autofs-ldap's /etc/ldap/schema/autofs.schema crashes slapd

Bug #1891548 reported by msp3k
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
autofs (Debian) | Fix Released | Unknown | |
autofs (Ubuntu) | Fix Released | Low | Unassigned |
openldap (Ubuntu) | Fix Released | Low | Unassigned |

Bug Description

Ubuntu Release:
# lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04

Version of packages in use:
# dpkg -l autofs autofs-ldap slapd | grep '^ii'
ii autofs 5.1.6-2ubuntu0.1 amd64 kernel-based automounter for Linux
ii autofs-ldap 5.1.6-2ubuntu0.1 amd64 LDAP map support for autofs
ii slapd 2.4.49+dfsg-2ubuntu1.3 amd64 OpenLDAP server (slapd)

Expected:
No errors from slaptest

Actual Output:
5f359370 /etc/ldap/schema/autofs.schema: line 14 attributetype: AttributeType inappropriate matching rule: "caseExactMatch"

Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1891548/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
affects: ubuntu → autofs (Ubuntu)
msp3k (peek-nimbios) wrote :

Schemas included in slapd.conf:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/autofs.schema

msp3k (peek-nimbios) wrote :

Attempted to modify /etc/ldap/schema/autofs.schema to replace "caseExactMatch" with "caseExactIA5Match". This fixed the problem with slaptest reporting an error. However, there are other problems that have arisen that may or may not be related. Attempts to add automount entries fail for "objectClass: automountMap" with "invalid per syntax" errors. Neither old, working entries from slapd running on an existing 18.04 server, nor new entries built using /usr/share/doc/autofs-ldap/examples/ldap-automount-auto.direct as a template, are accepted.

msp3k (peek-nimbios) wrote :

Example entry #1, using /usr/share/doc/autofs-ldap/examples/ldap-automount-auto.direct
------------------------------------
dn: ou=auto.master,dc=example,dc=org
ou: auto.master
objectClass: top
objectClass: automountMap
------------------------------------
Output:
adding new entry "ou=auto.master,dc=example,dc=org"
ldap_add: Invalid syntax (21)
 additional info: objectClass: value #1 invalid per syntax

Example entry #2 from an existing 18.04 slapd server (base replaced w/ dc=example,dc=org)
------------------------------------
dn: ou=automount,dc=example,dc=org
ou: automount
objectClass: top
objectClass: organizationalUnit

dn: ou=auto.master,ou=automount,dc=example,dc=org
ou: auto.master
objectClass: top
objectClass: automountMap
------------------------------------
Output:
adding new entry "ou=automount,dc=example,dc=org"

adding new entry "ou=auto.master,ou=automount,dc=example,dc=org"
ldap_add: Invalid syntax (21)
 additional info: objectClass: value #1 invalid per syntax

Christian Ehrhardt  (paelzer) wrote :

Adding slapd task since it is mentioned to break there.

Seems to be a regression from 18.04 -> 20.04 as far as I read it, tagging as such for now.

@Andreas - any chance to recreate this on your side?

msp3k (peek-nimbios) wrote :
msp3k (peek-nimbios) wrote :

Attached is an example /etc/ldap/slapd.conf file that I'm working from. Maybe there's a problem in here somewhere that I'm not catching. Including it just in case. Database password is "superSecretPassword" -> "{MD5}Yy8s0xf5ONysHHbtpvA+ig==". The include for /etc/ldap/schema/autofs.schema has been replaced with /etc/ldap/schema/autofs-fixed.schema (see additional attachment below).

msp3k (peek-nimbios) wrote :
msp3k (peek-nimbios) wrote :

SORRY -- This is the correct autofs-fixed.schema. That last one was a file I was poking around with using a schema I found online. The only difference between this file and the one that ships with autofs-ldap is "caseExactMatch" -> "caseExactIA5Match".

Ryan Tandy (rtandy) wrote :

msp3k is correct. The bug is in autofs-ldap, not in slapd. slapd is correct to reject "caseExactMatch" since the attribute syntax is IA5 String. The correct fix is what msp3k said, fix the matching rule to be caseExactIA5Match like it was in the old one.

--- /etc/ldap/schema/autofs.schema 2020-08-14 15:50:36.678109301 +0000
+++ /etc/ldap/schema/autofs.schema 2020-08-14 15:50:46.506246431 +0000
@@ -10,7 +10,7 @@

 attributetype ( 1.3.6.1.4.1.2312.4.1.2 NAME 'automountInformation'
  DESC 'Information used by the autofs automounter'
- EQUALITY caseExactMatch
+ EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

 objectclass ( 1.3.6.1.4.1.2312.4.2.3 NAME 'automount' SUP top STRUCTURAL
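
Review bot: the `---` and `+++` headers both name the installed file /etc/ldap/schema/autofs.schema, so this cannot be applied to the autofs source package as it stands; regenerate it against the schema file in the source tree with distinct old and new paths. The changed line itself agrees with the context line below it, since SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 is IA5 String and caseExactIA5Match is the rule that pairs with it. Only automountInformation is visible in this hunk, so the file's other attributetype definitions should be checked for the same EQUALITY/SYNTAX mismatch before the fix is called complete.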

msp3k (peek-nimbios) wrote : Re: [Bug 1891548] Re: autofs-ldap's /etc/ldap/schema/autofs.schema crashes slapd

As a follow-up, I figured out a workaround for the following error that
I reported earlier:

adding new entry "ou=auto.master,dc=example,dc=org"
ldap_add: Invalid syntax (21)
 additional info: objectClass: value #1 invalid per syntax

Original steps:
1) Install /etc/ldap/slapd.conf (which includes the "caseExactIA5Match"
fixed version of the autofs schema)
2) Start slapd
3) Attempts to enter an automountMap entry causes an invalid syntax
error

Workaround:
1) Install /etc/ldap/slapd.conf (which includes the "caseExactIA5Match"
fixed version of the autofs schema)
2) start slapd
3) stop and restart slapd again
4) Attempts to enter automountMap entry now succeed

Why this is necessary I can't say but the behavior is consistent. This
extra restart was not necessary for versions of slapd+autofs that
shipped with 18.04 and previous Ubuntu versions.

Also I'm going to further show my ignorance here and say that I found
"caseExactMatch" in several other schema files too. I'm wondering why
other users haven't run into something similar?
# find /etc/ldap/schema/ -type f -exec grep -q caseExactMatch {} \; -print
/etc/ldap/schema/corba.schema
/etc/ldap/schema/duaconf.ldif
/etc/ldap/schema/core.schema <-- commented out
/etc/ldap/schema/duaconf.schema
/etc/ldap/schema/java.schema
/etc/ldap/schema/core.ldif <-- commented out
/etc/ldap/schema/java.ldif
/etc/ldap/schema/autofs.schema
Thank you again for your help on this.
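
Added example, not part of the original thread and not autofs or OpenLDAP code: a small lint that parses slapd.conf-style attributetype definitions and reports an EQUALITY rule whose assertion syntax differs from the attribute's SYNTAX, the condition slaptest rejected above, while accepting the same rule on a Directory String attribute. It assumes a simplified check covering only the four case* string rules and the Directory String and IA5 String syntaxes; `exampleLabel`, `commentedOut` and their OIDs are constructed.

```python
import re

DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
# Assertion syntax of each rule per RFC 4517 (only these four are checked).
RULE_SYNTAX = {"caseexactmatch": DIRECTORY_STRING, "caseignorematch": DIRECTORY_STRING,
               "caseexactia5match": IA5_STRING, "caseignoreia5match": IA5_STRING}

# Constructed sample: definition 1 is the one quoted in this bug, the rest is made up.
SAMPLE = """\
attributetype ( 1.3.6.1.4.1.2312.4.1.2 NAME 'automountInformation'
  DESC 'Information used by the autofs automounter'
  EQUALITY caseExactMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
# attributetype ( 1.3.6.1.4.1.99999.1.0 NAME 'commentedOut' EQUALITY
#   caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleLabel'
  DESC 'Constructed example (not a real attribute)'
  EQUALITY caseExactMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""

def attribute_types(text):
    """Yield the body of each 'attributetype ( ... )', skipping comment lines."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for m in re.finditer(r"(?im)^attributetype\s*\(", text):
        depth, quoted = 1, False
        for i, c in enumerate(text[m.end():], m.end()):
            if c == "'":
                quoted = not quoted          # parentheses inside DESC '...' do not count
            elif not quoted and c in "()":
                depth += 1 if c == "(" else -1
                if depth == 0:
                    yield text[m.end():i]
                    break

def lint(text):
    """Return (name, rule, syntax_oid) where the EQUALITY rule does not fit SYNTAX."""
    findings = []
    for body in attribute_types(text):
        name = re.search(r"NAME\s+\(?\s*'([^']+)'", body)
        rule = re.search(r"EQUALITY\s+(\S+)", body)
        syntax = re.search(r"SYNTAX\s+([\d.]+)", body)
        if not (name and rule and syntax):
            continue  # inherited via SUP or no equality rule: nothing to compare
        expected = RULE_SYNTAX.get(rule.group(1).lower())
        if expected and syntax.group(1) in {DIRECTORY_STRING, IA5_STRING} - {expected}:
            findings.append((name.group(1), rule.group(1), syntax.group(1)))
    return findings
```

Running `lint()` over each file listed by the `find` above separates definitions where caseExactMatch sits on an IA5 String attribute from those where it sits on a Directory String one.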

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Since this affects an unusual end-user configuration, I'm setting Importance to Low, and I don't expect anyone to work on this soon. However if you can help definitively explain what needs adjusting to fix this correctly, then that would be helpful and we can try to help get that fix landed. Caveat: normally we'd expect an explanation and patch to be sent to Debian first.

I'm deferring a decision on whether or not this requires a fix in openldap until the above is clear.

Changed in autofs (Ubuntu):
importance: Undecided → Low
Changed in openldap (Ubuntu):
importance: Undecided → Low
msp3k (peek-nimbios) wrote :

I didn't realize that this was considered unusual. AutoFs integration
has been a critical part of our infrastructure across multiple
departments at our university for decades, starting with NIS/NIS+.
 Without AutoFS integration we would be ... very, very sad.

I have filed a bug report w/ Debian and included a patch against Debian
Sid's autofs-5.1.6 source package:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968675

Since this is the same source file as Ubuntu 20.04 uses I've included
the patch file for your use, on the off chance that it would make
things easier (attached).

Looking at the up-stream source from
https://mirrors.edge.kernel.org/pub/linux/daemons/autofs/v5/ it appears
that version 5.1.2's autofs.schema file was correct. The typo first
appears in 5.1.3, released on May 24th 2017, and has affected every
release of autofs since.

I have also submitted a bug report, including a patch file, to the
<email address hidden> mailing list for the autofs developers.

Michael Peek

On Tue, 2020-08-18 at 16:42 +0000, Robie Basak wrote:
> Thank you for taking the time to report this bug and helping to make
> Ubuntu better.
>
> Since this affects an unusual end-user configuration, I'm setting
> Importance to Low, and I don't expect anyone to work on this soon.
> However if you can help definitively explain what needs adjusting to fix
> this correctly, then that would be helpful and we can try to help get
> that fix landed. Caveat: normally we'd expect an explanation and patch
> to be sent to Debian first.
>
> I'm deferring a decision on whether or not this requires a fix in
> openldap until the above is clear.
>
> ** Changed in: autofs (Ubuntu)
> Importance: Undecided => Low
>
> ** Changed in: openldap (Ubuntu)
> Importance: Undecided => Low
>

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "autofs-5.1.6-schema-fix.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Paride Legovini (paride) wrote :

Hi Michael and thanks for all the digging. If I understand correctly there are two issues here:

1. The slapd crash due to the caseExactMatch/caseExactIA5Match typo, for which you submitted a fix upstream [1].

2. The need to "start ; stop ; restart" the slapd service in order to avoid the "invalid per syntax" errors.

What I suggest is to:

A. Let's wait for upstream to comment on or pick up your patch. We'll then be able to cherry-pick the fix from the upstream repository. This makes things easier to manage and gives us more confidence in the correctness of the patch (could be obvious for an ldap/autofs expert, I am not.)

B. File a separate bug for the "start ; stop ; restart" thing, which appears to be unrelated. If you do so, please make it clear it's a Bionic -> Focal regression. Having minimal steps to reproduce the issue from a fresh Focal install would be the best.

What do you think?

Paride

[1] https://www.spinics.net/lists/autofs/msg02276.html

msp3k (peek-nimbios) wrote :

Will do, thanks.

Michael Peek

On Thu, 2020-08-20 at 15:10 +0000, Paride Legovini wrote:
> Hi Michael and thanks for all the digging. If I understand correctly
> there are two issues here:
>
> 1. The slapd crash due to the caseExactMatch/caseExactIA5Match typo,
> for which you submitted a fix upstream [1].
>
> 2. The need to "start ; stop ; restart" the slapd service in order to
> avoid the "invalid per syntax" errors.
>
> What I suggest is to:
>
> A. Let's wait for upstream to comment on or pickup your patch. We'll
> then be able to cherry-pick the fix from the upstream repository. This
> makes things easier to manage and give us more confidence on the
> correctness on the patch (could be obvious for a ldap/autofs expert, I
> am not.)
>
> B. File a separate bug for the "start ; stop ; restart" thing, which
> appears to be unrelated. If you do so, please make it clear it's a
> Bionic -> Focal regression. Having a minimal steps to reproduce the
> issue from a fresh Focal install would be the best.
>
> What do you think?
>
> Paride
>
> [1] https://www.spinics.net/lists/autofs/msg02276.html
>

Changed in autofs (Debian):
status: Unknown → Fix Released
Utkarsh Gupta (utkarsh) wrote :

Hiya,

This was fixed in Debian via 5.1.6-4, which is merged in Hirsute release (5.1.6-4ubuntu1). Therefore, I am marking this as "Fix Released" for Hirsute. Should you have any questions or problems wrt this, let me know!

Thanks.

Changed in autofs (Ubuntu):
status: New → Fix Released
Bryce Harrington (bryce) wrote :

Since this appears to have just required a fix to autofs, I'm closing the openldap task. If there actually is any followup work needed for openldap please reopen with additional detail of what needs done.

Changed in openldap (Ubuntu):
status: New → Fix Released