In regard to: Re: (ITS#6943) segfault in rwmmap in 2.4.25, masarati@aero.po...:
We don't have any definition for apple-group-nestedgroup in any of the schemas that I have loaded. It's not something we support. We're also not doing any proxying. Note also that the search base it's using (cn=groups,dc=ndsu,dc=nodak,dc=edu) isn't valid. So, it's some Apple system on campus that someone has set up to query our LDAP tree, looking for things that the Mac OS X expects to find, but that we don't have or support.
One thing that confuses me a little -- I set the rwm-rewriteContext to "bindDN", which I perhaps incorrectly believed meant that rewriting would only be done for authenticated binds (i.e. not anonymous binds), and this client did not authenticate. I was under the mistaken impression that rwm shouldn't even be called in cases like this. I don't (currently) need to rewrite searches or results from searches, only the bind credentials, for when we eventually enable support for ldap authentication.
Does that answer your question? Would it be helpful to see either my original slapd.conf or the slapd-config that results from the conversion?
Yes, either would be useful. Thanks, p.
Here it is.
Thanks,
Tim
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#@
#@ TVM: this file is no longer used.  All slapd configuration is done via
#@ the LDAP/LDIF-based slapd-config(5) backend, using commands like ldapadd,
#@ ldapmodify, etc.
#@
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#
#
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

# TVM: changed all paths from /etc/openldap/schema to
# /etc/local/openldap/schema.
# TVM: prior slapd.conf files based on earlier distributions of openldap
# had fewer default schemas included (the config file we used with 2.3.24
# on RH4 loaded only core, cosine, inetorgperson, misc, and our custom
# ndusEduPerson.schema).
# For the install on RHEL5, I started with the stock slapd.conf from openldap
# 2.4.21 and then removed the ones I didn't think we needed, e.g. corba,
# duaconf, dyngroup, java, nis, ppolicy, and collective.
#
#include /etc/local/openldap/schema/corba.schema
include /etc/local/openldap/schema/core.schema
include /etc/local/openldap/schema/cosine.schema
#include /etc/local/openldap/schema/duaconf.schema
#include /etc/local/openldap/schema/dyngroup.schema
include /etc/local/openldap/schema/inetorgperson.schema
#include /etc/local/openldap/schema/java.schema
include /etc/local/openldap/schema/misc.schema
#include /etc/local/openldap/schema/nis.schema
include /etc/local/openldap/schema/openldap.schema
#include /etc/local/openldap/schema/ppolicy.schema
#include /etc/local/openldap/schema/collective.schema

#
# TVM: custom NDUS schema
#
include /etc/local/openldap/schema/ndusEduPerson.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

#
# TVM: the sizelimit and timelimits we've historically used for slapd
#
sizelimit 150
timelimit 180

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
#
# TVM: uncommented this, we need it for bindDN massaging
#
moduleload rwm.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
TLSCACertificateFile    /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile      /etc/pki/tls/certs/ldap.NoDak.edu.crt
TLSCertificateKeyFile   /etc/pki/tls/certs/ldap.NoDak.edu.key

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

#
# TVM: FIXME: for testing just require encryption for simple_bind
# TVM: this can't be enabled until Dale's code to populate LDAP is ready
# for it.
#security simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#
# TVM: added NDUS access controls (Note: these were at the bottom of
# the older slapd.conf file before, now they're in an earlier section).
#
# I think we should seriously revisit these
#
access to filter=(cn=anonymous) attrs=cn,sn by * none

#
# TVM: inserted this ACL between the two that have been present since
# the beginning.  This is to try to prevent userPassword: from showing up
# in ldapsearch output, but still allow it to be used for auth
#
access to attrs=userPassword by anonymous auth

access to * by * read

#
# TVM: new with our OpenLDAP 2.4.x install: load the rwm overlay
# and add rules so that binds with the iid work.
#
overlay rwm
rwm-rewriteEngine on

# define a rewriteMap function that returns the dn for a particular attr
# This is straight out of the first bindDN example in slapo-rwm(5)
rwm-rewriteMap ldap attr2dn "ldap://localhost/dc=nodak,dc=edu?dn?sub"

rwm-rewriteContext bindDN
# and now the magic: parse out the IID and pass it to the attr2dn function.
# This is also almost exactly taken from slapo-rwm(5), though I'm using iid
# instead of mail and I'm not anchoring the regex and using $1, so it doesn't
# matter if it's qualified or not.
rwm-rewriteRule "^(iid=[^, ]+).*" "${attr2dn($1)}" ":@I"

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        hdb
suffix          "dc=nodak,dc=edu"
checkpoint      1024 15
#
# TVM: I added these settings as part of the migration to 2.4.x.
# These are pure guesses.  If memory is still available, we should
# probably increase both.  Note section 21.4.3 of the guide, that indicates
# the idlcachesize should match cachesize when using bdb, but it should
# be 3*cachesize for hdb, which doesn't really make a lot
# of sense to me, but oh well...  See slapd-bdb for more info
#
cachesize       2048
idlcachesize    6144
#
# TVM: using System V shared memory is much faster for recent versions of
# the Linux kernel than using mmap(2) files, so we'll give it a try.
#
# shm_key can be anything, it just identifies a shared memory segment that
# BDB can use for its shared memory regions.
#
shm_key         41

rootdn          "cn=Someone Hidden, dc=ndsu, dc=nodak, dc=edu"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw        secret
# rootpw        {crypt}ijFYNcSNctBYg
rootpw          {SHA}ceHixPjpYAryAobGXZyzztpweto=

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap/data-1

#
# Indices to maintain for this database
#
# TVM: with openldap 2.3.24 on RHEL4 we just commented all of these out and
# added our own, some of which exactly duplicated these.  I'll keep the first
# two index lines and comment out the next three, then supplement with ours.
#
# Also, previously we maintained a presence (pres) index on *every* one of
# these.  Section 21.2.3 of the OpenLDAP admin guide makes it very clear
# that presence indexing is almost always a bad idea.  With that in mind,
# I've removed presence indexing from all of these.
#
index objectClass                       eq
index ou,cn,mail,surname,givenname      eq,sub
#index uidNumber,gidNumber,loginShell   eq
#index uid,memberUid                    eq,sub
#index nisMapName,nisMapEntry           eq,sub

#
# TVM: added indexes on all of these.
#
index mailLocalAddress,mailRoutingAddress,nid           eq
index iid,uid,services                                  eq,sub
index class,college,major                               eq,sub
index group,department,institution,title                eq,sub
index physicalDeliveryOfficeName,telephoneNumber        eq,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM

#
# TVM: this is new with 2.4.x, we'll leave it enabled, see chapter 20 of
# the admin guide.
#

# enable monitoring
database        monitor
rootdn          "cn=Someone Hidden, dc=ndsu, dc=nodak, dc=edu"

# allow only rootdn to read the monitor
access to * by * none
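To make concrete what the bindDN rewrite rule in the posted slapd.conf does to the DN of an incoming bind, the following Python walkthrough is added here; it is not part of the ITS thread and not OpenLDAP's code. It applies the posted pattern `^(iid=[^, ]+).*` to a few constructed bind DNs. `attr2dn` is a constructed dictionary standing in for the real `ldap` rewriteMap, which would run a subtree search under `dc=nodak,dc=edu` using the captured text as the filter and return the matching entry's DN. How a map miss is handled (DN left unchanged, which is how the rule's `I` flag is read here) is an assumption.

```python
import re

# The rule exactly as it appears in the posted slapd.conf:
#   rwm-rewriteRule "^(iid=[^, ]+).*" "${attr2dn($1)}" ":@I"
# slapd compiles the pattern with the system regex library; Python's re
# behaves identically for this particular pattern.
BIND_DN_PATTERN = re.compile(r"^(iid=[^, ]+).*")

# Constructed stand-in for the directory behind the "attr2dn" rewriteMap.
# The real map issues "ldap://localhost/dc=nodak,dc=edu?dn?sub" with the
# captured text as the search filter; here a dictionary plays that role.
CONSTRUCTED_DIRECTORY = {
    "iid=1234567": "uid=jdoe,ou=people,dc=ndsu,dc=nodak,dc=edu",
}


def attr2dn(filter_text):
    """Constructed stand-in for the rwm 'ldap' rewriteMap (not slapd code)."""
    return CONSTRUCTED_DIRECTORY.get(filter_text)


def rewrite_bind_dn(bind_dn):
    """Apply the bindDN-context rule to one bind DN.

    Returns (matched, effective_dn):
      matched      -- whether the pattern matched at all
      effective_dn -- the DN slapd would go on to use

    An empty DN (anonymous bind) cannot match because the pattern needs
    "iid=" plus at least one further character, so it passes through.
    A map miss is treated as "leave the DN alone" (assumption, see above).
    """
    m = BIND_DN_PATTERN.match(bind_dn)
    if not m:
        return False, bind_dn
    captured = m.group(1)          # e.g. "iid=1234567", RDN only, no suffix
    mapped = attr2dn(captured)
    if mapped is None:
        return True, bind_dn
    return True, mapped


if __name__ == "__main__":
    # Constructed sample bind DNs.
    for dn in ["iid=1234567",
               "iid=1234567,ou=people,dc=nodak,dc=edu",
               "uid=jdoe,ou=people,dc=ndsu,dc=nodak,dc=edu",
               ""]:
        print(repr(dn), "->", rewrite_bind_dn(dn))
```

Because `$1` is only the captured `iid=...` RDN, a qualified and an unqualified bind DN map to the same search filter, which is what the config comment means by "it doesn't matter if it's qualified or not"; the trailing `.*` discards whatever follows the first comma or space.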