Hi,

I am testing REL_ENG_2_4 and HEAD back-ldap and rw with the same slapd.conf, and a sasl bind. While RE_2.4 just crashes with segfault, HEAD is not rewriting the sasl ID, that is

proxy ID: cn=Dieter Kluenter,ou=partner,dc=dkluenter,dc=de
master ID: cn=Dieter Kluenter,ou=partner,o=avci,c=de

Based on this configuration, earlier HEAD versions had rewritten sasl identity properly. My searchstring for back-ldap is:

ldapsearch -Y digest-md5 -U dieter -w xxxx -H ldap://localhost:9004 -b "cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de" -s sub "*"

,----[ slapd.conf back-ldap ]
| modulepath /opt/openldap/libexec/openldap
| moduleload back_meta.la
| moduleload back_ldap.la
| moduleload pcache.la
| moduleload rwm.la
| authz-regexp uid=(.*),cn=.*,cn=auth
|     ldap:///dc=dkluenter,dc=de??sub?uid=$1
|
| access to * by * read
| database ldap
| suffix dc=dkluenter,dc=de
| rootdn cn=admin,dc=dkluenter,dc=de
| uri ldap://localhost:389
| acl-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authcId=admanager
|     credentials=xxxxx
| idassert-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authcId=admanager
|     credentials=xxxx
|     mode=self
| overlay rwm
| rwm-rewriteEngine on
| rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de"
| overlay pcache
| proxycache bdb 10000 22 50 3600
| ...
`----

,----[ back trace of RE_2.4 ]
| <= ldap_dn2bv(cn=dieter kluenter,ou=partner,o=avci,c=de)=0
| <<< dnPrettyNormal: <cn=Dieter Kluenter,ou=Partner,o=avci,c=de>, <cn=dieter kluenter,ou=partner,o=avc
| ,c=de>
| ber_scanf fmt ({xx) ber:
|
| Program received signal SIGSEGV, Segmentation fault.
| [Switching to Thread 0xb6d2fb90 (LWP 12590)]
| 0x00000000 in ?? ()
|
| (gdb) bt
| #0 0x00000000 in ?? ()
| #1 0xb7826a2c in ldap_back_search (op=0xb6d2eadc, rs=0xb6d2ebb0) at search.c:338
| #2 0x080d51c0 in overlay_op_walk (op=0xb6d2eadc, rs=0xb6d2ebb0, which=op_search, oi=0x8251b80,
|     on=0x8253970) at backover.c:652
| #3 0x080d56ee in over_op_func (op=0xb6d2eadc, rs=0xb6d2ebb0, which=op_search) at backover.c:704
| #4 0x080b92b5 in slap_sasl2dn (opx=0x82ba8a0, saslname=0xb6d2ed70, sasldn=0xb6d2ece4, flags=2)
|     at saslauthz.c:2005
| #5 0x080bf2e3 in slap_sasl_getdn (conn=0xb753264c, op=0x82ba8a0, id=0xb6d2ed68, user_realm=0x0,
|     dn=0xb6d2ed70, flags=<value optimized out>) at sasl.c:2035
| #6 0x080c0725 in slap_sasl_canonicalize (sconn=0x82b8f70, context=0xb753264c,
|     in=0x82ba158 "dieter", inlen=6, flags=1, user_realm=0x0, out=0x82b9c81 "", out_max=1024,
|     out_len=0x82b97e0) at sasl.c:624
| #7 0xb7d4f2b8 in _sasl_canon_user () from /usr/lib/libsasl2.so.2
| #8 0xb7a20576 in ?? () from /usr/lib/sasl2/libdigestmd5.so
| #9 0x082b8f70 in ?? ()
| #10 0x082ba158 in ?? ()
| #11 0x00000006 in ?? ()
| #12 0x00000001 in ?? ()
| #13 0x082b97d0 in ?? ()
| #14 0xb7f92ee0 in ?? () from /lib/ld-linux.so.2
| #15 0xb7f36161 in ber_flush2 (sb=0x113, ber=0xb6d2edd0, freeit=-1227689916) at io.c:256
| #16 0xb7d58b07 in sasl_server_step () from /usr/lib/libsasl2.so.2
| #17 0x080c0208 in slap_sasl_bind (op=0x0, rs=0x82b8f70) at sasl.c:1654
| #18 0x08091790 in fe_op_bind (op=0x82ba8a0, rs=0xb6d2f144) at bind.c:280
| #19 0x08092191 in do_bind (op=0x82ba8a0, rs=0xb6d2f144) at bind.c:205
| ---Type <return> to continue, or q <return> to quit---
| #20 0x08074431 in connection_operation (ctx=0xb6d2f238, arg_v=0x82ba8a0) at connection.c:1145
| #21 0x08074ace in connection_read_thread (ctx=0xb6d2f238, argv=0xf) at connection.c:1271
| #22 0xb7f4a2b2 in ldap_int_thread_pool_wrapper (xpool=0x821a7b8) at tpool.c:619
| #23 0xb7d67192 in start_thread () from /lib/libpthread.so.0
| #24 0xb7b3902e in clone () from /lib/libc.so.6
| (gdb)
`----

,----[ slapd-log on master with HEAD ]
| slapd[3832]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci,c=de", attr "entry" requested
| slapd[3832]: => acl_mask: to all values by "cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de", (=0)
| slapd[3832]: <= check a_dn_pat: cn=$1,ou=Partner,o=avci,c=de
| slapd[3832]: <= check a_group_pat: cn=administratoren,o=avci,c=de
| slapd[3832]: => bdb_entry_get: found entry: "cn=administratoren,o=avci,c=de"
| slapd[3832]: <= check a_dn_pat: *
| slapd[3832]: <= acl_mask: [3] applying auth(=xd) (stop)
| slapd[3832]: <= acl_mask: [3] mask: auth(=xd)
| [3832]: => slap_access_allowed: search access denied by auth(=xd)
| slapd[3832]: => access_allowed: no more rules
`----

Is there anything wrong with my slapd.conf? Or is this a bug?
-Dieter