Posted to users@directory.apache.org by Matthew Melendy <mm...@cs.unm.edu> on 2023/02/24 23:13:42 UTC

group lookup causing NPE crash on ADS

Our test Apache Directory Server is having trouble with what should be a simple operation, the lookup of which groups a user is a member of. Here's what is happening:

- User 'user1' logs into ubuntu client using ssh
- Client connects to ADS server using libnss-ldapd
- Client sends user lookup request to ADS, this succeeds
- Client tries to find out which groups contain this user's memberUid
- Server connection crashes with Null Pointer Exception, protocol error returned to client
- Client login succeeds, but no LDAP group info is available

This behavior is reproducible even with the simplest possible test directory (LDIF and other info shown below).

Interesting point: the connection crash does not happen with a client using the older LDAP client libraries libnss-ldap:amd64 v265-5ubuntu1 and libpam-ldap:amd64 v186-4ubuntu1 .

Has anyone else run into this kind of problem with libnss-ldapd?

Is there perhaps an early build of AM27 available we could try instead?

Matthew Melendy

IT Services Specialist
CS System Services Group
FEC 3550, University of New Mexico



--

getent.ldap passwd - properly shows user list pulled from LDAP
getent.ldap group - provokes same crash
getent.ldap group.bymember - provokes same crash

--

example error shown by nslcd from client request 'getent.ldap group'

nslcd: [8b4567] DEBUG: connection from  pid=172510 uid=2001 gid=2000
nslcd: [8b4567] <group(all)> DEBUG: myldap_search(base="dc=cs,dc=unm,dc=edu", filter="(objectClass=posixGroup)")
nslcd: [8b4567] <group(all)> DEBUG: ldap_initialize(ldap://xx.cs.unm.edu:389)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <group(all)> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://xx.cs.unm.edu:389")
nslcd: [8b4567] <group(all)> ldap_result() failed: Protocol error
nslcd: [8b4567] <group(all)> DEBUG: ldap_abandon()
nslcd: [8b4567] <group(all)> DEBUG: ldap_unbind()

-- error shown in apacheds.log

[13:06:40] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
org.apache.mina.filter.codec.ProtocolDecoderException: java.lang.NullPointerException (Hexdump: 30 81 9C 02 01 02 63 63 04 13 64 63 3D 63 73 2C 64 63 3D 75 6E 6D 2C 64 63 3D 65 64 75 0A 01 02 0A 01 00 02 01 00 02 01 00 01 01 00 A3 19 04 0B 6F 62 6A 65 63 74 43 6C 61 73 73 04 0A 70 6F 73 69 78 47 72 6F 75 70 30 22 04 06 6D 65 6D 62 65 72 04 02 63 6E 04 09 6D 65 6D 62 65 72 55 69 64 04 09 67 69 64 4E 75 6D 62 65 72 A0 32 30 30 04 19 31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 34 32 30 33 2E 36 36 36 2E 35 2E 31 36 04 13 30 11 30 0F 04 06 6D 65 6D 62 65 72 30 05 04 03 75 69 64)
	at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:263)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
	at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.NullPointerException
	at org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue.action(StoreControlValue.java:81)
	at org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue.action(StoreControlValue.java:49)
	at org.apache.directory.api.asn1.ber.grammar.AbstractGrammar.executeAction(AbstractGrammar.java:136)
	at org.apache.directory.api.asn1.ber.Asn1Decoder.treatTLVDoneState(Asn1Decoder.java:604)
	at org.apache.directory.api.asn1.ber.Asn1Decoder.decode(Asn1Decoder.java:740)
	at org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode(LdapProtocolDecoder.java:137)
	at org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode(LdapProtocolDecoder.java:86)
	at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:254)
	... 15 more


---

Client configuration - Ubuntu 22.04.2 LTS x86_64

ii  ldap-utils           2.5.13+dfsg-0ubuntu0.22.04.1   amd64    OpenLDAP utilities
ii  libldap-2.5-0:amd64  2.5.13+dfsg-0ubuntu0.22.04.1   amd64    OpenLDAP libraries
ii  libldap-common       2.5.13+dfsg-0ubuntu0.22.04.1   all      OpenLDAP common files for libraries
ii  libnss-ldapd:amd64   0.9.12-2                       amd64    NSS module for using LDAP as a naming service
ii  libpam-ldapd:amd64   0.9.12-2                       amd64    PAM module for using LDAP as an authentication service
ii  nscd                 2.35-0ubuntu3.1                amd64    GNU C Library: Name Service Cache Daemon

---

client nslcd.conf

uid nslcd
gid nslcd
uri ldap://xx.cs.unm.edu:389
base dc=cs,dc=unm,dc=edu
ldap_version 3
tls_reqcert never


---

Server configuration

Ubuntu 22.04.2 LTS x86_64
Apache Directory Server 2.0.0.AM26
OpenJDK Runtime Environment (Temurin)(build 1.8.0_362-b09)

---

Directory structure LDIF:

version: 1

dn: uid=user1,ou=users,dc=cs,dc=unm,dc=edu
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: user1
gidNumber: 2000
homeDirectory: /home/user1
sn: User
uid: user1
uidNumber: 2001
userPassword:: e01ENX1DNUhleFA2WUptb0RzVGExa2huUTFnPT0=

dn: dc=cs,dc=unm,dc=edu
objectclass: domain
objectclass: top
dc: cs

dn: ou=groups,dc=cs,dc=unm,dc=edu
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=testgrp1,ou=groups,dc=cs,dc=unm,dc=edu
objectClass: posixGroup
objectClass: top
cn: testgrp1
gidNumber: 3000

dn: ou=users,dc=cs,dc=unm,dc=edu
objectClass: organizationalUnit
objectClass: top
ou: users

dn: cn=testgrp2,ou=groups,dc=cs,dc=unm,dc=edu
objectClass: posixGroup
objectClass: top
cn: testgrp2
gidNumber: 2000
memberUid: user1


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@directory.apache.org
For additional commands, e-mail: users-help@directory.apache.org
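
An added example (not part of the original post, and not ApacheDS or nslcd code): a minimal BER walker that decodes the hexdump from the apacheds.log excerpt above. It shows that the rejected message is the `(objectClass=posixGroup)` search carrying one request control, OID 1.3.6.1.4.1.4203.666.5.16 (the OID OpenLDAP uses for its dereference control), which is the part of the message the `StoreControlValue` frames in the stack trace were handling. All function names are the example's own.

```python
# Added example: walk the BER bytes ApacheDS printed with its ProtocolDecoderException.
# HEXDUMP is copied from the apacheds.log excerpt quoted in the message above.
HEXDUMP = """
30 81 9C 02 01 02 63 63 04 13 64 63 3D 63 73 2C 64 63 3D 75 6E 6D 2C 64 63 3D
65 64 75 0A 01 02 0A 01 00 02 01 00 02 01 00 01 01 00 A3 19 04 0B 6F 62 6A 65
63 74 43 6C 61 73 73 04 0A 70 6F 73 69 78 47 72 6F 75 70 30 22 04 06 6D 65 6D
62 65 72 04 02 63 6E 04 09 6D 65 6D 62 65 72 55 69 64 04 09 67 69 64 4E 75 6D
62 65 72 A0 32 30 30 04 19 31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 34 32 30 33 2E
36 36 36 2E 35 2E 31 36 04 13 30 11 30 0F 04 06 6D 65 6D 62 65 72 30 05 04 03
75 69 64
"""
DEREF_OID = "1.3.6.1.4.1.4203.666.5.16"  # OpenLDAP dereference control


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError(f"truncated TLV header at offset {pos}")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError(f"element value at offset {pos} overruns the buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_deref_value(value):
    """Deref control value: SEQUENCE OF { derefAttr, SEQUENCE OF attribute }."""
    specs = children(value)[0][1]
    result = []
    for _, spec in children(specs):
        (_, deref_attr), (_, attr_list) = children(spec)
        wanted = [a.decode() for _, a in children(attr_list)]
        result.append((deref_attr.decode(), wanted))
    return result


def decode_search_request(raw):
    """Decode an LDAPMessage holding a SearchRequest plus optional controls."""
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    parts = children(body)
    if len(parts) < 2 or parts[1][0] != 0x63:  # [APPLICATION 3] SearchRequest
        raise ValueError("not a SearchRequest")
    fields = children(parts[1][1])
    if len(fields) != 8:
        raise ValueError("SearchRequest must have 8 fields")
    ftag, fval = fields[6]
    if ftag == 0xA3:  # equalityMatch is the only filter type rendered here
        attr, val = (v.decode() for _, v in children(fval))
        flt = f"({attr}={val})"
    else:
        flt = f"<filter tag 0x{ftag:02X}>"
    controls = []
    for ptag, pval in parts[2:]:
        if ptag != 0xA0:  # [0] Controls
            continue
        for _, ctl in children(pval):
            items = children(ctl)
            entry = {"oid": items[0][1].decode(), "critical": False, "value": None}
            for itag, ival in items[1:]:
                if itag == 0x01:  # BOOLEAN criticality, absent means FALSE
                    entry["critical"] = ival != b"\x00"
                elif itag == 0x04:  # OCTET STRING controlValue
                    entry["value"] = ival
            if entry["oid"] == DEREF_OID and entry["value"] is not None:
                entry["deref"] = decode_deref_value(entry["value"])
            controls.append(entry)
    return {
        "message_id": int.from_bytes(parts[0][1], "big"),
        "base": fields[0][1].decode(),
        "scope": fields[1][1][0],
        "filter": flt,
        "attributes": [v.decode() for _, v in children(fields[7][1])],
        "controls": controls,
    }


def decode_logged_request(hexdump=HEXDUMP):
    """Decode a space-separated hexdump as printed in the log line."""
    return decode_search_request(bytes.fromhex("".join(hexdump.split())))


if __name__ == "__main__":
    msg = decode_logged_request()
    print(msg["base"], msg["filter"], msg["attributes"])
    for c in msg["controls"]:
        print("control", c["oid"], "critical:", c["critical"], c.get("deref"))
```
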


Re: Configuring Directory Server AM27 snapshot

Posted by Matthew Melendy <mm...@cs.unm.edu>.
Emmanuel,

I found the .ApacheDirectoryStudio/.metadata/.plugins/org.apache.directory.studio.ldapservers/servers directory you mentioned on my client computer (a Mac), but it is empty.

I should maybe have mentioned that we are testing Directory Server as a standalone server, not as an embedded server launched from inside Directory Studio. Would that make a difference?

Here's our setup:

Server computer (headless)
- OS - Ubuntu 22 LTS (x64)
- Java - Temurin JDK 11.0.18+10
- Apache Directory Server - snapshot build #118 (August 13 2021), default installation, so far unchanged

Client computer (used for management)
- OS - MacOS 12.6.3 (JavaM1)
- Java - Temurin JDK 11.0.18+10
- Apache Directory Studio - snapshot build #214 (Dec 16 2022)

We do not use Kerberos at our site.

My Directory Studio build #214 instance is able to configure our AM26 Directory Server installations without any issues. It just gives the "Index 0 out of bounds for length 0" when connecting to our test AM27 Directory Server.

I will email you the server configuration that I have, from /var/lib/apacheds-2.0.0.AM27-SNAPSHOT/default/conf/ , along with my best guess at the client Directory Studio configurations (with passwords masked).

Thanks for offering to take a look, I appreciate it.

Sincerely,

Matthew Melendy

IT Services Specialist
CS System Services Group
FEC 3550, University of New Mexico




Re: Configuring Directory Server AM27 snapshot

Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi Matthew,

This error is an indication that the Kerberos server is wrongly configured.

Can you post the server configuration file?

(Note: the configuration is stored in 
.ApacheDirectoryStudio/.metadata/.plugins/org.apache.directory.studio.ldapservers/servers/<some 
long identifier>/conf. This is a directory with lots of sub-dirs and 
files, I would need all of them. PS: don't try to post a mail to the 
mailing list with an attachment, it won't pass through. Eventually, 
send it to me directly)

On 02/03/2023 18:02, Matthew Melendy wrote:
> To anyone who is testing Directory Server AM27 snapshot (build 118 or 
> other)
> 
> Could you share how you are configuring and accessing it?
> 
> I've tried several builds of Directory Studio for Mac (build 214 Dec 16 
> 2022, build 219 Jan 20 2023), but they all give me the same error "Index 
> 0 out of bounds for length 0" whenever I bring up the configuration 
> page. Full error from log is shown below.
> 
> Sincerely,
> 
> Matthew Melendy
> 
> IT Services Specialist
> CS System Services Group
> FEC 3550, University of New Mexico
> 
> ---
> 
> 
> !SESSION 2023-03-02 09:45:04.446 
> -----------------------------------------------
> eclipse.buildId=unknown
> java.version=11.0.18
> java.vendor=Eclipse Adoptium
> BootLoader constants: OS=macosx, ARCH=x86_64, WS=cocoa, NL=en_US
> Framework arguments:  /studio-rcp/resources/icons/linux/studio.xpm 
> -keyring /Users/username/.eclipse_keyring
> Command-line arguments:  -os macosx -ws cocoa -arch x86_64 
> /studio-rcp/resources/icons/linux/studio.xpm -keyring 
> /Users/username/.eclipse_keyring
> 
> !ENTRY org.eclipse.ui.workbench 4 2 2023-03-02 09:45:42.251
> !MESSAGE Problems occurred when invoking code from plug-in: 
> "org.eclipse.ui.workbench".
> !STACK 0
> java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for 
> length 0
>      at 
> org.apache.directory.studio.apacheds.configuration.editor.OverviewPage.refreshUI(OverviewPage.java:713)
>      at 
> org.apache.directory.studio.apacheds.configuration.editor.ServerConfigurationEditor.pageChanged(ServerConfigurationEditor.java:124)
>      at 
> org.eclipse.ui.part.MultiPageEditorPart$5.run(MultiPageEditorPart.java:1231)
>      at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
>      at org.eclipse.jface.util.SafeRunnable.run(SafeRunnable.java:174)
>      at 
> org.eclipse.ui.part.MultiPageEditorPart.firePageChanged(MultiPageEditorPart.java:1228)
>      at 
> org.eclipse.ui.part.MultiPageEditorPart.pageChange(MultiPageEditorPart.java:834)
>      at 
> org.eclipse.ui.forms.editor.FormEditor.pageChange(FormEditor.java:501)
>      at 
> org.eclipse.ui.part.MultiPageEditorPart.setActivePage(MultiPageEditorPart.java:1032)
>      at 
> org.eclipse.ui.forms.editor.FormEditor.setActivePage(FormEditor.java:612)
>      at 
> org.apache.directory.studio.apacheds.configuration.editor.ServerConfigurationEditor.hideLoadingPageAndDisplayConfigPages(ServerConfigurationEditor.java:421)
>      at 
> org.apache.directory.studio.apacheds.configuration.editor.ServerConfigurationEditor.configurationLoaded(ServerConfigurationEditor.java:370)
>      at 
> org.apache.directory.studio.apacheds.configuration.jobs.LoadConfigurationRunnable$1.run(LoadConfigurationRunnable.java:144)
>      at org.eclipse.swt.widgets.RunnableLock.run(RunnableLock.java:40)
>      at 
> org.eclipse.swt.widgets.Synchronizer.runAsyncMessages(Synchronizer.java:185)
>      at org.eclipse.swt.widgets.Display.runAsyncMessages(Display.java:4181)
>      at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3841)
>      at 
> org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$5.run(PartRenderingEngine.java:1157)
>      at 
> org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
>      at 
> org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(PartRenderingEngine.java:1046)
>      at 
> org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(E4Workbench.java:155)
>      at org.eclipse.ui.internal.Workbench.lambda$3(Workbench.java:644)
>      at 
> org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
>      at 
> org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:551)
>      at 
> org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:156)
>      at org.apache.directory.studio.Application.start(Application.java:51)
>      at 
> org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:203)
>      at 
> org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:134)
>      at 
> org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:104)
>      at 
> org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:401)
>      at 
> org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:255)
>      at 
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native 
> Method)
>      at 
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>      at 
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>      at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>      at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:653)
>      at org.eclipse.equinox.launcher.Main.basicRun(Main.java:590)
>      at org.eclipse.equinox.launcher.Main.run(Main.java:1461)
> 

-- 
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecharny@busit.com https://www.busit.com/



Configuring Directory Server AM27 snapshot

Posted by Matthew Melendy <mm...@cs.unm.edu>.
To anyone who is testing Directory Server AM27 snapshot (build 118 or other)

Could you share how you are configuring and accessing it?

I've tried several builds of Directory Studio for Mac (build 214 Dec 16 2022, build 219 Jan 20 2023), but they all give me the same error "Index 0 out of bounds for length 0" whenever I bring up the configuration page. Full error from log is shown below.

Sincerely,

Matthew Melendy

IT Services Specialist
CS System Services Group
FEC 3550, University of New Mexico

---


!SESSION 2023-03-02 09:45:04.446 -----------------------------------------------
eclipse.buildId=unknown
java.version=11.0.18
java.vendor=Eclipse Adoptium
BootLoader constants: OS=macosx, ARCH=x86_64, WS=cocoa, NL=en_US
Framework arguments:  /studio-rcp/resources/icons/linux/studio.xpm -keyring /Users/username/.eclipse_keyring
Command-line arguments:  -os macosx -ws cocoa -arch x86_64 /studio-rcp/resources/icons/linux/studio.xpm -keyring /Users/username/.eclipse_keyring

!ENTRY org.eclipse.ui.workbench 4 2 2023-03-02 09:45:42.251
!MESSAGE Problems occurred when invoking code from plug-in: "org.eclipse.ui.workbench".
!STACK 0
java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
	at org.apache.directory.studio.apacheds.configuration.editor.OverviewPage.refreshUI(OverviewPage.java:713)
	at org.apache.directory.studio.apacheds.configuration.editor.ServerConfigurationEditor.pageChanged(ServerConfigurationEditor.java:124)
	at org.eclipse.ui.part.MultiPageEditorPart$5.run(MultiPageEditorPart.java:1231)
	at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
	at org.eclipse.jface.util.SafeRunnable.run(SafeRunnable.java:174)
	at org.eclipse.ui.part.MultiPageEditorPart.firePageChanged(MultiPageEditorPart.java:1228)
	at org.eclipse.ui.part.MultiPageEditorPart.pageChange(MultiPageEditorPart.java:834)
	at org.eclipse.ui.forms.editor.FormEditor.pageChange(FormEditor.java:501)
	at org.eclipse.ui.part.MultiPageEditorPart.setActivePage(MultiPageEditorPart.java:1032)
	at org.eclipse.ui.forms.editor.FormEditor.setActivePage(FormEditor.java:612)
	at org.apache.directory.studio.apacheds.configuration.editor.ServerConfigurationEditor.hideLoadingPageAndDisplayConfigPages(ServerConfigurationEditor.java:421)
	at org.apache.directory.studio.apacheds.configuration.editor.ServerConfigurationEditor.configurationLoaded(ServerConfigurationEditor.java:370)
	at org.apache.directory.studio.apacheds.configuration.jobs.LoadConfigurationRunnable$1.run(LoadConfigurationRunnable.java:144)
	at org.eclipse.swt.widgets.RunnableLock.run(RunnableLock.java:40)
	at org.eclipse.swt.widgets.Synchronizer.runAsyncMessages(Synchronizer.java:185)
	at org.eclipse.swt.widgets.Display.runAsyncMessages(Display.java:4181)
	at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3841)
	at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$5.run(PartRenderingEngine.java:1157)
	at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
	at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(PartRenderingEngine.java:1046)
	at org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(E4Workbench.java:155)
	at org.eclipse.ui.internal.Workbench.lambda$3(Workbench.java:644)
	at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
	at org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:551)
	at org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:156)
	at org.apache.directory.studio.Application.start(Application.java:51)
	at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:203)
	at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:134)
	at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:104)
	at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:401)
	at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:255)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:653)
	at org.eclipse.equinox.launcher.Main.basicRun(Main.java:590)
	at org.eclipse.equinox.launcher.Main.run(Main.java:1461)



Re: group lookup causing NPE crash on ADS

Posted by Matthew Melendy <mm...@cs.unm.edu>.
Emmanuel,

Thanks for the response. This morning I have tried last stable snapshot AM27 build #118 (Aug 13, 2021, 5:26:00 AM) (linux x64 deb version). I was able to install it, but now Studio M17 is no longer able to make configuration changes due to "Index 0 out of bounds for length 0" error. Got the same error with Apache Directory Studio nightly version 2.0.0.v20221216 .

Does apacheds now require Java 11 instead of Java 8?

Is there a combination of Server AM27 snapshot and Studio that is known to work?

Sincerely,

Matthew Melendy

IT Services Specialist
CS System Services Group
FEC 3550, University of New Mexico


On 2/24/23 9:47 PM, Emmanuel Lécharny wrote:
> Hi!
> 
> This is a bug in the Apache LDAP API 2.0.0 being used in ApacheDS (https://issues.apache.org/jira/browse/DIRAPI-366?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel&focusedCommentId=17286982#).
> 
> You can probably give one nightly build a test: https://builds.apache.org/job/Directory/job/dir-server-pipeline/
> 
> On 25/02/2023 00:13, Matthew Melendy wrote:
>> Our test Apache Directory Server is having trouble with what should be a simple operation, the lookup of which groups a user is a member of. Here's what is happening:
>>
>> - User 'user1' logs into ubuntu client using ssh
>> - Client connects to ADS server using libnss-ldapd
>> - Client sends user lookup request to ADS, this succeeds
>> - Client tries to find out which groups contain this user's memberUid
>> - Server connection crashes with Null Pointer Exception, protocol error returned to client
>> - Client login succeeds, but no LDAP group info is available
>>
>> This behavior is reproducible even with the simplest possible test directory (LDIF and other info shown below).
>>
>> Interesting point: the connection crash does not happen with a client using the older LDAP client libraries libnss-ldap:amd64 v265-5ubuntu1 and libpam-ldap:amd64 v186-4ubuntu1 .
>>
>> Has anyone else run into this kind of problem with libnss-ldapd?
>>
>> Is there perhaps an early build of AM27 available we could try instead?
>>
>> Matthew Melendy
>>
>> IT Services Specialist
>> CS System Services Group
>> FEC 3550, University of New Mexico
>>
>>
>>
>> -- 
>>
>> getent.ldap passwd - properly shows user list pulled from LDAP
>> getent.ldap group - provokes same crash
>> getent.ldap group.bymember - provokes same crash
>>
>> -- 
>>
>> example error shown by nslcd from client request 'getent.ldap group'
>>
>> nslcd: [8b4567] DEBUG: connection from  pid=172510 uid=2001 gid=2000
>> nslcd: [8b4567] <group(all)> DEBUG: myldap_search(base="dc=cs,dc=unm,dc=edu", filter="(objectClass=posixGroup)")
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_initialize(ldap://xx.cs.unm.edu:389)
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_rebind_proc()
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://xx.cs.unm.edu:389")
>> nslcd: [8b4567] <group(all)> ldap_result() failed: Protocol error
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_abandon()
>> nslcd: [8b4567] <group(all)> DEBUG: ldap_unbind()
>>
>> -- error shown in apacheds.log
>>
>> [13:06:40] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
>> org.apache.mina.filter.codec.ProtocolDecoderException: java.lang.NullPointerException (Hexdump: 30 81 9C 02 01 02 63 63 04 13 64 63 3D 63 73 2C 64 63 3D 75 6E 6D 2C 64 63 3D 65 64 75 0A 01 02 0A 01 00 02 01 00 02 01 00 01 01 00 A3 19 04 0B 6F 62 6A 65 63 74 43 6C 61 73 73 04 0A 70 6F 73 69 78 47 72 6F 75 70 30 22 04 06 6D 65 6D 62 65 72 04 02 63 6E 04 09 6D 65 6D 62 65 72 55 69 64 04 09 67 69 64 4E 75 6D 62 65 72 A0 32 30 30 04 19 31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 34 32 30 33 2E 36 36 36 2E 35 2E 31 36 04 13 30 11 30 0F 04 06 6D 65 6D 62 65 72 30 05 04 03 75 69 64)
>>      at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:263)
>>      at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>>      at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
>>      at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
>>      at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
>>      at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>>      at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
>>      at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
>>      at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
>>      at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222)
>>      at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211)
>>      at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
>>      at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>>      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>      at java.lang.Thread.run(Thread.java:750)
>> Caused by: java.lang.NullPointerException
>>      at org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue.action(StoreControlValue.java:81)
>>      at org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue.action(StoreControlValue.java:49)
>>      at org.apache.directory.api.asn1.ber.grammar.AbstractGrammar.executeAction(AbstractGrammar.java:136)
>>      at org.apache.directory.api.asn1.ber.Asn1Decoder.treatTLVDoneState(Asn1Decoder.java:604)
>>      at org.apache.directory.api.asn1.ber.Asn1Decoder.decode(Asn1Decoder.java:740)
>>      at org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode(LdapProtocolDecoder.java:137)
>>      at org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode(LdapProtocolDecoder.java:86)
>>      at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:254)
>>      ... 15 more
>>
>>
>> ---
>>
>> Client configuration - Ubuntu 22.04.2 LTS x86_64
>>
>> ii  ldap-utils           2.5.13+dfsg-0ubuntu0.22.04.1   amd64 OpenLDAP utilities
>> ii  libldap-2.5-0:amd64  2.5.13+dfsg-0ubuntu0.22.04.1   amd64 OpenLDAP libraries
>> ii  libldap-common       2.5.13+dfsg-0ubuntu0.22.04.1   all OpenLDAP common files for libraries
>> ii  libnss-ldapd:amd64   0.9.12-2                       amd64    NSS module for using LDAP as a naming service
>> ii  libpam-ldapd:amd64   0.9.12-2                       amd64    PAM module for using LDAP as an authentication service
>> ii  nscd               2.35-0ubuntu3.1                amd64    GNU C Library: Name Service Cache Daemon
>>
>> ---
>>
>> client nslcd.conf
>>
>> uid nslcd
>> gid nslcd
>> uri ldap://xx.cs.unm.edu:389
>> base dc=cs,dc=unm,dc=edu
>> ldap_version 3
>> tls_reqcert never
>>
>>
>> ---
>>
>> Server configuration
>>
>> Ubuntu 22.04.2 LTS x86_64
>> Apache Directory Server 2.0.0.AM26
>> OpenJDK Runtime Environment (Temurin)(build 1.8.0_362-b09)
>>
>> ---
>>
>> Directory structure LDIF:
>>
>> version: 1
>>
>> dn: uid=user1,ou=users,dc=cs,dc=unm,dc=edu
>> objectClass: inetOrgPerson
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: posixAccount
>> objectClass: top
>> cn: user1
>> gidNumber: 2000
>> homeDirectory: /home/user1
>> sn: User
>> uid: user1
>> uidNumber: 2001
>> userPassword:: e01ENX1DNUhleFA2WUptb0RzVGExa2huUTFnPT0=
>>
>> dn: dc=cs,dc=unm,dc=edu
>> objectclass: domain
>> objectclass: top
>> dc: cs
>>
>> dn: ou=groups,dc=cs,dc=unm,dc=edu
>> objectClass: organizationalUnit
>> objectClass: top
>> ou: groups
>>
>> dn: cn=testgrp1,ou=groups,dc=cs,dc=unm,dc=edu
>> objectClass: posixGroup
>> objectClass: top
>> cn: testgrp1
>> gidNumber: 3000
>>
>> dn: ou=users,dc=cs,dc=unm,dc=edu
>> objectClass: organizationalUnit
>> objectClass: top
>> ou: users
>>
>> dn: cn=testgrp2,ou=groups,dc=cs,dc=unm,dc=edu
>> objectClass: posixGroup
>> objectClass: top
>> cn: testgrp2
>> gidNumber: 2000
>> memberUid: user1
>>
>>
> 



Re: group lookup causing NPE crash on ADS

Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi!

This is a bug in the Apache LDAP API 2.0.0 being used in ApacheDS 
(https://issues.apache.org/jira/browse/DIRAPI-366?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel&focusedCommentId=17286982#).

You can probably give one nightly build a test: 
https://builds.apache.org/job/Directory/job/dir-server-pipeline/

On 25/02/2023 00:13, Matthew Melendy wrote:
> Our test Apache Directory Server is having trouble with what should be a 
> simple operation, the lookup of which groups a user is a member of. 
> Here's what is happening:
> 
> - User 'user1' logs into ubuntu client using ssh
> - Client connects to ADS server using libnss-ldapd
> - Client sends user lookup request to ADS, this succeeds
> - Client tries to find out which groups contain this user's memberUid
> - Server connection crashes with Null Pointer Exception, protocol error 
> returned to client
> - Client login succeeds, but no LDAP group info is available
> 
> This behavior is reproducible even with the simplest possible test 
> directory (LDIF and other info shown below).
> 
> Interesting point: the connection crash does not happen with a client 
> using the older LDAP client libraries libnss-ldap:amd64 v265-5ubuntu1 
> and libpam-ldap:amd64 v186-4ubuntu1 .
> 
> Has anyone else run into this kind of problem with libnss-ldapd?
> 
> Is there perhaps an early build of AM27 available we could try instead?
> 
> Matthew Melendy
> 
> IT Services Specialist
> CS System Services Group
> FEC 3550, University of New Mexico
> 
> 
> 
> -- 
> 
> getent.ldap passwd - properly shows user list pulled from LDAP
> getent.ldap group - provokes same crash
> getent.ldap group.bymember - provokes same crash
> 
> -- 
> 
> example error shown by nslcd from client request 'getent.ldap group'
> 
> nslcd: [8b4567] DEBUG: connection from  pid=172510 uid=2001 gid=2000
> nslcd: [8b4567] <group(all)> DEBUG: 
> myldap_search(base="dc=cs,dc=unm,dc=edu", 
> filter="(objectClass=posixGroup)")
> nslcd: [8b4567] <group(all)> DEBUG: 
> ldap_initialize(ldap://xx.cs.unm.edu:389)
> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_rebind_proc()
> nslcd: [8b4567] <group(all)> DEBUG: 
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [8b4567] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
> nslcd: [8b4567] <group(all)> DEBUG: 
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
> nslcd: [8b4567] <group(all)> DEBUG: 
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [8b4567] <group(all)> DEBUG: 
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [8b4567] <group(all)> DEBUG: ldap_simple_bind_s(NULL,NULL) 
> (uri="ldap://xx.cs.unm.edu:389")
> nslcd: [8b4567] <group(all)> ldap_result() failed: Protocol error
> nslcd: [8b4567] <group(all)> DEBUG: ldap_abandon()
> nslcd: [8b4567] <group(all)> DEBUG: ldap_unbind()
> 
> -- error shown in apacheds.log
> 
> [13:06:40] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - 
> Unexpected exception forcing session to close: sending disconnect notice 
> to client.
> org.apache.mina.filter.codec.ProtocolDecoderException: 
> java.lang.NullPointerException (Hexdump: 30 81 9C 02 01 02 63 63 04 13 
> 64 63 3D 63 73 2C 64 63 3D 75 6E 6D 2C 64 63 3D 65 64 75 0A 01 02 0A 01 
> 00 02 01 00 02 01 00 01 01 00 A3 19 04 0B 6F 62 6A 65 63 74 43 6C 61 73 
> 73 04 0A 70 6F 73 69 78 47 72 6F 75 70 30 22 04 06 6D 65 6D 62 65 72 04 
> 02 63 6E 04 09 6D 65 6D 62 65 72 55 69 64 04 09 67 69 64 4E 75 6D 62 65 
> 72 A0 32 30 30 04 19 31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 34 32 30 33 2E 
> 36 36 36 2E 35 2E 31 36 04 13 30 11 30 0F 04 06 6D 65 6D 62 65 72 30 05 
> 04 03 75 69 64)
>      at 
> org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:263)
>      at 
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>      at 
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
>      at 
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
>      at 
> org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
>      at 
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>      at 
> org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
>      at 
> org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
>      at 
> org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
>      at 
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222)
>      at 
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211)
>      at 
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
>      at 
> org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>      at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>      at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>      at java.lang.Thread.run(Thread.java:750)
> Caused by: java.lang.NullPointerException
>      at 
> org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue.action(StoreControlValue.java:81)
>      at 
> org.apache.directory.api.ldap.codec.actions.controls.StoreControlValue.action(StoreControlValue.java:49)
>      at 
> org.apache.directory.api.asn1.ber.grammar.AbstractGrammar.executeAction(AbstractGrammar.java:136)
>      at 
> org.apache.directory.api.asn1.ber.Asn1Decoder.treatTLVDoneState(Asn1Decoder.java:604)
>      at 
> org.apache.directory.api.asn1.ber.Asn1Decoder.decode(Asn1Decoder.java:740)
>      at 
> org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode(LdapProtocolDecoder.java:137)
>      at 
> org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode(LdapProtocolDecoder.java:86)
>      at 
> org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:254)
>      ... 15 more
> 
> 
> ---
> 
> Client configuration - Ubuntu 22.04.2 LTS x86_64
> 
> ii  ldap-utils           2.5.13+dfsg-0ubuntu0.22.04.1   amd64    
> OpenLDAP utilities
> ii  libldap-2.5-0:amd64  2.5.13+dfsg-0ubuntu0.22.04.1   amd64    
> OpenLDAP libraries
> ii  libldap-common       2.5.13+dfsg-0ubuntu0.22.04.1   all      
> OpenLDAP common files for libraries
> ii  libnss-ldapd:amd64   0.9.12-2                       amd64    NSS 
> module for using LDAP as a naming service
> ii  libpam-ldapd:amd64   0.9.12-2                       amd64    PAM 
> module for using LDAP as an authentication service
> ii  nscd               2.35-0ubuntu3.1                amd64    GNU C 
> Library: Name Service Cache Daemon
> 
> ---
> 
> client nslcd.conf
> 
> uid nslcd
> gid nslcd
> uri ldap://xx.cs.unm.edu:389
> base dc=cs,dc=unm,dc=edu
> ldap_version 3
> tls_reqcert never
> 
> 
> ---
> 
> Server configuration
> 
> Ubuntu 22.04.2 LTS x86_64
> Apache Directory Server 2.0.0.AM26
> OpenJDK Runtime Environment (Temurin)(build 1.8.0_362-b09)
> 
> ---
> 
> Directory structure LDIF:
> 
> version: 1
> 
> dn: uid=user1,ou=users,dc=cs,dc=unm,dc=edu
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: posixAccount
> objectClass: top
> cn: user1
> gidNumber: 2000
> homeDirectory: /home/user1
> sn: User
> uid: user1
> uidNumber: 2001
> userPassword:: e01ENX1DNUhleFA2WUptb0RzVGExa2huUTFnPT0=
> 
> dn: dc=cs,dc=unm,dc=edu
> objectclass: domain
> objectclass: top
> dc: cs
> 
> dn: ou=groups,dc=cs,dc=unm,dc=edu
> objectClass: organizationalUnit
> objectClass: top
> ou: groups
> 
> dn: cn=testgrp1,ou=groups,dc=cs,dc=unm,dc=edu
> objectClass: posixGroup
> objectClass: top
> cn: testgrp1
> gidNumber: 3000
> 
> dn: ou=users,dc=cs,dc=unm,dc=edu
> objectClass: organizationalUnit
> objectClass: top
> ou: users
> 
> dn: cn=testgrp2,ou=groups,dc=cs,dc=unm,dc=edu
> objectClass: posixGroup
> objectClass: top
> cn: testgrp2
> gidNumber: 2000
> memberUid: user1
> 
> 

-- 
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecharny@busit.com https://www.busit.com/
