slapo-translucent overlay crashes during wildcard search with subordinate
by jeremy.diaz@rexconsulting.net
Hello openldap-technical,
I found that slapd 2.5.11 w/slapo-translucent will crash when queried with a wildcard search. It looks like any wildcard search on any attribute specified in "translucent_local" will cause the SIGSEGV on the latest version of Symas OpenLDAP slapd, 2.5.11, MDB databases, running on CentOS7.
It seems that the SIGSEGV problem does not occur with the 2.4.44 from the RHEL7 distribution, and so the problem may be a regression. I have not tested any other versions but have verified that, with the exact same config, the problem does not happen on the RHEL7 2.4.44 version, but does happen w/Symas OpenLDAP 2.5.11.
It's an interesting config here. There are two database+suffixes defined in the instance. The first one is subordinate (ou=someorg,dc=corp,dc=com) to the second one (dc=corp,dc=com). The "subordinate" option is set to "True". The second database section loads the translucent overlay which is pointed to the upstream Active Directory instance and has the same suffix of AD.
The problem is administrative. The group wants their admins who manage LDAP data to be able to search using wildcard "cn=xyx*" filters. Besides crashing, we have noticed that these work, but only when setting the basedn of the subordinate database. I tried a few things in a test lab and was able to reproduce the issue.
with "cn" in "translucent_local" and sublevel search of translucent superior basedn dc=corp,dc=com:
  "(cn=jed)" filter returns subordinate database entry
  "(cn=je*)" filter crashes slapd
with "cn" not in "translucent_local" and sublevel search of translucent superior basedn dc=corp,dc=com:
  "(cn=jed)" filter returns referrals from upstream Active Directory
  "(cn=je*)" filter returns referrals from upstream Active Directory
with "cn" in "translucent_local" and sublevel search of subordinate basedn ou=someorg,dc=corp,dc=com:
  "(cn=jed)" filter returns subordinate database entry from ou=someorg
  "(cn=je*)" filter returns subordinate database entry(ies) from ou=someorg
with "cn" not in "translucent_local" and sublevel search of subordinate basedn ou=someorg,dc=corp,dc=com:
  "(cn=jed)" filter returns subordinate database entry from ou=someorg
  "(cn=je*)" filter returns subordinate database entry(ies) from ou=someorg
Here's what the crash looks like:
622eb2f7.0393c4d6 0x7fcf15e89880 slapd starting
622eb2fd.32371976 0x7fce8d9f3700 slap_listener_activate(8):
622eb2fd.323bb364 0x7fce8d1f2700 >>> slap_listener(ldap:///)
622eb2fd.3247761c 0x7fce8d1f2700 connection_get(15): got connid=1000
622eb2fd.3247962c 0x7fce8d1f2700 connection_read(15): checking for input on id=1000
622eb2fd.3247b177 0x7fce8d1f2700 ber_get_next
622eb2fd.3247e0b8 0x7fce8d1f2700 ber_get_next: tag 0x30 len 12 contents:
622eb2fd.3247f6f1 0x7fce8d1f2700 op tag 0x60, time 1647227645
622eb2fd.32480615 0x7fce8d1f2700 ber_get_next
622eb2fd.32484eca 0x7fce8d1f2700 conn=1000 op=0 do_bind
622eb2fd.324861e8 0x7fce8d1f2700 ber_scanf fmt ({imt) ber:
622eb2fd.324871c1 0x7fce8d1f2700 ber_scanf fmt (m}) ber:
622eb2fd.32488890 0x7fce8d1f2700 >>> dnPrettyNormal: <>
622eb2fd.32489324 0x7fce8d1f2700 <<< dnPrettyNormal: <>, <>
622eb2fd.3248ce51 0x7fce8d1f2700 do_bind: version=3 dn="" method=128
622eb2fd.3248efc7 0x7fce8d1f2700 send_ldap_result: conn=1000 op=0 p=3
622eb2fd.324906be 0x7fce8d1f2700 send_ldap_response: msgid=1 tag=97 err=0
622eb2fd.32492605 0x7fce8d1f2700 ber_flush2: 14 bytes to sd 15
622eb2fd.324ab763 0x7fce8d1f2700 do_bind: v3 anonymous bind
622eb2fd.325dc3b4 0x7fce8d1f2700 connection_get(15): got connid=1000
622eb2fd.325de12a 0x7fce8d1f2700 connection_read(15): checking for input on id=1000
622eb2fd.325dec44 0x7fce8d1f2700 ber_get_next
622eb2fd.325e0856 0x7fce8d1f2700 ber_get_next: tag 0x30 len 63 contents:
622eb2fd.325e1663 0x7fce8d1f2700 op tag 0x63, time 1647227645
622eb2fd.325e22e8 0x7fce8d1f2700 ber_get_next
622eb2fd.325e500c 0x7fce8d1f2700 conn=1000 op=1 do_search
622eb2fd.325e5ae0 0x7fce8d1f2700 ber_scanf fmt ({miiiib) ber:
622eb2fd.325e69ea 0x7fce8d1f2700 >>> dnPrettyNormal: <dc=corp,dc=com>
622eb2fd.325e98bd 0x7fce8d1f2700 <<< dnPrettyNormal: <dc=corp,dc=com>, <dc=corp,dc=com>
622eb2fd.325eaad7 0x7fce8d1f2700 ber_scanf fmt ({m) ber:
622eb2fd.325ebce5 0x7fce8d1f2700 ber_scanf fmt (m) ber:
622eb2fd.325eddcb 0x7fce8d1f2700 ber_scanf fmt ({M}}) ber:
622eb2fd.325f334c 0x7fce8d1f2700 ==> limits_get: conn=1000 op=1 self="[anonymous]" this="dc=corp,dc=com"
622eb2fd.325f4dcc 0x7fce8d1f2700 ==> translucent_search: <dc=corp,dc=com> (cn=jed*)
Segmentation fault
Thanks!
Jeremy Diaz | Rex Consulting | https://www.rexconsulting.net
11 months, 4 weeks
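For readers who want to stand up the layout the post describes, here is a slapd.conf fragment in the shape Jeremy outlines: the subordinate mdb database is declared first and glued in with `subordinate`, and the superior database carries `overlay translucent` with `cn` in `translucent_local`, its remote side pointed at Active Directory with the slapd-ldap(5) directives that follow the overlay line. This is an added example, not Jeremy's configuration and not an OpenLDAP test config; the AD hostname `ad.corp.example.com`, the directory paths, rootdn/rootpw and the proxy account under `idassert-bind` are placeholders. One caveat worth taking from the trace above: the crashing search arrives on conn=1000 right after a "v3 anonymous bind", so whatever the root cause turns out to be, any client that can reach the listener can take the daemon down with a single filter until the fix is in.

```conf
#
# Subordinate database: it must appear before its superior, and "subordinate"
# glues it into the dc=corp,dc=com namespace.
#
database        mdb
suffix          "ou=someorg,dc=corp,dc=com"
subordinate
# placeholders: paths, rootdn and rootpw are not from the post
directory       /var/lib/ldap/someorg
rootdn          "cn=admin,ou=someorg,dc=corp,dc=com"
rootpw          secret
index           objectClass eq
index           cn          eq,sub

#
# Superior database: local entries plus the translucent overlay, whose
# remote side is the Active Directory instance that owns dc=corp,dc=com.
#
database        mdb
suffix          "dc=corp,dc=com"
directory       /var/lib/ldap/corp
rootdn          "cn=admin,dc=corp,dc=com"
rootpw          secret

overlay         translucent
# search filters on these attributes are evaluated against the local database
translucent_local cn

# slapd-ldap(5) directives for the remote side follow the overlay line;
# the AD hostname and the proxy account are placeholders
uri             ldaps://ad.corp.example.com/
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=corp,dc=com"
                credentials="REPLACE_ME"
                mode=none
```

With this in place the four searches from the post's matrix can be repeated with `ldapsearch -x -H ldap://localhost -b <basedn> -s sub '<filter>' cn`, first against `ou=someorg,dc=corp,dc=com` and then against `dc=corp,dc=com`; comment out `translucent_local cn` to reproduce the second pair of rows.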
Official symas docker image? Or what others do?
by Dave Macias
Hello,
Wondering if there is a plan to do an official image.
Also, what are others in the community doing?
Finally, there is this project that seems to be updated/supported but is obviously not official: https://github.com/bitnami/bitnami-docker-openldap Has anyone here used/seen this?
Why am I asking?
We are simply looking to dockerize our infra and want to see what people here have experienced.
Our ldap env:
3-way MMR (syncrepl) on v2.6.1
Thank you,
Dave
11 months, 4 weeks
openldap-ltb segmentation fault
by Aaron Bennett
Hi,
I've got a new openldap-ltb 2.5 system (running on Rocky 8), and when I try to start it with "slapd-cli start", it dumps core:
[root@kt-ldap-01 slapd.d]$ journalctl -xe
Mar 28 16:13:06 kt-ldap-01 systemd-coredump[54716]: Resource limits disable core dumping for process 54714 (slapd).
Mar 28 16:13:06 kt-ldap-01 systemd-coredump[54716]: Process 54714 (slapd) of user 0 dumped core.
-- Subject: Process 54714 (slapd) dumped core
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- Documentation: man:core(5)
--
-- Process 54714 (slapd) crashed and dumped core.
--
-- This usually indicates a programming error in the crashing program and
-- should be reported to its vendor as a bug.
Mar 28 16:13:06 kt-ldap-01 slapd-cli[54688]: /usr/local/openldap/sbin/slapd-cli: line 350: 54714 Segmentation fault (core dumped) $SLA>
Mar 28 16:13:06 kt-ldap-01 systemd[1]: systemd-coredump(a)13-54715-0.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
From debugging the shell script it looks like it's running slapd with these arguments:
SLAPD_PARAMS='-h ldaps://kt-ldap-01-665.test.clarku.edu -F /usr/local/openldap/etc/openldap/slapd.d -u ldap -g ldap -l local4'
So if I run:
/usr/local/openldap/libexec/slapd -h ldaps://kt-ldap-01-665.test.clarku.edu -F /usr/local/openldap/etc/openldap/slapd.d -u ldap -g ldap -l local4
It works -- no segfault, no nothing. I can pretty easily write a systemd script that runs that command instead of wasting time with the slapd-cli stuff if that's a better approach.
-Aaron
---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
11 months, 4 weeks
Re: OpenLDAP and Oracle backend
by Julián Sosa
** I wrote erroneously about working versions. Up to OpenLDAP 2.4.23 it
works great with Oracle DB as backend. From version 2.4.25 onwards
integration does not work.
El lun, 28 mar 2022 a las 15:33, Julián Sosa (<docldap(a)gmail.com>) escribió:
> Hi all. As a demand from some client, we have to implement the Oracle
> backend, with the idea of using an existing schema for authenticating users
> with some MFA tool that only supports LDAP.
>
> I began with the latest version at this date (2.6.1), but got this error:
>
> 6241cb6b backsql_oc_get_attr_mapping(): error executing at_query
> "SELECT
> name,sel_expr,from_tbls,join_where,add_proc,delete_proc,param_order,expect_return,sel_expr_u
> FROM ldap_attr_mappings WHERE oc_map_id=?"
> for objectClass "organization"
> with param oc_id=3
> 6241cb6b Return code: -1
> 6241cb6b <==backsql_load_schema_map()
>
> In order to do some debugging, I changed slapd and unixodbc to point
> to a MySQL, and it works fine. So I found some entry on the internet from a
> person who had it working on some version, but when changing it does not
> work. Also, I monitored with the sys user the last queries on v$sql, and the
> last query that reached the DB was , so it appears that the error occurs at
> preparing the attribute mapping query, and the code breaks before sending
> the query.
>
> I found another entry about this, where someone said that he had it
> working on version 2.3.24 and he could not make it work on other versions.
> So I began installing several OpenLDAP versions since the mentioned one, and
> from there to version 2.3.24 I found that the Oracle backend is working fine.
> Beginning with 2.4.24, and onwards versions, it starts to show the mentioned
> error. I tried both on my Mint 20.3 personal machine, and with the client's
> server which is a CentOS 7.8.
>
> For tests, I used same Oracle DB instance. Only copy the slapd.conf from
> working OpenLDAP/Oracle to the version I tested.
>
>
11 months, 4 weeks
Response Ordering
by thomaswilliampritchard@gmail.com
I'm looking to better understand the relationship in packet ordering when it comes to bind requests. As far as I've learned so far, I can send a few LDAP requests and potentially get responses in an order that doesn't match what I've sent.
When it comes to, for example, sending a bind, a search, a bind (different user), and a search, when I send those serially without waiting for a response, are there any guarantees around getting successful bind responses before search results? Is it guaranteed that I would get a bind result from the second bind before search results from the second search? Is it guaranteed the second bind result would come after the end of the first search results, or might I receive the second bind result before the end of the first set of search results (or even in the middle of the second set of search results)?
Then when it comes to server side processing, is it guaranteed that the first search is executed with the authorization of the first bind, and second search executed with the authorization of the second bind? Or is there a way the second search is processed before the second bind?
How does openldap manage changing authorization in the middle of an executing search? If the first search is in flight and the second bind request comes in, does the first search continue to execute and finish with the authorization of the first bind?
Are you aware of clients or tools that leverage that multi request (without waiting for a response) capacity of ldap? In what types of applications might a client send many requests without waiting for any responses?
Thanks for the consideration
Tom
11 months, 4 weeks
ACL deny list anonymous
by beren beren
Hi,
Sorry for the trivial question.
How can I prevent a user who has not authenticated from viewing? That is,
the query ldapsearch -x -H ldap://infra-ldap.wildberries.ru -b
"dc=test,dc=com" shows everything.
12 months
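An added example (not from the thread) of the slapd.conf access control that closes this. When a config has no `access` directive at all, slapd's default is `access to * by * read`, which is exactly what the anonymous `ldapsearch -x` in the question is seeing. The fragment below keeps `auth` on `userPassword` for anonymous sessions so that simple binds can still be evaluated, lets authenticated identities (`by users`) read, and gives everyone else nothing; `require authc` additionally makes slapd refuse every operation from a session that has not bound. The suffix dc=test,dc=com comes from the question; put the lines in that database's section (or the global section).

```conf
# Refuse every operation from a session that has not bound.
require         authc

# Anonymous sessions keep "auth" on userPassword so that a simple bind can
# still compare the password; authenticated identities ("users") may read;
# nobody else sees anything, not even that an entry exists.
access to attrs=userPassword
        by self         write
        by anonymous    auth
        by *            none

access to *
        by users        read
        by *            none

# Equivalent cn=config attributes on the olcDatabase entry for dc=test,dc=com:
#   olcRequires: authc
#   olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
#   olcAccess: {1}to * by users read by * none
```

Afterwards the anonymous `ldapsearch -x -b "dc=test,dc=com"` from the question is rejected by `require authc`; with the two ACLs alone it would return no entries, because the anonymous session cannot even see the base object. A bound search such as `ldapsearch -x -D "uid=someone,dc=test,dc=com" -W -b "dc=test,dc=com"` (placeholder DN) works as before. Order matters: the `userPassword` rule must precede the catch-all, since slapd stops at the first `access to` clause that matches the target.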
ldap bind response
by Gustavo Rios
Hi folks,
I am writing an LDAP library for accessing an OpenLDAP server.
I have written a function that implements an LDAP bind request and decodes
the OpenLDAP response.
The program output is given below.
sioux@etosha:~/msc/it/cnf/ldap/programs/ldp$ ./ldp 127.0.0.1.389
30 c 2 1 3 61 7 a 1 0 4 0 4 0
Tag: 48, Length: 12
Left: 12 bytes
================================
Tag: 2, Length: 1
Left: 10 bytes
Value: 3
================================
Tag: 97, Length: 7
Left: 7 bytes
My question is: how do I "read" the last seven bytes? I have read the LDAP
RFC but it is still confusing.
Can you help me?
Thanks a lot!
--
The lion and the tiger may be more powerful, but the wolves do not perform
in the circus
12 months
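Two questions above, Tom's on response ordering and Gustavo's on the BindResponse bytes, come down to the same piece of the protocol: every LDAPMessage carries a messageID, and a client matches responses to its requests by that ID, not by arrival order (RFC 4511 section 4.1.1). For bind specifically, RFC 4511 section 4.2.1 says that before processing a BindRequest all uncompleted operations must either complete or be abandoned, that after sending a BindRequest a client MUST NOT send further PDUs until it has received the BindResponse, and that servers SHOULD NOT process requests received while a bind is in progress; so the pipelined bind/search/bind/search sequence Tom describes is not something a conforming client sends, while several searches in flight at once are allowed and their results may interleave. The decoder below is an added example, not code from the posts or from OpenLDAP. It decodes Gustavo's fourteen bytes (messageID 3, BindResponse, resultCode 0 = success, empty matchedDN and diagnosticMessage, which is what a successful anonymous bind returns; the last seven bytes are `0a 01 00` + `04 00` + `04 00`) and then groups a constructed stream of interleaved search results by messageID. The sample stream is built inline by a small encoder and is not a capture from slapd; the DNs in it are made up.

```python
"""Decode LDAP (RFC 4511) response PDUs from raw BER and correlate them by messageID.

Added example for this thread, not code from the posts or from OpenLDAP.
Only the response side of the protocol is decoded: BindResponse, SearchResultEntry,
SearchResultDone and the other LDAPResult-shaped replies.
"""

# Response protocolOps are [APPLICATION n] constructed, i.e. tag byte 0x60 | 0x20 | n.
OP_NAMES = {0x61: "BindResponse", 0x64: "SearchResultEntry", 0x65: "SearchResultDone",
            0x67: "ModifyResponse", 0x69: "AddResponse", 0x6B: "DelResponse",
            0x6D: "ModifyDNResponse", 0x6F: "CompareResponse", 0x78: "ExtendedResponse"}
RESULT_CODES = {0: "success", 1: "operationsError", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights"}


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, next_pos) for the BER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_result(body: bytes) -> dict:
    """LDAPResult: resultCode ENUMERATED, matchedDN, diagnosticMessage, then optional fields."""
    tag, code, pos = read_tlv(body)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    _, matched, pos = read_tlv(body, pos)
    _, diag, pos = read_tlv(body, pos)
    rc = int.from_bytes(code, "big")
    out = {"resultCode": rc, "resultName": RESULT_CODES.get(rc, "other"),
           "matchedDN": matched.decode(), "diagnosticMessage": diag.decode()}
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0xA3:                     # referral [3] SEQUENCE OF LDAPURL
            urls, p = [], 0
            while p < len(val):
                _, url, p = read_tlv(val, p)
                urls.append(url.decode())
            out["referral"] = urls
        elif tag == 0x87:                   # serverSaslCreds [7] in a BindResponse
            out["serverSaslCreds"] = val
    return out


def decode_search_entry(body: bytes) -> dict:
    """SearchResultEntry: objectName LDAPDN, then SEQUENCE OF { type, SET OF values }."""
    _, dn, pos = read_tlv(body)
    _, attrs, _ = read_tlv(body, pos)
    out, p = {"objectName": dn.decode(), "attributes": {}}, 0
    while p < len(attrs):
        _, attr, p = read_tlv(attrs, p)
        _, atype, q = read_tlv(attr)
        _, vals, _ = read_tlv(attr, q)
        values, v = [], 0
        while v < len(vals):
            _, val, v = read_tlv(vals, v)
            values.append(val.decode())
        out["attributes"][atype.decode()] = values
    return out


def decode_message(buf: bytes, pos: int = 0):
    """Decode one LDAPMessage { messageID INTEGER, protocolOp } at pos; return (message, next_pos)."""
    tag, body, nxt = read_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, mid, p = read_tlv(body)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    optag, opbody, _ = read_tlv(body, p)
    msg = {"messageID": int.from_bytes(mid, "big", signed=True),
           "op": OP_NAMES.get(optag, f"0x{optag:02x}")}
    if optag == 0x64:
        msg.update(decode_search_entry(opbody))
    elif optag in OP_NAMES:                 # every other response starts with an LDAPResult
        msg.update(decode_ldap_result(opbody))
    return msg, nxt


def correlate(stream: bytes) -> dict:
    """Group the PDUs of a raw byte stream by messageID, whatever order they arrived in."""
    by_id, pos = {}, 0
    while pos < len(stream):
        msg, pos = decode_message(stream, pos)
        by_id.setdefault(msg["messageID"], []).append(msg["op"])
    return by_id


# Minimal encoder, used only to build the constructed sample PDUs below (short-form lengths).
def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag, len(payload)]) + payload


def ldap_result(msgid: int, op_tag: int, code: int = 0) -> bytes:
    body = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, b"")
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(op_tag, body))


def search_entry(msgid: int, dn: str, attrs: dict) -> bytes:
    plist = b"".join(tlv(0x30, tlv(0x04, k.encode()) + tlv(0x31, b"".join(tlv(0x04, v.encode()) for v in vs)))
                     for k, vs in attrs.items())
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x64, tlv(0x04, dn.encode()) + tlv(0x30, plist)))


# The 14 bytes printed in the post: "30 c 2 1 3 61 7 a 1 0 4 0 4 0".
BIND_RESPONSE_FROM_POST = bytes.fromhex("300c02010361070a010004000400")

# Constructed stream (not captured from slapd): a bind, then two concurrent searches whose
# entries and done messages interleave, which a conforming client sorts out by messageID.
SAMPLE_STREAM = (ldap_result(1, 0x61)
                 + search_entry(2, "cn=jed,ou=someorg,dc=corp,dc=com", {"cn": ["jed"]})
                 + search_entry(4, "cn=jen,ou=someorg,dc=corp,dc=com", {"cn": ["jen"]})
                 + ldap_result(4, 0x65)
                 + ldap_result(2, 0x65))

if __name__ == "__main__":
    print(decode_message(BIND_RESPONSE_FROM_POST)[0])
    print(correlate(SAMPLE_STREAM))
```

The encoder reproduces Gustavo's bytes exactly (`ldap_result(3, 0x61)` equals `BIND_RESPONSE_FROM_POST`), which is a useful sanity check when writing the request side of a library as well. A client built on `decode_message` keeps a table keyed by messageID for every request it has sent and considers a search finished only when the SearchResultDone for that ID arrives, regardless of what other IDs show up in between.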
slapi plug-in does not work after update of OpenLDAP from 2.4 to 2.6.1
by Matthias Apitz
Hello,
We have been running for ages, with an OpenLDAP 2.4 server, a plugin which publishes
changes (add, modify, delete) in LDAP to an Identity Management Server (IDM).
The plugin is written in C and configured in slapd.conf as a shared lib:
plugin postoperation /opt/openldap-2.6.1/lib64/idm.so idm_init "IDM Plugin" 10.23.33.52 3001
The function idm_init() registers static C functions the supposed way:
int idm_init(Slapi_PBlock * pb)
{
    int rc = LDAP_SUCCESS;
    log("idm-plugin:", "now in idm_init()\n");
    // first call, create new list and register the functions
    ...
    /* Plug-in API version */
    rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION,
                           SLAPI_PLUGIN_CURRENT_VERSION);
    /* Plug-in description */
    rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION,
                           (void *) &desc);
    /* Modify function */
    rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN,
                           (void *) modify_user);
    ...
    // read arguments and add list entry
    rc |= read_arguments(pb);
    log("idm-plugin", "idm_init() return rc:%d\n", rc);
    return rc;
}
The function for modify_user() will later publish the change via
network and without going into the details the start of the function
looks like this:
static int modify_user(Slapi_PBlock * pb)
{
Slapi_Entry *entry;
log("idm-plugin:", "now in modify_user\n");
if (slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &entry) != LDAP_SUCCESS) {
log("IDM-Connector Plugin",
"entry modified, but couldn't get entry");
return -1;
}
...
The problem is that, after an update in LDAP, this function is not called. The log
shows only the attach and initialisation of the plugin but no further actions:
03/16/22 10:52:26 idm-plugin:: now in idm_init()
03/16/22 10:52:26 IDM-Connector Plugin: idm_init: Initializing plugin
03/16/22 10:52:26 idm-plugin:: now in read_arguments()
03/16/22 10:52:26 IDM Plugin: added idm connector: ip=10.23.33.52, port=3001
03/16/22 10:52:26 idm-plugin: idm_init() returns rc:0
03/16/22 10:52:26 plugin_pblock_new: Registered plugin OCLC-IDM-Connector-Notifier 1.0 [OCLC.org] (Notify the OCLC IDM-Connector of changes)
As I said, with OpenLDAP 2.4 this works fine. It does not work anymore with 2.6.1.
Is there some change in the slapi interface of which we are not aware?
What could be done as debugging/logging to nail this down?
Thanks in advance and Regards
matthias
--
Matthias Apitz, ✉ guru(a)unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
12 months
Re: RE26 testing call #1 (OpenLDAP 2.6.2)
by Nick Folino
Looking good on Fedora 35
On Tue, Mar 22, 2022 at 1:21 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
> This is the first testing call for OpenLDAP 2.6.2. Depending on the
> results, this may be the only testing call.
>
> Generally, get the code for RE26:
>
> <
> https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6...
> >
>
> Extract, configure, and build.
>
> Execute the test suite (via make test) after it is built. Optionally, cd
> tests && make its to run through the regression suite.
>
> Thanks!
>
> OpenLDAP 2.6.2 Engineering
> Added libldap support for OpenSSL 3.0 (ITS#9436)
> Added slapd support for OpenSSL 3.0 (ITS#9436)
> Fixed ldapdelete to prune LDAP subentries (ITS#9737)
> Fixed libldap to drop connection when non-LDAP data is received
> (ITS#9803)
> Fixed libldap to allow newlines at end of included file (ITS#9811)
> Fixed slapd slaptest conversion of olcLastBind (ITS#9808)
> Fixed slapd to correctly init global_host earlier (ITS#9787)
> Fixed slapd bconfig locking for cn=config replication (ITS#9584)
> Fixed slapd usage of thread local counters (ITS#9789)
> Fixed slapd to clear runqueue task correctly (ITS#9785)
> Fixed slapd syncrepl handling of new sessions (ITS#9584)
> Fixed slapd to clear connections on bind (ITS#9799)
> Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801)
> Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802)
> Fixed slapd-ldap memory leak in keepalive setting (ITS#9802)
> Fixed slapd-meta SEGV on config rewrite (ITS#9802)
> Fixed slapd-meta ordering on config rewrite (ITS#9802)
> Fixed slapd-meta memory leak in keepalive setting (ITS#9802)
> Fixed slapd-monitor SEGV on shutdown (ITS#9809)
> Added slapo-autoca support for OpenSSL 3.0 (ITS#9436)
> Added slapo-otp support for OpenSSL 3.0 (ITS#9436)
> Fixed slapo-pcache SEGV on shutdown (ITS#9809)
> Fixed slapo-ppolicy operation handling to be consistent (ITS#9794)
> Build Environment
> Add ability to override default compile time paths (ITS#9675)
> Fix compilation with certain versions of gcc (ITS#9790)
> Fix compilation with openssl exclusions (ITS#9791)
> Fix warnings from make jobserver (ITS#9788)
> Documentation
> admin26 Document new lloadd features (ITS#9780)
> Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit
> documentation (ITS#9804)
> Fixed slapd-sock(5) to clarify "sockresps result" behavior
> (ITS#8255)
>
>
>
> Regards,
> Quanah
>
12 months
OpenLDAP proxy for samba-usage
by lists@zxt10d.de
Hello :)
Hopefully I'm not completely wrong on this ml, as it's not only LDAP
related, but also Samba related.
I work at a Chair of a German university.
The University uses a central LDAP system for all students, employees,
scientists, scientific guests, etc., providing a unique UID for all
these people, plus much more information.
My idea was: setting up a local OpenLDAP proxy, so that people of our
Chair get access to resources (e.g. via Samba) using their unique UID
and password, but without setting up an AD.
Many systems here are owned by the Chair or University, but lots of
students are using their own laptops, so using an AD (and adding them) is
not very handy for them ... so, something like a stand-alone
Samba server with authentication against LDAP.
Is there a chance to get this running? Is there no chance to add the
schema on a proxy?
What I did so far:
- I can establish a connection to the central LDAP-system using
/etc/pam_ldap.conf
uri ldaps://ldap.DOMAIN.de
host ldap.DOMAIN.de
base ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de
ldap_version 3
binddn cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de
bindpw PASSWORD
pam_password crypt
ssl start_tls
ssl on
- I configured /etc/libnss-ldap.conf, and a 'getent passwd' shows all
local users plus the members
uri ldaps://ldap.DOMAIN.de
host ldap.DOMAIN.de
base ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de
ldap_version 3
binddn cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de
bindpw PASSWORD
- I also configured /etc/ldap/slapd.conf for proxy usage (I think I did
...), but I learned 2 days ago I can't add any schemata on a proxy ...
# Schema includes
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
#
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/openldap.schema
#
#
# Module
modulepath /usr/lib/ldap
moduleload back_ldap.la
moduleload back_hdb.la
moduleload back_mdb
moduleload rwm
moduleload pcache.la
moduleload memberof.la
#
# Main settings
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
conn_max_pending 1000
sockbuf_max_incoming 4194303
logfile /var/log/ldap/logfile.log
#loglevel stats conns filter
loglevel any
sizelimit unlimited
limits * size.pr=0 size.prtotal=none
tool-threads 1
#
readonly on
access to *
by * read
#
# Database defs (proxy to AD)
database ldap
chase-referrals no
rootdn ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de
suffix "dc=DOMAIN,dc=de"
uri ldap://localhost/
uri ldap://ldap.DOMAIN.de/
uri ldaps://ldap.DOMAIN.de/
acl-bind bindmethod=simple
binddn="cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de" credentials="PASSWORD"
starttls=yes
idassert-bind bindmethod=simple
binddn="cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de" credentials="PASSWORD"
starttls=yes
#cancel abandon
overlay pcache
#proxycache hdb 100000 3 1000 100
proxycache mdb 100000 3 1000 100
pcachePersist TRUE
proxyAttrset 0 mail uid gecos
proxyTemplate (sn=) 0 3600
proxyTemplate (&(sn=)(givenName=)) 0 3600
#cachesize 20
index objectClass eq
index cn,sn,uid,mail pres,eq,sub
pcacheAttrset 0 1.1
pcacheTemplate (&(|(objectClass=))) 0 3600
pcacheTemplate (objectClass=*) 0 3600
pcacheAttrset 1 displayname
pcacheTemplate (objectClass=*) 1 3600
pcacheAttrset 2 memberOf
pcacheTemplate (objectClass=*) 2 3600
conn-ttl 3600
#
directory /var/lib/ldap
Testing the config works:
root@ldap:~# /usr/sbin/slapd -Tt -f /etc/ldap/slapd.conf
config file testing succeeded
62398f56 mdb_opinfo_get: err Permission denied(13)
root@ldap:~#
(I have no idea which Permission is denied)
slapd can be started via
/usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf
ldapsearch works fine using '-h localhost' or '-H
ldap://ldap.DOMAIN.de', so I think the basic config is not bad at all ...
Thanks in advance!
Cheers,
Torsten
1 year