52 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company" mech=SIMPLE ssf=0
Oct 23 06:23:52 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to "cn=ldapadm,o=company"
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=0 p=3
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 RESULT tag=97 err=0 text=
Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on id=1007
Oct 23 06:23:52 rdn slapd[44326]: op tag 0x68, time 1350973432
Oct 23 06:23:52 rdn slapd[44326]: connection_input: conn=1007 deferring operation: binding
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 do_add
Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company>, <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 ADD dn="cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Oct 23 06:23:52 rdn slapd[44326]: hdb_referrals: tag=104 target="cn=test,ou=system,ou=groups,o=company" matched="ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: ==> unique_add <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:52 rdn slapd[44326]: oc_check_required entry (cn=test,ou=system,ou=groups,o=company), objectClass "posixGroup"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "objectClass"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "description"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "gidNumber"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "structuralObjectClass"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "cn"
Oct 23 06:23:52 rdn slapd[44326]: slap_queue_csn: queing 0x7ffffebfc160 20121023062352.127471Z#000000#000#000000
Oct 23 06:23:52 rdn slapd[44326]: bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id_add 0x6: "cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id_add 0x6: 0
Oct 23 06:23:52 rdn slapd[44326]: => index_entry_add( 6, "cn=test,ou=system,ou=groups,o=company" )
Oct 23 06:23:52 rdn slapd[44326]: <= index_entry_add( 6, "cn=test,ou=system,ou=groups,o=company" ) success
Oct 23 06:23:52 rdn slapd[44326]: => entry_encode(0x00000006):
Oct 23 06:23:52 rdn slapd[44326]: <= entry_encode(0x00000006):
Oct 23 06:23:52 rdn slapd[44326]: hdb_add: added id=00000006 dn="cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=1 p=3
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=0
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 RESULT tag=105 err=0 text=
Oct 23 06:23:52 rdn slapd[44326]: slap_graduate_commit_csn: removing 0x80197aeb0 20121023062352.127471Z#000000#000#000000
Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on id=1007
Oct 23 06:23:52 rdn slapd[44326]: op tag 0x42, time 1350973432
Oct 23 06:23:52 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 do_unbind
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 UNBIND
Oct 23 06:23:52 rdn slapd[44326]: connection_close: conn=1007 sd=10
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 closed