Hi,
I have configured a proxy server with its own local database that is used both to override existing attributes of a remote database and to add its own entries to the directory.
I have configured the local database as subordinate and I have configured a relay database that is also pointing to the local database, but it is using the translucent overlay to connect to the remote ldap directory.
My slapd.conf configuration:
backend hdb backend ldap
database hdb directory /var/lib/ldap suffix "dc=foo,dc=example,dc=com" rootdn "cn=admin,dc=foo,dc=example,dc=com" rootpw secret index objectClass eq subordinate
database relay suffix "dc=example,dc=com" overlay rwm rwm-suffixmassage "dc=foo,dc=example,dc=com" overlay translucent uri ldap://ldap.example.com translucent_bind_local
This configuration actually does exactly what I have been trying to achieve. I can override user attributes and at the same time I can add additional group entries without having root access to the remote server.
I have tested it with the ldap nss service in linux and it works without errors. The updated user accounts are correctly retrieved and the new groups are added transparently. If I use ldapsearch, it will search both the local and the remote server.
The problem that I've experienced is that when I'm using a different ldap client, such as Softerra LDAP Administrator, then the daemon crashes when a search query is performed:
slapd starting conn=1000 fd=11 ACCEPT from IP=X.X.X.X:61230 (IP=0.0.0.0:389) conn=1000 op=0 BIND dn="" method=128 conn=1000 op=0 RESULT tag=97 err=0 text= conn=1000 op=1 SRCH base="dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)" conn=1000 op=1 SRCH attr=1.1 conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self. slapd: /build/buildd/openldap-2.4.25/servers/slapd/attr.c:236: attr_dup2: Assertion `j < i' failed. Aborted
The message that "back-relay would call itself" is also logged when using ldapsearch, but ldapsearch does not cause an assertion failure:
slapd starting conn=1000 fd=11 ACCEPT from IP=127.0.0.1:36760 (IP=0.0.0.0:389) conn=1000 op=0 BIND dn="" method=128 conn=1000 op=0 RESULT tag=97 err=0 text= conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self. PROXIED attributeDescription "ORCLNETDESCSTRING" inserted. conn=1000 op=1 SEARCH RESULT tag=101 err=4 nentries=300 text= conn=1000 op=2 UNBIND conn=1000 fd=11 closed
I'm happy with the proxy functionality that I've managed to configure (which is working), but it's definitely a security vulnerability when simply using a different LDAP client causes the server to crash.
Is there any way I could avoid the assertion failure? Should I post a bug report?
TIA, Mattias
On Sun, 29 Jan 2012 14:55:10 +0100, "Mattias Andersson" mattias@centaurix.com wrote:
conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self.
That may be because of 'subordinate'. Does it still work if you remove it? If not, maybe it helps to use glue instead, as described in the 'subordinate' description in man slapd.conf.
Probably not relatead to the crash though.
Is there any way I could avoid the assertion failure? Should I post a bug report?
Yes, please - unless it helps to upgrade OpenLDAP.
Does this crash slapd?
ldapsearch -x -h localhost -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1
That's what Softerra does.
Hallvard
On Sun, 29 Jan 2012 16:43:28 +0100, Hallvard B Furuseth h.b.furuseth@usit.uio.no wrote:
On Sun, 29 Jan 2012 14:55:10 +0100, "Mattias Andersson" mattias@centaurix.com wrote:
conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self.
That may be because of 'subordinate'. Does it still work if you remove it? If not, maybe it helps to use glue instead, as described in the 'subordinate' description in man slapd.conf.
No, if I remove subordinate then it does not find the new group entries in the local database. I'll take a look at glue.
Probably not relatead to the crash though.
It's not related; if I remove it I still get the crash.
Is there any way I could avoid the assertion failure? Should I post a bug report?
Yes, please - unless it helps to upgrade OpenLDAP.
Does this crash slapd?
ldapsearch -x -h localhost -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1
That's what Softerra does.
Ok, here's the debug output from the above ldapsearch query:
slapd starting conn=1000 fd=11 ACCEPT from IP=127.0.0.1:36795 (IP=0.0.0.0:389) conn=1000 op=0 BIND dn="" method=128 conn=1000 op=0 RESULT tag=97 err=0 text= conn=1000 op=1 SRCH base="dc=chalmers,dc=se" scope=2 deref=0 filter="(objectClass=*)" conn=1000 op=1 SRCH attr=1.1 conn=1000 op=1: back-relay for DN="dc=chalmers,dc=se" would call self. PROXIED attributeDescription "ORCLNETDESCSTRING" inserted. conn=1000 op=1: back-relay for DN="dc=chalmers,dc=se" would call self. conn=1000 op=1: back-relay for DN="dc=chalmers,dc=se" would call self. conn=1000 op=1: back-relay for DN="dc=chalmers,dc=se" would call self. conn=1000 op=1: back-relay for DN="dc=chalmers,dc=se" would call self. conn=1000 op=1: back-relay for DN="dc=chalmers,dc=se" would call self.
(repeated 300 times -- ldapsearch returns all the entries correctly though without the error.)
Mattias
openldap-technical@openldap.org
-
Hallvard B Furuseth -
Mattias Andersson