Bug 745389

Summary: ldapsearch without binddn coredumps during user lookup on a server with suffix referral enabled.
Product: Red Hat Directory Server
Component: Command Line Utilities
Version: 9.0
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Reporter: Kaushik Banerjee <kbanerje>
Assignee: Nathan Kinder <nkinder>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, rmeggins, sramling
Target Milestone: DS9.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-10-12 15:05:14 UTC

Description Kaushik Banerjee 2011-10-12 08:39:27 UTC
Description of problem:
ldapsearch without binddn crashes during user lookup on a server with suffix referral enabled.

Version-Release number of selected component (if applicable):
mozldap-tools-6.0.5-6.2.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure suffix referral on a 389-ds (ver: 389-ds-base-1.2.9.13-1.el6.x86_64).
2. Do an ldapsearch with binddn against the server:

# /usr/lib64/mozldap/ldapsearch -v -h kungfupanda.lab.eng.pnq.redhat.com -D "cn=Directory Manager" -w Secret123 -b "ou=pnq,ou=People,dc=example,dc=com" uid=kau1
ldapsearch: started Wed Oct 12 04:24:50 2011

ldap_init( kungfupanda.lab.eng.pnq.redhat.com, 389 )
filter pattern: uid=kau1
returning: ALL
filter is: (uid=kau1)
version: 1
dn: uid=kau1,ou=pnq,ou=People,dc=example,dc=com
uidNumber: 9876543
gidNumber: 9876543
objectClass: top
objectClass: posixAccount
objectClass: person
uid: kau1
cn: kau1
homeDirectory: /home/kau1
sn: kau1
userPassword: XXXX
1 matches


3. Now perform the search without binddn:

# /usr/lib64/mozldap/ldapsearch -h kungfupanda.lab.eng.pnq.redhat.com -b "ou=pnq,ou=People,dc=example,dc=com" uid=kau1
Segmentation fault (core dumped)

  
Actual results:
ldapsearch crashes with the following coredump backtrace:

# gdb --core /var/spool/abrt/ccpp-2011-10-12-04\:13\:49-13584/coredump /usr/lib64/mozldap/ldapsearch --quiet -ex "thread apply all bt full" -ex "quit"
Core was generated by `/usr/lib64/mozldap/ldapsearch -h kungfupanda.lab.eng.pnq.redhat.com -b ou=pnq,o'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000003cfa47a1dc in __libc_free (mem=0x3cf9c14615) at malloc.c:3724
3724	  ar_ptr = arena_for_chunk(p);

Thread 1 (Thread 0x7f9f8e903720 (LWP 13584)):
#0  0x0000003cfa47a1dc in __libc_free (mem=0x3cf9c14615) at malloc.c:3724
        ar_ptr = <value optimized out>
        p = 0x3cf9c14605
        hook = <value optimized out>
#1  0x000000000040718d in get_rebind_credentials (ld=<value optimized out>, whop=0x7fff7af46458, 
    credp=0x7fff7af46450, methodp=0x7fff7af4646c, freeit=<value optimized out>, arg=<value optimized out>)
    at common.c:2110
No locals.
#2  0x00007f9f8ef6f995 in nsldapi_new_connection (ld=0x2176640, srvlistp=<value optimized out>, use_ldsb=0, 
    connect=<value optimized out>, bind=<value optimized out>) at request.c:745
        err = -1
        lderr = <value optimized out>
        freepasswd = 1
        passwd = 0x2176e60 "\001"
        authmethod = 128
        binddn = 0x3cf9c14615 "I\211\303L\213L$0L\213D$(H\213|$ H\213t$\030H\213T$\020H\213L$\bH\213\004$H\203\304HA\377\343ffffff.\017\037\204"
        savedefconn = 0x2176da0
        rc = <value optimized out>
        lc = 0x217bcc0
        prevsrv = <value optimized out>
        srv = <value optimized out>
        sb = <value optimized out>
#3  0x00007f9f8ef700ac in nsldapi_send_server_request (ld=0x2176640, ber=<value optimized out>, msgid=2, 
    parentreq=0x2176e60, srvlist=0x0, lc=<value optimized out>, bindreqdn=<value optimized out>, 
    bind=<value optimized out>) at request.c:211
        lr = <value optimized out>
        err = <value optimized out>
        incparent = <value optimized out>
        res_rc = 0
        epipe_err = 0
        ext_res_rc = 0
        ext_oid = 0x0
        ext_data = 0x0
        ext_res = 0x0
#4  0x00007f9f8ef70f47 in chase_one_referral (ld=0x2176640, lr=0x2176e60, origreq=0x2176e60, 
    refurl=<value optimized out>, desc=<value optimized out>, unknownp=<value optimized out>, 
    is_reference=<value optimized out>) at request.c:1335
        rc = <value optimized out>
        tmprc = <value optimized out>
        srv = 0x2179aa0
        ber = 0x217b6a0
        ludp = 0x217ae00
#5  0x00007f9f8ef7111a in nsldapi_chase_v3_refs (ld=0x2176640, lr=0x2176e60, v3refs=<value optimized out>, 
    is_reference=0, totalcountp=<value optimized out>, chasingcountp=<value optimized out>) at request.c:1213
        rc = <value optimized out>
        i = <value optimized out>
        unknown = 0
        origreq = 0x2176e60
#6  0x00007f9f8ef728c0 in check_for_refs (ld=0x2176640, msgid=<value optimized out>, all=<value optimized out>, 
    sb=<value optimized out>, lcp=<value optimized out>, result=<value optimized out>) at result.c:1019
        err = 0
        errstr = 0x2176d20 ""
        origerr = 10
        matcheddn = 0x2176e30 "ou=pnq,ou=People,dc=example,dc=com"
        v3refs = 0x2179a10
#7  read1msg (ld=0x2176640, msgid=<value optimized out>, all=<value optimized out>, sb=<value optimized out>, 
    lcp=<value optimized out>, result=<value optimized out>) at result.c:655
        refchasing = 0
        reftotal = 1
        simple_request = 0
        ctrls = 0x0
        ber = 0x217aff0
        new = <value optimized out>
        l = <value optimized out>
        prev = <value optimized out>
        chainprev = <value optimized out>
        tmp = <value optimized out>
        id = 1
        tag = 101
        len = 127
        terrno = <value optimized out>
        lderr = <value optimized out>
        foundit = 0
        lr = 0x2176e60
        rc = -2
        message_can_be_returned = 1
        manufactured_result = 0
        lc = <value optimized out>
#8  0x00007f9f8ef736cf in wait4msg (ld=0x2176640, msgid=-1, all=<value optimized out>, 
    unlock_permitted=<value optimized out>, timeout=<value optimized out>, result=0x7fff7af46868) at result.c:476
        err = <value optimized out>
        lc = 0x2176da0
        lr = <value optimized out>
        msgfound = <value optimized out>
        tvp = 0x0
        nextlc = 0x0
        rc = <value optimized out>
        tv = {tv_sec = 0, tv_usec = 261888230933}
        start_time = <value optimized out>
        tmp_time = <value optimized out>
#9  nsldapi_result_nolock (ld=0x2176640, msgid=-1, all=<value optimized out>, 
    unlock_permitted=<value optimized out>, timeout=<value optimized out>, result=0x7fff7af46868) at result.c:144
        rc = <value optimized out>
#10 0x00007f9f8ef73dca in ldap_result (ld=0x2176640, msgid=-1, all=0, timeout=0x0, result=0x7fff7af46868)
    at result.c:111
        rc = -1
#11 0x0000000000404c94 in dosearch (ld=<value optimized out>, base=<value optimized out>, 
    scope=<value optimized out>, attrs=<value optimized out>, attrsonly=<value optimized out>, 
    filtpatt=<value optimized out>, value=<value optimized out>) at ldapsearch.c:770
        refs = 0x0
        filter = "\000\210\364z\377\177\000\000\030\000\000\000\000\000\000\000\220\206\220\216\237\177\000\000\346\316\300\371<\000\000\000\000\260\220\216\237\177\000\000\000\220\220\216\237\177\000\000\000\000\000\000\000\000\000\000χ\364z\377\177\000\000`\302\300\371<\000\000\000\220\207\364z\377\177", '\000' <repeats 26 times>"\370, }\240\375<\000\000\000\000\000\000\020\351\365\376\377\001\000\000\000\000\000\000\000\340i\364z\377\177\000\000:\a\200\375<\000\000\000\220\206\220\216\237\177\000\000\000\000`\321\350\365\376\377\000\000\326\301\201\363y\000{8\300\372<\000\000\000Ф\220\216\237\177\000\000B\202\300\371<", '\000' <repeats 21 times>"\200, \375<\000\000\000\220\207\364z\377\177\000\000\000\210\364z\377\177\000\000\002\000\000\000\000\000\000\000\340j\364z\377\177\000\000\065/\000\002\070\000\000\000\000\200\220\216\237\177\000\000\210\177\240\375<\000\000\000\000\210\364z\377\177\000\000t\312\300\371<\000\000\000\001\000\000\000<\000\000\000\000p\220\216\237\177", '\000' <repeats 18 times>"\370---Type <return> to continue, or q <return> to quit---
, }\240\375<\000\000\000\205\311\300\371<\000\000\000\000\220"...
        filterp = 0x2175730 "uid=kau1"
        rc = 32671
        first = <value optimized out>
        matches = <value optimized out>
        res = 0x0
        e = 0x0
        ldctrl = 0x0
        ctrl_response_array = 0x0
        vlv_data = {ldvlist_before_count = 1, ldvlist_after_count = 32, ldvlist_attrvalue = 0x0, 
          ldvlist_index = 0, ldvlist_size = 0, ldvlist_extradata = 0x200000001f}
        msgid = 1
        length = <value optimized out>
        mallocd_filter = 0
#12 0x000000000040592b in main (argc=<value optimized out>, argv=<value optimized out>) at ldapsearch.c:276
        conv = <value optimized out>
        filtpattern = 0x2175730 "uid=kau1"
        free_filtpattern = 1
        attrs = 0x0
        rc = <value optimized out>
        optind = <value optimized out>
        i = <value optimized out>
        first = <value optimized out>
        ld = 0x2176640

Expected results:
ldapsearch should not crash.

Additional info:
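
A triage step for the backtrace above, as an added example that is not part of the original report: it parses frames #0-#2 of the `bt full` output and traces the pointer passed to `free()` back to the caller local that holds it. The names `parse_frames` and `trace_freed_pointer` are hypothetical, and the 16-byte malloc alignment is an assumption about glibc on x86-64.

```python
import re

# Frames #0-#2 of the "bt full" output in the report above; long string
# values are shortened, addresses are unchanged.
BACKTRACE = r'''
#0  0x0000003cfa47a1dc in __libc_free (mem=0x3cf9c14615) at malloc.c:3724
        ar_ptr = <value optimized out>
        p = 0x3cf9c14605
#1  0x000000000040718d in get_rebind_credentials (ld=<value optimized out>, whop=0x7fff7af46458,
    credp=0x7fff7af46450, methodp=0x7fff7af4646c, freeit=<value optimized out>, arg=<value optimized out>)
    at common.c:2110
No locals.
#2  0x00007f9f8ef6f995 in nsldapi_new_connection (ld=0x2176640, srvlistp=<value optimized out>, use_ldsb=0,
    connect=<value optimized out>, bind=<value optimized out>) at request.c:745
        freepasswd = 1
        passwd = 0x2176e60 "\001"
        binddn = 0x3cf9c14615 "I\211\303L\213L$0L\213D$("
        savedefconn = 0x2176da0
        lc = 0x217bcc0
'''

FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*)$")
LOCAL = re.compile(r"^\s+(\w+) = (0x[0-9a-f]+)\b")
ARG = re.compile(r"(\w+)=(0x[0-9a-f]+)")

def parse_frames(text):
    """Parse gdb 'bt full' text into frames with pointer-valued args and locals."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            frames.append({"func": m.group(2), "locals": {},
                           "args": {k: int(v, 16) for k, v in ARG.findall(m.group(3))}})
        elif frames:
            loc = LOCAL.match(line)
            if loc:
                frames[-1]["locals"][loc.group(1)] = int(loc.group(2), 16)
            else:  # continuation of a wrapped argument list
                frames[-1]["args"].update(
                    (k, int(v, 16)) for k, v in ARG.findall(line))
    return frames

def trace_freed_pointer(frames, alignment=16):
    """Report who held the pointer that reached free() and whether malloc could have returned it."""
    freed = frames[0]["args"]["mem"]
    holders = [(f["func"], name) for f in frames[1:]
               for name, value in f["locals"].items() if value == freed]
    # Assumption: glibc malloc on x86-64 returns 16-byte-aligned chunks, so a
    # misaligned argument to free() was never allocated by malloc().
    return {"freed": freed, "malloc_aligned": freed % alignment == 0,
            "holders": holders}

if __name__ == "__main__":
    print(trace_freed_pointer(parse_frames(BACKTRACE)))
```

On this backtrace the freed address is the `binddn` local of `nsldapi_new_connection`, and it is not 16-byte aligned.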

Comment 2 RHEL Program Management 2011-10-12 09:09:16 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 3 Kaushik Banerjee 2011-10-12 14:07:37 UTC
This is not just limited to suffix referral only. I was able to dupe this with smart referrals too.

Comment 4 Rich Megginson 2011-10-12 14:35:33 UTC
(In reply to comment #3)
> This is not just limited to suffix referral only. I was able to dupe this with
> smart referrals too.

mozldap was removed from RHEL6.  How are you using a RHEL6 mozldap package?????

Comment 5 Kaushik Banerjee 2011-10-12 15:03:27 UTC
(In reply to comment #4)
> mozldap was removed from RHEL6.  How are you using a RHEL6 mozldap package?????

I use http://download.devel.redhat.com/nightly/latest-RHEL6.2-DSRV-9.0/9.0/Server/x86_64/os/Packages/ to download and install DS. Got the mozldap packages from there.