https://bugs.openldap.org/show_bug.cgi?id=9265

          Issue ID: 9265
           Summary: modifying a schema beneath an overlay hits assert
           Product: OpenLDAP
           Version: 2.4.50
          Hardware: x86_64
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: ---
         Component: slapd
          Assignee: b...@openldap.org
          Reporter: ratn...@gmail.com
  Target Milestone: ---

I'm going to demo this on debian-unstable so it's on 2.4.50, but I've also been
able to achieve the following failure with CentOS7's package
(openldap-servers-2.4.44-21.el7_6.x86_64), so I don't think it's
packager-related.  I apologize that I don't have a gdb run with this report,
but I've been having poor luck compiling it or getting a non-stripped binary.


Steps to reproduce:
* grab a vm/droplet/whatever of debian, convert source to unstable, apt update
/ apt full-upgrade
* apt-get install slapd ldap-utils
* reboot

* Add the ppolicy schema:
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif

* Add the ppolicy module:
```
cat >/tmp/moduleadd <<EOF
dn: cn=module{0},cn=config
add: olcModuleLoad
olcModuleLoad: ppolicy
EOF
```
** /usr/bin/ldapmodify -cQY EXTERNAL -H ldapi:/// -f /tmp/moduleadd

* Add a super boring ppolicy overlay:
```
cat >/tmp/overlayadd <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
EOF
```
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/overlayadd

* Halt slapd, and then start it up in debug mode:
** service slapd stop
** /usr/sbin/slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d -d any

* now, the weird one.  Run an attempted 'replace' ldif against the ppolicy
schema that would result in no net change to it.
```
cat >/tmp/trauma <<EOF
dn: cn={4}ppolicy,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
  objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY
  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY
  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY
  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY
  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY
  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY
  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit'
  EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY
  booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration'
  EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY
  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval'
  EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY
  booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange'
  EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY
  booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailure'
  EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-
replace: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top
  AUXILIARY MUST ( pwdAttribute ) MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $
  pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $
  pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
  pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
-
EOF
```
** /usr/bin/ldapadd -cQY EXTERNAL -H ldapi:/// -f /tmp/trauma

The client comes back with:
modifying entry "cn={4}ppolicy,cn=schema,cn=config"
ldap_result: Can't contact LDAP server (-1)

The server, however, has failed on an assertion.  The tail of the debug stream
is:
5ec71e94 => access_allowed: add access granted by manage(=mwrscxd)
5ec71e94 slap_queue_csn: queueing 0x7facb8105700
20200522003636.287264Z#000000#000#000000
5ec71e94 oc_check_required entry (cn={4}ppolicy,cn=schema,cn=config),
objectClass "olcSchemaConfig"
5ec71e94 oc_check_allowed type "objectClass"
5ec71e94 oc_check_allowed type "cn"
5ec71e94 oc_check_allowed type "structuralObjectClass"
5ec71e94 oc_check_allowed type "entryUUID"
5ec71e94 oc_check_allowed type "creatorsName"
5ec71e94 oc_check_allowed type "createTimestamp"
5ec71e94 oc_check_allowed type "olcAttributeTypes"
5ec71e94 oc_check_allowed type "olcObjectClasses"
5ec71e94 oc_check_allowed type "entryCSN"
5ec71e94 oc_check_allowed type "modifiersName"
5ec71e94 oc_check_allowed type "modifyTimestamp"
slapd: ../../../../servers/slapd/at.c:277: at_clean: Assertion `a->sat_syntax != NULL' failed.
Aborted


"Why do you have an overlay there?"
Beats me.  It was like that when I got here, and since it's enforcing password
policies, I don't think I can change it.

"Why would you ever run such a silly modify!?"
I wouldn't.  This stems from a Puppet module where any time it spots the
timestamp of /etc/path/to/ldap/schema/foo.schema is newer than the
'modifyTimestamp' of schema 'foo' in slapd, it kicks off a modify so slapd will
be timestamp-newer than what's on disk.  It just happens that if you ever do
something as simple as `touch /etc/ldap/slapd.d/ppolicy.schema`, it triggers
this update process and crashes the server on the next Puppet run.  And I bet
most people don't have an overlay and so this is probably a not-often-seen edge
case.  But unfortunately I'm not a good C person so I don't see the issue well
enough to offer a PR.

Thanks for reading.
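The trigger described in this report is a `replace` that carries exactly the values the server already holds. Until the assertion itself is fixed, a configuration-management step can avoid sending such modifies at all. The following is an added example, not the reporter's Puppet code and not part of OpenLDAP: it unfolds a single-entry LDIF (as exported from `cn=config`) and a `changetype: modify` LDIF, assumes plain values only (no base64 `::` values), and reports which replaced attributes would actually change. The sample LDIF below is constructed from a trimmed copy of the ppolicy definitions in the report.

```python
import re

def unfold(ldif):
    """Join RFC 2849 folded lines: a continuation line starts with one space."""
    return re.sub(r"\r?\n ", "", ldif)

def norm(value):
    """Collapse whitespace so re-wrapped schema definitions compare equal."""
    return " ".join(value.split())

def parse_entry(ldif):
    """{attr: set of normalised values} for one entry (plain values, no base64)."""
    attrs = {}
    for line in unfold(ldif).splitlines():
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), set()).add(norm(value))
    return attrs

def parse_replace_ops(ldif):
    """{attr: set of values} for every 'replace:' op in a changetype: modify LDIF."""
    ops, target = {}, None
    for line in unfold(ldif).splitlines():
        if line.startswith("replace:"):
            target = line.partition(":")[2].strip()
            ops[target] = set()
        elif line == "-" or not line:
            target = None          # '-' ends the current modification
        elif target and line.startswith(target + ":"):
            ops[target].add(norm(line.partition(":")[2]))
    return ops

def changed_attrs(current_ldif, modify_ldif):
    """Attributes whose replacement differs from what the server already holds."""
    current = parse_entry(current_ldif)
    return sorted(a for a, v in parse_replace_ops(modify_ldif).items()
                  if current.get(a, set()) != v)

# Constructed sample: a trimmed copy of the server's current ppolicy schema entry ...
CURRENT = """dn: cn={4}ppolicy,cn=schema,cn=config
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST ( pwdAttribute ) )"""
# ... and the same definitions, re-wrapped, as a 'replace' modify: a net no-op.
MODIFY = """dn: cn={4}ppolicy,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
  objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
replace: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top
  AUXILIARY MUST ( pwdAttribute ) )
-"""
```

`changed_attrs(CURRENT, MODIFY)` returns an empty list, so the caller can skip the `ldapmodify`; a genuinely different definition names the attribute that would change.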
