Full_Name: Oliver Loch
Version: 2.4.31
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (88.134.36.68)
Hello,
first of all some basic information:
OpenLDAP Version:
[root@ls1 slapd.d]# slapd -V
@(#) $OpenLDAP: slapd 2.4.31 (Apr 24 2012 01:06:25) $
        nobody@ovide:/build/src/openldap-2.4.31/servers/slapd
[root@ls1 slapd.d]#
OS: Linux ls1 3.3.6-1-ARCH #1 SMP PREEMPT Sun May 13 10:52:32 CEST 2012 x86_64 GNU/Linux
Distribution: ArchLinux
What I'm doing:
I have a Master/Master setup with actually two masters. To roll out the second master I created a small configuration that is added to the OpenLDAP database via slapadd.
The config:
======>8========SNIP========================
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1 ldap://server1.foo.bar
olcServerID: 2 ldap://server2.foo.bar

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_bdb.la
olcModuleLoad: {1}back_hdb.la
olcModuleLoad: {2}accesslog
olcModuleLoad: {3}memberof
olcModuleLoad: {4}refint
olcModuleLoad: {5}unique
olcModuleLoad: {6}syncprov
olcModulePath: /usr/lib/openldap

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=master,cn=config
olcRootPW: {SSHA}5e/wtWWZVQPCNf+92o8jYiO56wvh5cRQ
olcSyncrepl: rid=001 provider=ldap://server1.foo.bar bindmethod=simple timeout=0 network-timeout=0 binddn="cn=syncer1,ou=users,cn=foo,cn=bar" credentials="supersecret" keepalive=0:0:0 starttls=no searchbase="cn=config" scope=sub schemachecking=off type=refreshAndPersist retry="5 +"
olcMirrorMode: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
===========SNAP========8<====================
When adding the configuration to the - empty - slapd.d configuration directory via:
slapadd -F /etc/openldap/slapd.d -n 0 -l /root/base.ldif
"slapadd" segfaults as soon as the "binddn" parameter inside the olcSyncrepl attribute contains things like "ou" or "dc". So using "cn=syncer1,ou=users,dc=foo,dc=bar" as binddn is not possible:
=========SNIP=======>8=======================
[root@ls1 slapd.d]# slapadd -F /etc/openldap/slapd.d/ -n 0 -l /root/base.ldif
4fb89a89 invalid bind config value binddn=cn=syncer1,ou=users,dc=foo,dc=bar
4fb89a89 olcSyncrepl: value #0: Error: parse_syncrepl_line: unable to parse "binddn=cn=syncer1,ou=users,dc=foo,dc=bar" .
4fb89a89 failed to add syncinfo
slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=19):
_################# 86.13% eta   none elapsed            none spd 313.2 k/s
Closing DB...Segmentation fault
[root@ls1 slapd.d]#
===========SNAP========8<====================
But using "cn=syncer1,cn=users,cn=foo,cn=bar" is:
========>8==================SNIP==============
[root@ls1 slapd.d]# slapadd -F /etc/openldap/slapd.d/ -n 0 -l /root/base.ldif
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@ls1 slapd.d]#
======SNAP================8<=================
I played with it a bit and as soon as one adds "ou=..." or "dc=..." to the binddn it raises an error. In this example config and in the "real world".
Imho there aren't any limitations to the binddn option?
If you need further information feel free to contact me.
Thanks!
Kr,
Oliver Loch
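The error above is the one slapd prints when the DN given as binddn uses an attribute type it cannot resolve. slapd only knows its built-in attribute types (cn is one of them) plus whatever is loaded under cn=schema,cn=config, and the LDIF in the report carries no schema entries at all, so a pre-flight check of the config LDIF before running slapadd is worth having. The script below is an added example, not part of the report or of OpenLDAP: it unfolds the LDIF, collects the attribute type names defined by any olcAttributeTypes values in the file, parses each olcSyncrepl stanza into its key=value parameters, and reports binddn attribute types that nothing in the file defines. It also flags a syncrepl consumer that would send simple-bind credentials over plain ldap:// without starttls, which the reported config does. The built-in type list is an assumption (a partial subset sufficient for DN checks), and the sample LDIF is constructed to mirror the report's config with a dc= binddn; the segfault on "Closing DB" is outside what this check can say anything about.

```python
"""Pre-flight checks for a cn=config LDIF before slapadd (added example, not OpenLDAP code)."""
import re
import shlex

# Attribute types slapd defines internally, so they resolve with no schema loaded.
# Assumption: a partial list, enough for DN checks; slapd's real built-in set is larger.
BUILTIN_ATTRIBUTE_TYPES = {
    "cn", "commonname", "uid", "userid", "objectclass", "name",
    "description", "userpassword", "labeleduri", "ref",
}

# Constructed sample modelled on the reported config: no schema entries, dc= binddn.
REPORTED_STYLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1 ldap://server1.foo.bar

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=master,cn=config
olcSyncrepl: rid=001 provider=ldap://server1.foo.bar bindmethod=simple
  binddn="cn=syncer1,ou=users,dc=foo,dc=bar" credentials="supersecret"
  starttls=no searchbase="cn=config" type=refreshAndPersist retry="5 +"
olcMirrorMode: TRUE
"""

# Constructed minimal schema entry defining the two types the sample binddn needs.
SCHEMA_ENTRY = """
dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
olcAttributeTypes: {0}( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) SUP name )
olcAttributeTypes: {1}( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainComponent' )
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
"""


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...]; joins continuation lines (leading
    space), skips comments. Base64 (::) values are left undecoded."""
    unfolded = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip()
        if attr.lower() == "dn":
            current = (value, [])
        elif current is not None:
            current[1].append((attr, value))
    return entries


def schema_attribute_types(entries):
    """Built-in types plus every NAME declared by an olcAttributeTypes value (lowercased)."""
    names = set(BUILTIN_ATTRIBUTE_TYPES)
    for _dn, attrs in entries:
        for attr, value in attrs:
            if attr.lower() != "olcattributetypes":
                continue
            m = re.search(r"NAME\s+(?:'[^']+'|\([^)]*\))", value)
            if m:
                names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(0)))
    return names


def parse_syncrepl(value):
    """Split an olcSyncrepl value into a {key: value} dict, honouring double quotes."""
    value = re.sub(r"^\{\d+\}", "", value)   # drop the {n} ordering prefix if present
    params = {}
    for token in shlex.split(value):
        key, _, val = token.partition("=")
        params[key.lower()] = val
    return params


def dn_attribute_types(dn):
    """Attribute types used in a DN's RDNs. Assumption: no escaped ',' or '+' in the DN."""
    return [ava.split("=", 1)[0].strip().lower()
            for rdn in dn.split(",") for ava in rdn.split("+") if ava.strip()]


def check_config(ldif_text):
    """Return a list of findings for the syncrepl stanzas in a cn=config LDIF."""
    entries = parse_ldif(ldif_text)
    known = schema_attribute_types(entries)
    findings = []
    for dn, attrs in entries:
        for attr, value in attrs:
            if attr.lower() != "olcsyncrepl":
                continue
            p = parse_syncrepl(value)
            rid = p.get("rid", "?")
            unknown = sorted({t for t in dn_attribute_types(p.get("binddn", "")) if t not in known})
            if unknown:
                findings.append(f"{dn}: rid={rid} binddn uses attribute types not defined by "
                                f"any loaded schema: {', '.join(unknown)}")
            if (p.get("bindmethod", "simple") == "simple" and "credentials" in p
                    and p.get("starttls", "no") == "no" and p.get("provider", "").startswith("ldap://")):
                findings.append(f"{dn}: rid={rid} simple-bind credentials would travel in "
                                f"cleartext (ldap:// without starttls)")
    return findings


if __name__ == "__main__":
    for finding in check_config(REPORTED_STYLE_LDIF):
        print(finding)
```

Run it against the constructed sample and the unknown-type finding lists dc and ou; append SCHEMA_ENTRY to the same text and only the cleartext finding remains. On a real slapd.d import the attribute types would normally come from the full core schema loaded into cn=schema,cn=config, not from a hand-written stub like the one here.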