Full_Name: Andrew Findlay Version: 2.4.26 OS: OpenSuSE 11.4 URL: ftp://ftp.openldap.org/incoming/andrew-findlay-2012050201.tar Submission from: (NULL) (2a01:348:28c:1::94)
I have a setup where several OUs share a server, with one backend database per OU. Config data like password policies and service accounts is in another backend DB. The password policies do not work unless they are copied into each backend DB.
The attached tar contains a full test to demonstrate the problem. Here is a summary of the README:
There are two databases, for suffixes dc=a,dc=example,dc=org and dc=zzz,dc=example,dc=org (note different length, which helps later).

There are two accounts - a1 and zzz1 - each stored in a different backend database. Both accounts are locked with 'pwdAccountLockedTime: 00000101000000Z'.
Each database uses the ppolicy overlay, and both have cn=ppol-a,dc=a,dc=example,dc=org as the default policy.
The run-test script does this:
    echo "Binding as a1"
    ldapwhoami -x -D uid=a1,dc=a,dc=example,dc=org -w "secret"

    echo "Binding as zzz1"
    ldapwhoami -x -D uid=zzz1,dc=zzz,dc=example,dc=org -w "secret"
Both accounts are locked so both should fail to bind. In practice a1 fails correctly, but zzz1 binds.
If you run slapd with debug:
    ./start-slapd -d 65535
you can see some clues:
    => bdb_entry_get: found entry: "uid=zzz1,dc=zzz,dc=example,dc=org"
    bdb_entry_get: rc=0
    => bdb_entry_get: ndn: "cn=ppol-a,dc=a,dc=example,dc=org"
    => bdb_entry_get: oc: "(null)", at: "(null)"
    bdb_dn2entry("cn=ppol-a,dc=a,dc=example,dc=org")
    => hdb_dn2id("a,dc=a,dc=example,dc=org")
    --------------^^ INVALID DN
    <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
    => bdb_entry_get: cannot find entry: "cn=ppol-a,dc=a,dc=example,dc=org"
The corresponding lines for a1 are:
    => bdb_entry_get: found entry: "uid=a1,dc=a,dc=example,dc=org"
    bdb_entry_get: rc=0
    => bdb_entry_get: ndn: "cn=ppol-a,dc=a,dc=example,dc=org"
    => bdb_entry_get: oc: "(null)", at: "(null)"
    bdb_dn2entry("cn=ppol-a,dc=a,dc=example,dc=org")
    => hdb_dn2id("cn=ppol-a,dc=a,dc=example,dc=org")
The big clue here is this line:

    => hdb_dn2id("a,dc=a,dc=example,dc=org")

The invalid DN has the same length as the suffix of the other DB:

    a,dc=a,dc=example,dc=org
    dc=zzz,dc=example,dc=org
I think the overlay is looking for cn=ppol-a,dc=a,dc=example,dc=org in the DB containing dc=zzz,dc=example,dc=org.
Andrew
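As an added example (not part of the report above and not OpenLDAP's own code): a short Python model of what the debug log shows, a DN lookup that trusts a suffix length instead of checking that the DN really sits under the backend's suffix, next to the check that avoids it and a configuration lint for the workaround the report describes (each backend's default policy must live inside that backend). All function names and the modelled behaviour are assumptions reconstructed from the log lines, not a verified reading of back-bdb.

```python
from typing import Dict, List, Optional


def tail_as_suffix(ndn: str, suffix: str) -> str:
    """Model of the faulty lookup: take the last len(suffix) characters of
    the normalized DN as if they were this backend's suffix, without
    checking that they actually are.  Assumption drawn from the log, where
    the 24-char suffix dc=zzz,... yields the 24-char tail a,dc=a,..."""
    if len(ndn) < len(suffix):
        return ""
    return ndn[len(ndn) - len(suffix):]


def is_within_suffix(ndn: str, suffix: str) -> bool:
    """Correct containment test: the DN is the suffix itself, or ends with
    the suffix at an RDN boundary (preceded by a comma)."""
    return ndn == suffix or ndn.endswith("," + suffix)


def select_backend(ndn: str, suffixes: List[str]) -> Optional[str]:
    """Pick the backend that really holds ndn (longest matching suffix),
    or None if no configured backend contains it."""
    matches = [s for s in suffixes if is_within_suffix(ndn, s)]
    return max(matches, key=len) if matches else None


def check_ppolicy_defaults(backends: Dict[str, str]) -> List[str]:
    """Lint: list backends whose default policy DN lies outside their own
    suffix.  Per the report, such a policy is not found at bind time and
    the account lock is silently not enforced."""
    return [suffix for suffix, policy_dn in backends.items()
            if not is_within_suffix(policy_dn, suffix)]


# Constructed configuration mirroring the report: two backends, both
# pointing at a policy that lives only in the dc=a backend.
POLICY_DN = "cn=ppol-a,dc=a,dc=example,dc=org"
BACKENDS = {
    "dc=a,dc=example,dc=org": POLICY_DN,
    "dc=zzz,dc=example,dc=org": POLICY_DN,
}

if __name__ == "__main__":
    # Resolving the policy relative to the zzz backend reproduces the
    # invalid DN from the log: a,dc=a,dc=example,dc=org
    print(tail_as_suffix(POLICY_DN, "dc=zzz,dc=example,dc=org"))
    print(select_backend(POLICY_DN, list(BACKENDS)))
    print(check_ppolicy_defaults(BACKENDS))
```

Running the lint over a real configuration would flag dc=zzz,dc=example,dc=org as needing its own copy of the policy, which is the workaround the report states.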