Needed to enable authentication on ldap server via the mail attribute.
I used the overlay rwm as documentation: * Http://www.openldap.org/doc/admin24/overlays.html # Rewrite / Remap * http://www.openldap.org/lists/openldap-software/200707/msg00487.html * http://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&a...
I run the current version of OpenLDAP :
dpkg -l | grep openldap ii openldap-ltb 2.4.39-1 amd64 OpenLDAP server with addons from the LDAP Tool Box project ii openldap-ltb-check-password 2.4.39-1 amd64 check_password module for password policy ii openldap-ltb-contrib-overlays 2.4.39-1 amd64 Overlays contributed to OpenLDAP
My configuration snippet is shown below :
... backend hdb
moduleload rwm overlay rwm rwm-rewriteEngine on rwm-rewriteMap ldap attr2dn "ldaps:///dc=gov,dc=br?dn?sub?" rwm-rewriteContext bindDN rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
database hdb ...
Everything worked fine , but sometimes occurred a ' slapd segfault " there was no apparent cause .
A log analysis allowed us to identify the query that caused the "crash " was the folder containing " ** " as follows :
"(mail=*name**surname*)(mailAlternateAddress=*name**surname*)"
Redid several searches and this is really "crash " in some situations :
Normal ======= ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas*peixoto)" mail dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br mail: jarbas.peixoto@dataprev.gov.br
Normal ======= ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas**peixoto)" mail ldap_search_ext: Bad search filter (-7)
Normal ======= ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas*peixoto@dataprev.gov.br)" mail dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br mail: jarbas.peixoto@dataprev.gov.br
Normal ======= ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas**peixoto@dataprev.gov.br)" mail ldap_search_ext: Bad search filter (-7)
Segfault - Note that there is a space between the two asterisks ( "* *" ) ================================================================ ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas* *peixoto@dataprev.gov.br)" mail Additional information: massaged filter parse error
The excerpts from server logs are:
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 ACCEPT from IP=10.82.0.22:46996 (IP=0.0.0.0:636) Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 TLS established tls_ssf=128 ssf=128 Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 BIND dn="" method=128 Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 RESULT tag=97 err=0 text= Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH base="dc=gov,dc=br" scope=2 deref=0 filter="(mail=jarbas**peixoto@dataprev.gov.br)" Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH attr=mail Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Feb 12 09:49:18 linuxprev kernel: [19683068.279488] slapd[27112] general protection ip:7f9c3520cac9 sp:7f9bc9eb2960 error:0 in libc-2.13.so[7f9c35191000+182000]
To work around this error I added the lines:
# Remove os '**" da pesquisa 'mail=**' evitando o segfault rwm-rewriteContext searchFilter rwm-rewriteRule "(.*)(\* ?\*)(.*)" "$1*$3" "@I"
This problem also occurs in other versions of slapd native Debian and Ubuntu.
Without the overlay rwm not occur this BUG . Can anyone confirm if it is really a bug in the " rwm overlay" ?
Regards, Jarbas
--On Wednesday, February 12, 2014 10:14 AM -0300 Jarbas Peixoto Júnior jarbas.junior@gmail.com wrote:
Without the overlay rwm not occur this BUG . Can anyone confirm if it is really a bug in the " rwm overlay" ?
The rwm overlay is known to have a number of issues.
--Quanah
--
Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
Hi!
As the bug seems to occur in a C library routine, it could be helpful to attach to slapd using "ltrace -p .." to see what the last call was. You could also attach gdb to the process, and try a backtrace when there was a segfault...
Ulrich
Jarbas Peixoto Júniorjarbas.junior@gmail.com schrieb am 12.02.2014 um
14:14 in Nachricht CAKJak0oDAi=REfJBH4KQS7_tW5HwU5HGLdbit50MH5+vpyucvg@mail.gmail.com:
Needed to enable authentication on ldap server via the mail attribute.
I used the overlay rwm as documentation:
http://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&a...
manpath=OpenLDAP+2.4-Release
I run the current version of OpenLDAP :
dpkg -l | grep openldap ii openldap-ltb 2.4.39-1 amd64 OpenLDAP server with addons from the LDAP Tool Box project ii openldap-ltb-check-password 2.4.39-1 amd64 check_password module for password policy ii openldap-ltb-contrib-overlays 2.4.39-1 amd64 Overlays contributed to OpenLDAP
My configuration snippet is shown below :
... backend hdb
moduleload rwm overlay rwm rwm-rewriteEngine on rwm-rewriteMap ldap attr2dn "ldaps:///dc=gov,dc=br?dn?sub?" rwm-rewriteContext bindDN rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
database hdb ...
Everything worked fine , but sometimes occurred a ' slapd segfault " there was no apparent cause .
A log analysis allowed us to identify the query that caused the "crash " was the folder containing " ** " as follows :
"(mail=*name**surname*)(mailAlternateAddress=*name**surname*)"
Redid several searches and this is really "crash " in some situations :
Normal
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas*peixoto)" mail dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br mail: jarbas.peixoto@dataprev.gov.br
Normal
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas**peixoto)" mail ldap_search_ext: Bad search filter (-7)
Normal
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas*peixoto@dataprev.gov.br)" mail dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br mail: jarbas.peixoto@dataprev.gov.br
Normal
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas**peixoto@dataprev.gov.br)" mail ldap_search_ext: Bad search filter (-7)
Segfault - Note that there is a space between the two asterisks ( "* *" )
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas* *peixoto@dataprev.gov.br)" mail Additional information: massaged filter parse error
The excerpts from server logs are:
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 ACCEPT from IP=10.82.0.22:46996 (IP=0.0.0.0:636) Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 TLS established tls_ssf=128 ssf=128 Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 BIND dn=""
method=128
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 RESULT tag=97 err=0 text= Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH base="dc=gov,dc=br" scope=2 deref=0 filter="(mail=jarbas**peixoto@dataprev.gov.br)" Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH attr=mail Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Feb 12 09:49:18 linuxprev kernel: [19683068.279488] slapd[27112] general protection ip:7f9c3520cac9 sp:7f9bc9eb2960 error:0 in libc-2.13.so[7f9c35191000+182000]
To work around this error I added the lines:
# Remove os '**" da pesquisa 'mail=**' evitando o segfault rwm-rewriteContext searchFilter rwm-rewriteRule "(.*)(\* ?\*)(.*)" "$1*$3" "@I"
This problem also occurs in other versions of slapd native Debian and Ubuntu.
Without the overlay rwm not occur this BUG . Can anyone confirm if it is really a bug in the " rwm overlay" ?
Regards, Jarbas
2014-02-12 11:28 GMT-03:00 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de:
Hi!
As the bug seems to occur in a C library routine, it could be helpful to attach to slapd using "ltrace -p .." to see what the last call was. You could also attach gdb to the process, and try a backtrace when there was a segfault...
Ulrich, when I run "ltrace -p PID-OF-SLAPD", I have:
13:26:16 root@linuxprev ~ # ltrace -p 28758 +++ killed by SIGTRAP +++
The process "slapd" crash again.
Regards, Jarbas
Ulrich
Jarbas Peixoto Júniorjarbas.junior@gmail.com schrieb am 12.02.2014 um
14:14 in Nachricht CAKJak0oDAi=REfJBH4KQS7_tW5HwU5HGLdbit50MH5+vpyucvg@mail.gmail.com:
Needed to enable authentication on ldap server via the mail attribute.
I used the overlay rwm as documentation:
http://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&a...
manpath=OpenLDAP+2.4-Release
I run the current version of OpenLDAP :
dpkg -l | grep openldap ii openldap-ltb 2.4.39-1 amd64 OpenLDAP server with addons from the LDAP Tool Box project ii openldap-ltb-check-password 2.4.39-1 amd64 check_password module for password policy ii openldap-ltb-contrib-overlays 2.4.39-1 amd64 Overlays contributed to OpenLDAP
My configuration snippet is shown below :
... backend hdb
moduleload rwm overlay rwm rwm-rewriteEngine on rwm-rewriteMap ldap attr2dn "ldaps:///dc=gov,dc=br?dn?sub?" rwm-rewriteContext bindDN rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
database hdb ...
Everything worked fine , but sometimes occurred a ' slapd segfault " there was no apparent cause .
A log analysis allowed us to identify the query that caused the "crash " was the folder containing " ** " as follows :
"(mail=*name**surname*)(mailAlternateAddress=*name**surname*)"
Redid several searches and this is really "crash " in some situations :
Normal
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas*peixoto)" mail dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br mail: jarbas.peixoto@dataprev.gov.br
Normal
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas**peixoto)" mail ldap_search_ext: Bad search filter (-7)
Normal
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas*peixoto@dataprev.gov.br)" mail dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br mail: jarbas.peixoto@dataprev.gov.br
Normal
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas**peixoto@dataprev.gov.br)" mail ldap_search_ext: Bad search filter (-7)
Segfault - Note that there is a space between the two asterisks ( "* *" )
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas* *peixoto@dataprev.gov.br)" mail Additional information: massaged filter parse error
The excerpts from server logs are:
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 ACCEPT from IP=10.82.0.22:46996 (IP=0.0.0.0:636) Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 TLS established tls_ssf=128 ssf=128 Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 BIND dn=""
method=128
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 RESULT tag=97 err=0 text= Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH base="dc=gov,dc=br" scope=2 deref=0 filter="(mail=jarbas**peixoto@dataprev.gov.br)" Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH attr=mail Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Feb 12 09:49:18 linuxprev kernel: [19683068.279488] slapd[27112] general protection ip:7f9c3520cac9 sp:7f9bc9eb2960 error:0 in libc-2.13.so[7f9c35191000+182000]
To work around this error I added the lines:
# Remove os '**" da pesquisa 'mail=**' evitando o segfault rwm-rewriteContext searchFilter rwm-rewriteRule "(.*)(\* ?\*)(.*)" "$1*$3" "@I"
This problem also occurs in other versions of slapd native Debian and Ubuntu.
Without the overlay rwm not occur this BUG . Can anyone confirm if it is really a bug in the " rwm overlay" ?
Regards, Jarbas
--On Wednesday, February 12, 2014 1:49 PM -0300 Jarbas Peixoto Júnior jarbas.junior@gmail.com wrote:
2014-02-12 11:28 GMT-03:00 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de:
Hi!
As the bug seems to occur in a C library routine, it could be helpful to attach to slapd using "ltrace -p .." to see what the last call was. You could also attach gdb to the process, and try a backtrace when there was a segfault...
Ulrich, when I run "ltrace -p PID-OF-SLAPD", I have:
13:26:16 root@linuxprev ~ # ltrace -p 28758 +++ killed by SIGTRAP +++
The process "slapd" crash again.
As I already noted, the rwm overlay is known to have numerous issues. I suggest you take a look at the ITS system. If you want to contribute useful debugging data, get a full gdb backtrace as noted in http://www.openldap.org/faq/data/cache/59.html
--Quanah
--
Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
-
Jarbas Peixoto Júnior -
Quanah Gibson-Mount -
Ulrich Windl