openldap crash when checkRDN=1 and username contains too short parts #16

Closed
davidcoutadeur opened this issue Aug 1, 2019 · 4 comments

Comments

@davidcoutadeur
Collaborator

When usernames contain - (dash) and checkRDN is set, ppm crashes and makes OpenLDAP crash.

To be reproduced, debugged and fixed.

@eric-couasnet

Hello,
I have the same problem with:
openldap-ltb: 2.4.47.1
openldap-ltb-check-password - check_password module for password policy
openldap-ltb-contrib-overlays - Overlays contributed to OpenLDAP
openldap-ltb-dbg - Debugging symbols for openldap-ltb
openldap-ltb-explockout - OpenLDAP exponential time password lockout overlay
openldap-ltb-mdb-utils - utilities for mdb
openldap-ltb-ppm: Installé : 2.4.47.1

When checkRDN=1 in ppm.conf and a user, for example with uid = ihsane.el-example, tries to change their password, the slapd daemon crashes (logfile below).
I have tried with many usernames containing - (dash), with the same result: slapd crashes.

For now, and because a lot of usernames in our company contain "-", I have changed checkRDN=1 to checkRDN=0.

Jul3 15:21:25 openldap-master1 slapd[27844]: conn=1080 op=1 MOD
attr=userPassword

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: entry cn=ihsane
el-example,ou=evglobal,dc=xxxxx,dc=local

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: reading config file
from /usr/local/openldap/etc/openldap/ppm.conf

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: Opening file
/usr/local/openldap/etc/openldap/ppm.conf

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: Param = minQuality,
value = 3, min = (null), minForPoint= (null)

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm:Accepted replaced value: 3

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: Param = maxLength,
value = 0, min = (null), minForPoint= (null)

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm:Accepted replaced value: 0

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: Param = checkRDN,
value = 1, min = (null), minForPoint= (null)

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm:Accepted replaced value: 1

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: Param =
maxConsecutivePerClass, value = 0, min = (null), minForPoint= (null)

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm:Accepted replaced value: 0

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: Param = useCracklib,
value = 0, min = (null), minForPoint= (null)

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm:Accepted replaced value: 0

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: Param = cracklibDict,
value = /var/cache/cracklib/cracklib_dict, min = (null), minForPoint= (null)

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm:Accepted replaced
value: /var/cache/cracklib/cracklib_dict

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: Param =
class-upperCase, value = ABCDEFGHIJKLMNOPQRSTUVWXYZ, min = 0, minForPoint= 1

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm:Accepted replaced
value: ABCDEFGHIJKLMNOPQRSTUVWXYZ

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: Param =
class-lowerCase, value = abcdefghijklmnopqrstuvwxyz, min = 0, minForPoint= 1

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm:Accepted replaced
value: abcdefghijklmnopqrstuvwxyz

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: Param = class-digit,
value = 0123456789, min = 0, minForPoint= 1

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm:Accepted replaced
value: 0123456789

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: Param = class-special,
value = <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+, min = 0,
minForPoint= 1

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm:Accepted replaced
value: <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: 1 point granted for
class class-upperCase

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: 1 point granted for
class class-lowerCase

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: 1 point granted for
class class-digit

Jul3 15:21:25 openldap-master1 slapd[27844]: ppm: 1 point granted for
class class-special

Jul3 15:21:25 openldap-master1 slapd-cli[27897]: [INFO] Using
/usr/local/openldap/etc/openldap/slapd-cli.conf for configuration

Jul3 15:21:25 openldap-master1 slapd-cli[27902]: [INFO] Halting OpenLDAP...

Jul3 15:21:25 openldap-master1 slapd-cli[27904]: [OK] OpenLDAP stopped
after 0 seconds

@davidcoutadeur
Collaborator Author

Reproduced successfully with ppm_test and latest ppm recompiled from master branch:

PPM_CONFIG_FILE=/usr/local/openldap/etc/openldap/ppm.conf LD_LIBRARY_PATH=. ./ppm_test "cn=ihsane el-example,ou=evglobal,dc=xxxxx,dc=local" "secret" && echo OK
Testing password : 'secret' for user cn=ihsane el-example,ou=evglobal,dc=xxxxx,dc=local
ppm: entry cn=ihsane el-example,ou=evglobal,dc=xxxxx,dc=local
ppm: reading config file from /usr/local/openldap/etc/openldap/ppm.conf
ppm: Opening file /usr/local/openldap/etc/openldap/ppm.conf
ppm: Param = minQuality, value = 1, min = (null), minForPoint= (null)
ppm:  Accepted replaced value: 1
ppm: Param = maxLength, value = 0, min = (null), minForPoint= (null)
ppm:  Accepted replaced value: 0
ppm: Param = checkRDN, value = 1, min = (null), minForPoint= (null)
ppm:  Accepted replaced value: 1
ppm: Param = forbiddenChars, value = , min = (null), minForPoint= (null)
ppm:  Accepted replaced value: 
ppm: Param = maxConsecutivePerClass, value = 0, min = (null), minForPoint= (null)
ppm:  Accepted replaced value: 0
ppm: Param = useCracklib, value = 0, min = (null), minForPoint= (null)
ppm:  Accepted replaced value: 0
ppm: Param = cracklibDict, value = /var/cache/cracklib/cracklib_dict, min = (null), minForPoint= (null)
ppm:  Accepted replaced value: /var/cache/cracklib/cracklib_dict
ppm: Param = class-upperCase, value = ABCDEFGHIJKLMNOPQRSTUVWXYZ, min = 0, minForPoint= 1
ppm:  Accepted replaced value: ABCDEFGHIJKLMNOPQRSTUVWXYZ
ppm: Param = class-lowerCase, value = abcdefghijklmnopqrstuvwxyz, min = 0, minForPoint= 1
ppm:  Accepted replaced value: abcdefghijklmnopqrstuvwxyz
ppm: Param = class-digit, value = 0123456789, min = 0, minForPoint= 1
ppm:  Accepted replaced value: 0123456789
ppm: Param = class-special, value = <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+, min = 0, minForPoint= 1
ppm:  Accepted replaced value: <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+
ppm: 1 point granted for class class-lowerCase
Erreur de segmentation

ppm.conf:

minQuality 1
checkRDN 1

@davidcoutadeur
Collaborator Author

The bug was not really linked to dashes (-), but to a too-short part of the RDN (< 3 characters), which led to an uncompiled regex.
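The failure mode described above, as an added illustration that is not ppm's own code: a hypothetical checkRDN-style check that splits the RDN value into parts, skips parts shorter than a minimum length, and never calls regexec() on a regex_t that regcomp() did not successfully initialise. The tokenisation on non-alphanumeric characters and the function name are assumptions.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical re-implementation of a checkRDN-style test (not ppm's code).
 * Returns 1 if the password contains any RDN part of at least min_len
 * characters (case-insensitive), 0 if it does not, -1 on internal error. */
int password_contains_rdn_part(const char *rdn_value, const char *password,
                               size_t min_len)
{
    char part[256];               /* current alphanumeric token of the RDN */
    size_t n = 0;
    const char *p = rdn_value;

    for (;; p++) {
        if (*p != '\0' && isalnum((unsigned char)*p)) {
            if (n < sizeof(part) - 1)
                part[n++] = *p;
            continue;
        }
        part[n] = '\0';
        /* Parts shorter than min_len are skipped entirely: no regex is
         * compiled for them, so no uninitialised regex_t can be used. */
        if (n >= min_len) {
            regex_t re;
            /* part is alphanumeric only, so it is a safe literal ERE. */
            int rc = regcomp(&re, part, REG_EXTENDED | REG_ICASE | REG_NOSUB);
            if (rc != 0)
                return -1;        /* never regexec() a regex that failed to compile */
            rc = regexec(&re, password, 0, NULL, 0);
            regfree(&re);
            if (rc == 0)
                return 1;         /* password contains an RDN part */
        }
        n = 0;
        if (*p == '\0')
            break;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample taken from the RDN reported in this issue. */
    const char *rdn = "ihsane el-example";
    printf("secret -> %d\n", password_contains_rdn_part(rdn, "secret", 3));
    printf("my-Example-2019 -> %d\n",
           password_contains_rdn_part(rdn, "my-Example-2019", 3));
    return 0;
}
```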

@davidcoutadeur
Collaborator Author

Fixed in ff79469

@davidcoutadeur davidcoutadeur changed the title openldap crash when checkRDN=1 and username contains dash openldap crash when checkRDN=1 and username contains too short parts Aug 20, 2019