SLAPD deadlock (ITS#24)
Full_Name: Christian Forster
Version: 1.1.1
OS: Linux/i386
URL:
Submission from: (NULL) (131.188.2.7)
Hi!
I tried to control write access to the directory by using ACL GROUPS.
Unfortunately when I modify the group that is providing the
access rights for my DN, slapd freezes. (I needed "kill -9 <pid>" to
remove the process!)
An example should make things clear.
Here is the test database I used:

dn: o=Your Organization Name, c=US
objectclass: organization
o: Your Organization Name

dn: cn=rootUser, o=Your Organization Name, c=US
objectclass: person
cn: rootUser
sn: rootUser
userpassword: abc

dn: cn=normalUser, o=Your Organization Name, c=US
objectclass: person
cn: normalUser
sn: normalUser
userpassword: 123

dn: cn=roots, o=Your Organization Name, c=US
objectclass: groupOfNames
cn: roots
member: cn=rootUser,o=Your Organization Name,c=US

slapd.conf contains the following ACL:
access to *
        by group="cn=roots, o=Your Organization Name, c=US" write
        by * read
"cn=rootUser,..." has no other privileges. Especially the "rootdn=..."
statement in slapd.conf points to another DN.
Now I tried the following LDAP modification:
./ldapmodify -D "cn=rootUser, o=Your Organization Name, c=US" -w abc
cn=roots, o=Your Organization Name, c=US
description=New description
At this point slapd freezes...
Here are "the last words" from the debug output (slapd -d 65535):
do_modify: dn (cn=roots,o=Your Organization Name,c=US)
modifications:
add: description
conn=0 op=1 MOD dn="cn=roots,o=Your Organization Name,c=US"
ldbm_back_modify:
dn2entry_w: dn: cn=roots, o=Your Organization Name, c=US
=> dn2id( "cn=roots, o=Your Organization Name, c=US" )
=> ldbm_cache_open( "/var/ldap/test/dn2id.dbb", 66, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id 4
=> id2entry_w( 4 )
=> ldbm_cache_open( "/var/ldap/test/id2entry.dbb", 66, 600 )
<= ldbm_cache_open (cache 1)
=> str2entry
<= str2entry 0x8076008
entry_rdwr_wlock: ID: 4
<= id2entry_w( 4 ) (disk)
=> acl_get: entry (cn=roots, o=Your Organization Name, c=US) attr (description)
=> acl_get: edn CN=ROOTS,O=YOUR ORGANIZATION NAME,C=US
=> dnpat: [1] .* nsub: 0
=> acl_get: [1] global ACL match
=> acl_get: [1] check attr
<= acl_get: [1] global acl cn=roots, o=Your Organization Name, c=US attr:
description
=> acl_access_allowed: write access to entry "cn=roots, o=Your Organization
Name, c=US"
=> acl_access_allowed: write access to value "New description" by
"cn=rootUser,o=Your Organization Name,c=US"
=> string_expand: pattern: CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US
=> string_expand: expanded: CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US
=> ldbm_back_group: bdn: CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US
=> ldbm_back_group: edn: CN=ROOTUSER,O=YOUR ORGANIZATION NAME,C=US
=> ldbm_back_group: objectClass: groupOfNames attrName: member
dn2entry_r: dn: CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US
=> dn2id( "CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US" )
=> ldbm_cache_open( "/var/ldap/test/dn2id.dbb", 66, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id 4
=> id2entry_r( 4 )
====> cache_find_entry_dn2id: found id: 4 rw: 0
entry_rdwr_rlock: ID: 4
I used the following statements to build openldap:
configure --prefix=/opt/openldap-1.1.1 --libexecdir=/opt/openldap-1.1.1/sbin \
    --enable-debug --enable-dns --with-wrappers --enable-shared \
    --disable-static
Happy hacking,
Christian Forster
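
Added example, not part of the original report and not OpenLDAP code: a Python check that reads a slapd debug trace from a single operation and reports when the trace stops on an entry lock request that conflicts with a lock already held on the same entry, as in the last lines above (entry_rdwr_wlock on ID 4, then entry_rdwr_rlock on ID 4). The function name and the unlock line format (entry_rdwr_runlock / entry_rdwr_wunlock) are assumptions; only the lock lines appear in the report.

```python
import re

# Lock request lines as they appear in the trace above. The "unlock" variant
# is an assumed format: no release line is shown in the report.
LOCK = re.compile(r"entry_rdwr_([rw])(un)?lock: ID: (\d+)")

# Subset of the reporter's trace (conn=0 op=1), kept in its original order.
TRACE = """\
conn=0 op=1 MOD dn="cn=roots,o=Your Organization Name,c=US"
dn2entry_w: dn: cn=roots, o=Your Organization Name, c=US
entry_rdwr_wlock: ID: 4
<= id2entry_w( 4 ) (disk)
=> ldbm_back_group: bdn: CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US
dn2entry_r: dn: CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US
====> cache_find_entry_dn2id: found id: 4 rw: 0
entry_rdwr_rlock: ID: 4
"""

def find_self_deadlock(trace):
    """Return a dict describing the conflict if the trace ends on a lock
    request for an entry that is still locked in a conflicting mode,
    else None. Assumes the trace covers one operation (one thread)."""
    lines = [l for l in trace.splitlines() if l.strip()]
    held = []  # locks that were granted and not released: (entry id, mode)
    for i, line in enumerate(lines):
        m = LOCK.search(line)
        if not m:
            continue
        mode, is_unlock, eid = m.group(1), m.group(2), int(m.group(3))
        if is_unlock:
            if (eid, mode) in held:
                held.remove((eid, mode))
        elif i == len(lines) - 1:
            # The trace stops at this request: it never returned.
            for h_eid, h_mode in held:
                # Two read locks are compatible; any pair with a write is not.
                if h_eid == eid and "w" in (h_mode, mode):
                    return {"entry_id": eid, "held": h_mode, "wanted": mode}
        else:
            # Later output exists, so this request was granted.
            held.append((eid, mode))
    return None

if __name__ == "__main__":
    print(find_self_deadlock(TRACE))
```

A trace with several connections interleaved would need the locks grouped per conn/op before this check is meaningful.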