- Bug
- Resolution: Unresolved
- Minor
- rhel-9.4
- None
Description of problem:
RHDS is crashing when using the nsRole filter rewriter with a filtered role that has an invalid filter.
Version-Release number of selected component (if applicable):
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.4 (Plow)
$
$ rpm -qa | grep 389-ds
389-ds-base-libs-2.4.5-3.module+el9dsrv+21615+bdf90ebc.x86_64
389-ds-base-2.4.5-3.module+el9dsrv+21615+bdf90ebc.x86_64
cockpit-389-ds-2.4.5-3.module+el9dsrv+21615+bdf90ebc.noarch
389-ds-base-debugsource-2.4.5-3.module+el9dsrv+21615+bdf90ebc.x86_64
389-ds-base-debuginfo-2.4.5-3.module+el9dsrv+21615+bdf90ebc.x86_64
$
How reproducible:
Always.
Steps to Reproduce:
1. Create a filtered role with an invalid filter (note the extra parenthesis right after the AND operator):
$ ldapmodify -x -D "cn=Directory Manager" -W -H ldaps://localhost:7636 -a
Enter LDAP Password:
dn: cn=TestFilteredRole,ou=people,dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: TestFilteredRole
nsRoleFilter: (&((objectClass=top)(objectClass=nsPerson))
Description: Test crash issue
adding new entry "cn=TestFilteredRole,ou=people,dc=example,dc=com"
$
2. Add the nsRole filter rewriter:
$ ldapmodify -x -D "cn=Directory Manager" -W -H ldaps://localhost:7636 -a
Enter LDAP Password:
dn: cn=roles,cn=rewriters,cn=config
objectClass: top
objectClass: extensibleObject
cn: roles
nsslapd-libPath: libroles-plugin
nsslapd-filterrewriter: role_nsRole_filter_rewriter
adding new entry "cn=roles,cn=rewriters,cn=config"
$
3. Restart the instance:
$ dsctl <INSTANCE> restart
4. A search using the filtered role will trigger the crash:
$ ldapsearch -xLLL -D "cn=Directory Manager" -W -H ldaps://localhost:7636 -b "dc=example,dc=com" "nsRole=cn=TestFilteredRole,ou=people,dc=example,dc=com"
Enter LDAP Password:
ldap_result: Can't contact LDAP server (-1)
$
5. No crash when using a valid filter:
$ ldapmodify -x -D "cn=Directory Manager" -W -H ldaps://localhost:7636
Enter LDAP Password:
dn: cn=TestFilteredRole,ou=people,dc=example,dc=com
changetype: modify
replace: nsRoleFilter
nsRoleFilter: (&(objectClass=top)(objectClass=nsPerson))
modifying entry "cn=TestFilteredRole,ou=people,dc=example,dc=com"
$
$ ldapsearch -xLLL -D "cn=Directory Manager" -W -H ldaps://localhost:7636 -b "dc=example,dc=com" "nsRole=cn=TestFilteredRole,ou=people,dc=example,dc=com" 1.1
Enter LDAP Password:
dn: uid=demo_user,ou=people,dc=example,dc=com
$
Actual results:
RHDS is crashing.
Expected results:
No crash.
Additional info:
I can reproduce with RHDS 11.8 (RHEL 8.9) too.
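
A pre-import check for the condition in step 1, as an added example (not part of the report and not 389-ds code): it tests nsRoleFilter values in LDIF text for well-formed filter structure and reports the ones that fail. It covers only a structural subset of RFC 4515 and assumes unfolded, non-base64 LDIF lines; the function names and the `cn=FixedRole` entry in the sample are constructed for illustration.

```python
# Added example, not 389-ds code: structural subset of RFC 4515 only.
def _filter(s, i):
    """Parse one parenthesised filter at s[i]; return the index just past it."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        i = _filter(s, i + 1)                 # AND/OR need at least one sub-filter
        while i < len(s) and s[i] == "(":
            i = _filter(s, i)
    elif i < len(s) and s[i] == "!":
        i = _filter(s, i + 1)                 # NOT takes exactly one sub-filter
    else:
        end = i
        while end < len(s) and s[end] not in "()":
            end += 1                          # literal parens must be \28 / \29
        if s[i:end].find("=") < 1:
            raise ValueError(f"no attr=value item at offset {i}")
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def check_filter(s):
    """Return None when s is one well-formed filter, else a short reason."""
    try:
        end = _filter(s, 0)
    except (ValueError, RecursionError) as exc:
        return str(exc)
    return None if end == len(s) else f"trailing data at offset {end}"

def audit_ldif(text):
    """Yield (dn, filter, reason) per bad nsRoleFilter; simple LDIF lines only."""
    dn = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.lower() == "dn":
            dn = value.strip()
        elif key.lower() == "nsrolefilter":
            reason = check_filter(value.strip())
            if reason:
                yield dn, value.strip(), reason

# Constructed sample: the two nsRoleFilter values shown in the report.
SAMPLE = """\
dn: cn=TestFilteredRole,ou=people,dc=example,dc=com
nsRoleFilter: (&((objectClass=top)(objectClass=nsPerson))

dn: cn=FixedRole,ou=people,dc=example,dc=com
nsRoleFilter: (&(objectClass=top)(objectClass=nsPerson))
"""
```

Calling `list(audit_ldif(SAMPLE))` yields one tuple, for the `cn=TestFilteredRole` entry, whose filter fails at offset 3.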