autofs-ldap's /etc/ldap/schema/autofs.schema crashes slapd

Bug #1891548 reported by msp3k on 2020-08-13
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
autofs (Debian)
Unknown
Unknown
autofs (Ubuntu)
Low
Unassigned
openldap (Ubuntu)
Low
Unassigned

Bug Description

Ubuntu Release:
# lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04

Version of packages in use:
# dpkg -l autofs autofs-ldap slapd | grep '^ii'
ii autofs 5.1.6-2ubuntu0.1 amd64 kernel-based automounter for Linux
ii autofs-ldap 5.1.6-2ubuntu0.1 amd64 LDAP map support for autofs
ii slapd 2.4.49+dfsg-2ubuntu1.3 amd64 OpenLDAP server (slapd)

Expected:
No errors from slaptest

Actual Output:
5f359370 /etc/ldap/schema/autofs.schema: line 14 attributetype: AttributeType inappropriate matching rule: "caseExactMatch"

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1891548/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
affects: ubuntu → autofs (Ubuntu)
msp3k (peek-nimbios) wrote :

Schemas included in slapd.conf:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/autofs.schema

msp3k (peek-nimbios) wrote :

Attempted to modify /etc/ldap/schema/autofs.scheme to replace "caseExactMatch" with "caseExactIA5Match". This fixed the problem with slaptest reporting an error. However, there are other problems that have arisen that may or may not be related. Attempts to add automount entries fail for "objectClass: automountMap" with "invalid per syntax" errors. Neither old, working entries from slapd running on an existing 18.04 server, nor new entries built using /usr/share/doc/autofs-ldap/examples/ldap-automount-auto.direct as a template, are accepted.

msp3k (peek-nimbios) wrote :

Example entry #1, using /usr/share/doc/autofs-ldap/examples/ldap-automount-auto.direct
------------------------------------
dn: ou=auto.master,dc=example,dc=org
ou: auto.master
objectClass: top
objectClass: automountMap
------------------------------------
Output:
adding new entry "ou=auto.master,dc=example,dc=org"
ldap_add: Invalid syntax (21)
 additional info: objectClass: value #1 invalid per syntax

Example entry #2 from an existing 18.04 slapd server (base replaced w/ dc=example,dc=org)
------------------------------------
dn: ou=automount,dc=example,dc=org
ou: automount
objectClass: top
objectClass: organizationalUnit

dn: ou=auto.master,ou=automount,dc=example,dc=org
ou: auto.master
objectClass: top
objectClass: automountMap
------------------------------------
Output:
adding new entry "ou=automount,dc=example,dc=org"

adding new entry "ou=auto.master,ou=automount,dc=example,dc=org"
ldap_add: Invalid syntax (21)
 additional info: objectClass: value #1 invalid per syntax

Adding slapd task since it is mentioned to break there.

Seems to be a regression from 18.04 -> 20.04 as far as a I read it, tagging as such for now.

@Andreas - any chance to recreate this on your side?

msp3k (peek-nimbios) wrote :
msp3k (peek-nimbios) wrote :

Attached is an example /etc/ldap/slapd.conf file that I'm working from. Maybe there's a problem in here somewhere that I'm not catching. Including it just in case. Database password is "superSecretPassword" -> "{MD5}Yy8s0xf5ONysHHbtpvA+ig==". The include for /etc/ldap/schema/autofs.schema has been replaced with /etc/ldap/schema/autofs-fixed.schema (see additional attachment below).

msp3k (peek-nimbios) wrote :

SORRY -- This is the correct autofs-fixed.schema. That last one was a file I was poking around with using a schema I found online. The only difference between this file and the one that ships with autofs-ldap is "caseExactMatch" -> "caseExactIA5Match".

Ryan Tandy (rtandy) wrote :

msp3k is correct. The bug is in autofs-ldap, not in slapd. slapd is correct to reject "caseExactMatch" since the attribute syntax is IA5 String. The correct fix is what msp3k said, fix the matching rule to be caseExactIA5Match like it was in the old one.

--- /etc/ldap/schema/autofs.schema 2020-08-14 15:50:36.678109301 +0000
+++ /etc/ldap/schema/autofs.schema 2020-08-14 15:50:46.506246431 +0000
@@ -10,7 +10,7 @@

 attributetype ( 1.3.6.1.4.1.2312.4.1.2 NAME 'automountInformation'
  DESC 'Information used by the autofs automounter'
- EQUALITY caseExactMatch
+ EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

 objectclass ( 1.3.6.1.4.1.2312.4.2.3 NAME 'automount' SUP top STRUCTURAL

As a follow-up, I figured out a workaround for the following error that
I reported earlier:

adding new entry "ou=auto.master,dc=example,dc=org"ldap_add: Invalid
syntax (21) additional info: objectClass: value #1 invalid per
syntax

Original steps:
1) Install /etc/ldap/slapd.conf (which includes the "caseExactIA5Match"
fixed version of the autofs schema)
2) Start slapd
3) Attempts to enter an automountMap entry causes an invalid syntax
error

Workaround:
1) Install /etc/ldap/slapd.conf (which includes the "caseExactIA5Match"
fixed version of the autofs schema)
2) start slapd
3) stop and restart slapd again
4) Attempts to enter automountMap entry now succeed

Why this is necessary I can't say but the behavior is consistent. This
extra restart was not necessary for versions of slapd+autofs that
shipped with 18.04 and previous Ubuntu versions.

Also I'm going to further show my ignorance here and say that I found
"caseExactMatch" in several other schema files too. I'm wondering why
other users haven't run into something similar?
# find /etc/ldap/schema/ -type f -exec grep -q caseExactMatch {} \;
-print/etc/ldap/schema/corba.schema/etc/ldap/schema/duaconf.ldif/etc/ld
ap/schema/core.schema <-- commented
out/etc/ldap/schema/duaconf.schema/etc/ldap/schema/java.schema/etc/ldap
/schema/core.ldif <-- commented
out/etc/ldap/schema/java.ldif/etc/ldap/schema/autofs.schema
Thank you again for your help on this.

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Since this affects an unusual end-user configuration, I'm setting Importance to Low, and I don't expect anyone to work on this soon. However if you can help definitively explain what needs adjusting to fix this correctly, then that would be helpful and we can try to help get that fix landed. Caveat: normally we'd expect an explanation and patch to be sent to Debian first.

I'm deferring a decision on whether or not this requires a fix in openldap until the above is clear.

Changed in autofs (Ubuntu):
importance: Undecided → Low
Changed in openldap (Ubuntu):
importance: Undecided → Low
msp3k (peek-nimbios) wrote :

I didn't realize that this was considered unusual. AutoFs integration
has been a critical part of our infrastructure across multiple
departments at our university for decades, starting with NIS/NIS+.
 Without AutoFS integration we would be ... very, very sad.

I have filed a bug report w/ Debian and included a patch against Debian
Sid's autofs-5.1.6 source package:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968675

Since this is the same source file as Ubuntu 20.04 uses I've included
the patch file for your use, on the off chance that it would make
things easier (attached).

Looking at the up-stream source from
https://mirrors.edge.kernel.org/pub/linux/daemons/autofs/v5/ it appears
that version 5.1.2's autofs.schema file was correct. The typo first
appears in 5.1.3, released in May 24th 2017, and has affected every
release of autofs since.

I have also submitted a bug report, including a patch file, to the
<email address hidden> mailing list for the autofs developers.

Michael Peek

On Tue, 2020-08-18 at 16:42 +0000, Robie Basak wrote:
> Thank you for taking the time to report this bug and helping to make
> Ubuntu better.
>
> Since this affects an unusual end-user configuration, I'm setting
> Importance to Low, and I don't expect anyone to work on this soon.
> However if you can help definitively explain what needs adjusting to fix
> this correctly, then that would be helpful and we can try to help get
> that fix landed. Caveat: normally we'd expect an explanation and patch
> to be sent to Debian first.
>
> I'm deferring a decision on whether or not this requires a fix in
> openldap until the above is clear.
>
> ** Changed in: autofs (Ubuntu)
> Importance: Undecided => Low
>
> ** Changed in: openldap (Ubuntu)
> Importance: Undecided => Low
>

The attachment "autofs-5.1.6-schema-fix.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Paride Legovini (paride) wrote :

Hi Michael and thanks for all the digging. If I understand correctly there are two issues here:

1. The slapd crash due to the caseExactMatch/caseExactIA5Match typo, for which you submitted a fix upstream [1].

2. The need to "start ; stop ; restart" the slapd service in order to avoid the "invalid per syntax" errors.

What I suggest is to:

A. Let's wait for upstream to comment on or pickup your patch. We'll then be able to cherry-pick the fix from the upstream repository. This makes things easier to manage and give us more confidence on the correctness on the patch (could be obvious for a ldap/autofs expert, I am not.)

B. File a separate bug for the "start ; stop ; restart" thing, which appears to be unrelated. If you do so, please make it clear it's a Bionic -> Focal regression. Having a minimal steps to reproduce the issue from a fresh Focal install would be the best.

What do you think?

Paride

[1] https://www.spinics.net/lists/autofs/msg02276.html

msp3k (peek-nimbios) wrote :

Will do, thanks.Michael Peek
On Thu, 2020-08-20 at 15:10 +0000, Paride Legovini wrote:
> Hi Michael and thanks for all the digging. If I understand
> correctlythere are two issues here:
> 1. The slapd crash due to the caseExactMatch/caseExactIA5Match typo,
> forwhich you submitted a fix upstream [1].
> 2. The need to "start ; stop ; restart" the slapd service in order
> toavoid the "invalid per syntax" errors.
> What I suggest is to:
> A. Let's wait for upstream to comment on or pickup your patch.
> We'llthen be able to cherry-pick the fix from the upstream
> repository. Thismakes things easier to manage and give us more
> confidence on thecorrectness on the patch (could be obvious for a
> ldap/autofs expert, Iam not.)
> B. File a separate bug for the "start ; stop ; restart" thing,
> whichappears to be unrelated. If you do so, please make it clear it's
> aBionic -> Focal regression. Having a minimal steps to reproduce
> theissue from a fresh Focal install would be the best.
> What do you think?
> Paride
> [1] https://www.spinics.net/lists/autofs/msg02276.html
>

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.