kmenshikov@hostcomm.ru wrote:
Full_Name: Konstantin Menshikov
Version: 2.4.33
OS: FreeBSD 8.2-RELEASE-p4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.116.101.94)
The unique and constraint overlays use the entry's attribute list for their check. If we use a restriction by RDN (the attribute cn, for example) and don't add the attribute cn to the LDIF file, we can bypass the restriction.
The unique overlay looks at the attribute list in op->ora_e->e_attrs; if this list does not contain the attribute cn, the check isn't run.
IMHO: the problem is not in the overlays but in the slapd code that allows adding an object without explicitly setting the RDN.
The slapd behavior was discussed long ago, in ITS#2243. The current slapd behavior is consistent with RFC4511 (though this differs from older releases and the now obsoleted RFC2251). It seems that because of this behavior, the fix will have to be made to each overlay accordingly. It would be nice if we had a more centralized approach though.
Example configuration:

[root@rdn.problem openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/spamassassin.schema
include /usr/local/etc/openldap/schema/openssh-lpk.schema
include /usr/local/etc/openldap/schema/vega-base.schema
include /usr/local/etc/openldap/schema/vega-corp.schema
include /usr/local/etc/openldap/schema/vega-net.schema
include /usr/local/etc/openldap/schema/oversun-base.schema
include /usr/local/etc/openldap/schema/oversun-corp.schema
include /usr/local/etc/openldap/schema/oversun-mail.schema
include /usr/local/etc/openldap/schema/oversun-net.schema
include /usr/local/etc/openldap/schema/asterisk.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel config stats sync trace

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_hdb

database hdb
suffix "o=company"
rootdn "cn=ldapadm,o=company"
rootpw password
directory /var/db/openldap-data/o=company

overlay unique
unique_uri ldap:///ou=groups,o=company?cn?sub
How to repeat:
[root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H ldap://127.0.0.5:389 -f /root/add.ldif.false
adding new entry "cn=test,ou=system,ou=groups,o=company"
ldap_add: Constraint violation (19)
        additional info: some attributes not unique

[root@rdn.problem openldap]# cat /root/add.ldif.false
dn: cn=test,ou=system,ou=groups,o=company
changetype: add
objectClass: posixGroup
description: test
cn: test
gidNumber: 1000

[root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H ldap://127.0.0.5:389 -f /root/add.ldif.true
adding new entry "cn=test,ou=system,ou=groups,o=company"

[root@rdn.problem openldap]# cat /root/add.ldif.true
dn: cn=test,ou=system,ou=groups,o=company
changetype: add
objectClass: posixGroup
description: test
gidNumber: 1000

[root@rdn.problem openldap]# diff -U 3 /root/add.ldif.false /root/add.ldif.true
--- /root/add.ldif.false 2012-10-23 06:22:16.000000000 +0000 +++ /root/add.ldif.true 2012-10-23 06:22:25.000000000 +0000 @@ -2,5 +2,4 @@ changetype: add objectClass: posixGroup description: test -cn: test gidNumber: 1000
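Review bot: the only change in this hunk is the removed `cn: test` line, while the `dn:` line of both files still names cn=test, so the accepted entry carries its cn value in its RDN only. Since unique builds its search from the entry's attribute list (the rejected session logs `unique_search (|(cn=test))`, the accepted one never searches at all), a per-overlay fix of the kind the reply describes has to add the RDN's attribute values to the set it checks.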
Log file records:
Oct 23 06:23:21 rdn slapd[44326]: slap_listener_activate(6):
Oct 23 06:23:21 rdn slapd[44326]: >>> slap_listener(ldap://)
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 ACCEPT from IP=127.0.0.5:17098 (IP=0.0.0.0:389)
Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on id=1006
Oct 23 06:23:21 rdn slapd[44326]: op tag 0x60, time 1350973401
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 do_bind
Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company>
Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>, <cn=ldapadm,o=company>
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:21 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company" mech=SIMPLE ssf=0
Oct 23 06:23:21 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to "cn=ldapadm,o=company"
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=0 p=3
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 RESULT tag=97 err=0 text=
Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on id=1006
Oct 23 06:23:21 rdn slapd[44326]: op tag 0x68, time 1350973401
Oct 23 06:23:21 rdn slapd[44326]: connection_input: conn=1006 deferring operation: binding
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 do_add
Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company>, <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 ADD dn="cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:21 rdn slapd[44326]: bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: => hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Oct 23 06:23:21 rdn slapd[44326]: hdb_referrals: tag=104 target="cn=test,ou=system,ou=groups,o=company" matched="ou=system,ou=groups,o=company"
Oct 23 06:23:21 rdn slapd[44326]: ==> unique_add <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:21 rdn slapd[44326]: ==> unique_search (|(cn=test))
Oct 23 06:23:21 rdn slapd[44326]: => hdb_search
Oct 23 06:23:21 rdn slapd[44326]: bdb_dn2entry("ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: search_candidates: base="ou=groups,o=company" (0x00000002) scope=2
Oct 23 06:23:21 rdn slapd[44326]: => hdb_dn2idl("ou=groups,o=company")
Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (objectClass)
Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (objectClass) not indexed
Oct 23 06:23:21 rdn slapd[44326]: => bdb_equality_candidates (cn)
Oct 23 06:23:21 rdn slapd[44326]: <= bdb_equality_candidates: (cn) not indexed
Oct 23 06:23:21 rdn slapd[44326]: bdb_search_candidates: id=-1 first=2 last=5
Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 2 does not match filter
Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 3 does not match filter
Oct 23 06:23:21 rdn slapd[44326]: hdb_search: 4 does not match filter
Oct 23 06:23:21 rdn slapd[44326]: ==> count_attr_cb <cn=test,ou=personal,ou=groups,o=company>
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3
Oct 23 06:23:21 rdn slapd[44326]: => unique_search found 1 records
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_result: conn=1006 op=1 p=3
Oct 23 06:23:21 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=19
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=1 RESULT tag=105 err=19 text=some attributes not unique
Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on id=1006
Oct 23 06:23:21 rdn slapd[44326]: op tag 0x42, time 1350973401
Oct 23 06:23:21 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 do_unbind
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=2 UNBIND
Oct 23 06:23:21 rdn slapd[44326]: connection_close: conn=1006 sd=10
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 closed
Oct 23 06:23:52 rdn slapd[44326]: slap_listener_activate(6):
Oct 23 06:23:52 rdn slapd[44326]: >>> slap_listener(ldap://)
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 ACCEPT from IP=127.0.0.5:20738 (IP=0.0.0.0:389)
Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on id=1007
Oct 23 06:23:52 rdn slapd[44326]: op tag 0x60, time 1350973432
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 do_bind
Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company>
Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>, <cn=ldapadm,o=company>
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:52 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 BIND dn="cn=ldapadm,o=company" mech=SIMPLE ssf=0
Oct 23 06:23:52 rdn slapd[44326]: do_bind: v3 bind: "cn=ldapadm,o=company" to "cn=ldapadm,o=company"
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=0 p=3
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=1 tag=97 err=0
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=0 RESULT tag=97 err=0 text=
Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on id=1007
Oct 23 06:23:52 rdn slapd[44326]: op tag 0x68, time 1350973432
Oct 23 06:23:52 rdn slapd[44326]: connection_input: conn=1007 deferring operation: binding
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 do_add
Oct 23 06:23:52 rdn slapd[44326]: >>> dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:52 rdn slapd[44326]: <<< dnPrettyNormal: <cn=test,ou=system,ou=groups,o=company>, <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 ADD dn="cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Oct 23 06:23:52 rdn slapd[44326]: hdb_referrals: tag=104 target="cn=test,ou=system,ou=groups,o=company" matched="ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: ==> unique_add <cn=test,ou=system,ou=groups,o=company>
Oct 23 06:23:52 rdn slapd[44326]: oc_check_required entry (cn=test,ou=system,ou=groups,o=company), objectClass "posixGroup"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "objectClass"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "description"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "gidNumber"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "structuralObjectClass"
Oct 23 06:23:52 rdn slapd[44326]: oc_check_allowed type "cn"
Oct 23 06:23:52 rdn slapd[44326]: slap_queue_csn: queing 0x7ffffebfc160 20121023062352.127471Z#000000#000#000000
Oct 23 06:23:52 rdn slapd[44326]: bdb_dn2entry("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id("cn=test,ou=system,ou=groups,o=company")
Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Oct 23 06:23:52 rdn slapd[44326]: => hdb_dn2id_add 0x6: "cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: <= hdb_dn2id_add 0x6: 0
Oct 23 06:23:52 rdn slapd[44326]: => index_entry_add( 6, "cn=test,ou=system,ou=groups,o=company" )
Oct 23 06:23:52 rdn slapd[44326]: <= index_entry_add( 6, "cn=test,ou=system,ou=groups,o=company" ) success
Oct 23 06:23:52 rdn slapd[44326]: => entry_encode(0x00000006):
Oct 23 06:23:52 rdn slapd[44326]: <= entry_encode(0x00000006):
Oct 23 06:23:52 rdn slapd[44326]: hdb_add: added id=00000006 dn="cn=test,ou=system,ou=groups,o=company"
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_result: conn=1007 op=1 p=3
Oct 23 06:23:52 rdn slapd[44326]: send_ldap_response: msgid=2 tag=105 err=0
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=1 RESULT tag=105 err=0 text=
Oct 23 06:23:52 rdn slapd[44326]: slap_graduate_commit_csn: removing 0x80197aeb0 20121023062352.127471Z#000000#000#000000
Oct 23 06:23:52 rdn slapd[44326]: connection_get(10): got connid=1007
Oct 23 06:23:52 rdn slapd[44326]: connection_read(10): checking for input on id=1007
Oct 23 06:23:52 rdn slapd[44326]: op tag 0x42, time 1350973432
Oct 23 06:23:52 rdn slapd[44326]: ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 do_unbind
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 op=2 UNBIND
Oct 23 06:23:52 rdn slapd[44326]: connection_close: conn=1007 sd=10
Oct 23 06:23:52 rdn slapd[44326]: conn=1007 fd=10 closed
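The two sessions above differ only in whether the entry's attribute list carried cn: the unique search ran for conn=1006 and was never reached for conn=1007. As an added example (not the report's or OpenLDAP's code), this Python model of the unique check puts the reported behaviour beside the per-overlay fix the reply points at, deriving the values to check from the entry's attributes plus its RDN. DIRECTORY, the gidNumber 1001 and the helper names (rdn_avas, values_to_check, unique_check) are constructed for the example.

```python
# Added example, not OpenLDAP code: model of the slapo-unique check from this
# report. DIRECTORY is constructed; it stands for the existing group that
# count_attr_cb found under ou=personal in the log above.
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]  # (dn, {attr: [values]})
DIRECTORY: List[Entry] = [("cn=test,ou=personal,ou=groups,o=company",
                           {"objectClass": ["posixGroup"], "cn": ["test"], "gidNumber": ["1001"]})]
UNIQUE_BASE = "ou=groups,o=company"  # unique_uri ldap:///ou=groups,o=company?cn?sub
UNIQUE_ATTRS = {"cn"}

# The report's two LDIF files as attribute maps; only add.ldif.false carries cn.
NEW_DN = "cn=test,ou=system,ou=groups,o=company"
COMMON = {"objectClass": ["posixGroup"], "description": ["test"], "gidNumber": ["1000"]}
ADD_LDIF_FALSE: Entry = (NEW_DN, {**COMMON, "cn": ["test"]})
ADD_LDIF_TRUE: Entry = (NEW_DN, dict(COMMON))

def rdn_avas(dn: str) -> Dict[str, List[str]]:
    """AVAs of the leftmost RDN ('+' multi-valued RDNs handled; escaping not modelled)."""
    avas: Dict[str, List[str]] = {}
    for ava in dn.split(",", 1)[0].split("+"):
        attr, _, value = ava.partition("=")
        avas.setdefault(attr.strip().lower(), []).append(value.strip())
    return avas

def values_to_check(entry: Entry, include_rdn: bool) -> Dict[str, List[str]]:
    """Reported behaviour checks only op->ora_e->e_attrs; include_rdn adds the RDN's values."""
    dn, attrs = entry
    wanted = {k.lower(): list(v) for k, v in attrs.items() if k.lower() in UNIQUE_ATTRS}
    if include_rdn:
        for attr, vals in rdn_avas(dn).items():
            if attr in UNIQUE_ATTRS:
                merged = wanted.setdefault(attr, [])
                merged.extend(v for v in vals if v not in merged)
    return wanted

def unique_check(entry: Entry, include_rdn: bool) -> bool:
    """True if the add may proceed, False for 'some attributes not unique'."""
    wanted = values_to_check(entry, include_rdn)
    if not wanted:  # nothing to search for: the silent pass seen in conn=1007
        return True
    for dn, attrs in DIRECTORY:
        if not dn.lower().endswith(UNIQUE_BASE):  # scope=sub below the URI base
            continue
        for attr, vals in wanted.items():
            existing = {v.lower() for v in attrs.get(attr, [])}
            if any(v.lower() in existing for v in vals):  # (|(cn=test)) matched
                return False
    return True
```

With include_rdn=False, add.ldif.true passes exactly as in conn=1007; with include_rdn=True it is rejected like add.ldif.false.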