Bug#412977: slapd segfaults with certain ACL's

2008-08-28 Thread Harry Jede
tags 412977

Hi Henry,
hi Steve

> I test the latest egroupware trunk on Etch. When I apply the suggested
> acl_addressbook.conf to slapd.conf slapd segfaults (as do slapadd and
> possibly other slapd-tools)

> $ slapd -g openldap -u openldap  -d 16383
[...]
> line 21 (access to
> dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
> attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson by
> dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" write by users none)
> Segmentation fault
[...]
> My slapd.conf:

> allow bind_v2

> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/rfc2307bis.schema
> include /etc/ldap/schema/inetorgperson.schema

> pidfile /var/run/slapd/slapd.pid
[...]

> IMHO slapd shouldn't crash like this, no matter how ill-configured
> the ACL's may be.

Yes, that is the normal case. But you are referencing the objectclasses 
@mozillaAbPersonAlpha and @evolutionPerson in your ACL and you have not 
loaded them via an include statement.

So this is not a software bug, it is the fault of the user.


This bug should be closed.


-- 

Regards
Harry Jede



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
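The cause Harry points to (an `@objectClass` in an ACL `attrs=` list whose schema was never included) can be caught before slapd reads the configuration at all. The checker below is an added example written for this page; it is not part of the bug report and not OpenLDAP's own code. It walks a slapd.conf and its `include` files in the order slapd reads them, records every objectclass `NAME` declared so far, and flags `@name` / `!name` references in `access` rules that are not loaded at that point. The file contents are constructed in-memory stand-ins (trimmed schema stubs, not the real core.schema), with paths and the ACL taken from the report.

```python
import re

# Constructed stand-ins for the files on disk: path -> contents.
# The schema stubs carry only the objectclass NAMEs the checker needs.
FILES = {
    "/etc/ldap/schema/core.schema": """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
        MUST ( sn $ cn ) )
""",
    "/etc/ldap/schema/inetorgperson.schema": """
objectclass ( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPerson'
    SUP organizationalPerson
    STRUCTURAL
    MAY ( audio $ mail ) )
""",
    "/etc/ldap/acl_addressbook.conf": """
# ... and the entries CHILDREN
access to
        dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
        attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
        by dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" write
        by users none
""",
    "/etc/ldap/slapd.conf": """
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/inetorgperson.schema

access to attrs=userPassword,shadowLastChange
        by self write
        by * none

include /etc/ldap/acl_addressbook.conf
""",
}


def logical_lines(text):
    """Split slapd.conf-style text into logical lines: blank lines and
    '#' comments are dropped, and a line starting with whitespace is a
    continuation of the previous one (the rule slapd itself applies)."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


# NAME 'x'  or  NAME ( 'x' 'y' ) inside an objectclass definition
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(((?:\s*'[^']+')+)\s*\))", re.IGNORECASE)
ATTRS_RE = re.compile(r"\battrs=(\S+)")


def objectclass_names(line):
    """Names declared by one 'objectclass ( ... )' logical line."""
    m = NAME_RE.search(line)
    if not m:
        return []
    if m.group(1):
        return [m.group(1)]
    return re.findall(r"'([^']+)'", m.group(2))


def acl_objectclass_refs(line):
    """Objectclass names an 'access to ... attrs=...' line refers to via
    @name (all attributes of the class) or !name (all except)."""
    m = ATTRS_RE.search(line)
    if not m:
        return []
    return [tok[1:] for tok in m.group(1).split(",") if tok[:1] in ("@", "!")]


def check_config(path, files, loaded=None, findings=None):
    """Walk a slapd.conf and its includes in slapd's reading order and
    report ACL objectclass references that are not loaded at that point.
    Returns a list of (file, message) tuples."""
    loaded = set() if loaded is None else loaded
    findings = [] if findings is None else findings
    for line in logical_lines(files[path]):
        parts = line.split(None, 1)
        directive, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if directive == "include":
            inc = rest.strip().strip('"')
            if inc in files:
                check_config(inc, files, loaded, findings)
            else:
                findings.append((path, "missing include: " + inc))
        elif directive == "objectclass":
            loaded.update(n.lower() for n in objectclass_names(line))
        elif directive == "access":
            for ref in acl_objectclass_refs(line):
                if ref.lower() not in loaded:
                    findings.append((path, "ACL references unloaded objectclass: " + ref))
    return findings


def unknown_objectclasses(files, root="/etc/ldap/slapd.conf"):
    """Sorted names of objectclasses referenced in ACLs but never loaded."""
    prefix = "ACL references unloaded objectclass: "
    return sorted(m[len(prefix):] for _, m in check_config(root, files) if m.startswith(prefix))


if __name__ == "__main__":
    for where, msg in check_config("/etc/ldap/slapd.conf", FILES):
        print(f"{where}: {msg}")
```

Run against the constructed files it reports `mozillaAbPersonAlpha` and `evolutionPerson` in acl_addressbook.conf while `inetOrgPerson` passes, which is exactly the gap in the reporter's include list. Because the walk is ordered, a schema included after the access rule is also flagged: slapd resolves the class name while parsing the directive (the crash happens at config line 21, not at runtime), so such a schema is as good as missing.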



Bug#412977: slapd segfaults with certain ACL's

2007-03-01 Thread Henry Jensen
Package: slapd
Version: 2.3.30-4
Severity: important

I test the latest egroupware trunk on Etch. When I apply the suggested
acl_addressbook.conf to slapd.conf slapd segfaults (as do slapadd and possibly
other slapd-tools)

$ slapd -g openldap -u openldap  -d 16383
[...]

line 21 (access to 
dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$" 
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson by 
dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" write by users none)
Segmentation fault

I use Etch with linux-image-2.6.18-3-686   2.6.18-7 and libc6 2.3.6.ds1-11.

IMHO slapd shouldn't crash like this, no matter how ill-configured the ACL's
may be.

My slapd.conf:

allow bind_v2

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/inetorgperson.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0

modulepath  /usr/lib/ldap
moduleload  back_bdb

sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30

database bdb
suffix  "dc=iww-test,dc=local"
rootdn  "cn=admin,dc=iww-test,dc=local"
rootpw {MD5}verysecrethash
directory   "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
password-hash {MD5}

index default eq
index objectClass eq
index uidNumber pres,eq
lastmod on

access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=iww-test,dc=local" write
by anonymous auth
by self write
by * none

include /etc/ldap/acl_addressbook.conf

access to dn.base="" by * read

access to *
by dn="cn=admin,dc=iww-test,dc=local" write
by * read



The content of acl_addressbook.conf is:

# Access to users personal addressbooks

# allow read of addressbook by owner and egwadmin account
access to 
dn.regex="^cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=entry
by dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" read
by dn.regex="cn=egwadmin,o=$2,dc=iww-test,dc=local" write
by users none

# allow user to create entries in own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to 
dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=children
by dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" write
by users none

# ... and the entries CHILDREN
access to 
dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
by dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" write
by users none

# Access to groups addressbooks

# allow read of addressbook by members and egwadmin account
access to 
dn.regex="^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=entry
by group.expand="cn=$1,ou=groups,o=$2,dc=iww-test,dc=local" read
by dn.regex="cn=egwadmin,o=$2,dc=iww-test,dc=local" write
by users none

# allow members to create entries in their group addressbooks; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to 
dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=children
by group.expand="cn=$1,ou=groups,o=$2,dc=iww-test,dc=local" write
by users none

# ... and the entries CHILDREN
access to 
dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
by group.expand="cn=$1,ou=groups,o=$2,dc=iww-test,dc=local" write
by users none


