#7561 ldappasswd cause the IPA embedded Directory server to SIGSEGV
Closed: fixed a year ago Opened 2 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1553594

Description of problem:
ldappasswd cause the IPA embedded Directory server to SIGSEGV when changing a
sysaccount user's password. The issue doesn't happen if it was done via
ldapmodify.


Version-Release number of selected component (if applicable):
I have managed to reproduce the issue on two different versions of IPA:
Customer's version:
ipa-server-4.4.0-12.el7.x86_64
389-ds-base-libs-1.3.5.10-21.el7_3.x86_64


My test env:
ipa-server-4.5.0-22.el7_4.x86_64
389-ds-base-1.3.6.1-24.el7_4.x86_64


How reproducible:
The issue can be easily reproduced.


Steps to Reproduce:
1. Create a test sysaccount user:
# ldapsearch -x -H ldaps://dell-per510-3.linux.testrealm.local -D "cn=Directory
manager" -W -b "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local"
# extended LDIF
#
# LDAPv3
# base <uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local> with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# xxxxx, sysaccounts, etc, linux.testrealm.local
dn: uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
uid: bnpsasle
objectClass: inetUser
objectClass: simpleSecurityObject
objectClass: account
objectClass: top
memberOf: cn=System: Change User password,cn=permissions,cn=pbac,cn=etc,dc=lin
 ux,dc=testrealm,dc=local
userPassword:: e1NTSEF9ZG5lUkdXV3JTeTc2ODJncHdNNGg5NzhQVmZ1cG5Uc1pBaEoyNGc9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

2. Attempt to change the user's password as herself/himself via ldapmodify
# ldapmodify -h dell-per510-3.linux.testrealm.local -p 389 -D
"uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" -W << EOF
dn: uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
changetype: modify
replace: userpassword
userpassword: @\g/G8U;
EOF

3. "ps -ef |grep ns-slapd" shows that ns-slapd is still listening.

4. Change the
""uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" user's
password back to "password" as "cn=Directory manager":
# ldapmodify -D "cn=Directory manager" -W << EOF
dn: uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
changetype: modify
replace: userpassword
userpassword: password
EOF

5. Verify that ns-slapd is still listening.

6. Attempt to change the user's password with ldappasswd:
# ldappasswd -H ldaps://dell-per510-3.linux.testrealm.local -D
"uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" -W -a password
-s "@\g/G8U;" "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local"
Enter LDAP Password:
ldap_result: Can't contact LDAP server (-1)


Corresponding /var/log/messages:
Mar  8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]:
dirsrv@LINUX-TESTREALM-LOCAL.service: main process exited, code=killed,
status=11/SEGV
Mar  8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]: Unit
dirsrv@LINUX-TESTREALM-LOCAL.service entered failed state.
Mar  8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]:
dirsrv@LINUX-TESTREALM-LOCAL.service failed.


stacktrace
#0  __strlen_sse2_pminub () at
../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
#1  0x00007f697dfcdcb1 in ipapwd_set_extradata (dn=0x7f68fc000f50
"uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local",
principal=0x0, unixtime=1520548630)
    at common.c:966
#2  0x00007f697dfd4c7c in ipapwd_chpwop (krbcfg=0x7f68fc004dd0,
pb=0x7f695aff4a90) at ipa_pwd_extop.c:589
#3  ipapwd_extop (pb=0x7f695aff4a90) at ipa_pwd_extop.c:1761
#4  0x00007f698bcd2ed4 in do_extended (pb=pb@entry=0x7f695aff4a90) at
ldap/servers/slapd/extendop.c:354
#5  0x00007f698bccbada in connection_dispatch_operation (pb=0x7f695aff4a90,
op=0x7f698cb0f710, conn=0x7f69740be710) at ldap/servers/slapd/connection.c:680
#6  connection_threadmain () at ldap/servers/slapd/connection.c:1759
#7  0x00007f69899c19bb in _pt_root (arg=0x7f698ca59260) at
../../../nspr/pr/src/pthreads/ptthread.c:216
#8  0x00007f6989361dc5 in start_thread (arg=0x7f695aff5700) at
pthread_create.c:308
#9  0x00007f698909073d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:113


Actual results:
ldappasswd cause the IPA embedded Directory server to SIGSEGV

Expected results:
ldappasswd  should not cause the IPA embedded Directory server to SIGSEGV

Additional info:

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1553594

2 years ago

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.7 backlog)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.7)

2 years ago

master:

  • 45d776a Don't try to set Kerberos extradata when there is no principal
  • 7c5ecb8 Rename test class for testing simple commands, add test

Needs manual backport:

Aplying to ipa-4-5: Don't try to set Kerberos extradata when there is no principal
Aplying to ipa-4-5: Rename test class for testing simple commands, add test
Failed to apply patches onto origin/ipa-4-5. Manual backport is needed.
Cleaning up
Aplying to ipa-4-6: Don't try to set Kerberos extradata when there is no principal
Aplying to ipa-4-6: Rename test class for testing simple commands, add test
Failed to apply patches onto origin/ipa-4-6. Manual backport is needed.

ipa-4-5:

  • 4065b99 Don't try to set Kerberos extradata when there is no principal

ipa-4-6:

  • 92595cc Don't try to set Kerberos extradata when there is no principal

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @rcritten:
- Issue status updated to: Open (was: Closed)

a year ago

ipa-4-6:

  • 6652eb0 Rename test class for testing simple commands, add test

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Login to comment on this ticket.

Metadata