Hello openldap-technical,
I found that slapd 2.5.11 w/slapo-translucent will crash when queried with a
wildcard search. It looks like any wildcard search on any attribute specified
in "translucent_local" will cause the SIGSEGV on the latest version of Symas
OpenLDAP slapd, 2.5.11, MDB databases, running on CentOS7.
It seems that the SIGSEGV problem does not occur w the 2.4.44 from the RHEL7
distribution, and so the problem may have be a regression. I have not tested
any other versions but have verified that, with the exact same config, the
problem does not happen on the RHEL7 2.4.44 version, but does happen w/Symas
OpenLDAP 2.5.11.
It's an interesting config here. There are two database+suffixes defined in the
instance. The first one is subordinate (ou=someorg,dc=corp,dc=com) to the
second one (dc=corp,dc=com). The "subordinate" option is set to "True". The
second database section loads the translucent overlay which is pointed to the
upstream Active Directory instance and has the same suffix of AD.
The problem is administrative. The group want their admins who manage LDAP data
to be able to search using wildcard "cn=xyx*" filters. Besides crashing, we
have noticed that these work, but only when setting the basedn of the
subordinate database. I tried a few things in a test lab and was able to
reproduce the issue.
with "cn" in "translucent_local" and sublevel search of translucent superior
basedn dc=corp,dc=com
"(cn=jed)" filter returns subordinate database entry
"(cn=je*)" filter crashes slapd
with "cn" not in "translucent_local" and sublevel search of translucent
superior basedn dc=corp,dc=com
"(cn=jed)" filter return referrals from upstream Active Directory
"(cn=je*)" filter return referrals from upstream Active Directory
with "cn" in "translucent_local" and sublevel search of subordinate basedn
ou=someorg,dc=corp,dc=com
"(cn=jed)" filter returns subordinate database entry from ou=someorg
"(cn=je*)" filter returns subordinate database entry(ies) from ou=someorg
with "cn" not in "translucent_local" and sublevel search of subordinate dbasedn
ou=someorg,dc=corp,dc=com
"(cn=jed)" filter returns subordinate database entry from ou=someorg
"(cn=je*)" filter returns subordinate database entry(ies) from ou=someorg
Here's what the crash looks like:
622eb2f7.0393c4d6 0x7fcf15e89880 slapd starting
622eb2fd.32371976 0x7fce8d9f3700 slap_listener_activate(8):
622eb2fd.323bb364 0x7fce8d1f2700 >>> slap_listener(ldap:///)
622eb2fd.3247761c 0x7fce8d1f2700 connection_get(15): got connid=1000
622eb2fd.3247962c 0x7fce8d1f2700 connection_read(15): checking for input on
id=1000
622eb2fd.3247b177 0x7fce8d1f2700 ber_get_next
622eb2fd.3247e0b8 0x7fce8d1f2700 ber_get_next: tag 0x30 len 12 contents:
622eb2fd.3247f6f1 0x7fce8d1f2700 op tag 0x60, time 1647227645
622eb2fd.32480615 0x7fce8d1f2700 ber_get_next
622eb2fd.32484eca 0x7fce8d1f2700 conn=1000 op=0 do_bind
622eb2fd.324861e8 0x7fce8d1f2700 ber_scanf fmt ({imt) ber:
622eb2fd.324871c1 0x7fce8d1f2700 ber_scanf fmt (m}) ber:
622eb2fd.32488890 0x7fce8d1f2700 >>> dnPrettyNormal: <>
622eb2fd.32489324 0x7fce8d1f2700 <<< dnPrettyNormal: <>, <>
622eb2fd.3248ce51 0x7fce8d1f2700 do_bind: version=3 dn="" method=128
622eb2fd.3248efc7 0x7fce8d1f2700 send_ldap_result: conn=1000 op=0 p=3
622eb2fd.324906be 0x7fce8d1f2700 send_ldap_response: msgid=1 tag=97 err=0
622eb2fd.32492605 0x7fce8d1f2700 ber_flush2: 14 bytes to sd 15
622eb2fd.324ab763 0x7fce8d1f2700 do_bind: v3 anonymous bind
622eb2fd.325dc3b4 0x7fce8d1f2700 connection_get(15): got connid=1000
622eb2fd.325de12a 0x7fce8d1f2700 connection_read(15): checking for input on
id=1000
622eb2fd.325dec44 0x7fce8d1f2700 ber_get_next
622eb2fd.325e0856 0x7fce8d1f2700 ber_get_next: tag 0x30 len 63 contents:
622eb2fd.325e1663 0x7fce8d1f2700 op tag 0x63, time 1647227645
622eb2fd.325e22e8 0x7fce8d1f2700 ber_get_next
622eb2fd.325e500c 0x7fce8d1f2700 conn=1000 op=1 do_search
622eb2fd.325e5ae0 0x7fce8d1f2700 ber_scanf fmt ({miiiib) ber:
622eb2fd.325e69ea 0x7fce8d1f2700 >>> dnPrettyNormal: <dc=corp,dc=com>
622eb2fd.325e98bd 0x7fce8d1f2700 <<< dnPrettyNormal: <dc=corp,dc=com>,
<dc=corp,dc=com>
622eb2fd.325eaad7 0x7fce8d1f2700 ber_scanf fmt ({m) ber:
622eb2fd.325ebce5 0x7fce8d1f2700 ber_scanf fmt (m) ber:
622eb2fd.325eddcb 0x7fce8d1f2700 ber_scanf fmt ({M}}) ber:
622eb2fd.325f334c 0x7fce8d1f2700 ==> limits_get: conn=1000 op=1
self="[anonymous]" this="dc=corp,dc=com"
622eb2fd.325f4dcc 0x7fce8d1f2700 ==> translucent_search: <dc=corp,dc=com>
(cn=jed*)
Segmentation fault
Thanks!
Jeremy Diaz | Rex Consulting | https://www.rexconsulting.net
