[Pkg-openldap-devel] Bug#412977: slapd segfaults with certain ACL's
Henry Jensen
hjensen at gmx.de
Thu Mar 1 13:45:45 CET 2007
Package: slapd
Version: 2.3.30-4
Severity: important
I am testing the latest egroupware trunk on Etch. When I apply the suggested acl_addressbook.conf
to slapd.conf, slapd segfaults (as do slapadd and possibly other slapd tools).
$ slapd -g openldap -u openldap -d 16383
[...]
line 21 (access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson by dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" write by users none)
Segmentation fault
I use Etch with linux-image-2.6.18-3-686 2.6.18-7 and libc6 2.3.6.ds1-11.
IMHO slapd shouldn't crash like this, no matter how ill-configured the ACLs may be.
My slapd.conf:
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database bdb
suffix "dc=iww-test,dc=local"
rootdn "cn=admin,dc=iww-test,dc=local"
rootpw {MD5}verysecrethash
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
password-hash {MD5}
index default eq
index objectClass eq
index uidNumber pres,eq
lastmod on
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=iww-test,dc=local" write
by anonymous auth
by self write
by * none
include /etc/ldap/acl_addressbook.conf
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=iww-test,dc=local" write
by * read
The content of acl_addressbook.conf is:
# Access to users' personal addressbooks
# allow read of addressbook by owner and egwadmin account
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=entry
by dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" read
by dn.regex="cn=egwadmin,o=$2,dc=iww-test,dc=local" write
by users none
# allow user to create entries in own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=children
by dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" write
by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
by dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" write
by users none
# Access to groups addressbooks
# allow read of addressbook by members and egwadmin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=entry
by group.expand="cn=$1,ou=groups,o=$2,dc=iww-test,dc=local" read
by dn.regex="cn=egwadmin,o=$2,dc=iww-test,dc=local" write
by users none
# allow members to create entries in their group addressbooks; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=children
by group.expand="cn=$1,ou=groups,o=$2,dc=iww-test,dc=local" write
by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
by group.expand="cn=$1,ou=groups,o=$2,dc=iww-test,dc=local" write
by users none
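To see what an ACL set like this actually grants before loading it into slapd, here is an added Python model (not code from the report, egroupware or OpenLDAP) that parses `access to` directives in the syntax above and replays slapd's first-match evaluation for a given bind DN, target DN and attribute. The ACL text is constructed from the report's first two personal-addressbook directives; `group.expand` clauses need directory data and are skipped, and `users` is taken to mean any non-empty bind DN.

```python
import re

# Constructed sample: the two personal-addressbook ACLs from the report.
ACL_TEXT = """
# allow read of addressbook by owner and egwadmin account
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
    attrs=entry
    by dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" read
    by dn.regex="cn=egwadmin,o=$2,dc=iww-test,dc=local" write
    by users none
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=iww-test,dc=local$"
    attrs=children
    by dn.regex="uid=$1,ou=accounts,o=$2,dc=iww-test,dc=local" write
    by users none
"""

BY_RE = re.compile(r'by (dn\.regex|group\.expand|users|anonymous|self|\*)(?:="([^"]+)")? (\w+)$')

def parse_acls(text):
    """Turn 'access to' directives (plus their continuation lines) into dicts."""
    acls, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('#'):
            continue
        if line.startswith('access to '):
            cur = {'target': re.search(r'dn\.regex="([^"]+)"', line).group(1),
                   'attrs': set(), 'by': []}
            acls.append(cur)
        m = re.search(r'attrs=(\S+)', line)
        if m and cur:
            cur['attrs'].update(m.group(1).split(','))   # entry, children, @objectClass, ...
        m = BY_RE.match(line)
        if m and cur:
            cur['by'].append(m.groups())                  # (kind, pattern-or-None, level)
    return acls

def evaluate(acls, requester_dn, target_dn, attr):
    """slapd order: the first 'access to' whose target regex and attrs match is
    selected; inside it the first matching 'by' wins; otherwise 'none'.
    Assumptions: regexes are unanchored unless they carry ^/$ (re.search, like
    regexec); $N is replaced by the literal capture text; 'users' means any
    non-empty bind DN; group.expand is not evaluated (needs directory data)."""
    for acl in acls:
        m = re.search(acl['target'], target_dn)
        if not m or attr not in acl['attrs']:
            continue
        for kind, pattern, level in acl['by']:
            if kind == 'dn.regex':
                for i, g in enumerate(m.groups(), 1):
                    pattern = pattern.replace(f'${i}', g)
                if re.search(pattern, requester_dn):
                    return level
            elif (kind == 'users' and requester_dn) or kind == '*':
                return level
        return 'none'
    return 'none'
```

Running `evaluate` for the owner, the egwadmin account, another user and an anonymous bind against one addressbook DN shows which `by` line each request falls through to, which is the check worth doing before the file goes anywhere near a production slapd.conf.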