Full_Name: Jon C. Kidder
Version: 2.4.30
OS: rhel 5.0
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (167.239.77.30)
Gentlemen, I need some help. I've been working on a problem for a couple of weeks and I can't seem to find a solution. I have encountered at least one bug and possibly two.
I am building a new directory for my company using OpenLDAP 2.4.30 and BDB 5.3.15. I am trying to pull in records from a foreign directory and map them into my directory. All of the foreign records are proxied into 3 child nodes of my directory. I am able to do this successfully using back-ldif and overlay-rwm. The problem I am encountering is that I have set up multi-master replication of the entire new directory with a filter to exclude the proxied nodes, because each of my directory servers independently proxies those nodes. When the replication starts, syncrepl causes an ABEND on every node that attempts replication. I have discovered that the ABEND occurs because my filter does not work and syncrepl is trying to replicate the proxied records. I have also discovered that my filter is not working because rwm-suffixmassage does not appear to be rewriting the entryDN of my proxied records. If my entryDN problem is configuration related, I could use some help figuring it out. I am still submitting this as a bug because even if the entryDN problem is not a bug, syncrepl should detect the replication/proxy conflict and abort the replication gracefully rather than ABEND the directory server.
I love the work the OpenLDAP team is doing. I am a very strong advocate of open source products at my company. I would love to take a deep dive into the code and resolve this issue myself but unfortunately cannot. I am an administrator/operator by day and a single parent of 6-year-old triplet boys by night. I am not afforded as many opportunities to exercise my development skills as I would like. Any assistance the OpenLDAP team can render would be greatly appreciated. I can try to build a complete test suite that will allow recreation/testing of these 2 issues if needed.
Sample ldapsearch result showing inconsistent DN rewrite (DN is rewritten but entryDN is not):
/appl/openldap/bin/ldapsearch -x -D "cn=Directory Manager,dc=Global,dc=aep,dc=com" -y $HOME/buildpwd -s sub -b 'dc=Global,dc=aep,dc=com' '(cn=s012235)' '+'
# extended LDIF
#
# LDAPv3
# base <dc=Global,dc=aep,dc=com> with scope subtree
# filter: (cn=s012235)
# requesting: +
#

# s012235, Information Technology, AD_Corp, Employees, Users, Global.aep.com
dn: cn=s012235,ou=Information Technology,ou=AD_Corp,ou=Employees,ou=Users,dc=G
 lobal,dc=aep,dc=com
entryDN: cn=s012235,ou=Information Technology,ou=LOB Users,dc=corp,dc=aepsc,dc
 =com
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Log excerpt showing syncrepl abend:
4f9165ba Config: ** successfully added syncrepl rid=401 "ldap://ctldapcop1.aepsc.com:33389"
4f9165ba Config: ** successfully added syncrepl rid=402 "ldap://ctldaprop1.aepsc.com:33389"
4f9165ba syncprov_matchops: skipping original sid 001
4f9165ba slap_graduate_commit_csn: removing 0x1b4a94f0 20120420133346.749007Z#000000#001#000000
4f9165ba syncrepl_entry: rid=001 be_modify olcDatabase={4}bdb,cn=config (0)
4f9165ba slap_queue_csn: queing 0x1b4b3e50 20120420133346.749007Z#000000#001#000000
4f9165ba slap_graduate_commit_csn: removing 0x1b4a8cd0 20120420133346.749007Z#000000#001#000000
4f9165ba conn=1005 fd=23 ACCEPT from IP=10.92.123.82:45250 (IP=10.21.206.102:33389)
4f9165ba conn=1005 op=0 BIND dn="cn=syncuser,ou=automatons,ou=users,dc=global,dc=aep,dc=com" method=128
4f9165ba conn=1005 op=0 RESULT tag=97 err=49 text=
4f9165ba conn=1005 op=1 UNBIND
4f9165ba conn=1005 fd=23 closed
4f9165ba syncrepl_message_to_entry: rid=401 DN: dc=Global,dc=aep,dc=com, UUID: 750d95da-e7bb-483a-853b-9552466e3d0d
4f9165ba syncrepl_entry: rid=401 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
4f9165ba syncrepl_entry: rid=401 inserted UUID 750d95da-e7bb-483a-853b-9552466e3d0d
*** glibc detected *** /appl/openldap/libexec/slapd: free(): invalid pointer: 0x000000001b77f8a7 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3c82c7245f]
/lib64/libc.so.6(cfree+0x4b)[0x3c82c728bb]
/appl/openldap/libexec/slapd[0x5aa324]
/appl/openldap/libexec/slapd[0x46f36c]
/appl/openldap/libexec/slapd[0x43aca6]
/appl/openldap/libexec/slapd[0x4230fe]
/appl/openldap/libexec/slapd[0x560550]
/appl/openldap/libexec/slapd[0x560632]
/appl/openldap/libexec/slapd[0x55ce73]
/appl/openldap/libexec/slapd[0x483a7b]
/appl/openldap/libexec/slapd[0x483f9a]
/appl/openldap/libexec/slapd[0x4840ce]
/appl/openldap/libexec/slapd[0x480bd8]
/appl/openldap/libexec/slapd[0x48227f]
/appl/openldap/libexec/slapd[0x483a7b]
/appl/openldap/libexec/slapd[0x483f9a]
/appl/openldap/libexec/slapd[0x4840ce]
/appl/openldap/libexec/slapd[0x47a44a]
/appl/openldap/libexec/slapd[0x480667]
/appl/openldap/libexec/slapd[0x580b20]
/lib64/libpthread.so.0[0x3c8340673d]
/lib64/libc.so.6(clone+0x6d)[0x3c82cd44bd]
Aborted
Relevant configuration ldifs:
Database Build:
dn: olcDatabase={1}ldap,cn=config
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="XXXXXXXXXXXXXXXXXXXXX" credentials="XXXXXXXX" keepalive=0:0:0
olcDbChaseReferrals: TRUE
olcLastMod: FALSE
olcAddContentAcl: FALSE
olcDatabase: {1}ldap
olcSuffix: ou=AD_Corp,ou=Employees,ou=Users,dc=Global,dc=aep,dc=com
olcDbConnectionPoolMax: 16
olcDbUseTemporaryConn: FALSE
olcDbTFSupport: no
olcDbCancel: abandon
olcDbProtocolVersion: 3
olcReadOnly: FALSE
olcSubordinate: TRUE
olcDbStartTLS: none starttls=no
olcDbNoRefs: FALSE
olcDbProxyWhoAmI: FALSE
olcMaxDerefDepth: 15
olcDbSingleConn: FALSE
olcDbNoUndefFilter: FALSE
olcDbURI: "ldap://msad-corp.aepsc.com"
olcMonitoring: FALSE
olcSyncUseSubentry: FALSE
olcDbRebindAsUser: TRUE
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig

dn: olcOverlay=rwm,olcDatabase={1}ldap,cn=config
olcRwmNormalizeMapped: FALSE
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcRwmMap: objectclass inetOrgPerson user
olcRwmMap: objectclass organizationalUnit *
olcRwmMap: attribute cn *
olcRwmMap: attribute sn *
olcRwmMap: attribute telephoneNumber otherTelephone
olcRwmMap: attribute description *
olcRwmMap: attribute title *
olcRwmMap: attribute postalCode *
olcRwmMap: attribute postalAddress streetAddress
olcRwmMap: attribute physicalDeliveryOfficeName *
olcRwmMap: attribute st *
olcRwmMap: attribute l *
olcRwmMap: attribute departmentNumber aepDepartmentID
olcRwmMap: attribute displayName *
olcRwmMap: attribute employeeNumber employeeID
olcRwmMap: attribute givenName *
olcRwmMap: attribute initials *
olcRwmMap: attribute mail mail
olcRwmMap: attribute manager aepManagerID
olcRwmMap: attribute mobile *
olcRwmMap: attribute o aepFBUDescription
olcRwmMap: attribute roomNumber aepFloor
olcRwmMap: attribute uid sAMAccountName
olcRwmMap: attribute ou aepBBUDescription
olcRwmMap: attribute *
olcRwmRewrite: rwm-suffixmassage "ou=AD_Corp,ou=Employees,ou=Users,dc=Global,dc=aep,dc=com" "ou=LOB Users,dc=corp,dc=aepsc,dc=com"
olcRwmRewrite: rwm-suffixmassage "ou=AD_Corp,ou=Groups,dc=Global,dc=aep,dc=com" "ou=Security Groups,dc=corp,dc=aepsc,dc=com"
olcRwmRewrite: rwm-suffixmassage "ou=AD_Corp,ou=Automatons,ou=Users,dc=Global,dc=aep,dc=com" "ou=Service Accounts,dc=corp,dc=aepsc,dc=com"
olcRwmTFSupport: false
olcOverlay: rwm

dn: olcDatabase={2}ldap,cn=config
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="XXXXXXXXXXXXXXXXXXXXX" credentials="XXXXXXXX" keepalive=0:0:0
olcDbChaseReferrals: TRUE
olcLastMod: FALSE
olcAddContentAcl: FALSE
olcDatabase: {2}ldap
olcSuffix: ou=AD_Corp,ou=Groups,dc=Global,dc=aep,dc=com
olcDbConnectionPoolMax: 16
olcDbUseTemporaryConn: FALSE
olcDbTFSupport: no
olcDbCancel: abandon
olcDbProtocolVersion: 3
olcReadOnly: FALSE
olcSubordinate: TRUE
olcDbStartTLS: none starttls=no
olcDbNoRefs: FALSE
olcDbProxyWhoAmI: FALSE
olcMaxDerefDepth: 15
olcDbSingleConn: FALSE
olcDbNoUndefFilter: FALSE
olcDbURI: "ldap://msad-corp.aepsc.com"
olcMonitoring: FALSE
olcSyncUseSubentry: FALSE
olcDbRebindAsUser: TRUE
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig

dn: olcOverlay=rwm,olcDatabase={2}ldap,cn=config
olcRwmNormalizeMapped: FALSE
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcRwmMap: objectclass groupOfUniqueNames group
olcRwmMap: objectclass organizationalUnit *
olcRwmMap: attribute cn *
olcRwmMap: attribute description *
olcRwmMap: attribute uniqueMember member
olcRwmMap: attribute o *
olcRwmMap: attribute ou *
olcRwmMap: attribute *
olcRwmRewrite: rwm-suffixmassage "ou=AD_Corp,ou=Employees,ou=Users,dc=Global,dc=aep,dc=com" "ou=LOB Users,dc=corp,dc=aepsc,dc=com"
olcRwmRewrite: rwm-suffixmassage "ou=AD_Corp,ou=Groups,dc=Global,dc=aep,dc=com" "ou=Security Groups,dc=corp,dc=aepsc,dc=com"
olcRwmRewrite: rwm-suffixmassage "ou=AD_Corp,ou=Automatons,ou=Users,dc=Global,dc=aep,dc=com" "ou=Service Accounts,dc=corp,dc=aepsc,dc=com"
olcRwmTFSupport: false
olcOverlay: rwm

dn: olcDatabase={3}ldap,cn=config
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="XXXXXXXXXXXXXXXXXXXXX" credentials="XXXXXXXX" keepalive=0:0:0
olcDbChaseReferrals: TRUE
olcLastMod: FALSE
olcAddContentAcl: FALSE
olcDatabase: {3}ldap
olcSuffix: ou=AD_Corp,ou=Automatons,ou=Users,dc=Global,dc=aep,dc=com
olcDbConnectionPoolMax: 16
olcDbUseTemporaryConn: FALSE
olcDbTFSupport: no
olcDbCancel: abandon
olcDbProtocolVersion: 3
olcReadOnly: FALSE
olcSubordinate: TRUE
olcDbStartTLS: none starttls=no
olcDbNoRefs: FALSE
olcDbProxyWhoAmI: FALSE
olcMaxDerefDepth: 15
olcDbSingleConn: FALSE
olcDbNoUndefFilter: FALSE
olcDbURI: "ldap://msad-corp.aepsc.com"
olcMonitoring: FALSE
olcSyncUseSubentry: FALSE
olcDbRebindAsUser: TRUE
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig

dn: olcOverlay=rwm,olcDatabase={3}ldap,cn=config
olcRwmNormalizeMapped: FALSE
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcRwmMap: objectclass inetOrgPerson user
olcRwmMap: objectclass organizationalUnit *
olcRwmMap: attribute cn *
olcRwmMap: attribute sn *
olcRwmMap: attribute telephoneNumber otherTelephone
olcRwmMap: attribute description *
olcRwmMap: attribute title *
olcRwmMap: attribute postalCode *
olcRwmMap: attribute postalAddress streetAddress
olcRwmMap: attribute physicalDeliveryOfficeName *
olcRwmMap: attribute st *
olcRwmMap: attribute l *
olcRwmMap: attribute departmentNumber aepDepartmentID
olcRwmMap: attribute displayName *
olcRwmMap: attribute employeeNumber employeeID
olcRwmMap: attribute givenName *
olcRwmMap: attribute initials *
olcRwmMap: attribute mail mail
olcRwmMap: attribute manager aepManagerID
olcRwmMap: attribute mobile *
olcRwmMap: attribute o aepFBUDescription
olcRwmMap: attribute roomNumber aepFloor
olcRwmMap: attribute uid sAMAccountName
olcRwmMap: attribute ou aepBBUDescription
olcRwmMap: attribute *
olcRwmRewrite: rwm-suffixmassage "ou=AD_Corp,ou=Employees,ou=Users,dc=Global,dc=aep,dc=com" "ou=LOB Users,dc=corp,dc=aepsc,dc=com"
olcRwmRewrite: rwm-suffixmassage "ou=AD_Corp,ou=Groups,dc=Global,dc=aep,dc=com" "ou=Security Groups,dc=corp,dc=aepsc,dc=com"
olcRwmRewrite: rwm-suffixmassage "ou=AD_Corp,ou=Automatons,ou=Users,dc=Global,dc=aep,dc=com" "ou=Service Accounts,dc=corp,dc=aepsc,dc=com"
olcRwmTFSupport: false
olcOverlay: rwm

dn: olcDatabase={4}bdb,cn=config
olcDbSearchStack: 16
olcDbIDLcacheSize: 0
olcDbDNcacheSize: 0
olcLastMod: TRUE
olcAddContentAcl: FALSE
olcDatabase: {4}bdb
olcSuffix: dc=Global,dc=aep,dc=com
olcDbDirtyRead: FALSE
olcDbCacheSize: 1000
olcReadOnly: FALSE
olcDbCacheFree: 1
olcDbDirectory: /appl/openldap/var/openldap-data/Global
olcDbConfig:: ezh9Iwk8aHR0cDovL3d3dy5vcGVubGRhcC5vcmcvZmFxL2luZGV4LmNnaT9maWxlPTI+
olcDbConfig:: ezI3fSMgc2xhcGFkZCg4KSBvciBzbGFwaW5kZXgoOCkgYWNjZXNzIChzZWUgdGhlaXIgLXEgb3B0aW9uKS4g
olcMaxDerefDepth: 15
olcDbMode: 0600
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: cn pres,eq,approx,sub
olcDbIndex: uid pres,eq,approx,sub
olcDbIndex: sn pres,eq,approx,sub
olcMonitoring: TRUE
olcDbNoSync: FALSE
olcSyncUseSubentry: FALSE
olcRootPW: XXXXXXXXXXXX
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDbShmKey: 0
olcDbLinearIndex: FALSE
olcRootDN: cn=Directory Manager,dc=Global,dc=aep,dc=com

dn: olcOverlay=glue,olcDatabase={4}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
olcOverlay: glue
Establish replication:
dn: olcOverlay=syncprov,olcDatabase={4}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcSpCheckpoint: 10 1
olcSpReloadHint: TRUE
olcOverlay: syncprov

dn: olcDatabase={4}bdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=401
  provider=ldap://ctldapcop1.aepsc.com:33389
  binddn="cn=syncuser,ou=Automatons,ou=Users,dc=global,dc=aep,dc=com"
  bindmethod=simple
  credentials="XXXXXXXXXXX"
  searchbase="dc=global,dc=aep,dc=com"
  filter="(&(!(entryDN:dnSubtreeMatch:=ou=AD_Corp,ou=Employees,ou=Users,dc=Global,dc=aep,dc=com))(!(entryDN:dnSubtreeMatch:=ou=AD_Corp,ou=Automatons,ou=Users,dc=Global,dc=aep,dc=com))(!(entryDN:dnSubtreeMatch:=ou=AD_Corp,ou=Groups,dc=Global,dc=aep,dc=com)))"
  type=refreshAndPersist
  retry="5 5 300 +"
  timeout=1
olcSyncrepl: rid=402
  provider=ldap://ctldaprop1.aepsc.com:33389
  binddn="cn=syncuser,ou=Automatons,ou=Users,dc=global,dc=aep,dc=com"
  bindmethod=simple
  credentials="XXXXXXXXXXX"
  searchbase="dc=global,dc=aep,dc=com"
  filter="(&(!(entryDN:dnSubtreeMatch:=ou=AD_Corp,ou=Employees,ou=Users,dc=Global,dc=aep,dc=com))(!(entryDN:dnSubtreeMatch:=ou=AD_Corp,ou=Automatons,ou=Users,dc=Global,dc=aep,dc=com))(!(entryDN:dnSubtreeMatch:=ou=AD_Corp,ou=Groups,dc=Global,dc=aep,dc=com)))"
  type=refreshAndPersist
  retry="5 5 300 +"
  timeout=1
-
replace: olcMirrorMode
olcMirrorMode: TRUE
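
Added example, not part of the original report and not OpenLDAP code: a small Python check that evaluates the three-way dnSubtreeMatch exclusion filter from the syncrepl configuration against the dn and entryDN values in the sample ldapsearch result. It assumes the filter is decided purely on the entryDN value the provider returns, and it uses a simplified DN comparison (split on unescaped commas, case-insensitive); the function names are illustrative.

```python
import re

# Subtrees the syncrepl filter in the report is meant to exclude.
EXCLUDED = [
    "ou=AD_Corp,ou=Employees,ou=Users,dc=Global,dc=aep,dc=com",
    "ou=AD_Corp,ou=Automatons,ou=Users,dc=Global,dc=aep,dc=com",
    "ou=AD_Corp,ou=Groups,dc=Global,dc=aep,dc=com",
]

# Entry from the report's ldapsearch output, LDIF line folding restored.
SAMPLE = """\
dn: cn=s012235,ou=Information Technology,ou=AD_Corp,ou=Employees,ou=Users,dc=G
 lobal,dc=aep,dc=com
entryDN: cn=s012235,ou=Information Technology,ou=LOB Users,dc=corp,dc=aepsc,dc
 =com
subschemaSubentry: cn=Subschema
"""

def parse_entry(ldif):
    """Unfold LDIF continuation lines, return {lowercased attribute: value}."""
    unfolded = re.sub(r"\n ", "", ldif)
    pairs = (ln.split(": ", 1) for ln in unfolded.splitlines() if ": " in ln)
    return {name.lower(): value for name, value in pairs}

def rdns(dn):
    """Split a DN on unescaped commas and lowercase it (simplified normalization)."""
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn)]

def dn_subtree_match(dn, base):
    """True when dn equals base or lies beneath it."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def filter_passes(entry_dn):
    """(&(!(entryDN:dnSubtreeMatch:=X))...): True means the entry is replicated."""
    return not any(dn_subtree_match(entry_dn, base) for base in EXCLUDED)

def check(ldif):
    e = parse_entry(ldif)
    return {
        "dn_entrydn_agree": rdns(e["dn"]) == rdns(e["entrydn"]),
        "replicated_as_returned": filter_passes(e["entrydn"]),   # un-rewritten entryDN
        "replicated_if_rewritten": filter_passes(e["dn"]),       # entryDN equal to dn
    }

if __name__ == "__main__":
    print(check(SAMPLE))
```

Running the same check over a full `'+'` search of the proxied subtrees lists every entry whose entryDN still carries the remote suffix and would therefore slip past the exclusion filter.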