[ http://issues.apache.org/jira/browse/DIREVE-274?page=all ]
Alex Karasulu updated DIREVE-274:
---------------------------------
Priority: Blocker (was: Major)
Real serious problem. However the fix is easy. Looks like the group cache
bombs on restart because of a bad group member. Really the DnParser is choking
on a bad attribute that is not recognized. We just need to not freak out as
bad as we do - catch the exception and warn on the log about a bad group
member. This solves the serious problem.
The first problem worries me more actually. It's probably caused by the same
thing: the satisfaction attribute is not recognized when the entry is being
added to the cache. This is done after the entry is added to the partition.
We should not be freaking out like this if there is bad data for uniqueMember
or member attributes.
The problem with our approach is that we are parsing the member value with a
normalizing parser. Attempts to access the OID registry for attributes in a
name that do not exist are raising an exception. Perhaps normalizing parsers
should leave unrecognized attributes as-is. This would only partially fix this
problem. We still need to protect group cache management operations from bad
values in member attributes.
> Adding a group with invalid member DN corrupts the server
> ---------------------------------------------------------
>
> Key: DIREVE-274
> URL: http://issues.apache.org/jira/browse/DIREVE-274
> Project: Directory Server
> Type: Bug
> Reporter: Stefan Zoerner
> Assignee: Alex Karasulu
> Priority: Blocker
> Fix For: 0.9.3
>
> If you add an entry like this to the server
> dn: cn=myGroup,dc=apache,dc=org
> cn: myGroup
> objectclass: top
> objectclass: groupOfUniqueNames
> uniqueMember: satisfaction=guaranteed
> e.g. with this command
> $ ldapadd -D uid=admin,ou=system -w ***** -h magritte -p 10389 -f
> addEntry.ldif
> the client gets an error:
> ldap_add: Loop detected
> ldap_add: additional info: failed to add entry cn=myGroup,dc=apache,dc=org:
> javax.naming.NamingException: OID for name 'satisfaction' was not found
> within the OID registry
> stack trace omitted
> I am not sure whether this is correct behavior, other servers let me do that
> (i.e. add a DN value with unknown attribute names). But this is another story.
> Problem 1: Actually, the entry is created:
> $ ldapsearch -h magritte -p 10389 -b dc=apache,dc=org -s one "(objectClass=*)"
> cn=myGroup,dc=apache,dc=org
> cn=myGroup
> objectclass=groupOfUniqueNames
> objectclass=top
> uniqueMember=satisfaction=guaranteed
> $
> Therefore, the error above does not tell the truth ("failed to add entry").
> It is even possible to delete this entry without any errors. And it is highly
> recommended to do this, because
> Problem 2: (this is the major problem)
> After stopping the server, you can't restart it because of this illegal
> entry. Here is the stacktrace.
> Exception in thread "main" javax.naming.NamingException: OID for name
> 'satisfaction' was not found within the OID registry
> at
> org.apache.ldap.server.schema.GlobalOidRegistry.getOid(GlobalOidRegistry.java:188)
> at
> org.apache.ldap.server.schema.GlobalAttributeTypeRegistry.lookup(GlobalAttributeTypeRegistry.java:124)
> at
> org.apache.ldap.server.schema.ConcreteNameComponentNormalizer.lookup(ConcreteNameComponentNormalizer.java:85)
> at
> org.apache.ldap.server.schema.ConcreteNameComponentNormalizer.normalizeByName(ConcreteNameComponentNormalizer.java:59)
> at
> org.apache.ldap.common.name.antlrValueParser.value(antlrValueParser.java:128)
> at
> org.apache.ldap.common.name.antlrNameParser.attributeTypeAndValue(antlrNameParser.java:189)
> at
> org.apache.ldap.common.name.antlrNameParser.nameComponent(antlrNameParser.java:120)
> at
> org.apache.ldap.common.name.antlrNameParser.name(antlrNameParser.java:69)
> at org.apache.ldap.common.name.DnParser.parse(DnParser.java:178)
> at org.apache.ldap.common.name.DnParser.parse(DnParser.java:219)
> at
> org.apache.ldap.server.authz.GroupCache.addMembers(GroupCache.java:177)
> at
> org.apache.ldap.server.authz.GroupCache.initialize(GroupCache.java:111)
> at org.apache.ldap.server.authz.GroupCache.<init>(GroupCache.java:79)
> at
> org.apache.ldap.server.authz.AuthorizationService.init(AuthorizationService.java:95)
> at
> org.apache.ldap.server.interceptor.InterceptorChain.register0(InterceptorChain.java:400)
> at
> org.apache.ldap.server.interceptor.InterceptorChain.register(InterceptorChain.java:359)
> at
> org.apache.ldap.server.interceptor.InterceptorChain.init(InterceptorChain.java:231)
> at
> org.apache.ldap.server.DefaultDirectoryService.initialize(DefaultDirectoryService.java:672)
> at
> org.apache.ldap.server.DefaultDirectoryService.startup(DefaultDirectoryService.java:204)
> at
> org.apache.ldap.server.jndi.AbstractContextFactory.getInitialContext(AbstractContextFactory.java:102)
> at
> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
> at
> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
> at javax.naming.InitialContext.init(InitialContext.java:223)
> at javax.naming.InitialContext.<init>(InitialContext.java:197)
> at
> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
> at org.apache.ldap.server.ServerMain.main(ServerMain.java:76)
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
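The fix sketched in the comment above (catch the parser exception per member value, warn on the log, keep going) as an added example. This is illustrative code, not ApacheDS code: `LenientGroupCache`, `normalizeDn`, `NormalizationException` and the `KNOWN_ATTRIBUTE_NAMES` stand-in for the OID registry are all hypothetical names chosen here to model the behaviour in the stack trace, and the input in `main` is constructed from the reporter's LDIF plus one well-formed member. It needs Java 9 or later for `List.of`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Added example, not ApacheDS code: a group cache that tolerates a member value
 * the normalizing DN parser rejects (e.g. uniqueMember: satisfaction=guaranteed)
 * instead of letting the exception abort server startup.
 */
public class LenientGroupCache {

    private static final Logger LOG = Logger.getLogger(LenientGroupCache.class.getName());

    /** Hypothetical stand-in for the OID registry: attribute names the schema knows. */
    private static final Set<String> KNOWN_ATTRIBUTE_NAMES =
        new LinkedHashSet<>(List.of("cn", "uid", "ou", "dc", "o"));

    /** Thrown by the stand-in normalizer, mirroring the NamingException in the report. */
    static class NormalizationException extends Exception {
        NormalizationException(String msg) { super(msg); }
    }

    /**
     * Stand-in for a normalizing DnParser. Like the real one in the stack trace, it looks
     * every attribute type up in the registry and fails on an unknown name, so a single
     * bad RDN makes the whole DN unparseable.
     */
    static String normalizeDn(String dn) throws NormalizationException {
        StringBuilder out = new StringBuilder();
        for (String rdn : dn.split(",")) {
            int eq = rdn.indexOf('=');
            if (eq <= 0 || eq == rdn.length() - 1) {
                throw new NormalizationException("malformed RDN: '" + rdn + "'");
            }
            String type = rdn.substring(0, eq).trim().toLowerCase();
            String value = rdn.substring(eq + 1).trim().toLowerCase();
            if (!KNOWN_ATTRIBUTE_NAMES.contains(type)) {
                throw new NormalizationException(
                    "OID for name '" + type + "' was not found within the OID registry");
            }
            if (out.length() > 0) out.append(',');
            out.append(type).append('=').append(value);
        }
        return out.toString();
    }

    /** Group DN (as given) -> normalized member DNs. */
    private final Map<String, Set<String>> groups = new HashMap<>();
    private int rejectedMembers = 0;

    /**
     * The fix proposed in the comment: parse each member value on its own, and when the
     * parser chokes, log a warning and skip that value rather than propagating the
     * exception out of cache initialization.
     */
    void addMembers(String groupDn, List<String> memberValues) {
        Set<String> members = groups.computeIfAbsent(groupDn, k -> new LinkedHashSet<>());
        for (String raw : memberValues) {
            try {
                members.add(normalizeDn(raw));
            } catch (NormalizationException e) {
                rejectedMembers++;
                LOG.warning("ignoring unparseable member '" + raw + "' of group '"
                    + groupDn + "': " + e.getMessage());
            }
        }
    }

    boolean isMember(String groupDn, String memberDn) {
        Set<String> members = groups.getOrDefault(groupDn, Collections.emptySet());
        try {
            return members.contains(normalizeDn(memberDn));
        } catch (NormalizationException e) {
            return false; // a DN we cannot normalize can never match a cached member
        }
    }

    int rejectedMemberCount() { return rejectedMembers; }

    public static void main(String[] args) {
        // Constructed input: the reporter's entry plus one well-formed member, as the
        // cache would see them when replaying groups from the partition at startup.
        LenientGroupCache cache = new LenientGroupCache();
        cache.addMembers("cn=myGroup,dc=apache,dc=org",
            List.of("satisfaction=guaranteed", "uid=admin,ou=system"));

        // Startup completes; the good member is usable and the bad one was only logged.
        System.out.println("members rejected: " + cache.rejectedMemberCount());
        System.out.println("admin is member: "
            + cache.isMember("cn=myGroup,dc=apache,dc=org", "UID=admin, OU=system"));
    }
}
```

The per-member catch is the part that addresses Problem 2: with it, the bad `uniqueMember` value costs one warning line at startup instead of an uncaught exception in `GroupCache.initialize`. Changing the normalizer to pass unknown attribute types through, as the comment also considers, would make this particular value parse, but the cache would still be one malformed value away from failing, which is why the comment treats that change as only a partial fix.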