Created attachment 753
slapd debug -1 output

When trying to authenticate against slapd, it exits with an assertion failure:

`slapd: ppolicy.c:912: ctrls_cleanup: Assertion `rs->sr_ctrls != NULL' failed.`

I have searched quite extensively, and have found multiple previous bug reports with similar symptoms, often to do with the ppolicy overlay. Most of these have been marked as closed and fixed, but I'm using the latest version and still getting the same problem.

I have found one RedHat bug with similar symptoms that described it as a config error, but with no details of what the config error is - and the assert statement doesn't help me narrow it down.

I have tested this on 2.4.46 and 2.4.50, same behaviour.

On Mon, Aug 10, 2020 at 09:24:36AM +0000, openldap-its@openldap.org wrote:
> When trying to authenticate against slapd, it exits with an assertion failure:
>
> `slapd: ppolicy.c:912: ctrls_cleanup: Assertion `rs->sr_ctrls != NULL' failed.`
>
> I have searched quite extensively, and have found multiple previous bug reports
> with similar symptoms, often to do with the ppolicy overlay. Most of these have
> been marked as closed and fixed, but I'm using the latest version and still
> getting the same problem.
>
> I have found one RedHat bug with similar symptoms that described it as a config
> error, but with no details of what the config error is - and the assert
> statement doesn't help me narrow it down.

You suggest the crash is repeatable; please provide configuration (minus any credentials) and steps to reproduce so we can investigate.

Thanks,

In the process of dumping and uploading my config, I noticed that I had added the ppolicy overlay twice - removing the duplicate fixed the issue.

I am happy to close this as a bug, sorry - I expected it was a configuration issue on my end given the RedHat bug I mentioned but didn't know where!

Is there a reason why either:
- the ppolicy code couldn't handle a duplicate?
- if the configuration is incorrect, it wasn't rejected?

I have very little understanding of OpenLDAP internals, so sorry if those questions are naive.

Thank you for the feedback. This is a bug only when multiple ppolicy modules are attached, not sure how easy this one will be to fix.

AFAIK there should be no reason to configure ppolicy multiple times (especially while we only support userPassword as the password attribute), but we don't currently have a way to check that either.

Regards,
Ondrej

(In reply to Ondřej Kuzník from comment #3)
> Thank you for the feedback. This is a bug only when multiple ppolicy modules
> are attached, not sure how easy this one will be to fix.
>
> AFAIK there should be no reason to configure ppolicy multiple times
> (especially while we only support userPassword as the password attribute),
> but we don't currently have a way to check that either.

Not true. Just set SLAPO_BFLAG_SINGLE in the overlay bi_flags to prevent this.

master:

Commits:
• c8c39b84 by Howard Chu at 2020-08-10T16:07:39+01:00
  ITS#9309 don't allow ppolicy to be configured more than once on a backend

Commits:
• 633d40b0 by Howard Chu at 2020-08-10T16:40:54+01:00
  For ITS#9309 fix check for duplicate overlays and pass error message back to frontend

RE24:

Commits:
• f244d985 by Howard Chu at 2020-08-10T15:49:35+00:00
  ITS#9309 don't allow ppolicy to be configured more than once on a backend
• 1c6031c2 by Howard Chu at 2020-08-10T16:06:07+00:00
  For ITS#9309 fix check for duplicate overlays and pass error message back to frontend
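
A configuration audit for the condition identified in this thread (the ppolicy overlay attached more than once to one backend), as an added example that is not part of the original report or of OpenLDAP's own code. It goes slightly beyond the thread by accepting either slapd.conf text or the `dn:` lines of a cn=config LDIF export; the function names and both sample configurations are constructed for illustration, and `include` directives and folded or base64-encoded DNs are assumed absent.

```python
import re
from collections import Counter

# Constructed sample: slapd.conf text with ppolicy attached twice to the first backend.
SAMPLE_SLAPD_CONF = """\
database mdb
suffix "dc=example,dc=com"
overlay ppolicy
overlay memberof
overlay ppolicy

database mdb
overlay ppolicy
"""

# Constructed sample: entry DNs as they appear in a cn=config LDIF export.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config
"""

def overlays_per_backend(text):
    """Map each backend to a Counter of the overlay names attached to it."""
    seen, n = {}, 0
    backend = "before first database"
    for line in text.splitlines():  # indented lines are continuations: match at column 0 only
        m = re.match(r"dn:\s*olcOverlay=(?:\{\d+\})?([^,]+),(olcDatabase=[^,]+)", line, re.I)
        if m:  # cn=config: the overlay entry is a child of its database entry
            seen.setdefault(m.group(2).lower(), Counter())[m.group(1).lower()] += 1
            continue
        m = re.match(r"database\s+(\S+)", line, re.I)
        if m:  # slapd.conf: overlays that follow belong to this database section
            n += 1
            backend = f"database #{n} ({m.group(1)})"
            continue
        m = re.match(r"overlay\s+(\S+)", line, re.I)
        if m:
            seen.setdefault(backend, Counter())[m.group(1).lower()] += 1
    return seen

def duplicate_overlays(text, name="ppolicy"):
    """Return the backends on which overlay `name` is attached more than once."""
    return sorted(b for b, c in overlays_per_backend(text).items() if c[name] > 1)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SLAPD_CONF
    print(duplicate_overlays(text))
```

Any backend it reports matches the configuration that triggered the assertion on 2.4.46 and 2.4.50 in this report.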