Adding a group with invalid member DN corrupts the server
---------------------------------------------------------
Key: DIREVE-274
URL: http://issues.apache.org/jira/browse/DIREVE-274
Project: Directory Server
Type: Bug
Reporter: Stefan Zoerner
Assigned to: Alex Karasulu
Fix For: 0.9.3
If you add an entry like this to the server
dn: cn=myGroup,dc=apache,dc=org
cn: myGroup
objectclass: top
objectclass: groupOfUniqueNames
uniqueMember: satisfaction=guaranteed
e.g. with this command
$ ldapadd -D uid=admin,ou=system -w ***** -h magritte -p 10389 -f addEntry.ldif
the client gets an error:
ldap_add: Loop detected
ldap_add: additional info: failed to add entry cn=myGroup,dc=apache,dc=org:
javax.naming.NamingException: OID for name 'satisfaction' was not found within
the OID registry
stack trace omitted
I am not sure whether this is correct behavior, other servers let me do that
(i.e. add a DN value with unknown attribute names). But this is another story.
Problem 1: Actually, the entry is created:
$ ldapsearch -h magritte -p 10389 -b dc=apache,dc=org -s one "(objectClass=*)"
cn=myGroup,dc=apache,dc=org
cn=myGroup
objectclass=groupOfUniqueNames
objectclass=top
uniqueMember=satisfaction=guaranteed
$
Therefore, the error above does not tell the truth ("failed to add entry"). It
is even possible to delete this entry without any errors. And it is highly
recommended to do this, because
Problem 2: (this is the major problem)
After stopping the server, you can't restart it because of this illegal entry.
Here is the stacktrace.
Exception in thread "main" javax.naming.NamingException: OID for name 'satisfaction' was not found within the OID registry
    at org.apache.ldap.server.schema.GlobalOidRegistry.getOid(GlobalOidRegistry.java:188)
    at org.apache.ldap.server.schema.GlobalAttributeTypeRegistry.lookup(GlobalAttributeTypeRegistry.java:124)
    at org.apache.ldap.server.schema.ConcreteNameComponentNormalizer.lookup(ConcreteNameComponentNormalizer.java:85)
    at org.apache.ldap.server.schema.ConcreteNameComponentNormalizer.normalizeByName(ConcreteNameComponentNormalizer.java:59)
    at org.apache.ldap.common.name.antlrValueParser.value(antlrValueParser.java:128)
    at org.apache.ldap.common.name.antlrNameParser.attributeTypeAndValue(antlrNameParser.java:189)
    at org.apache.ldap.common.name.antlrNameParser.nameComponent(antlrNameParser.java:120)
    at org.apache.ldap.common.name.antlrNameParser.name(antlrNameParser.java:69)
    at org.apache.ldap.common.name.DnParser.parse(DnParser.java:178)
    at org.apache.ldap.common.name.DnParser.parse(DnParser.java:219)
    at org.apache.ldap.server.authz.GroupCache.addMembers(GroupCache.java:177)
    at org.apache.ldap.server.authz.GroupCache.initialize(GroupCache.java:111)
    at org.apache.ldap.server.authz.GroupCache.<init>(GroupCache.java:79)
    at org.apache.ldap.server.authz.AuthorizationService.init(AuthorizationService.java:95)
    at org.apache.ldap.server.interceptor.InterceptorChain.register0(InterceptorChain.java:400)
    at org.apache.ldap.server.interceptor.InterceptorChain.register(InterceptorChain.java:359)
    at org.apache.ldap.server.interceptor.InterceptorChain.init(InterceptorChain.java:231)
    at org.apache.ldap.server.DefaultDirectoryService.initialize(DefaultDirectoryService.java:672)
    at org.apache.ldap.server.DefaultDirectoryService.startup(DefaultDirectoryService.java:204)
    at org.apache.ldap.server.jndi.AbstractContextFactory.getInitialContext(AbstractContextFactory.java:102)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.InitialContext.<init>(InitialContext.java:197)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
    at org.apache.ldap.server.ServerMain.main(ServerMain.java:76)
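One way to avoid both problems described in the report, as an added example that is not code from Apache Directory Server or from the reporter: validate every DN-valued member before the write, and skip unparsable stored members when the group cache is rebuilt at startup. The class name, the `KNOWN_TYPES` set standing in for the OID registry, and the in-memory `store` are assumptions for illustration; DN parsing uses the JDK's `javax.naming.ldap.LdapName`.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.ldap.*;

public class MemberDnCheck {
    // Constructed stand-in for the server's OID registry (assumption, not the real schema).
    static final Set<String> KNOWN_TYPES = Set.of("cn", "uid", "ou", "dc", "o");
    // Throws if the DN is malformed or any RDN uses an attribute type outside KNOWN_TYPES.
    static void validate(String dn) throws NamingException {
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            NamingEnumeration<String> ids = rdn.toAttributes().getIDs(); // covers multi-valued RDNs
            while (ids.hasMore()) {
                String type = ids.next().toLowerCase(Locale.ROOT);
                if (!KNOWN_TYPES.contains(type))
                    throw new NamingException("unknown attribute type '" + type + "' in " + dn);
            }
        }
    }

    // Add path: validate every DN first, so a rejected add leaves the store untouched.
    static boolean add(Map<String, List<String>> store, String dn, List<String> members) {
        try {
            validate(dn);
            for (String m : members) validate(m);
        } catch (NamingException e) {
            return false;
        }
        store.put(dn, List.copyOf(members));
        return true;
    }

    // Startup path: a bad stored member is skipped and reported instead of aborting startup.
    static List<String> loadCache(Map<String, List<String>> store, Map<String, Set<String>> cache) {
        List<String> skipped = new ArrayList<>();
        store.forEach((group, members) -> {
            Set<String> ok = new LinkedHashSet<>();
            for (String m : members) {
                try { validate(m); ok.add(m); }
                catch (NamingException e) { skipped.add(group + ": " + m); }
            }
            cache.put(group, ok);
        });
        return skipped;
    }
    public static void main(String[] args) {
        Map<String, List<String>> store = new LinkedHashMap<>();
        // Constructed data: a bad entry already on disk, then the add from the report.
        store.put("cn=legacy,dc=apache,dc=org", List.of("uid=admin,ou=system", "satisfaction=guaranteed"));
        boolean added = add(store, "cn=myGroup,dc=apache,dc=org", List.of("satisfaction=guaranteed"));
        System.out.println(added + " " + store.size() + " " + loadCache(store, new HashMap<>()));
    }
}
```

Skipped members should be logged and alerted on, because a member missing from a cached group changes authorization decisions for that principal.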