Hi,
This is weird - quite possibly a config problem, I'm hoping someone can spot it :)
I have a minimal slapd server which works fine with either an rwm/relay section or a ppolicy section - but not both at once.
I'm happy to explain *why* I need to do this if asked, but for now it would just clutter this message. I do have a Really Good(TM) reason.
============ Actual problem ===================
We load slapd up with actual entries for the dc=new,dc=example,dc=com domain.
slapd is configured to map all records with rwm/relay to dc=old,dc=example,dc=com so clients with the old config still work.
ie
we load a real record:
1) dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
and we want clients asking about
2) dn: uid=testuser,ou=people,dc=old,dc=example,dc=com
to be served from (1)
======== OK here's an example ================
=== Server ====
Running debian 6 server with debian slapd 2.4.23-7.2
/usr/sbin/slapd -d 4 -h "ldap:/// ldaps:/// ldapi:///" -g openldap -u openldap -f /etc/ldap/slapd.conf
=== Test client ===
Running test against the "old" realm:
ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com
# Enter the wrong password and it fails correctly and server runs OK.
# Enter the right password and the client says:
ldap_result: Can't contact LDAP server (-1)
Server says (last few lines from slapd):
[rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=old,dc=example,dc=com"
[rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com,0)
<= ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
=> bdb_entry_get: ndn: "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
==> hdb_bind: dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
send_ldap_result: err=0 matched="" text=""
=> bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
Segmentation fault
However, queries against the "new" domain work:
ldapwhoami -x -W -D uid=testuser,ou=people,dc=new,dc=example,dc=com
Enter LDAP Password:
dn:uid=testuser,ou=people,dc=new,dc=example,dc=com
If I disable ppolicy in slapd.conf, queries against the "old" domain work:
root@ldaptest1:/etc# ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com
Enter LDAP Password:
dn:uid=testuser,ou=people,dc=new,dc=example,dc=com
(the rewrite is not perfect - but that may not matter for my clients).
Almost certainly I have done something stupid - and it seems clear that ppolicy is being upset by the relay mappings. Any ideas how to fix would be *very* welcome - I have been all over Google and the man pages.
All the best!
Tim
OK - boring stuff:
slapd.conf
###########################################
#######################################################################
# Global Directives:

# Features to permit
allow bind_anon_cred bind_anon_dn update_anon

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ppolicy.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel sync stats

sizelimit 5000
tool-threads 1

modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_relay
moduleload rwm
moduleload ppolicy

overlay rwm
rwm-rewriteEngine on

backend hdb

#######################################################################
# Global ACLs
#
# Ensure read access to the base for things like
# supportedSASLMechanisms.
access to dn.base=""
    by * read

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# This ACL must be first or password leakage will happen!!!
access to attrs=userPassword,shadowLastChange
    by peername.path="/var/run/slapd/ldapi" manage
    by dn="cn=admin,dc=new,dc=example,dc=com" manage
    by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write
    by self write
    by * auth

# The admin dn has full write access, everyone else
# can read everything. Local unix domain socket (root only)
# Can do everything
access to *
    by peername.path="/var/run/slapd/ldapi" manage
    by dn="cn=admin,dc=new,dc=example,dc=com" manage
    by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write
    by * read

#######################################################################
# Main new.example.com authoritative database
#
database hdb
suffix dc=new,dc=example,dc=com

rootdn "cn=admin,dc=new,dc=example,dc=com"
rootpw "{SSHA}NoNoNooo..."

directory "/var/lib/ldap"
dbconfig set_cachesize 0 134217728 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30

#######################################################################
#
# Password Policy
#
#
overlay ppolicy
ppolicy_default "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

#######################################################################
# Virtual maps - compatibility with old.example.com only
#
# map dc=old to dc=new
#
database relay
suffix "dc=old,dc=example,dc=com"
relay "dc=new,dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=new,dc=example,dc=com"
###########################################
Initial database loaded with slapadd from this ldif:
###########################################
dn: dc=new,dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: new.example.com
dc: new

dn: cn=admin,dc=new,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: NoNoNoooo...

dn: ou=people,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=pwpolicies,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: pwpolicies

#
#
# Standard policy for normal people
#
dn: cn=default,ou=pwpolicies,dc=new,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 15811200
pwdExpireWarning: 1814400
pwdGraceAuthnLimit: 3
pwdInHistory: 6
pwdCheckQuality: 2
pwdMaxFailure: 5
pwdMinLength: 8
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdFailureCountInterval: 300
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Test User
employeeType: Staff
gecos: Test User
gidNumber: 1000
givenName: Test
homeDirectory: /homes/testuser
loginShell: /bin/bash
mail: testuser@new.example.com
sn: User
uid: testuser
uidNumber: 1000
userPassword: {SSHA}NoNoNoooo...

dn: cn=ddh-staff,ou=groups,dc=new,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ddh-staff
description: Test Group
gidNumber: 1000
memberUid: testuser

dn: cn=sysadmin,ou=groups,dc=new,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: sysadmin
description: Staff: System Admin Group
gidNumber: 1001
memberUid: testuser
###########################################
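Added example (not from Tim's post and not OpenLDAP code): a small Python model of the request path behind the log above, parsing the relevant directives from the posted slapd.conf and tracing a bind DN through backend selection, the relay database's rwm-suffixmassage, and the overlays on each hop; the two rwm instances it reports (global and on the relay database) match the two [rw] bindDN lines, and the hdb hop is where ppolicy sees the rewritten DN. It assumes only what slapd.conf(5) documents: overlays before the first database line are global, back-relay forwards to the database named by relay, and the constructed SLAPD_CONF is a subset of the one posted.

```python
# Simplified model of slapd backend selection plus back-relay/rwm forwarding (not OpenLDAP's own code).

# Constructed sample: the directives from the posted slapd.conf that shape the bind path.
SLAPD_CONF = """
overlay rwm
database hdb
suffix dc=new,dc=example,dc=com
overlay ppolicy
database relay
suffix "dc=old,dc=example,dc=com"
relay "dc=new,dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=new,dc=example,dc=com"
"""

def new_db(kind):
    return {"type": kind, "suffix": None, "relay": None, "rwm-suffixmassage": None, "overlays": []}

def parse_conf(text):
    dbs = [new_db("frontend")]  # overlays before the first 'database' line are global
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, val = parts[0], (parts[1].strip().strip('"') if len(parts) > 1 else "")
        if key == "database":
            dbs.append(new_db(val))
        elif key in ("suffix", "relay", "rwm-suffixmassage"):
            dbs[-1][key] = val.lower()  # ASCII case-folding only; real DN normalisation is richer
        elif key == "overlay":
            dbs[-1]["overlays"].append(val)
    return dbs

def select_db(dbs, dn):
    hits = [d for d in dbs[1:] if d["suffix"] and (dn == d["suffix"] or dn.endswith("," + d["suffix"]))]
    return max(hits, key=lambda d: len(d["suffix"]), default=None)  # longest suffix wins

def trace_bind(dbs, dn):
    dn = dn.lower()
    hops = [("frontend", dn, list(dbs[0]["overlays"]))]  # (database type, DN as seen there, overlays)
    db = select_db(dbs, dn)
    while db is not None:
        hops.append((db["type"], dn, list(db["overlays"])))
        if db["type"] != "relay":
            break
        if db["rwm-suffixmassage"]:  # rwm on the relay database rewrites the suffix before forwarding
            dn = dn[: -len(db["suffix"])] + db["rwm-suffixmassage"]
        db = next((d for d in dbs[1:] if d["suffix"] == db["relay"]), None)  # relay target database
    return hops
```

Run trace_bind(parse_conf(SLAPD_CONF), dn) for the old and new test DNs: the old one passes frontend rwm, relay rwm and then hdb ppolicy with the massaged DN, the new one goes straight to hdb.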