Improve slapd postinst error message in case database directory can't be determined for a given LDAP suffix

Bug #632051 reported by mike Bernson on 2010-09-06
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
Ryan Tandy

Bug Description

Bug is due to buggy configuration, but we could have a better error message. See comment 5 for details.

Original description:
When doing a apt-get dist-upgrade going from slapd_2.4.15-1ubuntu3_amd64.deb to slapd_2.4.15-1ubuntu3.1_amd64.deb
I get the following output:
batch@work-isp:/tmp$ sudo apt-get dist-upgrade
[sudo] password for batch:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Setting up slapd (2.4.15-1ubuntu3.1) ...
  Backing up /etc/ldap/slapd.conf in /var/backups/slapd-2.4.15-1ubuntu3... done.
chown: invalid argument: `'
dpkg: error processing slapd (--configure):
 subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
E: Sub-process /usr/bin/dpkg returned an error code (1)

output of lsb_release -rd:
batch@work-isp:/tmp$ lsb_release -rd
Description: Ubuntu 9.04
Release: 9.04

output of apt-cache policy slapd:
batch@work-isp:/tmp$ apt-cache policy slapd
  Installed: 2.4.15-1ubuntu3.1
  Candidate: 2.4.15-1ubuntu3.1
  Version table:
 *** 2.4.15-1ubuntu3.1 0
        500 jaunty-updates/main Packages
        500 jaunty-security/main Packages
        100 /var/lib/dpkg/status
     2.4.15-1ubuntu3 0
        500 jaunty/main Packages

I except the package to install without error.

The package did not install correct leaves the sysem with
1 not fully installed or removed

CVE References

mike Bernson (mike-mlb) on 2010-09-06
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no

This is a security problem because it stop an package which has security problems from being updated.

Package: slapd (2.4.15-1ubuntu3.1) [security]

from package changelog:

openldap (2.4.15-1ubuntu3.1) jaunty-security; urgency=low

  * SECURITY UPDATE: null ptr deref, free uninitialized data in modrdn calls
    - openldap-2.4.22-CVE-2010-0211-modrdn_check_error.patch:
      - check return for errors and clean up uninitialized data
    - openldap-2.4.22-CVE-2010-0212-modrdn_null_deref.patch:
      - return error on 0-length or binary RDNs
    - CVE-2010-0211, CVE-2010-0212

 -- Steve Beattie <email address hidden> Wed, 28 Jul 2010 23:28:31 -0700

I wonder if the cause of this "chown" error is at all related to the one discussed in bug #450645 ....

If you can post the output of the following commands it might provide enough information to figure out what exactly is triggering the bug:

  $ sudo sh -c "ls -l /etc/ldap/slapd.d/cn=config/olcDatabase*"

  $ sudo sh -c "grep olcSuffix: /etc/ldap/slapd.d/cn=config/olcDatabase*"
  $ sudo sh -c "grep olcDbDirectory: /etc/ldap/slapd.d/cn=config/olcDatabase*"

mike Bernson (mike-mlb) wrote :
Download full text (5.4 KiB)

batch@work-isp:~$ sudo sh -c "ls -l /etc/ldap/slapd.d/cn=config/olcDatabase*"
ls: cannot access /etc/ldap/slapd.d/cn=config/olcDatabase*: No such file or directory

batch@work-isp:~$ sudo sh -c "grep olcSuffix: /etc/ldap/slapd.d/cn=config/olcDatabase*"
grep: /etc/ldap/slapd.d/cn=config/olcDatabase*: No such file or directory

batch@work-isp:~$ sudo sh -c "grep olcDbDirectory: /etc/ldap/slapd.d/cn=config/olcDatabase*"
grep: /etc/ldap/slapd.d/cn=config/olcDatabase*: No such file or directory

batch@work-isp:~$ ls /etc/ldap
data ldap.conf ldap.doc sasl2 schema slapd.conf

batch@work-isp:~$ ls -R /etc/ldap
data ldap.conf ldap.doc sasl2 schema slapd.conf

aa data.ldif.try1 data.ldif.try3 intervivaz.ldif
data.ldif data.ldif.try2 data.ldif.try4 reload


amavis.schema core.schema inetorgperson.schema nis.schema
authldap.schema cosine.ldif java.schema openldap.ldif
authldap.schema.orig cosine.schema misc.ldif openldap.schema
collective.schema duaconf.schema misc.schema pmi.schema
corba.schema dyngroup.schema nadf.schema ppolicy.schema
core.ldif inetorgperson.ldif nis.ldif README

# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap:// ldap://

#DEREF never

include /etc/ldap/schema/core.schema
##include /etc/ldap/schema/collective.schema
##include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
##include /etc/ldap/schema/duaconf.schema
##include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
##include /etc/ldap/schema/java.schema
#include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
##include /etc/ldap/schema/openldap.schema
##include /etc/ldap/schema/ppolicy.schema
##include /etc/ldap/schema/pmi.schema
#include /usr/local/etc/ldap/samba.schema
#include /usr/local/etc/ldap/sq_prefs.schema
#include /usr/local/etc/ldap/squirrelmail.schema.OpenLDAP-2.1.x
include /etc/ldap/schema/authldap.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
#loglevel none
#loglevel filter stats
loglevel stats
#loglevel 32767

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov

# The maximum number of entries that is returned for a search operation
sizelimit 5000

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

# specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
database hdb
suffix "dc="domain"
rootdn "cn=admin,dc...


Ah, okay, you are still using the slapd.conf file, rather than the slapd.d configuration directory, so your error and the one in #450645 are more like cousins than siblings :)

> # Backend specific directives apply to this backend until another
> # 'backend' directive occurs
> database hdb
> suffix "dc="domain"
> rootdn "cn=admin,dc=domain"
> rootpw "{SSHA}<some text for a password>"
> directory "/var/lib/ldap"

Does the "suffix' line in our slapd.conf file really have three double-quote characters in it? If so, I suspect that's the trigger in your case...

Specifically, when the postinst script builds the list of suffixes to process, it looks for lines that start with "suffix" and then removes *all* the " characters from the value string found -- so when it goes back to find the directory whose permissions need to be updated, it is looking for a line that says:
   suffix "dc=domain"

This doesn't match the actual existing line,
   suffix "dc="domain"
, and so the search fails. In this case, the get_directory() function call would return an empty string, and when "chown" is called with that empty string as the target path, it would return the
   invalid argument: `'
error message.

Mathias Gug (mathiaz) on 2010-09-07
Changed in openldap (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
mike Bernson (mike-mlb) wrote :

changing suffix "dc="domain" to suffix "dc=domain" fixed the problem.

Not sure why nothing in ldap/slapd thinks this is a problem but thing look
to be working.

It occured to me that when the postinst script is unable to determine the database directory associated with a particular suffix (for whatever reason), simply producing the error message "chown: invalid argument: `'" and then aborting isn't very helpful to the system administrator.

Here's a patch that checks the result of the get_directory function call, and if no directory is returned prints a descriptive warning rather than trying to set permissions on <nothing>.

The patch only changes the update_database_permissions() function, so it should be an improvement regardless of whether slapd.conf or slapd.d-style configuration is in use.

This version of the patch simply prints a warning message and continues processing the rest of the postinst run, on the theory the there's a good chance that everything will still work fine even if we don't run this particular "missing" chown command -- but if there is actually a need to abort the installation in that situation, the patch could easily be tweaked to print an appropriate message and then exit with an error status instead.

tags: added: patch
Thierry Carrez (ttx) on 2010-09-09
summary: - slapd dist-upgrade chown: invalid argument: `'
+ Improve error message in case suffix is incorrect
description: updated
Changed in openldap (Ubuntu):
importance: Low → Wishlist
status: Incomplete → Triaged
description: updated
summary: - Improve error message in case suffix is incorrect
+ Improve slapd postinst error message in case database directory can't be
+ determined for a given LDAP suffix
Ryan Tandy (rtandy) on 2014-08-29
Changed in openldap (Ubuntu):
assignee: nobody → Ryan Tandy (rtandy)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers