https://bugs.openldap.org/show_bug.cgi?id=9265
Issue ID: 9265
Summary: modifying a schema beneath an overlay hits assert
Product: OpenLDAP
Version: 2.4.50
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: ratness@gmail.com
Target Milestone: ---

I'm going to demo this on debian-unstable so it's on 2.4.50, but I've also been able to achieve the following failure with CentOS7's package (openldap-servers-2.4.44-21.el7_6.x86_64), so I don't think it's packager-related. I apologize that I don't have a gdb run with this report, but I've been having poor luck compiling it or getting a non-stripped binary.

Steps to reproduce:

* grab a vm/droplet/whatever of debian, convert source to unstable, apt update / apt full-upgrade
* apt-get install slapd ldap-utils
* reboot
* Add the ppolicy schema:
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
* Add the ppolicy module:

```
cat >/tmp/moduleadd <<EOF
dn: cn=module{0},cn=config
add: olcModuleLoad
olcModuleLoad: ppolicy
EOF
```

** /usr/bin/ldapmodify -cQY EXTERNAL -H ldapi:/// -f /tmp/moduleadd
* Add a super boring ppolicy overlay:

```
cat >/tmp/overlayadd <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
EOF
```

** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/overlayadd
* Halt slapd, and then start it up in debug mode:
** service slapd stop
** /usr/sbin/slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d -d any
* now, the weird one. Run an attempted 'replace' ldif against the ppolicy schema that would result in no net change to it.

```
cat >/tmp/trauma <<EOF
dn: cn={4}ppolicy,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-
replace: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST ( pwdAttribute ) MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
-
EOF
```

** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/trauma

The client comes back with:

```
modifying entry "cn={4}ppolicy,cn=schema,cn=config"
ldap_result: Can't contact LDAP server (-1)
```

The server, however, has failed on an assertion. The tail of the debug stream is:

```
5ec71e94 => access_allowed: add access granted by manage(=mwrscxd)
5ec71e94 slap_queue_csn: queueing 0x7facb8105700 20200522003636.287264Z#000000#000#000000
5ec71e94 oc_check_required entry (cn={4}ppolicy,cn=schema,cn=config), objectClass "olcSchemaConfig"
5ec71e94 oc_check_allowed type "objectClass"
5ec71e94 oc_check_allowed type "cn"
5ec71e94 oc_check_allowed type "structuralObjectClass"
5ec71e94 oc_check_allowed type "entryUUID"
5ec71e94 oc_check_allowed type "creatorsName"
5ec71e94 oc_check_allowed type "createTimestamp"
5ec71e94 oc_check_allowed type "olcAttributeTypes"
5ec71e94 oc_check_allowed type "olcObjectClasses"
5ec71e94 oc_check_allowed type "entryCSN"
5ec71e94 oc_check_allowed type "modifiersName"
5ec71e94 oc_check_allowed type "modifyTimestamp"
slapd: ../../../../servers/slapd/at.c:277: at_clean: Assertion `a->sat_syntax != NULL' failed.
Aborted
```

"Why do you have an overlay there?" Beats me. It was like that when I got here, and since it's enforcing password policies, I don't think I can change it.
"Why would you ever run such a silly modify!?" I wouldn't. This stems from a Puppet module where any time it spots the timestamp of /etc/path/to/ldap/schema/foo.schema is newer than the 'modifyTimestamp' of schema 'foo' in slapd, it kicks off a modify so slapd will be timestamp-newer than what's on disk. It just happens that if you ever do something as simple as `touch /etc/ldap/slapd.d/ppolicy.schema`, it triggers this update process and crashes the server on the next Puppet run. And I bet most people don't have an overlay and so this is probably a not-often-seen edge case. But unfortunately I'm not a good C person so I don't see the issue well enough to offer a PR.
Thanks for reading.
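
An added example, not part of the original report and not Puppet or OpenLDAP code: one way automation like the module described above could compare the schema by content instead of by timestamp, and skip the `replace` when it would be a net no-op. The function names and the sample LDIF (shortened to two of the attribute types from the report) are constructed for illustration.

```python
import base64
import re

ORDER_PREFIX = re.compile(r"^\{\d+\}")  # cn=config stores ordered values as "{0}( ... )"

def unfold(ldif_text):
    """Undo LDIF folding: a line that starts with one space continues the previous one."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def schema_values(ldif_text, attr):
    """Normalized values of `attr`, in order, from a single LDIF record."""
    values = []
    for line in unfold(ldif_text):
        name, sep, value = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = ORDER_PREFIX.sub("", value.strip())
        values.append(" ".join(value.split()))  # collapse runs of whitespace
    return values

def is_noop_replace(server, desired, attrs=("olcAttributeTypes", "olcObjectClasses")):
    """True when replacing `attrs` with the desired values would change nothing."""
    return all(schema_values(server, a) == schema_values(desired, a) for a in attrs)

# Constructed sample: the schema entry as a search of cn=config might return it (folded).
SERVER = """dn: cn={4}ppolicy,cn=schema,cn=config
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
  objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in
 tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
"""
# Constructed sample: the change LDIF the automation is about to send.
DESIRED = """dn: cn={4}ppolicy,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-
"""
print(is_noop_replace(SERVER, DESIRED))
```

A caller would send the modify only when `is_noop_replace` returns `False`, so a bare `touch` of the schema file no longer reaches slapd.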
--- Comment #1 from Greg ratness@gmail.com ---
Retried on CentOS7 with 2.4.50 from ltb-project's RPMs:

```
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7f8a56df4700 (LWP 2896)]
0x00007f8a99c4c2c7 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f8a99c4c2c7 in raise () from /lib64/libc.so.6
#1  0x00007f8a99c4d9b8 in abort () from /lib64/libc.so.6
#2  0x00007f8a99c450e6 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007f8a99c45192 in __assert_fail () from /lib64/libc.so.6
#4  0x0000000000480739 in at_clean (a=a@entry=0x7f8a48107090) at at.c:277
#5  0x0000000000480785 in at_destroy_one (v=0x7f8a48106d40) at at.c:309
#6  0x0000000000425be6 in at_insert (rat=rat@entry=0x7f8a56dee2a8, prev=prev@entry=0x0, err=err@entry=0x7f8a56dee2f8) at at.c:494
#7  0x00000000004814b0 in at_add (at=at@entry=0x7f8a48107020, user=user@entry=1, rsat=rsat@entry=0x7f8a56dee360, prev=prev@entry=0x0, err=err@entry=0x7f8a56dee2f8) at at.c:935
#8  0x000000000047dd28 in parse_at (c=c@entry=0x7f8a56df15f0, sat=sat@entry=0x7f8a56dee360, prev=prev@entry=0x0) at schemaparse.c:316
#9  0x000000000043199a in config_generic (c=0x7f8a56df15f0) at bconfig.c:1707
#10 0x0000000000436703 in config_set_vals (Conf=0x886280 <config_back_cf_table+448>, c=0x7f8a56df15f0) at config.c:353
#11 0x0000000000437305 in config_parse_add (ct=ct@entry=0x886280 <config_back_cf_table+448>, c=c@entry=0x7f8a56df15f0, valx=<optimized out>) at config.c:697
#12 0x000000000042bd89 in config_modify_add (ct=ct@entry=0x886280 <config_back_cf_table+448>, ca=ca@entry=0x7f8a56df15f0, i=i@entry=0, ad=<optimized out>) at bconfig.c:5541
#13 0x000000000042cb7a in config_modify_internal (ca=0x7f8a56df15f0, rs=<optimized out>, op=<optimized out>, ce=<optimized out>) at bconfig.c:5798
#14 config_back_modify (op=<optimized out>, rs=<optimized out>) at bconfig.c:5943
#15 0x00000000004566c1 in fe_op_modify (op=0x7f8a48002690, rs=0x7f8a56df39a0) at modify.c:303
#16 0x00000000004583cb in do_modify (op=0x7f8a48002690, rs=0x7f8a56df39a0) at modify.c:177
#17 0x0000000000440b3e in connection_operation (ctx=ctx@entry=0x7f8a56df3ad0, arg_v=arg_v@entry=0x7f8a48002690) at connection.c:1175
#18 0x0000000000440e1a in connection_read_thread (ctx=0x7f8a56df3ad0, argv=0xd) at connection.c:1311
#19 0x00000000005921b9 in ldap_int_thread_pool_wrapper (xpool=0x180ef30) at tpool.c:696
#20 0x00007f8a9b140dd5 in start_thread () from /lib64/libpthread.so.0
#21 0x00007f8a99d1402d in clone () from /lib64/libc.so.6
```

--- Comment #2 from Ryan Tandy ryan@openldap.org ---
(In reply to Greg from comment #0)
> I apologize that I don't have a gdb run with this report, but I've been having poor luck compiling it or getting a non-stripped binary.

Just for the record, Debian does publish debugging symbols for all the major suites, but in a separate repository: https://wiki.debian.org/AutomaticDebugPackages#Archive