Hello,
I'm not sure if it is a configuration failure or an OpenLDAP error.
I have tested this with CentOS 7 (original RPM), SLES12SP3 and the LTB-project binaries. Every environment failed.
This is a consumer/provider setup with chain overlay and proxyauth.
A minimized slapd.conf global section:
    ...
    authz-policy to
    overlay chain
    chain-uri "ldap://ldap1.example.test"
    chain-rebind-as-user FALSE
    chain-idassert-bind bindmethod="simple"
        binddn="cn=chainadmin,dc=example,dc=test"
        credentials="secret"
        mode=legacy
        flags=override
    chain-return-error TRUE
    ...
The Java code snippet (UnboundID LDAP SDK) which makes a connection, then switches to proxyauth and makes a password change:

    import com.unboundid.ldap.sdk.*;
    import com.unboundid.ldap.sdk.controls.DraftBeheraLDAPPasswordPolicy10RequestControl;
    import com.unboundid.ldap.sdk.controls.DraftBeheraLDAPPasswordPolicy10ResponseControl;
    import com.unboundid.ldap.sdk.controls.DraftBeheraLDAPPasswordPolicy10WarningType;
    import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl;
    import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedRequest;
    import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedResult;

    // modDN, oldPwd, newPwd and openLDAPConnection() are defined elsewhere in the test program.
    try {
        LDAPConnection connection = openLDAPConnection();

        // 1. Bind as the user with the old password, requesting the ppolicy response control.
        BindRequest bindRequest = new SimpleBindRequest(modDN, oldPwd,
                new DraftBeheraLDAPPasswordPolicy10RequestControl());
        BindResult bindResult = connection.bind(bindRequest);
        // get() returns null when the server did not attach a ppolicy response control.
        DraftBeheraLDAPPasswordPolicy10ResponseControl pwpResponse =
                DraftBeheraLDAPPasswordPolicy10ResponseControl.get(bindResult);
        DraftBeheraLDAPPasswordPolicy10WarningType warningType = pwpResponse.getWarningType();
        System.out.println("Bind Result " + bindResult.toString());
        System.out.println("PwdResponse " + pwpResponse.toString());
        connection.close();

        // 2. Reconnect and run the Password Modify extended operation, proxied as the user.
        connection = openLDAPConnection();
        Control[] controls = { new ProxiedAuthorizationV2RequestControl("dn:" + modDN) };
        PasswordModifyExtendedRequest passwordModifyRequest =
                new PasswordModifyExtendedRequest(modDN, oldPwd, newPwd, controls);
        PasswordModifyExtendedResult passwordModifyResult =
                (PasswordModifyExtendedResult) connection.processExtendedOperation(passwordModifyRequest);
        System.out.println("passwordModifyResult " + passwordModifyResult.toString());
        connection.close();

        // 3. Reconnect and verify the new password with another ppolicy-aware bind.
        connection = openLDAPConnection();
        bindRequest = new SimpleBindRequest(modDN, newPwd,
                new DraftBeheraLDAPPasswordPolicy10RequestControl());
        bindResult = connection.bind(bindRequest);
        pwpResponse = DraftBeheraLDAPPasswordPolicy10ResponseControl.get(bindResult);
        warningType = pwpResponse.getWarningType();
        System.out.println("Bind Result " + bindResult.toString());
        System.out.println("PwdResponse " + pwpResponse.toString());
        connection.close();
    } catch (LDAPException e) {
        e.printStackTrace();
    }
The gdb output of the crash is here:

    5a8c6d3d conn=1001 op=1 RESULT oid= err=123 text=not authorized to assume identity
    *** Error in `/usr/local/openldap/libexec/slapd': munmap_chunk(): invalid pointer: 0x00007f2b14100986 ***
    ======= Backtrace: =========
    /lib64/libc.so.6(+0x7ada4)[0x7f2d8a9d7da4]
    /usr/local/openldap/libexec/slapd(ldap_back_controls_free+0xc1)[0x5181a1]
    /usr/local/openldap/libexec/slapd[0x522ba8]
    /usr/local/openldap/libexec/slapd[0x51a959]
    /usr/local/openldap/libexec/slapd[0x51c193]
    /usr/local/openldap/libexec/slapd[0x4a5118]
    /usr/local/openldap/libexec/slapd[0x44f286]
    /usr/local/openldap/libexec/slapd[0x44f787]
    /usr/local/openldap/libexec/slapd(slap_send_ldap_extended+0xc0)[0x450880]
    /usr/local/openldap/libexec/slapd(fe_extended+0xba)[0x46f26a]
    /usr/local/openldap/libexec/slapd(overlay_op_walk+0x92)[0x4a5c42]
    /usr/local/openldap/libexec/slapd[0x4a5d7e]
    /usr/local/openldap/libexec/slapd(do_extended+0x24e)[0x46efbe]
    /usr/local/openldap/libexec/slapd[0x4407ee]
    /usr/local/openldap/libexec/slapd[0x440aca]
    /usr/local/openldap/libexec/slapd[0x590769]
    /lib64/libpthread.so.0(+0x7dc5)[0x7f2d8be00dc5]
    /lib64/libc.so.6(clone+0x6d)[0x7f2d8aa5473d]
    ======= Memory map: ========
    00400000-00683000 r-xp 00000000 fd:00 68054818 /usr/local/openldap/libexec/slapd
    00882000-00883000 r--p 00282000 fd:00 68054818 /usr/local/openldap/libexec/slapd
    00883000-00893000 rw-p 00283000 fd:00 68054818 /usr/local/openldap/libexec/slapd
    00893000-00939000 rw-p 00000000 00:00 0
    022d2000-02768000 rw-p 00000000 00:00 0 [heap]
    7f2b14000000-7f2b1411f000 rw-p 00000000 00:00 0
    7f2b1411f000-7f2b18000000 ---p 00000000 00:00 0
    7f2b1afff000-7f2b1c000000 rw-p 00000000 00:00 0
    7f2b1c000000-7f2b1c021000 rw-p 00000000 00:00 0
    7f2b1c021000-7f2b20000000 ---p 00000000 00:00 0
    7f2b20000000-7f2b20117000 rw-p 00000000 00:00 0
    7f2b20117000-7f2b24000000 ---p 00000000 00:00 0
    7f2b24000000-7f2b24021000 rw-p 00000000 00:00 0
I'm not sure if it is a known bug or a misconfiguration. If someone wants the Java test program, I can send it per PM or give a download link.
Best regards,
Michael
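The following is an added example, not code from Michael's post or from the OpenLDAP project. It is a small Python scanner for the kind of slapd output quoted above: it picks out RESULT lines whose error is 123 (authorizationDenied per RFC 4370, which slapd reports as "not authorized to assume identity" when a proxied authorization is refused), detects the glibc heap-corruption abort line, parses the symbolised backtrace frames, and records which operation was the last one answered before the abort. The log text in SAMPLE_LOG is constructed for the example (connection numbers, DN and addresses are made up); the regexes and record types are assumptions of this example, not part of slapd.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the slapd and glibc output in the post above.
# The DN, connection/op numbers and addresses are made up for this example.
SAMPLE_LOG = """\
5a8c6d3d conn=1001 op=0 BIND dn="uid=user1,ou=people,dc=example,dc=test" method=128
5a8c6d3d conn=1001 op=0 RESULT tag=97 err=0 text=
5a8c6d3d conn=1001 op=1 RESULT oid= err=123 text=not authorized to assume identity
*** Error in `/usr/local/openldap/libexec/slapd': munmap_chunk(): invalid pointer: 0x00007f2b14100986 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7ada4)[0x7f2d8a9d7da4]
/usr/local/openldap/libexec/slapd(ldap_back_controls_free+0xc1)[0x5181a1]
/usr/local/openldap/libexec/slapd[0x522ba8]
/usr/local/openldap/libexec/slapd(slap_send_ldap_extended+0xc0)[0x450880]
======= Memory map: ========
00400000-00683000 r-xp 00000000 fd:00 68054818 /usr/local/openldap/libexec/slapd
"""

# LDAP result code authorizationDenied (RFC 4370): a proxied authorization was refused.
AUTHORIZATION_DENIED = 123

# slapd "stats" log line for an operation result; text= is optional.
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT .*?\berr=(\d+)(?: text=(.*))?$")
# glibc malloc abort banner: "*** Error in `<binary>': <reason> ***"
GLIBC_ERROR_RE = re.compile(r"^\*\*\* Error in `([^']+)': (.*?) \*\*\*$")
# glibc backtrace frame: module, optional (symbol+offset), [address]
FRAME_RE = re.compile(r"^(\S+?)(?:\(([^()+]*)\+(0x[0-9a-fA-F]+)\))?\[(0x[0-9a-fA-F]+)\]$")


@dataclass
class ResultLine:
    conn: int
    op: int
    err: int
    text: str


@dataclass
class Frame:
    module: str
    symbol: Optional[str]   # None when glibc printed no symbol for the frame
    offset: Optional[str]   # offset within the symbol, or within the module if unsymbolised
    address: str


@dataclass
class Crash:
    binary: str
    reason: str
    preceding: Optional[ResultLine] = None   # last RESULT seen before the abort banner
    frames: List[Frame] = field(default_factory=list)

    def symbols(self) -> List[str]:
        """Symbolised frames only; the rest need addr2line against the binary."""
        return [f.symbol for f in self.frames if f.symbol]


def scan_slapd_log(text: str) -> Tuple[List[ResultLine], List[ResultLine], Optional[Crash]]:
    """Return (all RESULT lines, authorizationDenied results, crash report or None)."""
    results: List[ResultLine] = []
    denials: List[ResultLine] = []
    crash: Optional[Crash] = None
    in_backtrace = False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = RESULT_RE.search(line)
        if m:
            r = ResultLine(int(m[1]), int(m[2]), int(m[3]), m[4] or "")
            results.append(r)
            if r.err == AUTHORIZATION_DENIED:
                denials.append(r)
            continue
        m = GLIBC_ERROR_RE.match(line)
        if m:
            crash = Crash(binary=m[1], reason=m[2], preceding=results[-1] if results else None)
            continue
        if line.startswith("======= Backtrace:"):
            in_backtrace = True
            continue
        if line.startswith("======= Memory map:"):
            in_backtrace = False
            continue
        if in_backtrace and crash is not None:
            m = FRAME_RE.match(line)
            if m:
                crash.frames.append(Frame(m[1], m[2] or None, m[3], m[4]))
    return results, denials, crash


if __name__ == "__main__":
    results, denials, crash = scan_slapd_log(SAMPLE_LOG)
    for d in denials:
        print(f"authz denied: conn={d.conn} op={d.op} text={d.text!r}")
    if crash:
        print(f"{crash.binary} aborted: {crash.reason}")
        print("last result before abort:", crash.preceding)
        print("symbolised frames:", " <- ".join(crash.symbols()))
```

Run against a real slapd log (loglevel stats) the scanner tells a defender two things at once: how often proxied authorization is being refused for the configured identity, and, when the process aborts, which extended operation was in flight and which symbolised frames (here ldap_back_controls_free under slap_send_ldap_extended) to hand to the maintainers or feed to addr2line.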