objectclass filter bug in rwm overlay module of slapd 2.4.9

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Could you provide specific steps to recreate this bug?

This will help us to find and resolve the problem.

On Mon, Oct 27, 2008 at 11:56:42AM -0000, Mathias Gug wrote:
> Thank you for taking the time to report this bug and helping to make
> Ubuntu better.
>
> Could you provide specific steps to recreate this bug?
>
> This will help us to find and resolve the problem.
>
> ** Changed in: openldap (Ubuntu)
> Status: New => Incomplete

1.) Configure libnss-ldap on a Linux Client to use LDAP as NSS Source
for group, passwd and shadow

2.) On the server try this config:

    -- start --
    database ldap
    suffix "dc=example,dc=org"
    uri "ldap://realldapserver.example.org"
    overlay rwm
    rwm-rewriteEngine on
    rwm-normalize-mapped-attrs yes

    rwm-map attribute cn *
    rwm-map attribute uid *
    rwm-map attribute uidnumber *
    rwm-map attribute loginshell *
    rwm-map attribute gidnumber *
    rwm-map attribute userpassword *
    rwm-map attribute gecos *
    rwm-map attribute shadowlastchange *
    rwm-map attribute shadowexpire *
    rwm-map attribute homedirectory *
    rwm-map attribute shadowMin *
    rwm-map attribute shadowMax *
    rwm-map attribute shadowWarning *
    rwm-map attribute shadowInactive *
    rwm-map attribute shadowFlag *
    rwm-map attribute memberUid *
    rwm-map attribute uniqueMember *
    rwm-map attribute description *
    rwm-map attribute sn *
    rwm-map attribute givenname *
    rwm-map attribute mail *
    rwm-map attribute *
    -- end --

    all other attributes are hidden ( objectclass attribute inclusive
    ;-(( ).

    The nss ldap client is now unable to find a user since the ldap
    filter (&(uid=xyz)(objectclass=posixaccount)) allways returns null
    entries.

    If you comment out the last line ( rwm-map attribute * ) then
    everything works OK, but all attributes are delivered to the
    client! We have more attributes on the "realldapserver" but we only
    want to provide the attributes needed for nss.

I have compiled the version 2.4.12 from source and the bug is gone. So I
think it would be nice to backport the patch which is in 2.4.12 to 2.4.9
( Ubuntu Version ) or to update the openldap package to 2.4.12.

Regards,

Konrad

--
Konrad Mauz
Rechenzentrum
Hochschule Technik, Wirtschaft und Gestaltung
Braunegger-Strasse 55, D 78462 Konstanz
e-mail: <email address hidden>
Tel.: +49 7531 206-472
Fax.: +49 7531 206-153

Thanks for providing a testcase. The next step is to isolate the patch in upstream repository so that we can see if it fits the criteria for a Stable Release Update.

On Wed, Oct 29, 2008 at 12:03:23PM -0000, Mathias Gug wrote:
> Thanks for providing a testcase. The next step is to isolate the patch
> in upstream repository so that we can see if it fits the criteria for a
> Stable Release Update.
>
> ** Changed in: openldap (Ubuntu)
> Status: Incomplete => Confirmed
>

Ok... the bug is confirmed. And now? Will there ( when? ) a fix or not?
I doesn't know the criteria for such updates, but I think it has to be
fixed, since it is a LTS ubuntu release - and ubuntu do not want 5 years
with a bug in the openldap package!?! If I can help ( testing ) let me
know.

Regards,

Konrad

--
Konrad Mauz
Rechenzentrum
Hochschule Technik, Wirtschaft und Gestaltung
Braunegger-Strasse 55, D 78462 Konstanz
e-mail: <email address hidden>
Tel.: +49 7531 206-472
Fax.: +49 7531 206-153

On Mon, Nov 24, 2008 at 10:07:44AM -0000, Konrad Mauz wrote:
> Ok... the bug is confirmed. And now? Will there ( when? ) a fix or not?

The next step is to find the patch that addresses this specific bug in
upstream CVS.

> I doesn't know the criteria for such updates, but I think it has to be
> fixed, since it is a LTS ubuntu release - and ubuntu do not want 5 years
> with a bug in the openldap package!?! If I can help ( testing ) let me
> know.
>

The criteria for Stable Release Updates can be found here:
https://wiki.ubuntu.com/StableReleaseUpdates

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

On Thu, Nov 27, 2008 at 11:17:20PM -0000, Mathias Gug wrote:
> On Mon, Nov 24, 2008 at 10:07:44AM -0000, Konrad Mauz wrote:
> > Ok... the bug is confirmed. And now? Will there ( when? ) a fix or not?
>
> The next step is to find the patch that addresses this specific bug in
> upstream CVS.
>
> > I doesn't know the criteria for such updates, but I think it has to be
> > fixed, since it is a LTS ubuntu release - and ubuntu do not want 5 years
> > with a bug in the openldap package!?! If I can help ( testing ) let me
> > know.
> >
>
> The criteria for Stable Release Updates can be found here:
> https://wiki.ubuntu.com/StableReleaseUpdates
>

Hello Mathias,

the patch in CVS can be found in:

http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/overlays/rwmconf.c?hideattic=1&sortbydate=0
( search for ITS#5647 ).

I read through the Stable Release Updates... seems like I have to build
openldap from source ;-(.

Regards,

Konrad

--
Konrad Mauz
Rechenzentrum
Hochschule Technik, Wirtschaft und Gestaltung
Braunegger-Strasse 55, D 78462 Konstanz
e-mail: <email address hidden>
Tel.: +49 7531 206-472
Fax.: +49 7531 206-153

Thank you for taking the time to report this bug and helping to make Ubuntu better. However, I am closing it because the bug has been fixed in the latest development version of Ubuntu - the Jaunty Jackalope. It won't be fixed in previous versions of Ubuntu because the package doesn't fit the requirements for backporting. See https://help.ubuntu.com/community/UbuntuBackports for more information.