Re: (ITS#7687) slapd with chaining dies on ManageDsaIT control
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7687) slapd with chaining dies on ManageDsaIT control
- From: ck@cksoft.de
- Date: Tue, 10 Sep 2013 19:14:09 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Hi,
On Tue, 10 Sep 2013, Michael Ströder wrote:
> ck@cksoft.de wrote:
>> we have a java application using JNDI that uses the password modify extended
>> operation to change user passwords.
>> [..]
>> When running slapd with heavy logging we saw the only difference to ldappasswd
>> which works fine against our masters is that JNDI sets the ManageDsaIT by
>> default.
>
> Of course slapd should never crash.
Yes, of course not. This opens an attack vector for shooting down the slapd to at least anyone who has bind access, which is concerning me.
Apart from that the customer's problem is solved. We just stopped sending the control. A bit like "Dr., Dr., it hurts when I do this." "Then why don't you stop doing it?"
> But strictly speaking the semantics of using ManageDsaIT control along with
> password modify ext.op. is not specified - at least not in RFC 3062.
Yes. JNDI sets the control by default.
From looking at the assert
slapd: chain.c:199: chaining_control_remove: Assertion `op->o_ctrls != ((void *)0)' failed.
the comment in chain.c seems to hint at an overly simple assumption. But I understand too little of slapd internals and code flow:
188 static int
189 chaining_control_remove(
190     Operation *op,
191     LDAPControl ***oldctrlsp )
192 {
193     LDAPControl **oldctrls = *oldctrlsp;
194
195     /* we assume that the first control is the chaining control
196      * added by the chain overlay, so it's the only one we explicitly
197      * free */
198     if ( op->o_ctrls != oldctrls ) {
199         assert( op->o_ctrls != NULL );
200         assert( op->o_ctrls[ 0 ] != NULL );
201
202         free( op->o_ctrls );
203
204         op->o_chaining = 0;
205         op->o_ctrls = oldctrls;
206     }
207
208     *oldctrlsp = NULL;
209
210     return 0;
211 }
Could it be as simple as walking the linked list and just removing the chaining control?
Of course another strategy might be to filter anything but the chaining control up front.
Greetings
Christian
>
> Ciao, Michael.
>
>
--
Christian Kratzer CK Software GmbH
Email: ck@cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
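
The removal strategy suggested in the message above, sketched as an added example; it is not slapd code and not a patch to chain.c. It assumes the control list is a NULL-terminated array of pointers, as the `op->o_ctrls[ 0 ]` indexing in the listing suggests. `ctrl_t`, `ctrls_remove_oid` and the chaining OID placeholder are hypothetical names made up for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a control; not slapd's LDAPControl. */
typedef struct { const char *oid; } ctrl_t;

#define MANAGEDSAIT_OID "2.16.840.1.113730.3.4.2"   /* ManageDsaIT control */
#define CHAIN_OID "chaining-control-oid-placeholder" /* constructed value */

/* Remove every control matching oid from a NULL-terminated array, in place.
 * A NULL array means "nothing to remove" and returns 0 instead of tripping
 * an assertion. The position of the matching control does not matter.
 * Removed entries are freed; the array itself is left to the caller. */
static int ctrls_remove_oid(ctrl_t **ctrls, const char *oid)
{
    int removed = 0;
    size_t in, out = 0;

    if (ctrls == NULL)
        return 0;
    for (in = 0; ctrls[in] != NULL; in++) {
        if (strcmp(ctrls[in]->oid, oid) == 0) {
            free(ctrls[in]);
            removed++;
        } else {
            ctrls[out++] = ctrls[in];   /* keep, compacting the array */
        }
    }
    ctrls[out] = NULL;
    return removed;
}

static ctrl_t *mk(const char *oid)
{
    ctrl_t *c = malloc(sizeof *c);
    if (c == NULL)
        abort();
    c->oid = oid;
    return c;
}

/* Constructed case: the chaining control is second, after ManageDsaIT. */
static int demo_not_first(void)
{
    ctrl_t *arr[3] = { mk(MANAGEDSAIT_OID), mk(CHAIN_OID), NULL };
    int n = ctrls_remove_oid(arr, CHAIN_OID);
    int ok = n == 1 && arr[0] != NULL && arr[1] == NULL
             && strcmp(arr[0]->oid, MANAGEDSAIT_OID) == 0;
    free(arr[0]);
    return ok;
}

int main(void) { return !(demo_not_first() && ctrls_remove_oid(NULL, CHAIN_OID) == 0); }
```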