#47704 invalid sizelimits in aci group evaluation
Closed: Fixed None Opened 5 years ago by lkrispen.

aci group evaluation fails in some cases because a negative search size limit is applied


Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1065971 (''Red Hat Enterprise Linux 7'')

Info from bugzilla, not the full content was copied --- Additional comment from Ludwig on 2014-02-17 03:35:22 EST --- I think the core of the failure is [13/Feb/2014:07:24:23 -0500] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1) Evaluating groupd is limited to a specific number of members (for some reasons decided long,long ago) and it does a comparison: if (info.c_idx > max_memberlimit && max_memberlimit != -1 ) { slapi_log_error( SLAPI_LOG_ACL, plugin_name, "GroupEval:Looked at too many entries:(%d, %d)\n", info.c_idx, info.lu_idx); this means info.c_idx is 0 and greater max_memberlimit, which means max_meberlimit is < -1, which does not make sense. But max_memberlimit is derived from search_sizelimit, which is only correctly defined and set for search operations and we are in an add. So there could be problems of memory initialization, if it is 0 or gt 0 everything is fine, otherwise we get the failure. In my opinion there are two problems in DS: 1] the use of searchsizelinit to control the group evaluation 2] the use of a limit at all. If groups are used in acis then they should be evaluated independent of their size, it is the responsibility of the administrator --- Additional comment from Martin Kosek on 2014-02-17 04:50:23 EST --- Right, I also wondered about this line in Comment 45. It really seems that max_memberlimit is lower than -1. Ludwig, can you attach with gdb to this process and see what really happens? I can lend you my VMs to be able to quickly debug and see what happens. --- Additional comment from Ludwig on 2014-02-17 07:12:42 EST --- Running with gdb shows that the values for max_memberlimit vary: (gdb) p aclpb->aclpb_max_member_sizelimit $4 = 5000 (gdb) p aclpb->aclpb_max_member_sizelimit $5 = 100 (gdb) p aclpb->aclpb_max_member_sizelimit $6 = 100 (gdb) p aclpb->aclpb_max_member_sizelimit $7 = -1442862096 when it is negative it is related to an extended operation: #0 acllas__user_ismember_of_group (aclpb=<optimized out="">, groupDN=groupDN@entry=0x7f7acf0d8a08 "cn=Manage host keytab,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", clientDN=<optimized out="">, cache_status=cache_status@entry=3, clientCert=<optimized out="">) at ldap/servers/plugins/acl/acllas.c:2152 #1 0x00007f7ac45cc2c2 in acllas_eval_one_group (groupbuf=groupbuf@entry=0x7f7acf0d8a08 "cn=Manage host keytab,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", lasinfo=0x7f7aa9ff57d0, lasinfo=0x7f7aa9ff57d0) at ldap/servers/plugins/acl/acllas.c:4438 #2 0x00007f7ac45d014c in DS_LASGroupDnEval (errp=<optimized out="">, attr_name=<optimized out="">, comparator=CMP_OP_EQ, attr_pattern=<optimized out="">, cachable=<optimized out="">, LAS_cookie=<optimized out="">, subject=0x7f7acedc82d0, resource=0x0, auth_info=0x0, global_auth=0x0) at ldap/servers/plugins/acl/acllas.c:920 #3 0x00007f7ac438f495 in ACLEvalAce (errp=errp@entry=0x0, acleval=acleval@entry=0x7f7acef03000, ace=0x7f7acf0141d0, cachable=cachable@entry=0x7f7aa9ff7978, autharray=0x0, global_auth=global_auth@entry=0x0) at lib/libaccess/oneeval.cpp:254 #4 0x00007f7ac438ff59 in ACL_INTEvalTestRights (errp=errp@entry=0x0, acleval=acleval@entry=0x7f7acef03000, rights=0x7f7aa9ffa5b8, rights@entry=0x7f7aa9ffa5b0, map_generic=map_generic@entry=0x7f7ac47e0ad0 <ds_map_generic>, deny_type=deny_type@entry=0x7f7aa9ffa598, deny_response=deny_response@entry=0x7f7aa9ffa5a0, acl_tag=acl_tag@entry=0x7f7aa9ffa5a8, expr_num=expr_num@entry=0x7f7aa9ffa594, cachable=cachable@entry=0x7f7aa9ffa500) at lib/libaccess/oneeval.cpp:782 #5 0x00007f7ac4390496 in ACL_EvalTestRights (errp=errp@entry=0x0, acleval=acleval@entry=0x7f7acef03000, rights=rights@entry=0x7f7aa9ffa5b0, map_generic=map_generic@entry=0x7f7ac47e0ad0 <ds_map_generic>, deny_type=deny_type@entry=0x7f7aa9ffa598, deny_response=deny_response@entry=0x7f7aa9ffa5a0, acl_tag=acl_tag@entry=0x7f7aa9ffa5a8, expr_num=expr_num@entry=0x7f7aa9ffa594) at lib/libaccess/oneeval.cpp:992 #6 0x00007f7ac45c1049 in acl__TestRights (aclpb=aclpb@entry=0x7f7acef10d30, access=access@entry=8, right=right@entry=0x7f7aa9ffa688, result_reason=result_reason@entry=0x7f7aa9ffa690, map_generic=0x7f7ac47e0ad0 <ds_map_generic>) at ldap/servers/plugins/acl/acl.c:3102 #7 0x00007f7ac45c3c91 in acl_access_allowed (pb=<optimized out="">, e=e@entry=0x7f7acf2e8210, attr=attr@entry=0x7f7ac1ee64c3 "krbPrincipalKey", val=<optimized out="">, access=access@entry=8) at ldap/servers/plugins/acl/acl.c:593 #8 0x00007f7ac45d5f27 in acl_access_allowed_main (pb=<optimized out="">, e=0x7f7acf2e8210, attrs=<optimized out="">, val=<optimized out="">, access=8, flags=<optimized out="">, errbuf=0x0) at ldap/servers/plugins/acl/aclplugin.c:383 #9 0x00007f7acd1a0bec in plugin_call_acl_plugin (pb=pb@entry=0x7f7acf2e82f0, e=e@entry=0x7f7acf2e8210, attrs=attrs@entry=0x7f7aa9ffa7c0, val=val@entry=0x0, access=access@entry=8, flags=flags@entry=0, errbuf=errbuf@entry=0x0) at ldap/servers/slapd/plugin_acl.c:90 #10 0x00007f7acd1a10d7 in slapi_access_allowed (pb=pb@entry=0x7f7acf2e82f0, e=e@entry=0x7f7acf2e8210, attr=attr@entry=0x7f7ac1ee64c3 "krbPrincipalKey", val=val@entry=0x0, access=access@entry=8) at ldap/servers/slapd/plugin_acl.c:237 #11 0x00007f7ac1ee144f in ipapwd_setkeytab (pb=pb@entry=0x7f7acf2e82f0, krbcfg=0x7f7acf2f4bc0) at ipa_pwd_extop.c:803 #12 0x00007f7ac1ee20d4 in ipapwd_extop (pb=0x7f7acf2e82f0) at ipa_pwd_extop.c:1188 #13 0x00007f7acd19cda2 in plugin_call_exop_plugins (pb=pb@entry=0x7f7acf2e82f0, oid=0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1") at ldap/servers/slapd/plugin.c:467 #14 0x00007f7acd6649b9 in do_extended (pb=0x7f7acf2e82f0) at ldap/servers/slapd/extendop.c:364 #15 0x00007f7acd65f2f3 in connection_dispatch_operation (pb=<optimized out="">, op=0x7f7acf2e85a0, conn=0x7f7ab8a917a8) at ldap/servers/slapd/connection.c:650 #16 connection_threadmain () at ldap/servers/slapd/connection.c:2372 #17 0x00007f7acb781740 in _pt_root (arg=0x7f7acf031f60) at ../../../nspr/pr/src/pthreads/ptthread.c:204 #18 0x00007f7acb122df3 in start_thread (arg=0x7f7aa9ffb700) at pthread_create.c:308 #19 0x00007f7acae5039d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 The value used for the memberlimit comes from the search_sizelimot in the operation, but the structur is in a union and overlayed by the actual extende op. (gdb) p *(((Slapi_PBlock *)0x7f7acf2e82f0)->pb_op) $8 = {o_ber = 0x7f7acf2e81b0, o_msgid = 4, o_tag = 119, o_time = 1392634681, o_interval = 0, o_isroot = 0, o_sdn = {flag = 10 '\n', udn = 0x7f7acf0a9530 "uid=builduser,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", dn = 0x7f7acf2f3a80 "uid=builduser,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", ndn = 0x0, ndn_len = 72}, o_authtype = 0x7f7aceeacb70 "SASL GSSAPI", o_ssf = 56, o_opid = 3, o_connid = 16, o_handler_data = 0x0, o_result_handler = 0x0, o_search_entry_handler = 0x0, o_search_referral_handler = 0x0, o_csngen_handler = 0x0, o_replica_attr_handler = 0x0, o_next = 0x0, o_status = 0, o_searchattrs = 0x0, o_flags = 960, o_extension = 0x7f7acf1e4910, o_target_spec = 0x0, o_abandoned_op = 0, o_params = { operation_type = 512, target_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x0}, csn = 0x0, request_controls = 0x0, p = {p_add = {target_entry = 0x7f7acf1c81a0, parentuniqueid = 0x7f7aa9ffabf0 "$\001"}, p_bind = {bind_method = -820215392, bind_creds = 0x7f7aa9ffabf0, bind_saslmechanism = 0x0, bind_ret_saslcreds = 0x0}, p_compare = {compare_ava = {ava_type = 0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1", ava_value = {bv_len = 140164814842864, bv_val = 0x0}, ava_private = 0x0}}, p_modify = {modify_mods = 0x7f7acf1c81a0}, p_modrdn = {modrdn_newrdn = 0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1", modrdn_deloldrdn = -1442862096, modrdn_newsuperior_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x0}, modrdn_mods = 0x0}, p_search = {search_scope = -820215392, search_deref = 32634, search_sizelimit = -1442862096, search_timelimit = 32634, search_filter = 0x0, search_strfilter = 0x0, search_attrs = 0x0, search_attrsonly = 0, search_is_and = 0, search_gerattrs = 0x0}, p_abandon = { abandon_targetmsgid = -820215392}, p_extended = {exop_oid = 0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1", exop_value = 0x7f7aa9ffabf0}}}, o_results = {operation_type = 0, opreturn = 0, result_controls = 0x0, result_code = 0, result_text = 0x0, result_matched = 0x0, r = {r_bind = {bind_ret_saslcreds = 0x0}, r_search = {search_result_set = 0x0, search_result_entry = 0x0, opaque_backend_ptr = 0x0, nentries = 0, search_referrals = 0x0, estimate = 0}, r_extended = {exop_ret_oid = 0x0, exop_ret_value = 0x0}}}, o_pagedresults_sizelimit = -1} so part of a pointer is interpreted as int. If the group search should be limited this limit has to be defined independently from the search limit

git push origin 389-ds-base-1.3.1
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.13 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
b45fb44..377266e 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

git push origin 389-ds-base-1.3.1
Enter passphrase for key '/home/lkrispen/.ssh/id_rsa_fedora':
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.13 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
b45fb44..377266e 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

git push origin 389-ds-base-1.3.1
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.13 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
b45fb44..377266e 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

Pushed to 389-ds-base-1.2.11:
2786adb..e0092e3 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit e0092e3

fix was not committed to 1.3.2

$git cherry-pick e5b83f5
[389-ds-base-1.3.2 3e5c14a] Ticket 47704 - invalid sizelimits in aci group evaluation
1 file changed, 6 insertions(+)

$ git push origin 389-ds-base-1.3.2
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.14 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
4cdd7fd..3e5c14a 389-ds-base-1.3.2 -> 389-ds-base-1.3.2

Metadata Update from @lkrispen:
- Issue set to the milestone: 1.3.2.18

2 years ago

Login to comment on this ticket.

Metadata