[Date Prev][Date Next] [Chronological] [Thread] [Top]

Assertion failure -- using relay backend and translucent overlay

To: openldap-technical@openldap.org
Subject: Assertion failure -- using relay backend and translucent overlay
From: "Mattias Andersson" <mattias@centaurix.com>
Date: Sun, 29 Jan 2012 14:55:10 +0100
Organization: Centaurix Interactive Designs
User-agent: Opera Mail/11.60 (Win32)

Hi,

I have configured a proxy server with its own local database that is usedboth to override existing attributes of a remote database and to add itsown entries to the directory.

I have configured the local database as subordinate and I have configureda relay database that is also pointing to the local database, but it isusing the translucent overlay to connect to the remote ldap directory.


My slapd.conf configuration:

  backend           hdb
  backend           ldap

  database          hdb
  directory         /var/lib/ldap
  suffix            "dc=foo,dc=example,dc=com"
  rootdn            "cn=admin,dc=foo,dc=example,dc=com"
  rootpw            secret
  index             objectClass eq
  subordinate

  database          relay
  suffix            "dc=example,dc=com"
  overlay           rwm
  rwm-suffixmassage "dc=foo,dc=example,dc=com"
  overlay           translucent
  uri               ldap://ldap.example.com
  translucent_bind_local

This configuration actually does exactly what I have been trying toachieve. I can override user attributes and at the same time I can addadditional group entries without having root access to the remote server.

I have tested it with the ldap nss service in linux and it works withouterrors. The updated user accounts are correctly retrieved and the newgroups are added transparently. If I use ldapsearch, it will search boththe local and the remote server.

The problem that I've experienced is that when I'm using a different ldapclient, such as Softerra LDAP Administrator, then the daemon crashes whena search query is performed:


  slapd starting
  conn=1000 fd=11 ACCEPT from IP=X.X.X.X:61230 (IP=0.0.0.0:389)
  conn=1000 op=0 BIND dn="" method=128
  conn=1000 op=0 RESULT tag=97 err=0 text=

conn=1000 op=1 SRCH base="dc=example,dc=com" scope=0 deref=0filter="(objectClass=*)"

  conn=1000 op=1 SRCH attr=1.1
  conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self.

slapd: /build/buildd/openldap-2.4.25/servers/slapd/attr.c:236:attr_dup2: Assertion `j < i' failed.

  Aborted

The message that "back-relay would call itself" is also logged when usingldapsearch, but ldapsearch does not cause an assertion failure:


  slapd starting
  conn=1000 fd=11 ACCEPT from IP=127.0.0.1:36760 (IP=0.0.0.0:389)
  conn=1000 op=0 BIND dn="" method=128
  conn=1000 op=0 RESULT tag=97 err=0 text=

conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0filter="(objectClass=*)"

  conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self.
  PROXIED attributeDescription "ORCLNETDESCSTRING" inserted.
  conn=1000 op=1 SEARCH RESULT tag=101 err=4 nentries=300 text=
  conn=1000 op=2 UNBIND
  conn=1000 fd=11 closed

I'm happy with the proxy functionality that I've managed to configure(which is working), but it's definitely a security vulnerability whensimply using a different LDAP client causes the server to crash.

Is there any way I could avoid the assertion failure? Should I post a bugreport?


TIA,
Mattias

Follow-Ups:
- Re: Assertion failure -- using relay backend and translucent overlay
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: making a full replica: slapd -c "rid=xxx" doesn't seem to work
Next by Date: Re: Assertion failure -- using relay backend and translucent overlay
Index(es):
- Chronological
- Thread