#47704 invalid sizelimits in aci group evaluation
Closed: wontfix None Opened 10 years ago by lkrispen.

aci group evaluation fails in some cases because a negative search size limit is applied


Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1065971 (''Red Hat Enterprise Linux 7'')

Info from bugzilla, not the full content was copied --- Additional comment from Ludwig on 2014-02-17 03:35:22 EST --- I think the core of the failure is [13/Feb/2014:07:24:23 -0500] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1) Evaluating groupd is limited to a specific number of members (for some reasons decided long,long ago) and it does a comparison: if (info.c_idx > max_memberlimit && max_memberlimit != -1 ) { slapi_log_error( SLAPI_LOG_ACL, plugin_name, "GroupEval:Looked at too many entries:(%d, %d)\n", info.c_idx, info.lu_idx); this means info.c_idx is 0 and greater max_memberlimit, which means max_meberlimit is < -1, which does not make sense. But max_memberlimit is derived from search_sizelimit, which is only correctly defined and set for search operations and we are in an add. So there could be problems of memory initialization, if it is 0 or gt 0 everything is fine, otherwise we get the failure. In my opinion there are two problems in DS: 1] the use of searchsizelinit to control the group evaluation 2] the use of a limit at all. If groups are used in acis then they should be evaluated independent of their size, it is the responsibility of the administrator --- Additional comment from Martin Kosek on 2014-02-17 04:50:23 EST --- Right, I also wondered about this line in Comment 45. It really seems that max_memberlimit is lower than -1. Ludwig, can you attach with gdb to this process and see what really happens? I can lend you my VMs to be able to quickly debug and see what happens. --- Additional comment from Ludwig on 2014-02-17 07:12:42 EST --- Running with gdb shows that the values for max_memberlimit vary: (gdb) p aclpb->aclpb_max_member_sizelimit $4 = 5000 (gdb) p aclpb->aclpb_max_member_sizelimit $5 = 100 (gdb) p aclpb->aclpb_max_member_sizelimit $6 = 100 (gdb) p aclpb->aclpb_max_member_sizelimit $7 = -1442862096 when it is negative it is related to an extended operation: #0 acllas__user_ismember_of_group (aclpb=<optimized out>, groupDN=groupDN@entry=0x7f7acf0d8a08 "cn=Manage host keytab,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", clientDN=<optimized out>, cache_status=cache_status@entry=3, clientCert=<optimized out>) at ldap/servers/plugins/acl/acllas.c:2152 #1 0x00007f7ac45cc2c2 in acllas_eval_one_group (groupbuf=groupbuf@entry=0x7f7acf0d8a08 "cn=Manage host keytab,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", lasinfo=0x7f7aa9ff57d0, lasinfo=0x7f7aa9ff57d0) at ldap/servers/plugins/acl/acllas.c:4438 #2 0x00007f7ac45d014c in DS_LASGroupDnEval (errp=<optimized out>, attr_name=<optimized out>, comparator=CMP_OP_EQ, attr_pattern=<optimized out>, cachable=<optimized out>, LAS_cookie=<optimized out>, subject=0x7f7acedc82d0, resource=0x0, auth_info=0x0, global_auth=0x0) at ldap/servers/plugins/acl/acllas.c:920 #3 0x00007f7ac438f495 in ACLEvalAce (errp=errp@entry=0x0, acleval=acleval@entry=0x7f7acef03000, ace=0x7f7acf0141d0, cachable=cachable@entry=0x7f7aa9ff7978, autharray=0x0, global_auth=global_auth@entry=0x0) at lib/libaccess/oneeval.cpp:254 #4 0x00007f7ac438ff59 in ACL_INTEvalTestRights (errp=errp@entry=0x0, acleval=acleval@entry=0x7f7acef03000, rights=0x7f7aa9ffa5b8, rights@entry=0x7f7aa9ffa5b0, map_generic=map_generic@entry=0x7f7ac47e0ad0 <ds_map_generic>, deny_type=deny_type@entry=0x7f7aa9ffa598, deny_response=deny_response@entry=0x7f7aa9ffa5a0, acl_tag=acl_tag@entry=0x7f7aa9ffa5a8, expr_num=expr_num@entry=0x7f7aa9ffa594, cachable=cachable@entry=0x7f7aa9ffa500) at lib/libaccess/oneeval.cpp:782 #5 0x00007f7ac4390496 in ACL_EvalTestRights (errp=errp@entry=0x0, acleval=acleval@entry=0x7f7acef03000, rights=rights@entry=0x7f7aa9ffa5b0, map_generic=map_generic@entry=0x7f7ac47e0ad0 <ds_map_generic>, deny_type=deny_type@entry=0x7f7aa9ffa598, deny_response=deny_response@entry=0x7f7aa9ffa5a0, acl_tag=acl_tag@entry=0x7f7aa9ffa5a8, expr_num=expr_num@entry=0x7f7aa9ffa594) at lib/libaccess/oneeval.cpp:992 #6 0x00007f7ac45c1049 in acl__TestRights (aclpb=aclpb@entry=0x7f7acef10d30, access=access@entry=8, right=right@entry=0x7f7aa9ffa688, result_reason=result_reason@entry=0x7f7aa9ffa690, map_generic=0x7f7ac47e0ad0 <ds_map_generic>) at ldap/servers/plugins/acl/acl.c:3102 #7 0x00007f7ac45c3c91 in acl_access_allowed (pb=<optimized out>, e=e@entry=0x7f7acf2e8210, attr=attr@entry=0x7f7ac1ee64c3 "krbPrincipalKey", val=<optimized out>, access=access@entry=8) at ldap/servers/plugins/acl/acl.c:593 #8 0x00007f7ac45d5f27 in acl_access_allowed_main (pb=<optimized out>, e=0x7f7acf2e8210, attrs=<optimized out>, val=<optimized out>, access=8, flags=<optimized out>, errbuf=0x0) at ldap/servers/plugins/acl/aclplugin.c:383 #9 0x00007f7acd1a0bec in plugin_call_acl_plugin (pb=pb@entry=0x7f7acf2e82f0, e=e@entry=0x7f7acf2e8210, attrs=attrs@entry=0x7f7aa9ffa7c0, val=val@entry=0x0, access=access@entry=8, flags=flags@entry=0, errbuf=errbuf@entry=0x0) at ldap/servers/slapd/plugin_acl.c:90 #10 0x00007f7acd1a10d7 in slapi_access_allowed (pb=pb@entry=0x7f7acf2e82f0, e=e@entry=0x7f7acf2e8210, attr=attr@entry=0x7f7ac1ee64c3 "krbPrincipalKey", val=val@entry=0x0, access=access@entry=8) at ldap/servers/slapd/plugin_acl.c:237 #11 0x00007f7ac1ee144f in ipapwd_setkeytab (pb=pb@entry=0x7f7acf2e82f0, krbcfg=0x7f7acf2f4bc0) at ipa_pwd_extop.c:803 #12 0x00007f7ac1ee20d4 in ipapwd_extop (pb=0x7f7acf2e82f0) at ipa_pwd_extop.c:1188 #13 0x00007f7acd19cda2 in plugin_call_exop_plugins (pb=pb@entry=0x7f7acf2e82f0, oid=0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1") at ldap/servers/slapd/plugin.c:467 #14 0x00007f7acd6649b9 in do_extended (pb=0x7f7acf2e82f0) at ldap/servers/slapd/extendop.c:364 #15 0x00007f7acd65f2f3 in connection_dispatch_operation (pb=<optimized out>, op=0x7f7acf2e85a0, conn=0x7f7ab8a917a8) at ldap/servers/slapd/connection.c:650 #16 connection_threadmain () at ldap/servers/slapd/connection.c:2372 #17 0x00007f7acb781740 in _pt_root (arg=0x7f7acf031f60) at ../../../nspr/pr/src/pthreads/ptthread.c:204 #18 0x00007f7acb122df3 in start_thread (arg=0x7f7aa9ffb700) at pthread_create.c:308 #19 0x00007f7acae5039d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 The value used for the memberlimit comes from the search_sizelimot in the operation, but the structur is in a union and overlayed by the actual extende op. (gdb) p *(((Slapi_PBlock *)0x7f7acf2e82f0)->pb_op) $8 = {o_ber = 0x7f7acf2e81b0, o_msgid = 4, o_tag = 119, o_time = 1392634681, o_interval = 0, o_isroot = 0, o_sdn = {flag = 10 '\n', udn = 0x7f7acf0a9530 "uid=builduser,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", dn = 0x7f7acf2f3a80 "uid=builduser,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", ndn = 0x0, ndn_len = 72}, o_authtype = 0x7f7aceeacb70 "SASL GSSAPI", o_ssf = 56, o_opid = 3, o_connid = 16, o_handler_data = 0x0, o_result_handler = 0x0, o_search_entry_handler = 0x0, o_search_referral_handler = 0x0, o_csngen_handler = 0x0, o_replica_attr_handler = 0x0, o_next = 0x0, o_status = 0, o_searchattrs = 0x0, o_flags = 960, o_extension = 0x7f7acf1e4910, o_target_spec = 0x0, o_abandoned_op = 0, o_params = { operation_type = 512, target_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x0}, csn = 0x0, request_controls = 0x0, p = {p_add = {target_entry = 0x7f7acf1c81a0, parentuniqueid = 0x7f7aa9ffabf0 "$\001"}, p_bind = {bind_method = -820215392, bind_creds = 0x7f7aa9ffabf0, bind_saslmechanism = 0x0, bind_ret_saslcreds = 0x0}, p_compare = {compare_ava = {ava_type = 0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1", ava_value = {bv_len = 140164814842864, bv_val = 0x0}, ava_private = 0x0}}, p_modify = {modify_mods = 0x7f7acf1c81a0}, p_modrdn = {modrdn_newrdn = 0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1", modrdn_deloldrdn = -1442862096, modrdn_newsuperior_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x0}, modrdn_mods = 0x0}, p_search = {search_scope = -820215392, search_deref = 32634, search_sizelimit = -1442862096, search_timelimit = 32634, search_filter = 0x0, search_strfilter = 0x0, search_attrs = 0x0, search_attrsonly = 0, search_is_and = 0, search_gerattrs = 0x0}, p_abandon = { abandon_targetmsgid = -820215392}, p_extended = {exop_oid = 0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1", exop_value = 0x7f7aa9ffabf0}}}, o_results = {operation_type = 0, opreturn = 0, result_controls = 0x0, result_code = 0, result_text = 0x0, result_matched = 0x0, r = {r_bind = {bind_ret_saslcreds = 0x0}, r_search = {search_result_set = 0x0, search_result_entry = 0x0, opaque_backend_ptr = 0x0, nentries = 0, search_referrals = 0x0, estimate = 0}, r_extended = {exop_ret_oid = 0x0, exop_ret_value = 0x0}}}, o_pagedresults_sizelimit = -1} so part of a pointer is interpreted as int. If the group search should be limited this limit has to be defined independently from the search limit

git push origin 389-ds-base-1.3.1
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.13 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
b45fb44..377266e 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

git push origin 389-ds-base-1.3.1
Enter passphrase for key '/home/lkrispen/.ssh/id_rsa_fedora':
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.13 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
b45fb44..377266e 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

git push origin 389-ds-base-1.3.1
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.13 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
b45fb44..377266e 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

Pushed to 389-ds-base-1.2.11:
2786adb..e0092e3 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit e0092e3

fix was not committed to 1.3.2

$git cherry-pick e5b83f5
[389-ds-base-1.3.2 3e5c14a] Ticket 47704 - invalid sizelimits in aci group evaluation
1 file changed, 6 insertions(+)

$ git push origin 389-ds-base-1.3.2
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.14 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
4cdd7fd..3e5c14a 389-ds-base-1.3.2 -> 389-ds-base-1.3.2

Metadata Update from @lkrispen:
- Issue set to the milestone: 1.3.2.18

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1039

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago

Login to comment on this ticket.

Metadata