Hi! As the bug seems to occur in a C library routine, it could be helpful to attach to slapd using "ltrace -p .." to see what the last call was. You could also attach gdb to the process, and try a backtrace when there was a segfault...
Ulrich

>>> Jarbas Peixoto Júnior<[email protected]> wrote on 12.02.2014 at 14:14 in message <CAKJak0oDAi=refjbh4kqs7_tw5hwu5hgldbit50mh5+vpyu...@mail.gmail.com>:
> I needed to enable authentication on the LDAP server via the mail attribute.
>
> I used the overlay rwm as documentation:
> * http://www.openldap.org/doc/admin24/overlays.html # Rewrite / Remap
> * http://www.openldap.org/lists/openldap-software/200707/msg00487.html
> * http://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release
>
> I run the current version of OpenLDAP:
>
> dpkg -l | grep openldap
> ii  openldap-ltb                   2.4.39-1  amd64  OpenLDAP server with addons from the LDAP Tool Box project
> ii  openldap-ltb-check-password    2.4.39-1  amd64  check_password module for password policy
> ii  openldap-ltb-contrib-overlays  2.4.39-1  amd64  Overlays contributed to OpenLDAP
>
> My configuration snippet is shown below:
>
> ...
> backend hdb
>
> moduleload rwm
> overlay rwm
> rwm-rewriteEngine on
> rwm-rewriteMap ldap attr2dn "ldaps:///dc=gov,dc=br?dn?sub?"
> rwm-rewriteContext bindDN
> rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
>
> database hdb
> ...
>
> Everything worked fine, but sometimes a "slapd segfault" occurred;
> there was no apparent cause.
>
> A log analysis allowed us to identify the query that caused the "crash"
> was the folder containing "**" as follows:
>
> "(mail=*name**surname*)(mailAlternateAddress=*name**surname*)"
>
> I redid several searches and this really does "crash" in some situations:
>
> Normal
> =======
> ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas*peixoto)" mail
> dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br
> mail: [email protected]
>
> Normal
> =======
> ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas**peixoto)" mail
> ldap_search_ext: Bad search filter (-7)
>
> Normal
> =======
> ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas*[email protected])" mail
> dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br
> mail: [email protected]
>
> Normal
> =======
> ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas**[email protected])" mail
> ldap_search_ext: Bad search filter (-7)
>
> Segfault - Note that there is a space between the two asterisks ("* *")
> ================================================================
> ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas* *[email protected])" mail
> Additional information: massaged filter parse error
>
> The excerpts from server logs are:
>
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 ACCEPT from IP=10.82.0.22:46996 (IP=0.0.0.0:636)
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 TLS established tls_ssf=128 ssf=128
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 BIND dn="" method=128
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 RESULT tag=97 err=0 text=
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH base="dc=gov,dc=br" scope=2 deref=0 filter="(mail=jarbas**[email protected])"
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH attr=mail
> Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
> Feb 12 09:49:18 linuxprev kernel: [19683068.279488] slapd[27112] general protection ip:7f9c3520cac9 sp:7f9bc9eb2960 error:0 in libc-2.13.so[7f9c35191000+182000]
>
> To work around this error I added the lines:
>
> # Remove the '**' from the 'mail=**' search, avoiding the segfault
> rwm-rewriteContext searchFilter
> rwm-rewriteRule "(.*)(\\* ?\\*)(.*)" "$1*$3" "@I"
>
> This problem also occurs in other versions of slapd native to Debian and
> Ubuntu.
>
> Without the rwm overlay this bug does not occur. Can anyone confirm if it
> is really a bug in the "rwm overlay"?
>
>
> Regards,
> Jarbas
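
A log triage sketch for the analysis described in the quoted message, added here as an example and not part of the original thread: it flags SRCH operations whose filter contains the `**` or `* *` sequence matched by the workaround rule, pairs each with its SEARCH RESULT text, and collects kernel fault lines that name slapd. The sample log lines are constructed (host name, base DN and addresses are placeholders), and the regular expressions assume the log format shown in the excerpt.

```python
import re

# Constructed sample in the format of the excerpt above;
# host name, base DN and mail addresses are placeholders.
SAMPLE_LOG = '''\
Feb 12 09:49:18 ldap1 slapd[27108]: conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(mail=user*@example.com)"
Feb 12 09:49:18 ldap1 slapd[27108]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 12 09:49:18 ldap1 slapd[27108]: conn=1004 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(mail=user* *@example.com)"
Feb 12 09:49:18 ldap1 slapd[27108]: conn=1004 op=1 SRCH attr=mail
Feb 12 09:49:18 ldap1 slapd[27108]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Feb 12 09:49:18 ldap1 kernel: [100.000000] slapd[27112] general protection ip:0 sp:0 error:0 in libc-2.13.so[0+0]
'''

# Same sequence the workaround rule matches: "**" or "* *".
ADJACENT_WILDCARDS = re.compile(r"\* ?\*")
SRCH = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) SRCH base=.* filter="(.*)"')
RESULT = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) SEARCH RESULT .*?text=(.*)")
CRASH = re.compile(r"kernel: .*\bslapd\[\d+\].*(?:general protection|segfault)")


def triage(lines):
    """Return ({(conn, op): {"filter", "result"}}, [kernel fault lines])."""
    flagged, crashes = {}, []
    for line in lines:
        line = line.rstrip("\n")
        if m := SRCH.search(line):
            conn, op, flt = m.groups()
            if ADJACENT_WILDCARDS.search(flt):
                flagged[(int(conn), int(op))] = {"filter": flt, "result": None}
        elif m := RESULT.search(line):
            key = (int(m.group(1)), int(m.group(2)))
            if key in flagged:  # result text of a search flagged earlier
                flagged[key]["result"] = m.group(3).strip()
        elif CRASH.search(line):
            crashes.append(line)
    return flagged, crashes


if __name__ == "__main__":
    flagged, crashes = triage(SAMPLE_LOG.splitlines())
    for (conn, op), info in flagged.items():
        print(f"conn={conn} op={op} filter={info['filter']} result={info['result']!r}")
    for line in crashes:
        print("kernel fault:", line)
```

Feeding it the real syslog file line by line gives the list of connections to examine alongside any gdb backtrace or ltrace output.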
