On 09/21/2011 09:38 PM, Pierangelo Masarati wrote:
> Can you reproduce with latest release/master? Can you provide a minimal configuration+data that allows reproducing the issue?
>
> p.

Hello Pierangelo,
We are in the middle of several migration processes and I don't have the time to dig further into this issue right now, particularly in regard to trying latest/master.
I can however serve you with some extra data.
Our LDAP infrastructure is like this:
1 master (provider) ----- 2 slaves (consumer) ----- 2 proxies
But the problem is happening in another server, which has a translucent overlay and several other very small local databases.
That server's configuration file is
--- snip ---
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/unl.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/qmail.schema
include /etc/ldap/schema/sudo.schema
include /etc/ldap/schema/RADIUS-LDAPv3.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/hdb.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256

idletimeout 600
threads 8

modulepath /usr/lib/ldap
moduleload back_hdb
moduleload memberof
moduleload dynlist
moduleload back_ldap
moduleload translucent

TLSCertificateFile /etc/ssl/certs/ldap.fct.unl.pt-2010-01-12.crt
TLSCertificateKeyFile /etc/ssl/certs/ldap.fct.unl.pt-2010-01-12.key
TLSCACertificateFile /etc/ssl/certs/ca-bundle.crt

backend ldap
sizelimit 100
timelimit unlimited

include /etc/ldap/cdstaff.conf

database hdb
suffix "dc=unl,dc=pt"
rootdn cn=cdstaff,dc=unl,dc=pt
directory "/var/lib/ldap/dc=unl,dc=pt"
lastmod on

include /etc/ldap/acls.conf

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn.regex="cn=cpdunl,dc=unl,dc=pt" write
    by dn.regex="cn=readercpdunl,dc=unl,dc=pt" read
    by dn.regex="cn=cdstaff,dc=unl,dc=pt" write
    by self read
    by anonymous auth
    by * none

access to *
    by dn.regex="cn=cpdunl,dc=unl,dc=pt" write
    by dn.regex="cn=cdstaff,dc=unl,dc=pt" write
    by * read

index entryCSN eq
index entryUUID eq
index objectClass eq
index uniqueIdentifier eq
index displayName eq
index uidNumber eq
index gidNumber eq
index title eq
index uid eq,pres,sub,subinitial,subany,subfinal
index member eq,pres
index memberOf eq,pres
index cn eq,sub,subinitial

index sambaSID eq,pres,sub
index sambaPrimaryGroupSID eq,pres
index sambaSIDList eq,pres
index sambaGroupType eq
index memberUid eq
index uniqueMember eq
index sambaDomainName eq,pres

index qmailUID eq
index qmailGID eq
index accountStatus eq
index modifytimestamp eq
index mailForwardingAddress eq
index mail pres,eq,approx,sub
index mailAlternateAddress pres,eq,approx,sub
index mailHost pres,eq

index radiusGroupName eq
index sudoUser eq
index krb5PrincipalName eq

overlay translucent
uri "ldap://ldap1.fct.unl.pt ldap://ldap2.fct.unl.pt"
acl-bind binddn="cn=readercpdunl,dc=unl,dc=pt" credentials="h2qev49%71"
translucent_strict
translucent_local sambaAcctFlags,sambaAlgorithmicRidBase,sambaBadPasswordCount,sambaBadPasswordTime,sambaDomainName,sambaGroupType,sambaHomeDrive,sambaHomePath,sambaKickoffTime,sambaLogoffTime,sambaLogonHours,sambaLogonScript,sambaLogonTime,sambaMungedDial,sambaNextGroupRid,sambaNextRid,sambaNextUserRid,sambaPasswordHistory,sambaPrimaryGroupSID,sambaProfilePath,sambaPwdCanChange,sambaPwdLastSet,sambaPwdMustChange,sambaSID,sambaSIDList,sambaUserWorkstations
--- snip ---
That /etc/ldap/cdstaff.conf file contains the definitions of several local databases, which use no other overlays or special configuration. Its content is
--- snip ---
database hdb
suffix "sambaDomainName=STAFF,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/sambaDomainName=STAFF,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,sambaDomainName,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base="sambaDomainName=STAFF,dc=fct,dc=unl,dc=pt"
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "ou=machines,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/ou=machines,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base="ou=machines,dc=fct,dc=unl,dc=pt"
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Administrator,ou=agentes,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Administrator,ou=agentes,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base="cn=Administrator,ou=agentes,dc=fct,dc=unl,dc=pt"
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Domain Admins,ou=grupos,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Domain Admins,ou=grupos,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base="cn=Domain Admins,ou=grupos,dc=fct,dc=unl,dc=pt"
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Domain Users,ou=grupos,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Domain Users,ou=grupos,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base=""
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Domain Guests,ou=grupos,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Domain Guests,ou=grupos,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base=""
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Domain Computers,ou=grupos,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Domain Computers,ou=grupos,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base="cn=Domain Computers,ou=grupos,dc=fct,dc=unl,dc=pt"
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Administrators,ou=grupos,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Administrators,ou=grupos,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base="cn=Domain Guests,ou=grupos,dc=fct,dc=unl,dc=pt"
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Users,ou=grupos,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Users,ou=grupos,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base=""
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Guests,ou=grupos,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Guests,ou=grupos,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base=""
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Account Operators,ou=grupos,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Account Operators,ou=grupos,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base=""
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Print Operators,ou=grupos,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Print Operators,ou=grupos,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base=""
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Backup Operators,ou=grupos,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Backup Operators,ou=grupos,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base=""
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate

database hdb
suffix "cn=Replicators,ou=grupos,dc=fct,dc=unl,dc=pt"
rootdn "cn=cdstaff,dc=unl,dc=pt"
directory "/var/lib/ldap/cn=Replicators,ou=grupos,dc=fct,dc=unl,dc=pt"
index objectClass,sambaSID,uid,uidNumber,gidNumber,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,displayName,cn eq
lastmod on
access to dn.base=""
    by * read
access to *
    by dn="cn=cpdunl,dc=unl,dc=pt" write
    by dn="cn=readercpdunl,dc=unl,dc=pt" write
    by dn="cn=cdstaff,dc=unl,dc=pt" write
    by * read
subordinate
--- snip ---
Some entry examples follow.

On the central LDAP infrastructure:

hm@DIVINF-PC15:~$ ldapsearch -b "ou=agentes,dc=fct,dc=unl,dc=pt" -x -h ldap.fct.unl.pt "uid=hmmm" -LL
version: 1

dn: uniqueIdentifier=15093,ou=agentes,dc=fct,dc=unl,dc=pt
mailQuotaSize: 10737418240
radiusGroupName: Adm
deliveryMode: noreply
mailReplyText:: TWVuc2FnZW0gZGUgYXV0by1yZXBseSBwYXJhIHRlc3RlLg0K
uid: hmmm
gidNumber: 1000
homeDirectory: /home/agentes/15093
loginShell: /bin/customshell
givenName: Hugo
sn: Monteiro
gecos: Hugo Miguel Marques Monteiro
cn: Hugo Monteiro
displayName: Hugo Monteiro
uidNumber: 15093
objectClass: top
objectClass: uidObject
objectClass: agenteUNL
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: qmailUser
objectClass: radiusprofile
uniqueIdentifier: 15093
title: Trabalhador FCT
title: Aluno LEI-FCT
accountStatus: active
mailHost: mailstrg2.ci.fct.unl.pt
qmailGID: 1000
qmailUID: 15093
mail: hmmm@fct.unl.pt
mailAlternateAddress: hmmm@students.fct.unl.pt
mailAlternateAddress: hugo.monteiro@fct.unl.pt
mailForwardingAddress: fctunl-teste@fct.unl.pt
krb5KDCFlags: 126
krb5PrincipalName: hmmm@FCT.UNL.PT
sambaSID: S-1-5-21-588362536-2687990616-3095848848-30186
sambaPrimaryGroupSID: S-1-5-21-588362536-2687990616-3095848848-513
sambaHomeDrive: H:
sambaLogonScript: logon.bat
sambaAcctFlags: [UX ]
sambaPwdLastSet: 1317217397
krb5KeyVersionNumber: 11

That same entry after translucent:

hm@DIVINF-PC15:~$ ldapsearch -b "ou=agentes,dc=fct,dc=unl,dc=pt" -x -h cdstaff.fct.unl.pt "uid=hmmm" -LL
version: 1

dn: uniqueIdentifier=15093,ou=agentes,dc=fct,dc=unl,dc=pt
mailQuotaSize: 10737418240
radiusGroupName: Adm
deliveryMode: noreply
mailReplyText:: TWVuc2FnZW0gZGUgYXV0by1yZXBseSBwYXJhIHRlc3RlLg0K
uid: hmmm
gidNumber: 1000
homeDirectory: /home/agentes/15093
loginShell: /bin/customshell
givenName: Hugo
sn: Monteiro
gecos: Hugo Miguel Marques Monteiro
cn: Hugo Monteiro
displayName: Hugo Monteiro
uidNumber: 15093
objectClass: top
objectClass: uidObject
objectClass: agenteUNL
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: qmailUser
objectClass: radiusprofile
objectClass: krb5Principal
objectClass: krb5KDCEntry
uniqueIdentifier: 15093
title: Trabalhador FCT
title: Aluno LEI-FCT
accountStatus: active
mailHost: mailstrg2.ci.fct.unl.pt
qmailGID: 1000
qmailUID: 15093
mail: hmmm@fct.unl.pt
mailAlternateAddress: hmmm@students.fct.unl.pt
mailAlternateAddress: hugo.monteiro@fct.unl.pt
mailForwardingAddress: fctunl-teste@fct.unl.pt
krb5KDCFlags: 126
krb5PrincipalName: hmmm@FCT.UNL.PT
sambaSID: S-1-5-21-1327543176-3185848629-1254536839-31186
sambaPrimaryGroupSID: S-1-5-21-1327543176-3185848629-1254536839-513
sambaHomeDrive: H:
sambaLogonScript: logon.bat
sambaAcctFlags: [UX ]
sambaPwdLastSet: 1317217397
krb5KeyVersionNumber: 11

And finally just the local part to the problematic server:

dn: uniqueIdentifier=15093,ou=agentes,dc=fct,dc=unl,dc=pt
uidNumber: 15093
sambaSID: S-1-5-21-1327543176-3185848629-1254536839-31186
sambaHomeDrive: H:
sambaLogonScript: logon.bat
sambaAcctFlags: [UX ]
sambaPrimaryGroupSID: S-1-5-21-1327543176-3185848629-1254536839-513

We noticed that the crash would also happen if the query was like (&(uid=*)(objectClass=sambaSamAccount)), BUT it does not happen every time. Happens mostly when there is more usage, but nothing like high loads or anything. We've had problems every morning, around 9am, when everyone would log in to their workstation. I then gave the VM more resources and since 2 days ago there has been no problem (so far).
I would love to be able to help a bit more, perhaps with a core file, but I'm really lacking time atm. I will try to provide a core in a couple of days or so. Let me know if there is any special way to collect the information you need.
Best regards,
Hugo Monteiro.