ppolicy and rwm/relay segfaulting
Hi,
This is weird - quite possibly a config problem, I'm hoping someone can
spot it :)
I have a minimal slapd server which works fine with either an rwm/relay
section or a ppolicy section - but not both at once.
I'm happy to explain *why* I need to do this if asked, but for now it
would just clutter this message. I do have a Really Good(TM) reason.
============ Actual problem ===================
We load slapd up with actual entries for the dc=new,dc=example,dc=com
domain.
slapd is configured to map all records with rwm/relay to
dc=old,dc=example,dc=com so clients with the old config still work.
i.e.
we load a real record:
1) dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
and we want clients asking about
2) dn: uid=testuser,ou=people,dc=old,dc=example,dc=com
to be served from (1)
======== OK here's an example ================
=== Server ====
Running debian 6 server with debian slapd 2.4.23-7.2
/usr/sbin/slapd -d 4 -h "ldap:/// ldaps:/// ldapi:///" -g openldap -u openldap -f /etc/ldap/slapd.conf
=== Test client ===
Running test against the "old" realm:
ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com
# Enter the wrong password and it fails correctly and server runs OK.
# Enter the right password and the client says:
ldap_result: Can't contact LDAP server (-1)
Server says (last few lines from slapd):
[rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=old,dc=example,dc=com"
[rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com,0)
<= ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0
=> bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
=> bdb_entry_get: ndn: "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
==> hdb_bind: dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
send_ldap_result: err=0 matched="" text=""
=> bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
Segmentation fault
However, queries against the "new" domain work:
ldapwhoami -x -W -D uid=testuser,ou=people,dc=new,dc=example,dc=com
Enter LDAP Password:
dn:uid=testuser,ou=people,dc=new,dc=example,dc=com
If I disable ppolicy in slapd.conf, queries against the "old" domain work:
root@ldaptest1:/etc# ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com
Enter LDAP Password:
dn:uid=testuser,ou=people,dc=new,dc=example,dc=com
(the rewrite is not perfect - but that may not matter for my clients).
Almost certainly I have done something stupid - and it seems clear that
ppolicy is being upset by the relay mappings. Any ideas how to fix would
be *very* welcome - I have been all over Google and the man pages.
All the best!
Tim
OK - boring stuff:
slapd.conf
###########################################
#######################################################################
# Global Directives:
# Features to permit
allow bind_anon_cred bind_anon_dn update_anon
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel sync stats
sizelimit 5000
tool-threads 1
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_relay
moduleload rwm
moduleload ppolicy
overlay rwm
rwm-rewriteEngine on
backend hdb
#######################################################################
# Global ACLs
#
# Ensure read access to the base for things like
# supportedSASLMechanisms.
access to dn.base="" by * read
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# This ACL must be first or password leakage will happen!!!
access to attrs=userPassword,shadowLastChange
by peername.path="/var/run/slapd/ldapi" manage
by dn="cn=admin,dc=new,dc=example,dc=com" manage
by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write
by self write
by * auth
# The admin dn has full write access, everyone else
# can read everything. Local unix domain socket (root only)
# Can do everything
access to *
by peername.path="/var/run/slapd/ldapi" manage
by dn="cn=admin,dc=new,dc=example,dc=com" manage
by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write
by * read
#######################################################################
# Main new.example.com authoritative database
#
database hdb
suffix dc=new,dc=example,dc=com
rootdn "cn=admin,dc=new,dc=example,dc=com"
rootpw "{SSHA}NoNoNooo..."
directory "/var/lib/ldap"
dbconfig set_cachesize 0 134217728 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30
#######################################################################
#
# Password Policy
#
#
overlay ppolicy
ppolicy_default "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
#######################################################################
# Virtual maps - compatibility with old.example.com only
#
# map dc=old to dc=new
#
database relay
suffix "dc=old,dc=example,dc=com"
relay "dc=new,dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=new,dc=example,dc=com"
###########################################
Initial database loaded with slapadd from this ldif:
###########################################
dn: dc=new,dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: new.example.com
dc: new

dn: cn=admin,dc=new,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: NoNoNoooo...

dn: ou=people,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=pwpolicies,dc=new,dc=example,dc=com
objectClass: organizationalUnit
ou: pwpolicies

#
#
# Standard policy for normal people
#
dn: cn=default,ou=pwpolicies,dc=new,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 15811200
pwdExpireWarning: 1814400
pwdGraceAuthnLimit: 3
pwdInHistory: 6
pwdCheckQuality: 2
pwdMaxFailure: 5
pwdMinLength: 8
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdFailureCountInterval: 300
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Test User
employeeType: Staff
gecos: Test User
gidNumber: 1000
givenName: Test
homeDirectory: /homes/testuser
loginShell: /bin/bash
mail: testuser@new.example.com
sn: User
uid: testuser
uidNumber: 1000
userPassword: {SSHA}NoNoNoooo...

dn: cn=ddh-staff,ou=groups,dc=new,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ddh-staff
description: Test Group
gidNumber: 1000
memberUid: testuser

dn: cn=sysadmin,ou=groups,dc=new,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: sysadmin
description: Staff: System Admin Group
gidNumber: 1001
memberUid: testuser
###########################################
--
Tim Watts
Personal Blog:
http://www.dionic.net/tim/
"A fanatic is one who can't change his mind and won't change the subject."
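Added example, not part of Tim's message or of OpenLDAP: a small Python model of what rwm-suffixmassage does to a DN in each direction, so the two "[rw] bindDN" lines in the debug output and the ldapwhoami result that still shows dc=new can be read side by side. It assumes the two suffixes from the post and treats a DN as a sequence of RDNs split on unescaped commas, compared case-insensitively.

```python
# Added example (not from the original post or OpenLDAP): a model of
# rwm-suffixmassage. request_dn() is the virtual -> real step applied to
# a client-supplied DN (the second [rw] bindDN line in the post), and
# result_dn() is the real -> virtual step a client would expect on data
# coming back. Assumed suffixes are the ones from the post's slapd.conf.
import re

VIRTUAL_SUFFIX = "dc=old,dc=example,dc=com"   # suffix of the relay database
REAL_SUFFIX = "dc=new,dc=example,dc=com"      # rwm-suffixmassage target

# Split on commas that are not escaped with a backslash (RFC 4514 style).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def _rdns(dn):
    """Split a DN string into its RDN strings, outermost last."""
    return [rdn.strip() for rdn in _RDN_SPLIT.split(dn)] if dn else []


def _norm(rdns):
    """Case-insensitive, whitespace-insensitive form used only for matching."""
    return [re.sub(r'\s*=\s*', '=', r).lower() for r in rdns]


def _massage(dn, from_suffix, to_suffix):
    """Replace a trailing from_suffix with to_suffix; other DNs pass through."""
    parts, suffix = _rdns(dn), _rdns(from_suffix)
    n = len(suffix)
    if n and _norm(parts[-n:]) == _norm(suffix):
        return ",".join(parts[:-n] + _rdns(to_suffix))
    return dn


def request_dn(dn):
    """DN as sent by a client of dc=old -> DN the relayed hdb database sees."""
    return _massage(dn, VIRTUAL_SUFFIX, REAL_SUFFIX)


def result_dn(dn):
    """DN as stored under dc=new -> DN a dc=old client should get back."""
    return _massage(dn, REAL_SUFFIX, VIRTUAL_SUFFIX)


if __name__ == "__main__":
    bind = "uid=testuser,ou=people,dc=old,dc=example,dc=com"
    real = request_dn(bind)
    print(f'[rw] bindDN: "{bind}" -> "{real}"')
    # In the post, ldapwhoami against dc=old answered with the dc=new DN,
    # i.e. the exop response carried the real DN without the reverse step.
    print("whoami as returned:    ", real)
    print("whoami if massaged back:", result_dn(real))
```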