
ACL parsing getting incorrect data from connection (ITS#985)



Full_Name: Jim Dutton
Version: 2.0.7
OS: FreeBSD-4.1 (Solaris-2.8, NetBSD-1.2.4)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.230.6.142)


It appears that ACL regex parsing is using the "(IP=:: 389)" port indicator
from a connection instead of the IP address:


[SLAPD log]
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
 daemon: conn=0 fd=9 connection from IP=131.230.6.141:58522 (IP=:: 389)
accepted. 
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
 conn=0 op=0 BIND dn="CN=LDAPSEARCH,OU=SIUC,CN=DUTTON2,DS=OPENLDAP-2.0.7"
method=128 
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
 conn=0 op=0 RESULT tag=97 err=0 text= 
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
 conn=0 op=1 SRCH base="o=siuc,c=us" scope=2 filter="(cn=Dutton4 Samba Users)" 
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
 conn=0 op=1 SEARCH RESULT tag=101 err=0 text= 
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
 conn=0 op=2 UNBIND 
Jan 23 16:09:08 <local4.debug> dutton3 slapd[98022]:
 conn=-1 fd=9 closed


[SLAPD ACL clause]
access to filter="cn=Dutton4 Samba Users"
  by self write
  by dn="cn=Manager,o=SIUC,c=US" write
  by sockname=131.230.6.142 read
  by sockname=131.230.6.141 read
  by sockname=131.230.6.182 read
  by * none
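The ACL walk above, replayed as an added example (not part of this report or of OpenLDAP's own code): it splits the connection log line into the two socket names slapd prints, the client address first and the listener socket in parentheses, then evaluates the `by` clauses in order with an unanchored regex per clause, the way the `acl_mask`/`regex_matches` trace does. In slapd's ACL language `sockname` refers to the local listener socket and `peername` to the client, so the example also evaluates the same clauses keyed on `peername`; `parse_connection`, `parse_by_clauses`, `acl_mask` and the `ACL_PEERNAME` variant are this example's own names.

```python
import re

# Connection line quoted in the report; slapd logs "<peername> (<sockname>)".
CONN_LINE = ("daemon: conn=0 fd=9 connection from "
             "IP=131.230.6.141:58522 (IP=:: 389) accepted.")

# The reporter's ACL as written, plus the same clauses keyed on peername.
ACL_SOCKNAME = """access to filter="cn=Dutton4 Samba Users"
  by self write
  by dn="cn=Manager,o=SIUC,c=US" write
  by sockname=131.230.6.142 read
  by sockname=131.230.6.141 read
  by sockname=131.230.6.182 read
  by * none"""
ACL_PEERNAME = ACL_SOCKNAME.replace("sockname=", "peername=")


def parse_connection(line):
    """Split peer and local-socket names out of a 'connection from' log line."""
    m = re.search(r"connection from (\S+) \(([^)]*)\)", line)
    if m is None:
        raise ValueError("not a slapd connection line: %r" % line)
    return {"peername": m.group(1), "sockname": m.group(2)}


def parse_by_clauses(acl):
    """Return [(who, access), ...] from the 'by' lines of one access directive."""
    return [tuple(line.split(None, 2)[1:]) for line in acl.splitlines()[1:]]


def acl_mask(acl, conn, bind_dn="", entry_dn=None):
    """Walk the 'by' clauses in order, as the acl_mask trace does: first hit wins."""
    for who, access in parse_by_clauses(acl):
        if who == "*":
            matched = True
        elif who == "self":                 # anonymous bind can never be self
            matched = bind_dn != "" and bind_dn == entry_dn
        elif who.startswith("dn="):         # dn pattern is a regex on the bind DN
            matched = re.search(who[3:].strip('"'), bind_dn) is not None
        else:                               # sockname=<re> / peername=<re>, unanchored
            key, pattern = who.split("=", 1)
            matched = re.search(pattern, conn[key]) is not None
        if matched:
            return access, who
    return "none", None                     # nothing matched: implicit deny


conn = parse_connection(CONN_LINE)          # sockname here is "IP=:: 389"
SOCKNAME_RESULT = acl_mask(ACL_SOCKNAME, conn)   # ('none', '*')
PEERNAME_RESULT = acl_mask(ACL_PEERNAME, conn)   # ('read', 'peername=131.230.6.141')
```

With the sockname clauses every IP pattern is tried against "IP=:: 389" and falls through to `by * none`, exactly as the trace shows; the peername variant grants read on the 131.230.6.141 clause.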



[SLAPD debug trace]
daemon: activity on 1 descriptors
daemon: new connection on 9
daemon: added 9r
daemon: activity on:
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
connection_get(9)
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ldap_read: want=1, got=1
  0000:  30                                                 0                 
ldap_read: want=1, got=1
  0000:  3e                                                 >                 
ldap_read: want=62, got=62
  0000:  02 01 01 60 39 02 01 03  04 32 63 6e 3d 4c 44 41   ...`9....2cn=LDA  
  0010:  50 53 45 41 52 43 48 2c  6f 75 3d 73 69 75 63 2c   PSEARCH,ou=siuc,  
  0020:  63 6e 3d 64 75 74 74 6f  6e 32 2c 64 73 3d 6f 70   cn=dutton2,ds=op  
  0030:  65 6e 6c 64 61 70 2d 32  2e 30 2e 37 80 00         enldap-2.0.7..    
ber_get_next: tag 0x30 len 62 contents:
ber_dump: buf=0x080a1880 ptr=0x080a1880 end=0x080a18be len=62
  0000:  02 01 01 60 39 02 01 03  04 32 63 6e 3d 4c 44 41   ...`9....2cn=LDA  
  0010:  50 53 45 41 52 43 48 2c  6f 75 3d 73 69 75 63 2c   PSEARCH,ou=siuc,  
  0020:  63 6e 3d 64 75 74 74 6f  6e 32 2c 64 73 3d 6f 70   cn=dutton2,ds=op  
  0030:  65 6e 6c 64 61 70 2d 32  2e 30 2e 37 80 00         enldap-2.0.7..    
ber_get_next
ldap_read: want=1 error=Resource temporarily unavailable
do_bind
ber_get_next on fd 9 failed errno=35 (Resource temporarily unavailable)
ber_scanf fmt ({iat) ber:
ber_dump: buf=0x080a1880 ptr=0x080a1883 end=0x080a18be len=59
  0000:  60 39 02 01 03 04 32 63  6e 3d 4c 44 41 50 53 45   `9....2cn=LDAPSE  
  0010:  41 52 43 48 2c 6f 75 3d  73 69 75 63 2c 63 6e 3d   ARCH,ou=siuc,cn=  
  0020:  64 75 74 74 6f 6e 32 2c  64 73 3d 6f 70 65 6e 6c   dutton2,ds=openl  
  0030:  64 61 70 2d 32 2e 30 2e  37 80 00                  dap-2.0.7..       
ber_scanf fmt (o}) ber:
ber_dump: buf=0x080a1880 ptr=0x080a18bc end=0x080a18be len=2
  0000:  80 00                                              ..                
do_bind: version=3 dn="cn=LDAPSEARCH,ou=siuc,cn=dutton2,ds=openldap-2.0.7" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: 0::
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 9
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........    
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........    
do_bind: v3 anonymous bind
daemon: select: listen=8 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
connection_get(9)
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ldap_read: want=1, got=1
  0000:  30                                                 0                 
ldap_read: want=1, got=1
  0000:  3e                                                 >                 
ldap_read: want=62, got=62
  0000:  02 01 02 63 39 04 0b 6f  3d 73 69 75 63 2c 63 3d   ...c9..o=siuc,c=  
  0010:  75 73 0a 01 02 0a 01 00  02 01 00 02 01 00 01 01   us..............  
  0020:  00 a3 19 04 02 63 6e 04  13 44 75 74 74 6f 6e 34   .....cn..Dutton4  
  0030:  20 53 61 6d 62 61 20 55  73 65 72 73 30 00          Samba Users0.    
ber_get_next: tag 0x30 len 62 contents:
ber_dump: buf=0x080a1840 ptr=0x080a1840 end=0x080a187e len=62
  0000:  02 01 02 63 39 04 0b 6f  3d 73 69 75 63 2c 63 3d   ...c9..o=siuc,c=  
  0010:  75 73 0a 01 02 0a 01 00  02 01 00 02 01 00 01 01   us..............  
  0020:  00 a3 19 04 02 63 6e 04  13 44 75 74 74 6f 6e 34   .....cn..Dutton4  
  0030:  20 53 61 6d 62 61 20 55  73 65 72 73 30 00          Samba Users0.    
ber_get_next
ldap_read: want=1 error=Resource temporarily unavailable
do_search
ber_scanf fmt ({aiiiib) ber:
ber_get_next on fd 9 failed errno=35 (Resource temporarily unavailable)
ber_dump: buf=0x080a1840 ptr=0x080a1843 end=0x080a187e len=59
  0000:  63 39 04 0b 6f 3d 73 69  75 63 2c 63 3d 75 73 0a   c9..o=siuc,c=us.  
  0010:  01 02 0a 01 00 02 01 00  02 01 00 01 01 00 a3 19   ................  
  0020:  04 02 63 6e 04 13 44 75  74 74 6f 6e 34 20 53 61   ..cn..Dutton4 Sa  
  0030:  6d 62 61 20 55 73 65 72  73 30 00                  mba Users0.       
SRCH "o=siuc,c=us" 2 0    0 0 0
begin get_filter
EQUALITY
ber_scanf fmt ({oo}) ber:
ber_dump: buf=0x080a1840 ptr=0x080a1861 end=0x080a187e len=29
  0000:  a3 19 04 02 63 6e 04 13  44 75 74 74 6f 6e 34 20   ....cn..Dutton4   
  0010:  53 61 6d 62 61 20 55 73  65 72 73 30 00            Samba Users0.     
end get_filter 0
    filter: (cn=Dutton4 Samba Users)
ber_scanf fmt ({v}}) ber:
ber_dump: buf=0x080a1840 ptr=0x080a187c end=0x080a187e len=2
  0000:  30 00                                              0.                
    attrs:
=> ldbm_back_search
dn2entry_r: dn: "O=SIUC,C=US"
=> dn2id( "O=SIUC,C=US" )
=> ldbm_cache_open( "/usr/tmp/openldap/dn2id.dbb", 514, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 5)
<= ldbm_cache_open (opened 0)
<= dn2id 1
=> id2entry_r( 1 )
=> ldbm_cache_open( "/usr/tmp/openldap/id2entry.dbb", 514, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 5)
<= ldbm_cache_open (opened 1)
=> str2entry
<= str2entry(o=SIUC,c=US) -> -1 (0x80bd960)
entry_rdwr_rlock: ID: 1
<= id2entry_r( 1 ) 0x80bd960 (disk)
search_candidates: base="O=SIUC,C=US" s=2 d=0
=> filter_candidates
        AND
=> list_candidates 0xa0
=> filter_candidates
        DN SUBTREE
=> dn2idl( "@O=SIUC,C=US" )
=> ldbm_cache_open( "/usr/tmp/openldap/dn2id.dbb", 514, 600 )
<= ldbm_cache_open (cache 0)
<= filter_candidates 599
=> filter_candidates
        OR
=> list_candidates 0xa1
=> filter_candidates
        EQUALITY
=> equality_candidates
=> ldbm_cache_open( "/usr/tmp/openldap/nextid.dbb", 514, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 5)
<= ldbm_cache_open (opened 2)
=> ldbm_cache_open( "/usr/tmp/openldap/objectClass.dbb", 0, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 5)
<= ldbm_cache_open (opened 3)
=> key_read
<= index_read 0 candidates
<= equality_candidates NULL
daemon: select: listen=8 active_threads=1 tvp=NULL
<= equality_candidates 0
<= filter_candidates 0
=> filter_candidates
        EQUALITY
=> equality_candidates
=> ldbm_cache_open( "/usr/tmp/openldap/cn.dbb", 0, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 5)
<= ldbm_cache_open (opened 4)
=> key_read
<= index_read 2 candidates
<= equality_candidates 2
<= filter_candidates 2
<= list_candidates 2
<= filter_candidates 2
<= list_candidates 2
<= filter_candidates 2
entry_rdwr_runlock: ID: 1
====> cache_return_entry_r( 1 ): created (0)
=> id2entry_r( 505 )
=> ldbm_cache_open( "/usr/tmp/openldap/id2entry.dbb", 514, 600 )
<= ldbm_cache_open (cache 1)
=> str2entry
<= str2entry(cn=Samba Users,cn=Samba,ou=Services,cn=dutton4.it.siu.edu,ou=Network Hosts,ou=Information Technology,o=Departments,o=SIUC,c=US) -> -1 (0x80bda60)
entry_rdwr_rlock: ID: 505
<= id2entry_r( 505 ) 0x80bda60 (disk)
=> test_filter
    EQUALITY
=> access_allowed: search access to "cn=Samba Users,cn=Samba,ou=Services,cn=dutton4.it.siu.edu,ou=Network Hosts,ou=Information Technology,o=Departments,o=SIUC,c=US" "cn" requested
=> dnpat: [1] .*,dc=siu,dc=edu,o=SIUC,d=US nsub: 0
=> dnpat: [2] .*,dc=AppleTalk,o=SIUC,c=US nsub: 0
=> test_filter
    EQUALITY
<= test_filter 6
=> acl_get: [3] check attr cn
<= acl_get: [3] acl cn=Samba Users,cn=Samba,ou=Services,cn=dutton4.it.siu.edu,ou=Network Hosts,ou=Information Technology,o=Departments,o=SIUC,c=US attr: cn
=> acl_mask: access to entry "cn=Samba Users,cn=Samba,ou=Services,cn=dutton4.it.siu.edu,ou=Network Hosts,ou=Information Technology,o=Departments,o=SIUC,c=US", attr "cn" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=Manager,o=SIUC,c=US
=> string_expand: pattern:  cn=Manager,o=SIUC,c=US
=> string_expand: expanded: cn=Manager,o=SIUC,c=US
=> regex_matches: string:   
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.142
=> string_expand: pattern:  131.230.6.142
=> string_expand: expanded: 131.230.6.142
=> regex_matches: string:   IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.141
=> string_expand: pattern:  131.230.6.141
=> string_expand: expanded: 131.230.6.141
=> regex_matches: string:   IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.182
=> string_expand: pattern:  131.230.6.182
=> string_expand: expanded: 131.230.6.182
=> regex_matches: string:   IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: *
<= acl_mask: [6] applying none (=n) (stop)
<= acl_mask: [6] mask: none (=n)
=> access_allowed: search access denied by none (=n)
<= test_filter 50
ldbm_search: candidate 505 does not match filter
entry_rdwr_runlock: ID: 505
====> cache_return_entry_r( 505 ): created (0)
=> id2entry_r( 509 )
=> ldbm_cache_open( "/usr/tmp/openldap/id2entry.dbb", 514, 600 )
<= ldbm_cache_open (cache 1)
=> str2entry
<= str2entry(cn=Dutton4 Samba Users,ou=Groups,o=SIUC,c=US) -> -1 (0x80bdbe0)
entry_rdwr_rlock: ID: 509
<= id2entry_r( 509 ) 0x80bdbe0 (disk)
=> test_filter
    EQUALITY
=> access_allowed: search access to "cn=Dutton4 Samba Users,ou=Groups,o=SIUC,c=US" "cn" requested
=> dnpat: [1] .*,dc=siu,dc=edu,o=SIUC,d=US nsub: 0
=> dnpat: [2] .*,dc=AppleTalk,o=SIUC,c=US nsub: 0
=> test_filter
    EQUALITY
<= test_filter 6
=> acl_get: [3] check attr cn
<= acl_get: [3] acl cn=Dutton4 Samba Users,ou=Groups,o=SIUC,c=US attr: cn
=> acl_mask: access to entry "cn=Dutton4 Samba Users,ou=Groups,o=SIUC,c=US", attr "cn" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=Manager,o=SIUC,c=US
=> string_expand: pattern:  cn=Manager,o=SIUC,c=US
=> string_expand: expanded: cn=Manager,o=SIUC,c=US
=> regex_matches: string:   
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.142
=> string_expand: pattern:  131.230.6.142
=> string_expand: expanded: 131.230.6.142
=> regex_matches: string:   IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.141
=> string_expand: pattern:  131.230.6.141
=> string_expand: expanded: 131.230.6.141
=> regex_matches: string:   IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_sockname_path: 131.230.6.182
=> string_expand: pattern:  131.230.6.182
=> string_expand: expanded: 131.230.6.182
=> regex_matches: string:   IP=:: 389
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: *
<= acl_mask: [6] applying none (=n) (stop)
<= acl_mask: [6] mask: none (=n)
=> access_allowed: search access denied by none (=n)
<= test_filter 50
ldbm_search: candidate 509 does not match filter
entry_rdwr_runlock: ID: 509
====> cache_return_entry_r( 509 ): created (0)
send_ldap_search_result 0::
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 9
  0000:  30 0c 02 01 02 65 07 0a  01 00 04 00 04 00         0....e........    
ldap_write: want=14, written=14
  0000:  30 0c 02 01 02 65 07 0a  01 00 04 00 04 00         0....e........