(ITS#9023) crash using ppolicy chaining from slave to master
Full_Name: JPh Ayanides
Version: 2.4.47
OS: Linux Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (195.46.216.78)
Hello, I cannot get the following configuration to work. Instead, openldap
crashes.
I have 2 openldap servers in a master-slave setup: the slave is installed on a
machine named rada, and the master is installed on another machine named simby.
The ppolicy overlay is enabled on both rada and simby, and I use chain and
updateref so that ppolicy failures recorded on rada are forwarded back to simby.
When I test that feature by attempting a bind with a wrong password, openldap on
the slave crashes. I have not been able to understand why, even with gdb.
Here is the configuration of rada:
---------------------------
allow bind_v2
sizelimit size.hard=10000
sizelimit size.soft=500
# Schema and objectClass definitions
include /appli/openldap/etc/openldap/schema/core.schema
include /appli/openldap/etc/openldap/schema/cosine.schema
include /appli/openldap/etc/openldap/schema/nis.schema
include /appli/openldap/etc/openldap/schema/inetorgperson.schema
include /appli/openldap/etc/openldap/schema/ppolicy.schema
pidfile /appli/openldap-preprod/var/run/slapd.pid
argsfile /appli/openldap-preprod/var/run/slapd.args
loglevel -1
conn_max_pending 250
idletimeout 600
timelimit time.soft=60
timelimit time.hard=60
modulepath /appli/openldap/libexec/openldap
moduleload back_bdb
moduleload ppolicy
moduleload back_ldap
moduleload pw-sha2
password-hash {SSHA512}
TLSVerifyClient never
TLSCertificateKeyFile /appli/openldap-preprod/etc/private/auth.gdr.key
TLSCertificateFile /appli/openldap-preprod/etc/certs/auth.gdr.crt
TLSCACertificatePath /appli/openldap-preprod/etc/ca/
overlay chain
chain-uri ldaps://simby.example:637
chain-idassert-bind bindmethod="simple"
binddn="uid=mirrormode,dc=example"
credentials="secret"
mode="self"
tls_reqcert=allow
chain-tls none
chain-return-error TRUE
database bdb
suffix "dc=example"
rootdn "cn=admin,dc=example"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXX
dbconfig set_cachesize 0 128000000 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
directory "/appli/openldap-preprod/var/openldap-data"
index objectClass,entryCSN,entryUUID eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay ppolicy
ppolicy_default "cn=pwdDefault,ou=policies,dc=example"
ppolicy_hash_cleartext
ppolicy_use_lockout
ppolicy_forward_updates
lastmod on
syncrepl rid=002
provider=ldap://simby.example:390
binddn="uid=mirrormode,dc=example"
credentials=secret
bindmethod=simple
searchbase="dc=example"
schemachecking=off
type=refreshAndPersist
retry="60 +"
tls_cacert="/appli/openldap-preprod/etc/ca/CADSI.pem"
tls_reqcert=allow
starttls=yes
updateref ldaps://simby.example:637
access to attrs=userPassword
by dn="cn=admin,dc=example" write
by dn="cn=acadmin,dc=example" write
by dn="uid=mirrormode,dc=example" read
by dn="uid=rsasecureid,dc=example" auth
by anonymous auth
by dn="uid=test,ou=People,dc=example" none
by * none
access to attrs=shadowLastChange
by dn="cn=admin,dc=example" write
by dn="uid=mirrormode,dc=example" read
by dn="uid=test,ou=People,dc=example" none
by * read
access to dn="uid=test,ou=People,dc=example"
by dn="cn=admin,dc=example" write
by * read
database monitor
access to * by * read
-----------------------------
and here is the configuration file on the master:
----------------------------
allow bind_v2
sizelimit size.hard=10000
sizelimit size.soft=500
include /appli/openldap/etc/openldap/schema/core.schema
include /appli/openldap/etc/openldap/schema/cosine.schema
include /appli/openldap/etc/openldap/schema/nis.schema
include /appli/openldap/etc/openldap/schema/inetorgperson.schema
include /appli/openldap/etc/openldap/schema/ppolicy.schema
pidfile /appli/openldap-preprod/var/run/slapd.pid
argsfile /appli/openldap-preprod/var/run/slapd.args
loglevel -1
modulepath /appli/openldap/libexec/openldap
moduleload back_bdb
moduleload syncprov
moduleload ppolicy
moduleload pw-sha2
password-hash {SSHA512}
TLSCertificateKeyFile /appli/openldap-preprod/etc/private/simby.example.key
TLSCertificateFile /appli/openldap-preprod/etc/certs/simby.example.pem
TLSCACertificatePath /appli/openldap-preprod/etc/ca
TLSverifyClient never
database bdb
suffix "dc=example"
rootdn "cn=admin,dc=example"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXX
directory "/appli/openldap-preprod/var/openldap-data"
index objectclass,entryCSN,entryUUID eq
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
overlay ppolicy
ppolicy_default "cn=pwdDefault,ou=policies,dc=example"
ppolicy_use_lockout
ppolicy_hash_cleartext
lastmod on
access to attrs=userPassword
by dn="cn=admin,dc=example" write
by dn="uid=mirrormode,dc=example" read
by dn="cn=acadmin,dc=example" write
by dn="cn=rsasecureid,dc=example" auth
by anonymous auth
by dn="uid=test,ou=People,dc=example" none
by dn="cn=iam,dc=example" write
by * none
access to attrs=shadowLastChange
by dn="cn=admin,dc=example" write
by dn="uid=mirrormode,dc=example" read
by dn="cn=acadmin,dc=example" write
by dn="uid=test,ou=People,dc=example" none
by dn="cn=iam,dc=example" write
by * read
access to dn="uid=test,ou=People,dc=example"
by dn="cn=admin,dc=example" write
by * read
access to *
by dn="uid=test,ou=People,dc=example" none
by dn="uid=mirrormode,dc=example" read
by dn="cn=admin,dc=example" write
by dn="cn=acadmin,dc=example" write
by dn="cn=iam,dc=example" write
by * read
access to dn="ou=People,dc=example"
by dn="cn=acadmin,dc=example" write
by * read
database monitor
access to * by * read
---------------------------
At the end of the slave's log, I get:
May 17 16:37:12 rada slapd[546]: ==> bdb_bind: dn:
uid=user1,ou=People,dc=example
May 17 16:37:12 rada slapd[546]: bdb_dn2entry("uid=user1,ou=people,dc=example")
May 17 16:37:12 rada slapd[546]: => access_allowed: result not in cache
(userPassword)
May 17 16:37:12 rada slapd[546]: => access_allowed: auth access to
"uid=user1,ou=People,dc=example" "userPassword" requested
May 17 16:37:12 rada slapd[546]: => acl_get: [1] attr userPassword
May 17 16:37:12 rada slapd[546]: => acl_mask: access to entry
"uid=user1,ou=People,dc=example", attr "userPassword" requested
May 17 16:37:12 rada slapd[546]: => acl_mask: to value by "", (=0)
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: cn=admin,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: cn=acadmin,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: uid=mirrormode,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: uid=rsasecureid,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat:
ou=capge002,ou=application,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: anonymous
May 17 16:37:12 rada slapd[546]: <= acl_mask: [6] applying auth(=xd) (stop)
May 17 16:37:12 rada slapd[546]: <= acl_mask: [6] mask: auth(=xd)
May 17 16:37:12 rada slapd[546]: => slap_access_allowed: auth access granted by
auth(=xd)
May 17 16:37:12 rada slapd[546]: => access_allowed: auth access granted by
auth(=xd)
May 17 16:37:12 rada slapd[546]: send_ldap_result: conn=1000 op=0 p=3
May 17 16:37:12 rada slapd[546]: send_ldap_result: err=49 matched="" text=""
May 17 16:37:12 rada slapd[546]: => bdb_entry_get: ndn:
"uid=user1,ou=people,dc=example"
May 17 16:37:12 rada slapd[546]: => bdb_entry_get: oc: "(null)", at: "(null)"
May 17 16:37:12 rada slapd[546]: bdb_dn2entry("uid=user1,ou=people,dc=example")
May 17 16:37:12 rada slapd[546]: => bdb_entry_get: found entry:
"uid=user1,ou=people,dc=example"
May 17 16:37:12 rada slapd[546]: bdb_entry_get: rc=0
May 17 16:37:12 rada slapd[546]: bdb_dn2entry("uid=user1,ou=people,dc=example")
May 17 16:37:12 rada slapd[546]: send_ldap_result: conn=1000 op=0 p=3
May 17 16:37:12 rada slapd[546]: send_ldap_result: err=10 matched="" text=""
May 17 16:37:12 rada slapd[546]: send_ldap_result:
referral="ldaps://simby.example:637/uid=user1,ou=People,dc=example"
May 17 16:37:12 rada slapd[546]: >>> dnPrettyNormal:
<uid=user1,ou=People,dc=example>
May 17 16:37:12 rada slapd[546]: <<< dnPrettyNormal:
<uid=user1,ou=People,dc=example>, <uid=user1,ou=people,dc=example>
May 17 16:37:12 rada slapd[546]: conn=1000 op=0 ldap_chain_op:
ref="ldaps://simby.example:637/uid=user1,ou=People,dc=example" ->
"ldaps://simby.example:637"
May 17 16:37:12 rada slapd[546]: conn=1000 op=0 ldap_chain_op:
ref="ldaps://simby.example:637/uid=user1,ou=People,dc=example":
URI="ldaps://simby.example:637" found in cache
May 17 16:37:12 rada slapd[546]: =>ldap_back_getconn: conn=1000 op=0:
lc=0x838b4a8 inserted refcnt=1 rc=0
May 17 16:37:12 rada slapd[546]: daemon: activity on 1 descriptor
May 17 16:37:12 rada slapd[546]: daemon: activity on:
May 17 16:37:12 rada slapd[546]:
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=7 active_threads=1
tvp=zero
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=8 active_threads=1
tvp=zero
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=9 active_threads=1
tvp=zero
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=10 active_threads=1
tvp=zero
and then the slave crashes with exit code 0177
In the log of the master, I get:
May 17 16:37:12 simby slapd[18544]: => slap_access_allowed: auth access granted
by auth(=xd)
May 17 16:37:12 simby slapd[18544]: => access_allowed: auth access granted by
auth(=xd)
May 17 16:37:12 simby slapd[18544]: conn=1001 op=0 BIND
dn="uid=mirrormode,dc=example" mech=SIMPLE ssf=0
May 17 16:37:12 simby slapd[18544]: do_bind: v3 bind:
"uid=mirrormode,dc=example" to "uid=mirrormode,dc=example"
May 17 16:37:12 simby slapd[18544]: send_ldap_result: conn=1001 op=0 p=3
May 17 16:37:12 simby slapd[18544]: send_ldap_result: err=0 matched="" text=""
May 17 16:37:12 simby slapd[18544]: => bdb_entry_get: ndn:
"uid=mirrormode,dc=example"
May 17 16:37:12 simby slapd[18544]: => bdb_entry_get: oc: "(null)", at:
"(null)"
May 17 16:37:12 simby slapd[18544]: bdb_dn2entry("uid=mirrormode,dc=example")
May 17 16:37:12 simby slapd[18544]: => bdb_entry_get: found entry:
"uid=mirrormode,dc=example"
May 17 16:37:12 simby slapd[18544]: bdb_entry_get: rc=0
May 17 16:37:12 simby slapd[18544]: send_ldap_response: msgid=1 tag=97 err=0
May 17 16:37:12 simby slapd[18544]: conn=1001 op=0 RESULT tag=97 err=0 text=
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=7 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=8 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=9 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=10 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: activity on 3 descriptors
May 17 16:37:12 simby slapd[18544]: daemon: activity on:
May 17 16:37:12 simby slapd[18544]: 12r
May 17 16:37:12 simby slapd[18544]: 15r
May 17 16:37:12 simby slapd[18544]:
May 17 16:37:12 simby slapd[18544]: daemon: read active on 12
May 17 16:37:12 simby slapd[18544]: connection_get(12)
May 17 16:37:12 simby slapd[18544]: connection_get(12): got connid=1000
May 17 16:37:12 simby slapd[18544]: connection_read(12): checking for input on
id=1000
May 17 16:37:12 simby slapd[18544]: ber_get_next on fd 12 failed errno=0
(Success)
May 17 16:37:12 simby slapd[18544]: connection_read(12): input error=-2 id=1000,
closing.
May 17 16:37:12 simby slapd[18544]: connection_closing: readying conn=1000 sd=12
for close
May 17 16:37:12 simby slapd[18544]: connection_close: conn=1000 sd=12
May 17 16:37:12 simby slapd[18544]: daemon: removing 12
May 17 16:37:12 simby slapd[18544]: conn=1000 fd=12 closed (connection lost)
May 17 16:37:12 simby slapd[18544]: daemon: read active on 15
May 17 16:37:12 simby slapd[18544]: connection_get(15)
May 17 16:37:12 simby slapd[18544]: connection_get(15): got connid=1001
May 17 16:37:12 simby slapd[18544]: connection_read(15): checking for input on
id=1001
May 17 16:37:12 simby slapd[18544]: ber_get_next on fd 15 failed errno=0
(Success)
May 17 16:37:12 simby slapd[18544]: connection_read(15): input error=-2 id=1001,
closing.
May 17 16:37:12 simby slapd[18544]: connection_closing: readying conn=1001 sd=15
for close
May 17 16:37:12 simby slapd[18544]: connection_close: conn=1001 sd=15
May 17 16:37:12 simby slapd[18544]: daemon: removing 15
May 17 16:37:12 simby slapd[18544]: conn=1001 fd=15 closed (connection lost)
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=7 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=8 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=9 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=10 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: activity on 1 descriptor
May 17 16:37:12 simby slapd[18544]: daemon: activity on:
May 17 16:37:12 simby slapd[18544]:
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=7 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=8 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=9 active_threads=0
tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=10 active_threads=0
tvp=NULL
-----------------------------
I am not sure I am using the right configuration, but in any case openldap should
not crash.