I needed to enable authentication on the LDAP server via the mail attribute.
I used the rwm overlay, with the following as documentation:
* http://www.openldap.org/doc/admin24/overlays.html#Rewrite/Remap
* http://www.openldap.org/lists/openldap-software/200707/msg00487.html
* http://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release
I run the current version of OpenLDAP:
dpkg -l | grep openldap
ii openldap-ltb 2.4.39-1 amd64 OpenLDAP server with addons from the LDAP Tool Box project
ii openldap-ltb-check-password 2.4.39-1 amd64 check_password module for password policy
ii openldap-ltb-contrib-overlays 2.4.39-1 amd64 Overlays contributed to OpenLDAP
My configuration snippet is shown below:
...
backend hdb
moduleload rwm
overlay rwm
rwm-rewriteEngine on
rwm-rewriteMap ldap attr2dn "ldaps:///dc=gov,dc=br?dn?sub?"
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
database hdb
...
Everything worked fine, but sometimes a "slapd segfault" occurred with no apparent cause.
A log analysis allowed us to identify that the query that caused the "crash" was the filter containing "**", as follows:
"(mail=*name**surname*)(mailAlternateAddress=*name**surname*)"
I redid several searches and it really does "crash" in some situations:
Normal
=======
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas*peixoto)" mail
dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br
mail: [email protected]
Normal
=======
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(uid=jarbas**peixoto)" mail
ldap_search_ext: Bad search filter (-7)
Normal
=======
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas*[email protected])" mail
dn: uid=jarbas.peixoto,ou=URMS,ou=SUAT,ou=DRD,ou=DATAPREV,dc=gov,dc=br
mail: [email protected]
Normal
=======
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas**[email protected])" mail
ldap_search_ext: Bad search filter (-7)
Segfault - Note that there is a space between the two asterisks ("* *")
=======================================================================
ldapsearch -xLLL -H ldaps://www-linuxprev -b dc=gov,dc=br "(mail=jarbas* *[email protected])" mail
Additional information: massaged filter parse error
The excerpts from server logs are:
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 ACCEPT from IP=10.82.0.22:46996 (IP=0.0.0.0:636)
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 fd=19 TLS established tls_ssf=128 ssf=128
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 BIND dn="" method=128
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=0 RESULT tag=97 err=0 text=
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH base="dc=gov,dc=br" scope=2 deref=0 filter="(mail=jarbas**[email protected])"
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH attr=mail
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Feb 12 09:49:18 linuxprev kernel: [19683068.279488] slapd[27112] general protection ip:7f9c3520cac9 sp:7f9bc9eb2960 error:0 in libc-2.13.so[7f9c35191000+182000]
To work around this error I added the lines:
# Remove the '**' from the 'mail=**' search, avoiding the segfault
rwm-rewriteContext searchFilter
rwm-rewriteRule "(.*)(\\* ?\\*)(.*)" "$1*$3" "@I"
This problem also occurs in other versions of slapd native to Debian and Ubuntu.
Without the rwm overlay this bug does not occur. Can anyone confirm whether it
is really a bug in the "rwm overlay"?
Regards,
Jarbas
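
An added example, not part of the original post: a log check that pairs each search rejected with "massaged filter parse error" with a slapd general-protection fault logged shortly afterwards, as in the excerpt above. The sample log is constructed from that excerpt; the example.org filter values, the function names and the 5-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the slapd/kernel syslog lines in the post above.
SAMPLE_LOG = """\
Feb 12 09:49:17 linuxprev slapd[27108]: conn=1003 op=1 SRCH base="dc=gov,dc=br" scope=2 deref=0 filter="(uid=name*surname)"
Feb 12 09:49:17 linuxprev slapd[27108]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SRCH base="dc=gov,dc=br" scope=2 deref=0 filter="(mail=name**surname@example.org)"
Feb 12 09:49:18 linuxprev slapd[27108]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Feb 12 09:49:18 linuxprev kernel: [19683068.279488] slapd[27112] general protection ip:7f9c3520cac9 sp:7f9bc9eb2960 error:0 in libc-2.13.so[7f9c35191000+182000]
"""

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="(.*)"$')
RESULT = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT .*text=(.*)$")
CRASH = re.compile(r"kernel: .*slapd\[\d+\]:? general protection")
DOUBLE_STAR = re.compile(r"\* ?\*")  # same pattern the workaround rule rewrites


def stamp(line):
    # Syslog timestamps carry no year; a fixed one is enough to compare lines in one file.
    return datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S")


def find_suspect_searches(log_text, window_seconds=5):
    """Return one dict per search that failed in the rwm filter massage step,
    noting whether a slapd general-protection fault followed within the window."""
    filters, suspects = {}, []
    for line in log_text.splitlines():
        if m := SRCH.search(line):
            filters[(m[1], m[2])] = m[3]  # remember the filter per conn/op
        elif (m := RESULT.search(line)) and "massaged filter parse error" in m[3]:
            flt = filters.get((m[1], m[2]), "")
            suspects.append({"conn": int(m[1]), "op": int(m[2]), "filter": flt,
                             "double_star": bool(DOUBLE_STAR.search(flt)),
                             "time": stamp(line), "crash_followed": False})
        elif CRASH.search(line):
            for s in suspects:
                if 0 <= (stamp(line) - s["time"]).total_seconds() <= window_seconds:
                    s["crash_followed"] = True
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_searches(SAMPLE_LOG):
        print(hit)
```
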