
SLAPD deadlock (ITS#24)



Full_Name: Christian Forster
Version: 1.1.1
OS: Linux/i386
URL: 
Submission from: (NULL) (131.188.2.7)


Hi!

I tried to control write access to the directory by using ACL GROUPS.
Unfortunately when I modify the group that is providing the
access rights for my DN, slapd freezes. (I needed "kill -9 <pid>" to
remove the process!)
An example should make things clear.

Here is the test database I used:

dn: o=Your Organization Name, c=US
objectclass: organization
o: Your Organization Name

dn: cn=rootUser, o=Your Organization Name, c=US
objectclass: person
cn: rootUser
sn: rootUser
userpassword: abc

dn: cn=normalUser, o=Your Organization Name, c=US
objectclass: person
cn: normalUser
sn: normalUser
userpassword: 123

dn: cn=roots, o=Your Organization Name, c=US
objectclass: groupOfNames
cn: roots
member: cn=rootUser,o=Your Organization Name,c=US

slapd.conf contains the following ACL:

access to       *
 by             group="cn=roots, o=Your Organization Name, c=US" write
 by             * read

"cn=rootUser,..." has no other privileges. Especially the "rootdn=..."
statement in slapd.conf points to another DN.

Now I tried the following LDAP modification:

./ldapmodify -D "cn=rootUser, o=Your Organization Name, c=US" -w abc
cn=roots, o=Your Organization Name, c=US
description=New description

At this point slapd freezes...
Here are "the last words" from the debug output (slapd -d 65535):

do_modify: dn (cn=roots,o=Your Organization Name,c=US)
modifications:
        add: description
conn=0 op=1 MOD dn="cn=roots,o=Your Organization Name,c=US"
ldbm_back_modify:
dn2entry_w: dn: cn=roots, o=Your Organization Name, c=US
=> dn2id( "cn=roots, o=Your Organization Name, c=US" )
=> ldbm_cache_open( "/var/ldap/test/dn2id.dbb", 66, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id 4
=> id2entry_w( 4 )
=> ldbm_cache_open( "/var/ldap/test/id2entry.dbb", 66, 600 )
<= ldbm_cache_open (cache 1)
=> str2entry
<= str2entry 0x8076008
entry_rdwr_wlock: ID: 4
<= id2entry_w( 4 ) (disk)

=> acl_get: entry (cn=roots, o=Your Organization Name, c=US) attr (description)
=> acl_get: edn CN=ROOTS,O=YOUR ORGANIZATION NAME,C=US
=> dnpat: [1] .* nsub: 0
=> acl_get: [1] global ACL match
=> acl_get: [1] check attr
<= acl_get: [1] global acl cn=roots, o=Your Organization Name, c=US attr: description

=> acl_access_allowed: write access to entry "cn=roots, o=Your Organization Name, c=US"

=> acl_access_allowed: write access to value "New description" by "cn=rootUser,o=Your Organization Name,c=US"
=> string_expand: pattern:  CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US
=> string_expand: expanded: CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US
=> ldbm_back_group: bdn: CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US
=> ldbm_back_group: edn: CN=ROOTUSER,O=YOUR ORGANIZATION NAME,C=US
=> ldbm_back_group: objectClass: groupOfNames attrName: member
dn2entry_r: dn: CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US
=> dn2id( "CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US" )
=> ldbm_cache_open( "/var/ldap/test/dn2id.dbb", 66, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id 4
=> id2entry_r( 4 )
====> cache_find_entry_dn2id: found id: 4 rw: 0
entry_rdwr_rlock: ID: 4 


I used the following statements to build openldap:
configure  --prefix=/opt/openldap-1.1.1 --libexecdir=/opt/openldap-1.1.1/sbin \
           --enable-debug --enable-dns --with-wrappers --enable-shared \
           --disable-static


Happy hacking,
Christian Forster
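
The trace above logs entry_rdwr_wlock for ID 4 and stops at entry_rdwr_rlock for the same ID. As an added example (not part of the original report and not OpenLDAP code), this Python script scans slapd debug output for that pattern; the unlock line format and the name find_lock_conflicts are assumptions.

```python
import re

# Lock lines as printed in the trace above (slapd -d 65535).
LOCK_RE = re.compile(r"entry_rdwr_([rw])lock: ID: (\d+)")
# ASSUMPTION: release lines have the same shape with "unlock"; none appear
# in the trace above, so this format is hypothetical.
UNLOCK_RE = re.compile(r"entry_rdwr_([rw])unlock: ID: (\d+)")

# Excerpt of the reporter's trace, reduced to the lock-relevant lines.
TRACE = """\
=> id2entry_w( 4 )
entry_rdwr_wlock: ID: 4
<= id2entry_w( 4 ) (disk)
=> ldbm_back_group: bdn: CN=ROOTS, O=YOUR ORGANIZATION NAME, C=US
=> id2entry_r( 4 )
====> cache_find_entry_dn2id: found id: 4 rw: 0
entry_rdwr_rlock: ID: 4
""".splitlines()


def find_lock_conflicts(lines):
    """Return (line_no, entry_id, held_mode, requested_mode) for each lock
    logged on an entry that still has an unreleased lock, where at least
    one of the two is a write lock (read/read sharing is not reported)."""
    held = {}        # entry id -> modes logged as locked and not yet unlocked
    conflicts = []
    for no, line in enumerate(lines, 1):
        m = UNLOCK_RE.search(line)
        if m:
            modes = held.get(int(m.group(2)), [])
            if m.group(1) in modes:
                modes.remove(m.group(1))
            continue
        m = LOCK_RE.search(line)
        if m:
            mode, eid = m.group(1), int(m.group(2))
            for held_mode in held.get(eid, []):
                if "w" in (held_mode, mode):
                    conflicts.append((no, eid, held_mode, mode))
                    break
            held.setdefault(eid, []).append(mode)
    return conflicts


if __name__ == "__main__":
    for no, eid, held_mode, want in find_lock_conflicts(TRACE):
        print(f"line {no}: {want}lock on entry {eid} while a {held_mode}lock is outstanding")
```

The debug lines carry no thread identifier, so a hit is only conclusive when a single operation is in flight, as with conn=0 op=1 in this report.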