Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1553594
Description of problem:
ldappasswd causes the IPA embedded Directory server to SIGSEGV when changing a sysaccount user's password. The issue doesn't happen if it was done via ldapmodify.

Version-Release number of selected component (if applicable):
I have managed to reproduce the issue on two different versions of IPA:

Customer's version:
    ipa-server-4.4.0-12.el7.x86_64
    389-ds-base-libs-1.3.5.10-21.el7_3.x86_64

My test env:
    ipa-server-4.5.0-22.el7_4.x86_64
    389-ds-base-1.3.6.1-24.el7_4.x86_64

How reproducible:
The issue can be easily reproduced.

Steps to Reproduce:

1. Create a test sysaccount user:

    # ldapsearch -x -H ldaps://dell-per510-3.linux.testrealm.local -D "cn=Directory manager" -W -b "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local"
    # extended LDIF
    #
    # LDAPv3
    # base <uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # xxxxx, sysaccounts, etc, linux.testrealm.local
    dn: uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
    uid: bnpsasle
    objectClass: inetUser
    objectClass: simpleSecurityObject
    objectClass: account
    objectClass: top
    memberOf: cn=System: Change User password,cn=permissions,cn=pbac,cn=etc,dc=lin
     ux,dc=testrealm,dc=local
    userPassword:: e1NTSEF9ZG5lUkdXV3JTeTc2ODJncHdNNGg5NzhQVmZ1cG5Uc1pBaEoyNGc9PQ=
     =

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

2. Attempt to change the user's password as herself/himself via ldapmodify:

    # ldapmodify -h dell-per510-3.linux.testrealm.local -p 389 -D "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" -W << EOF
    dn: uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
    changetype: modify
    replace: userpassword
    userpassword: @\g/G8U;
    EOF

3. "ps -ef |grep ns-slapd" shows that ns-slapd is still listening.

4. Change the "uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" user's password back to "password" as "cn=Directory manager":

    # ldapmodify -D "cn=Directory manager" -W << EOF
    dn: uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
    changetype: modify
    replace: userpassword
    userpassword: password
    EOF

5. Verify that ns-slapd is still listening.

6. Attempt to change the user's password with ldappasswd:

    # ldappasswd -H ldaps://dell-per510-3.linux.testrealm.local -D "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" -W -a password -s "@\g/G8U;" "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local"
    Enter LDAP Password:
    ldap_result: Can't contact LDAP server (-1)

Corresponding /var/log/messages:

    Mar 8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]: dirsrv@LINUX-TESTREALM-LOCAL.service: main process exited, code=killed, status=11/SEGV
    Mar 8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]: Unit dirsrv@LINUX-TESTREALM-LOCAL.service entered failed state.
    Mar 8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]: dirsrv@LINUX-TESTREALM-LOCAL.service failed.

stacktrace

    #0 __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
    #1 0x00007f697dfcdcb1 in ipapwd_set_extradata (dn=0x7f68fc000f50 "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local", principal=0x0, unixtime=1520548630) at common.c:966
    #2 0x00007f697dfd4c7c in ipapwd_chpwop (krbcfg=0x7f68fc004dd0, pb=0x7f695aff4a90) at ipa_pwd_extop.c:589
    #3 ipapwd_extop (pb=0x7f695aff4a90) at ipa_pwd_extop.c:1761
    #4 0x00007f698bcd2ed4 in do_extended (pb=pb@entry=0x7f695aff4a90) at ldap/servers/slapd/extendop.c:354
    #5 0x00007f698bccbada in connection_dispatch_operation (pb=0x7f695aff4a90, op=0x7f698cb0f710, conn=0x7f69740be710) at ldap/servers/slapd/connection.c:680
    #6 connection_threadmain () at ldap/servers/slapd/connection.c:1759
    #7 0x00007f69899c19bb in _pt_root (arg=0x7f698ca59260) at ../../../nspr/pr/src/pthreads/ptthread.c:216
    #8 0x00007f6989361dc5 in start_thread (arg=0x7f695aff5700) at pthread_create.c:308
    #9 0x00007f698909073d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Actual results:
ldappasswd causes the IPA embedded Directory server to SIGSEGV

Expected results:
ldappasswd should not cause the IPA embedded Directory server to SIGSEGV

Additional info:
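Frames #0 and #1 of the trace above show strlen() faulting on principal=0x0, which is what a sysaccount entry without a Kerberos principal supplies. The following C sketch is an added example, not FreeIPA's code: the function names, the status enum, the record layout and the sample principal are assumptions, and it shows the unguarded call beside a guarded one that skips the extradata step when no principal exists.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Assumed layout: 2-byte type id, 4-byte LE timestamp, principal, NUL. */
#define XD_HDR_LEN 6
enum xd_status { XD_OK = 0, XD_SKIPPED = 1, XD_ERROR = -1 };

static unsigned char *encode_extradata(const char *principal, size_t p_len,
                                       time_t unixtime, size_t *len)
{
    unsigned char *xd = malloc(XD_HDR_LEN + p_len + 1);
    if (xd == NULL) return NULL;
    xd[0] = 0x00; xd[1] = 0x02;            /* data type id (assumed) */
    for (int i = 0; i < 4; i++)            /* little-endian timestamp */
        xd[2 + i] = (unsigned char)(((unsigned long)unixtime >> (8 * i)) & 0xff);
    memcpy(xd + XD_HDR_LEN, principal, p_len);
    xd[XD_HDR_LEN + p_len] = '\0';
    *len = XD_HDR_LEN + p_len + 1;
    return xd;
}

/* Unguarded: strlen(NULL) faults here, matching frames #0/#1 of the trace. */
unsigned char *extradata_unguarded(const char *principal, time_t t, size_t *len)
{
    return encode_extradata(principal, strlen(principal), t, len);
}

/* Guarded: an entry with no principal has no Kerberos extradata to set. */
enum xd_status extradata_guarded(const char *principal, time_t t,
                                 unsigned char **out, size_t *len)
{
    *out = NULL; *len = 0;
    if (principal == NULL || *principal == '\0') return XD_SKIPPED;
    *out = encode_extradata(principal, strlen(principal), t, len);
    return *out ? XD_OK : XD_ERROR;
}

int main(void)
{
    unsigned char *xd; size_t len;
    /* Constructed inputs: timestamp from the trace, made-up principal. */
    int s = extradata_guarded(NULL, 1520548630, &xd, &len);
    printf("no principal: status=%d len=%zu\n", s, len);
    s = extradata_guarded("user@EXAMPLE.TEST", 1520548630, &xd, &len);
    printf("with principal: status=%d len=%zu\n", s, len);
    free(xd);
    return 0;
}
```

The password change itself can still succeed for the principal-less entry; only the Kerberos bookkeeping step is skipped.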
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1553594
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue priority set to: critical - Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.7 backlog)
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.7)
https://github.com/freeipa/freeipa/pull/1956
master:
Needs manual backport:
Aplying to ipa-4-5: Don't try to set Kerberos extradata when there is no principal
Aplying to ipa-4-5: Rename test class for testing simple commands, add test
Failed to apply patches onto origin/ipa-4-5. Manual backport is needed.
Cleaning up
Aplying to ipa-4-6: Don't try to set Kerberos extradata when there is no principal
Aplying to ipa-4-6: Rename test class for testing simple commands, add test
Failed to apply patches onto origin/ipa-4-6. Manual backport is needed.
ipa-4-5:
ipa-4-6:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
PR https://github.com/freeipa/freeipa/pull/2082 to backport test to ipa-4-6 branch.
Metadata Update from @rcritten: - Issue status updated to: Open (was: Closed)
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)