
Re: slapd crashes with incomplete sasl config (ITS#2492)




Hi Howard,
I'll check and see what I can do for you.
I noticed one more thing which could probably be helpful for you: I had
compiled openldap-2.1.17 with the cyrus-sasl 1 libraries from the SuSE 8.1
distribution. Then I found a security patch on SuSE support for
cyrus-sasl and installed it on rosetta, but these were cyrus-sasl 2
libraries. That was the situation when slapd always crashed when a
request was made.

Find the slapd.conf attached. The sasl-regexp might have changed from
the point when the crashes occurred, but the rest is pretty much the same
as it was with the crashes.

This is an extract of /var/log/messages for a sequence of calls:

May  8 10:01:43 rosetta slapd[822]: conn=1 fd=7 ACCEPT from IP=::1 32837 (IP=:: 389)
May  8 10:01:43 rosetta slapd[2060]: conn=1 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:01:52 rosetta slapd[2060]: conn=1 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:01:52 rosetta slapd[2060]: conn=1 op=1 RESULT tag=97 err=80 text=no secret in database
May  8 10:01:52 rosetta slapd[822]: conn=1 fd=7 closed
May  8 10:04:17 rosetta slapd[822]: conn=2 fd=7 ACCEPT from IP=::1 32838 (IP=:: 389)
May  8 10:04:17 rosetta slapd[2060]: conn=2 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:04:32 rosetta slapd[2060]: conn=2 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:04:32 rosetta slapd[2060]: conn=2 op=1 RESULT tag=97 err=80 text=no secret in database
May  8 10:04:32 rosetta slapd[822]: conn=2 fd=7 closed
May  8 10:05:00 rosetta slapd[822]: conn=3 fd=7 ACCEPT from IP=::1 32839 (IP=:: 389)
May  8 10:05:00 rosetta slapd[2060]: conn=3 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:05:14 rosetta slapd[2060]: conn=3 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:05:14 rosetta slapd[2060]: conn=3 op=1 RESULT tag=97 err=80 text=no secret in database
May  8 10:05:14 rosetta slapd[822]: conn=3 fd=7 closed
May  8 10:08:12 rosetta slapd[822]: conn=4 fd=7 ACCEPT from IP=::1 32840 (IP=:: 389)
May  8 10:08:12 rosetta slapd[2060]: conn=4 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:08:20 rosetta slapd[2060]: conn=4 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:08:20 rosetta slapd[2060]: conn=4 op=1 RESULT tag=97 err=80 text=no secret in database
May  8 10:08:20 rosetta slapd[822]: conn=4 fd=7 closed
May  8 10:08:40 rosetta slapd[822]: conn=5 fd=7 ACCEPT from IP=::1 32841 (IP=:: 389)
May  8 10:08:40 rosetta slapd[2060]: conn=5 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:08:44 rosetta slapd[2060]: conn=5 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:08:44 rosetta slapd[2060]: conn=5 op=1 RESULT tag=97 err=80 text=no secret in database
May  8 10:08:44 rosetta slapd[822]: conn=5 fd=7 closed
May  8 10:09:06 rosetta slapd[822]: conn=6 fd=7 ACCEPT from IP=::1 32842 (IP=:: 389)
May  8 10:09:06 rosetta slapd[2060]: conn=6 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
May  8 10:09:06 rosetta slapd[2060]: conn=6 op=0 SRCH attr=supportedSASLMechanisms
May  8 10:09:06 rosetta slapd[2060]: conn=6 op=0 RESULT tag=101 err=0 text=
May  8 10:09:06 rosetta slapd[2060]: conn=6 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:09:20 rosetta slapd[2060]: conn=6 op=2 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:09:20 rosetta slapd[2060]: conn=6 op=2 RESULT tag=97 err=80 text=unable to get user's secret


Howard Chu wrote:

>It would help to see the slapd.conf that produced this problem, as well as any
>error messages produced by slapd before it quit.

-- 
----------------------------------------
Ayni AG
Sternenstrasse 24
P.O.Box
CH-8027 Zurich
Switzerland, Europe
+41  1 280 22 44, Fax +41  1  280 22 49
E-mail: info@ayni.com
Web:    http://www.ayni.com


Attachment: slapd.conf

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Global Directives
#
include		/usr/local/openldap/etc/openldap/schema/core.schema
include		/usr/local/openldap/etc/openldap/schema/cosine.schema
include		/usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include		/usr/local/openldap/etc/openldap/schema/nis.schema
include		/usr/local/openldap/etc/openldap/schema/mailrecipient.schema

# permit version 2 bindings (e.g. from netscape mailer)
allow bind_v2
sizelimit 500

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	"ldap://dir.ayni.com/o=ayni ag,c=ch"

pidfile		/var/run/slapd.pid
argsfile	/var/run/slapd.args
#
# TLS specs
#
TLSCertificateFile /usr/local/openldap/cert/ldap.cert.pem
TLSCertificateKeyFile /usr/local/openldap/cert/ldap.cert.key
TLSVerifyClient never
#
# 
# Backend Definition
#
# Load dynamic backend modules:
# modulepath	/usr/lib/openldap/openldap
# moduleload	back_ldap.la
# moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la

#
# Sample Access Control
#	Allow read access of root DSE
#	Allow self write access
#	Allow authenticated users read access
#	Allow anonymous users to authenticate
#
#
# if no access controls are present, the default is:
#	Allow read by all
#
# rootdn can always write!

#access to attr=mobile,telephonenumber,facsimiletelephonenumber,l,postaladdress,streetaddress,pager,postalcode,description,homephone,homepostaladdress,businesscategory
#	by self write
#	by users read
#	by * none
#
#access to dn="ou=addresses,dc=ayni,dc=com"
#       by dn="uid=pmeier,ou=people,dc=ayni,dc=com" write
#       by dn="uid=Suomi Hasler,ou=people,dc=ayni,dc=com" write
#       by users none
#       by anonymous none
#
#access to dn="ou=nabor.net,dc=ayni,dc=com"
#       by dn="uid=pgilli,ou=nabor.net,dc=ayni,dc=com" write
#       by dn="uid=Suomi Hasler,ou=people,dc=ayni,dc=com" write
#       by self write
#       by anonymous read
#
#access to dn="ou=ldif-test,dc=ayni,dc=com"
#       by dn="uid=Suomi Hasler,ou=people,dc=ayni,dc=com" write
#       by users none
#       by anonymous none
#

access to dn="ou=pam-ldap,dc=ayni,dc=com"
	by dn="uid=cellino,ou=pam-ldap,dc=ayni,dc=com" write
	by self write
	by users read
	by anonymous read

access to attr=userPassword
	by dn="cn=manager,dc=ayni,dc=com" write
	by self write
	by anonymous auth

access to *
	by self write
	by * read

#######################################################################
# ldbm database definitions
#######################################################################

database	ldbm
suffix		"dc=ayni,dc=com"
rootdn		"cn=Manager,dc=ayni,dc=com"
rootpw		violina.
#rootpw		{SASL}LDAPAdmin
directory	/var/ldap
index cn,sn,uid pres,eq,sub
index objectClass eq
password-hash     {SHA}
#password-hash     {CLEARTEXT}

sasl-realm      rosetta
sasl-host	localhost
sasl-secprops	none

sasl-regexp	uid=(.*),cn=.*,cn=.*,cn=auth
		uid=$1,ou=pam-ldap,dc=ayni,dc=com


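Added example, not part of this message and not OpenLDAP code: a small Python script that reads slapd stats-log lines of the kind shown in the extract above and picks out the SASL binds whose RESULT carries a non-zero err, then emulates the sasl-regexp directive from the attached slapd.conf so the authorization-identity mapping can be checked outside slapd. In the log, method=163 is LDAP_AUTH_SASL (0xa3) and a simple bind would log method=128 (0x80); err=80 is LDAP_OTHER, and "no secret in database" is the Cyrus SASL wording for SASL_NOUSER. The lines in SAMPLE_LOG are constructed to mimic the extract (the conn=7 simple bind is made up as a negative case), the identities fed to sasl_regexp_map are made-up instances of the uid=<user>,cn=<realm>,cn=<mech>,cn=auth form slapd builds, and Python's re stands in for the regcomp(3)/regexec(3) slapd actually uses.

```python
import re

# Constructed sample of slapd(8) stats-log lines (loglevel 256) in the same
# shape as the extract in the message; conn=7 is an invented simple bind.
SAMPLE_LOG = """\
May  8 10:01:43 rosetta slapd[822]: conn=1 fd=7 ACCEPT from IP=::1 32837 (IP=:: 389)
May  8 10:01:43 rosetta slapd[2060]: conn=1 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:01:52 rosetta slapd[2060]: conn=1 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:01:52 rosetta slapd[2060]: conn=1 op=1 RESULT tag=97 err=80 text=no secret in database
May  8 10:01:52 rosetta slapd[822]: conn=1 fd=7 closed
May  8 10:09:06 rosetta slapd[2060]: conn=6 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
May  8 10:09:06 rosetta slapd[2060]: conn=6 op=0 RESULT tag=101 err=0 text=
May  8 10:09:06 rosetta slapd[2060]: conn=6 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:09:20 rosetta slapd[2060]: conn=6 op=2 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May  8 10:09:20 rosetta slapd[2060]: conn=6 op=2 RESULT tag=97 err=80 text=unable to get user's secret
May  8 10:10:00 rosetta slapd[2060]: conn=7 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=128
May  8 10:10:00 rosetta slapd[2060]: conn=7 op=0 RESULT tag=97 err=0 text=
"""

LDAP_AUTH_SIMPLE = 0x80   # logged as method=128
LDAP_AUTH_SASL = 0xA3     # logged as method=163, as in the extract
LDAP_OTHER = 80           # the err= value in every failing RESULT above

# The sasl-regexp pair from the attached slapd.conf, as pattern and replacement.
SASL_REGEXP = r"uid=(.*),cn=.*,cn=.*,cn=auth"
SASL_REPLACEMENT = "uid=$1,ou=pam-ldap,dc=ayni,dc=com"

_OP_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (BIND|RESULT) (.*)$")
_BIND_RE = re.compile(r'dn="([^"]*)" method=(\d+)')
_RESULT_RE = re.compile(r"tag=(\d+) err=(\d+) text=(.*)$")


def parse_ops(log_text):
    """Collect BIND and RESULT fields per (conn, op); other ops are ignored."""
    ops = {}
    for line in log_text.splitlines():
        m = _OP_RE.search(line)
        if not m:
            continue
        rec = ops.setdefault((int(m.group(1)), int(m.group(2))), {})
        if m.group(3) == "BIND":
            b = _BIND_RE.search(m.group(4))
            if b:
                rec["dn"] = b.group(1)
                rec["method"] = int(b.group(2))
        else:
            r = _RESULT_RE.search(m.group(4))
            if r:
                rec["tag"] = int(r.group(1))
                rec["err"] = int(r.group(2))
                rec["text"] = r.group(3)
    return ops


def failed_sasl_binds(log_text):
    """(conn, op, dn, err, text) for SASL binds whose RESULT has err != 0.

    A BIND without a RESULT line (the first step of a multi-step mechanism in
    the extract) is not reported; only completed, failing operations are.
    """
    found = []
    for (conn, op), rec in sorted(parse_ops(log_text).items()):
        if rec.get("method") == LDAP_AUTH_SASL and rec.get("err", 0) != 0:
            found.append((conn, op, rec["dn"], rec["err"], rec["text"]))
    return found


def sasl_regexp_map(authzid, pattern=SASL_REGEXP, replacement=SASL_REPLACEMENT):
    """Emulate one sasl-regexp directive: unanchored search (like regexec(3)
    when the pattern carries no ^ or $), then expand $1..$9 from the match.
    Returns None when the identity does not match, i.e. no DN is mapped."""
    m = re.search(pattern, authzid)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda d: m.group(int(d.group(1))), replacement)


if __name__ == "__main__":
    for conn, op, dn, err, text in failed_sasl_binds(SAMPLE_LOG):
        print(f"conn={conn} op={op} SASL bind as {dn} failed: err={err} ({text})")
    # Made-up identities: with and without the cn=<realm> component.
    for ident in ("uid=cellino,cn=rosetta,cn=digest-md5,cn=auth",
                  "uid=cellino,cn=digest-md5,cn=auth"):
        print(f"{ident} -> {sasl_regexp_map(ident)}")
```

The regexp in the attached configuration needs three cn= components after the uid, so it only maps identities that carry a realm; an identity of the form uid=<user>,cn=<mech>,cn=auth (no realm component) is left unmapped and the bind proceeds without a DN from the regexp. Running the script against the real /var/log/messages instead of SAMPLE_LOG only requires reading the file into failed_sasl_binds.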