Hi!
This is a bug in the Apache LDAP API 2.0.0 being used in ApacheDS
(https://issues.apache.org/jira/browse/DIRAPI-366?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel&focusedCommentId=17286982#).
You can probably give one nightly build a test:
https://builds.apache.org/job/Directory/job/dir-server-pipeline/
On 25/02/2023 00:13, Matthew Melendy wrote:
Our test Apache Directory Server is having trouble with what should be a
simple operation, the lookup of which groups a user is a member of.
Here's what is happening:
- User 'user1' logs into Ubuntu client using ssh
- Client connects to ADS server using libnss-ldapd
- Client sends user lookup request to ADS, this succeeds
- Client tries to find out which groups contain this user's memberUid
- Server connection crashes with Null Pointer Exception, protocol error
returned to client
- Client login succeeds, but no LDAP group info is available
This behavior is reproducible even with the simplest possible test
directory (LDIF and other info shown below).
Interesting point: the connection crash does not happen with a client
using the older LDAP client libraries libnss-ldap:amd64 v265-5ubuntu1
and libpam-ldap:amd64 v186-4ubuntu1.
Has anyone else run into this kind of problem with libnss-ldapd?
Is there perhaps an early build of AM27 available we could try instead?
Matthew Melendy
IT Services Specialist
CS System Services Group
FEC 3550, University of New Mexico
--
getent.ldap passwd - properly shows user list pulled from LDAP
getent.ldap group - provokes same crash
getent.ldap group.bymember - provokes same crash
--
example error shown by nslcd from client request 'getent.ldap group'
nslcd: [8b4567] DEBUG: connection from pid=172510 uid=2001 gid=2000
nslcd: [8b4567] <group(all)> DEBUG: myldap_search(base="dc=cs,dc=unm,dc=edu", filter="(objectClass=posixGroup)")
nslcd: [8b4567] <group(all)> DEBUG: ldap_initialize(ldap://xx.cs.unm.edu:389)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <group(all)> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://xx.cs.unm.edu:389")
nslcd: [8b4567] <group(all)> ldap_result() failed: Protocol error
nslcd: [8b4567] <group(all)> DEBUG: ldap_abandon()
nslcd: [8b4567] <group(all)> DEBUG: ldap_unbind()
-- error shown in apacheds.log
[13:06:40] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
org.apache.mina.filter.codec.ProtocolDecoderException:
java.lang.NullPointerException (Hexdump: 30 81 9C 02 01 02 63 63 04 13
64 63 3D 63 73 2C 64 63 3D 75 6E 6D 2C 64 63 3D 65 64 75 0A 01 02 0A 01
00 02 01 00 02 01 00 01 01 00 A3 19 04 0B 6F 62 6A 65 63 74 43 6C 61 73
73 04 0A 70 6F 73 69 78 47 72 6F 75 70 30 22 04 06 6D 65 6D 62 65 72 04
02 63 6E 04 09 6D 65 6D 62 65 72 55 69 64 04 09 67 69 64 4E 75 6D 62 65
72 A0 32 30 30 04 19 31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 34 32 30 33 2E
36 36 36 2E 35 2E 31 36 04 13 30 11 30 0F 04 06 6D 65 6D 62 65 72 30 05
04 03 75 69 64)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:263)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.NullPointerException
    at org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue.action(StoreControlValue.java:81)
    at org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue.action(StoreControlValue.java:49)
    at org.apache.directory.api.asn1.ber.grammar.AbstractGrammar.executeAction(AbstractGrammar.java:136)
    at org.apache.directory.api.asn1.ber.Asn1Decoder.treatTLVDoneState(Asn1Decoder.java:604)
    at org.apache.directory.api.asn1.ber.Asn1Decoder.decode(Asn1Decoder.java:740)
    at org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode(LdapProtocolDecoder.java:137)
    at org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode(LdapProtocolDecoder.java:86)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:254)
    ... 15 more
---
Client configuration - Ubuntu 22.04.2 LTS x86_64
ii ldap-utils 2.5.13+dfsg-0ubuntu0.22.04.1 amd64 OpenLDAP utilities
ii libldap-2.5-0:amd64 2.5.13+dfsg-0ubuntu0.22.04.1 amd64 OpenLDAP libraries
ii libldap-common 2.5.13+dfsg-0ubuntu0.22.04.1 all OpenLDAP common files for libraries
ii libnss-ldapd:amd64 0.9.12-2 amd64 NSS module for using LDAP as a naming service
ii libpam-ldapd:amd64 0.9.12-2 amd64 PAM module for using LDAP as an authentication service
ii nscd 2.35-0ubuntu3.1 amd64 GNU C Library: Name Service Cache Daemon
---
client nslcd.conf
uid nslcd
gid nslcd
uri ldap://xx.cs.unm.edu:389
base dc=cs,dc=unm,dc=edu
ldap_version 3
tls_reqcert never
---
Server configuration
Ubuntu 22.04.2 LTS x86_64
Apache Directory Server 2.0.0.AM26
OpenJDK Runtime Environment (Temurin)(build 1.8.0_362-b09)
---
Directory structure LDIF:
version: 1

dn: uid=user1,ou=users,dc=cs,dc=unm,dc=edu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: user1
gidNumber: 2000
homeDirectory: /home/user1
sn: User
uid: user1
uidNumber: 2001
userPassword:: e01ENX1DNUhleFA2WUptb0RzVGExa2huUTFnPT0=

dn: dc=cs,dc=unm,dc=edu
objectclass: domain
objectclass: top
dc: cs

dn: ou=groups,dc=cs,dc=unm,dc=edu
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=testgrp1,ou=groups,dc=cs,dc=unm,dc=edu
objectClass: posixGroup
objectClass: top
cn: testgrp1
gidNumber: 3000

dn: ou=users,dc=cs,dc=unm,dc=edu
objectClass: organizationalUnit
objectClass: top
ou: users

dn: cn=testgrp2,ou=groups,dc=cs,dc=unm,dc=edu
objectClass: posixGroup
objectClass: top
cn: testgrp2
gidNumber: 2000
memberUid: user1
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@directory.apache.org
For additional commands, e-mail: users-h...@directory.apache.org
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com https://www.busit.com/