Adding a filtered role that includes a filter similar to the one below will result in a segfault upon a subsequent search of the directory that requests the nsrole attribute from any entry.
'(!(nsrole=cn=This_Is_An_Empty_Managed_NsRoleDefinition,o=Intra,dc=mycorp,dc=com)'
Example:
[root@98efc6936cc6 ~]# time ldapsearch -x -LLL -h localhost -s sub -b dc=mycorp,dc=com -D"cn=directory manager" -wpassword uid=jfinn nsrole dn: uid=jfinn,ou=People,o=Intra,dc=mycorp,dc=com nsrole: cn=adm-approved-email,o=intra,dc=mycorp,dc=com nsrole: cn=adm-approved-mycorp,o=intra,dc=mycorp,dc=com nsrole: cn=arb-user,o=intra,dc=mycorp,dc=com nsrole: cn=ldap-adm-tools,o=intra,dc=mycorp,dc=com nsrole: cn=ldap-dsts,o=intra,dc=mycorp,dc=com nsrole: cn=myc-myc-assoc,o=intra,dc=mycorp,dc=com nsrole: cn=myc-myc-corp,o=intra,dc=mycorp,dc=com nsrole: cn=myc-sys-it,o=intra,dc=mycorp,dc=com nsrole: cn=sig-preview,o=intra,dc=mycorp,dc=com nsrole: cn=sys-has-email,o=intra,dc=mycorp,dc=com nsrole: cn=sys-has-mycorp,o=intra,dc=mycorp,dc=com nsrole: cn=unix-admins,o=intra,dc=mycorp,dc=com nsrole: cn=unix-solaris-admins,o=intra,dc=mycorp,dc=com nsrole: cn=vpn-remoteaccess,o=intra,dc=mycorp,dc=com
real 0m0.035s user 0m0.002s sys 0m0.003s
[root@98efc6936cc6 ~]# cat /tmp/filtered_role_that_includes_empty_role.ldif dn: cn=Filtered_Role_That_Includes_Empty_Role,o=Intra,dc=mycorp,dc=com nsRoleFilter: (|(!(nsrole=cn=This_Is_An_Empty_Managed_NsRoleDefinition,o=Intra,dc=mycorp,dc=com))) description: A filtered role with filter that will crash the server objectClass: top objectClass: ldapsubentry objectClass: nsroledefinition objectClass: nscomplexroledefinition objectClass: nsfilteredroledefinition cn: Filtered_Role_That_Includes_Empty_Role
[root@98efc6936cc6 ~]# ldapadd -x -h localhost -D"cn=directory manager" -wpassword -f /tmp/filtered_role_that_includes_empty_role.ldif adding new entry "cn=Filtered_Role_That_Includes_Empty_Role,o=Intra,dc=mycorp,dc=com"
[root@98efc6936cc6 ~]# time ldapsearch -x -LLL -h localhost -s sub -b dc=mycorp,dc=com -D"cn=directory manager" -wpassword uid=jfinn nsrole ldap_result: Can't contact LDAP server (-1)
real 0m12.590s user 0m13.091s sys 0m0.184s
This has been tested on versions ranging from 1.2.11.32 up to 1.3.5.10
When the problematic role is written to a master that isn't immediately queried, it has the ability to replicate to all other servers and result in a wide-spread outage.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1419162
I have created a Docker container that can be used to easily demo & reproduce the bug.
https://github.com/jamespfinn/389Bug49122
Metadata Update from @jamespfinn: - Issue set to the milestone: 1.2.11.33
Metadata Update from @mreynolds: - Issue assigned to mreynolds
@jamespfinn Are you successfully using other filtered roles that use nsrole in the filter?
The problem is that since nsrole is in the filter its causing a stack overflow as it keeps re-evaluating nsrole over and over and over.
Metadata Update from @mreynolds: - Custom field component reset - Issue close_status updated to: None
Turns out virtual attributes (like COS attributes) are supposed to be ignored in role filters. This includes nsrole as it is a virtual attribute as well.
The fix is to ignore filters that use nsrole, and log a message to the errors log
<img alt="0001-Issue-49122-Filtered-nsrole-that-uses-nsrole-crashes.patch" src="/389-ds-base/issue/raw/files/7c7228186b8171c9a2bfb3fa84a31483fed7bfa2401c52be3c7c88a444e589a7-0001-Issue-49122-Filtered-nsrole-that-uses-nsrole-crashes.patch" />
Metadata Update from @mreynolds: - Custom field reviewstatus adjusted to review
CI Test
<img alt="0001-Issue-49122-add-ci-test.patch" src="/389-ds-base/issue/raw/files/12ca60e5d0ba7c0ea02133c22540f628aa0f777c0f209c444e404b7237a2865e-0001-Issue-49122-add-ci-test.patch" />
Looks good to me.
Just wondering this change (replacing a tab with white spaces) does not break the indentation? ;)
56 static int roles_cache_create_object_from_entry(Slapi_Entry role_entry, role_object result, int hint) 57 { 58 -» int rc = 0; 59 -» int type = 0; 60 -» role_object this_role = NULL; 61 - char rolescopeDN = NULL; 62 + int rc = 0; 63 + int type = 0; 64 + role_object this_role = NULL; 65 + char *rolescopeDN = NULL; 66 67 » slapi_log_err(SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM,
Metadata Update from @nhosoi: - Custom field reviewstatus adjusted to ack (was: review)
Actually I started fixing indentation then realized the entire function is completely mismatched. So I stopped . So yes there are still existing mismatches. I'll fix the entire function for the final push.
c46822a..a95889d master -> master
8fcda3d..d589950 389-ds-base-1.3.5 -> 389-ds-base-1.3.5
56a24df..75cde2c 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
960ad68..a96eee0 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
Metadata Update from @mreynolds: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Bytecompiling .py files below /builddir/build/BUILDROOT/389-ds-base-1.3.6.1-20170301gitb2c6545.fc25.x86_64/usr/lib/python3.5 using /usr/bin/python3.5 *** Error compiling '/builddir/build/BUILDROOT/389-ds-base-1.3.6.1-20170301gitb2c6545.fc25.x86_64/usr/lib/python3.5/site-packages/dirsrvtests/tests/tickets/ticket49122_test.py'... File "/usr/lib/python3.5/ticket49122_test.py", line 55 print "Attach gdb" ^ SyntaxError: Missing parentheses in call to 'print'
<img alt="0001-Issue-49122-Fix-rpm-build.patch" src="/389-ds-base/issue/raw/files/07e70f3f62cb8eb08186b7538aec5be6e6b465121cd03d46c7d3a3b16730e29b-0001-Issue-49122-Fix-rpm-build.patch" />
Metadata Update from @vashirov: - Custom field reviewstatus adjusted to review (was: ack) - Issue status updated to: Open (was: Closed)
ack
Metadata Update from @mreynolds: - Custom field reviewstatus adjusted to ack (was: review)
commit 15ddba9 To ssh://pagure.io/389-ds-base.git b2c6545..15ddba9 master -> master
Metadata Update from @vashirov: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2181
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)
Login to comment on this ticket.