Re: slapd crashes with incomplete sasl config (ITS#2492)
Hi Howard,
I'll check and see what I can do for you.
I noticed one more thing which could probably be helpful for you: I had
compiled openldap-2.1.17 with cyrus-sasl 1 libraries from the SuSE 8.1
distribution. Then I found a security patch on SuSE support for
cyrus-sasl and installed it on rosetta. But these were cyrus-sasl 2
libraries. That was the situation when slapd always crashed as soon as a
request was made.
Find the slapd.conf attached. The sasl-regexp might have changed since
the crashes occurred, but the rest is pretty much the same as it was
with the crashes.
This is an extract of /var/log/messages for a sequence of calls:
May 8 10:01:43 rosetta slapd[822]: conn=1 fd=7 ACCEPT from IP=::1 32837 (IP=:: 389)
May 8 10:01:43 rosetta slapd[2060]: conn=1 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:01:52 rosetta slapd[2060]: conn=1 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:01:52 rosetta slapd[2060]: conn=1 op=1 RESULT tag=97 err=80 text=no secret in database
May 8 10:01:52 rosetta slapd[822]: conn=1 fd=7 closed
May 8 10:04:17 rosetta slapd[822]: conn=2 fd=7 ACCEPT from IP=::1 32838 (IP=:: 389)
May 8 10:04:17 rosetta slapd[2060]: conn=2 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:04:32 rosetta slapd[2060]: conn=2 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:04:32 rosetta slapd[2060]: conn=2 op=1 RESULT tag=97 err=80 text=no secret in database
May 8 10:04:32 rosetta slapd[822]: conn=2 fd=7 closed
May 8 10:05:00 rosetta slapd[822]: conn=3 fd=7 ACCEPT from IP=::1 32839 (IP=:: 389)
May 8 10:05:00 rosetta slapd[2060]: conn=3 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:05:14 rosetta slapd[2060]: conn=3 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:05:14 rosetta slapd[2060]: conn=3 op=1 RESULT tag=97 err=80 text=no secret in database
May 8 10:05:14 rosetta slapd[822]: conn=3 fd=7 closed
May 8 10:08:12 rosetta slapd[822]: conn=4 fd=7 ACCEPT from IP=::1 32840 (IP=:: 389)
May 8 10:08:12 rosetta slapd[2060]: conn=4 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:08:20 rosetta slapd[2060]: conn=4 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:08:20 rosetta slapd[2060]: conn=4 op=1 RESULT tag=97 err=80 text=no secret in database
May 8 10:08:20 rosetta slapd[822]: conn=4 fd=7 closed
May 8 10:08:40 rosetta slapd[822]: conn=5 fd=7 ACCEPT from IP=::1 32841 (IP=:: 389)
May 8 10:08:40 rosetta slapd[2060]: conn=5 op=0 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:08:44 rosetta slapd[2060]: conn=5 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:08:44 rosetta slapd[2060]: conn=5 op=1 RESULT tag=97 err=80 text=no secret in database
May 8 10:08:44 rosetta slapd[822]: conn=5 fd=7 closed
May 8 10:09:06 rosetta slapd[822]: conn=6 fd=7 ACCEPT from IP=::1 32842 (IP=:: 389)
May 8 10:09:06 rosetta slapd[2060]: conn=6 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
May 8 10:09:06 rosetta slapd[2060]: conn=6 op=0 SRCH attr=supportedSASLMechanisms
May 8 10:09:06 rosetta slapd[2060]: conn=6 op=0 RESULT tag=101 err=0 text=
May 8 10:09:06 rosetta slapd[2060]: conn=6 op=1 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:09:20 rosetta slapd[2060]: conn=6 op=2 BIND dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:09:20 rosetta slapd[2060]: conn=6 op=2 RESULT tag=97 err=80 text=unable to get user's secret
Howard Chu wrote:
>It would help to see the slapd.conf that produced this problem, as well as any
>error messages produced by slapd before it quit.
--
----------------------------------------
Ayni AG
Sternenstrasse 24
P.O.Box
CH-8027 Zurich
Switzerland, Europe
+41 1 280 22 44, Fax +41 1 280 22 49
E-mail: info@ayni.com
Web: http://www.ayni.com
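The syslog extract above is easier to read once the mail-client line wraps are undone and each BIND is matched with the RESULT logged for the same connection and operation. The following parser is an added example written for this page, not code from the OpenLDAP project or from the poster: it rejoins wrapped records, pulls the key=value fields out of each slapd log line, and reports which binds failed (err=80 is LDAP_OTHER; method=163 is the SASL bind choice, method=128 the simple bind) and which binds never received a RESULT in the extract. The sample log embedded in the block is constructed from the lines in the mail, including some of their wraps.

```python
import re

# Constructed sample modelled on the syslog extract quoted in the mail above.
# The mail client wrapped some records across two lines; those continuation
# lines (no syslog timestamp at the start) are kept here on purpose.
SAMPLE_LOG = """\
May 8 10:01:43 rosetta slapd[822]: conn=1 fd=7 ACCEPT from IP=::1 32837
(IP=:: 389)
May 8 10:01:43 rosetta slapd[2060]: conn=1 op=0 BIND
dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:01:52 rosetta slapd[2060]: conn=1 op=1 BIND
dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:01:52 rosetta slapd[2060]: conn=1 op=1 RESULT tag=97 err=80
text=no secret in database
May 8 10:01:52 rosetta slapd[822]: conn=1 fd=7 closed
May 8 10:09:06 rosetta slapd[822]: conn=6 fd=7 ACCEPT from IP=::1 32842
(IP=:: 389)
May 8 10:09:06 rosetta slapd[2060]: conn=6 op=0 SRCH base="" scope=0
filter="(objectClass=*)"
May 8 10:09:06 rosetta slapd[2060]: conn=6 op=0 RESULT tag=101 err=0 text=
May 8 10:09:06 rosetta slapd[2060]: conn=6 op=1 BIND
dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:09:20 rosetta slapd[2060]: conn=6 op=2 BIND
dn="cn=manager,dc=ayni,dc=com" method=163
May 8 10:09:20 rosetta slapd[2060]: conn=6 op=2 RESULT tag=97 err=80
text=unable to get user's secret
"""

# A record starts with the syslog timestamp, host and "slapd[pid]:" prefix.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# key=value tokens; quoted values may contain spaces and '='.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
# LDAP BindRequest authentication choices as slapd logs them (0x80, 0xa3).
METHOD_NAMES = {"128": "simple", "163": "SASL"}
OP_KINDS = ("ACCEPT", "BIND", "UNBIND", "SRCH", "RESULT", "closed")


def unwrap(text):
    """Rejoin records that were wrapped onto extra lines without a timestamp."""
    records = []
    for line in text.splitlines():
        if RECORD_RE.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_record(line):
    """Split one slapd syslog record into timestamp, pid, kind and key=value fields."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(msg)}
    # text= runs to the end of the record and may contain spaces.
    text = re.search(r"\btext=(.*)$", msg)
    if text:
        fields["text"] = text.group(1).strip()
    kind = next((t for t in msg.split() if t in OP_KINDS), "other")
    return {"ts": m.group("ts"), "pid": int(m.group("pid")), "kind": kind, "fields": fields}


def bind_outcomes(text):
    """Pair each BIND with the RESULT logged for the same (conn, op).

    Returns (failures, unanswered): failed binds with their error code and
    text, and binds that never got a RESULT record in the extract."""
    pending, failures = {}, []
    for rec in map(parse_record, unwrap(text)):
        f = rec["fields"]
        key = (f.get("conn"), f.get("op"))
        if rec["kind"] == "BIND":
            pending[key] = rec
        elif rec["kind"] == "RESULT" and key in pending:
            bind = pending.pop(key)
            if f.get("err") != "0":
                failures.append({
                    "conn": key[0], "op": key[1], "ts": rec["ts"],
                    "dn": bind["fields"].get("dn", ""),
                    "method": METHOD_NAMES.get(bind["fields"].get("method"), "unknown"),
                    "err": int(f.get("err", -1)), "text": f.get("text", ""),
                })
    unanswered = [{"conn": c, "op": o} for (c, o) in pending]
    return failures, unanswered


if __name__ == "__main__":
    failed, open_binds = bind_outcomes(SAMPLE_LOG)
    for fb in failed:
        print(f"conn={fb['conn']} op={fb['op']} {fb['method']} bind as {fb['dn']} "
              f"failed: err={fb['err']} text={fb['text']!r}")
    print(f"{len(open_binds)} bind(s) without a RESULT record")
```

Run against the sample, the report shows two SASL binds as cn=manager failing with err=80 and two binds (op=0 on conn=1, op=1 on conn=6) that the extract never answers, which is the pattern worth looking for in the real /var/log/messages around the time of a crash. A wrap that splits a word (the "secre / t" in the mail) cannot be repaired generically; the joiner inserts a space, so match on err codes rather than exact text when that happens.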
Attachment: slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Global Directives
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/mailrecipient.schema
# permit version 2 bindings (e.g. from netscape mailer)
allow bind_v2
sizelimit 500
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral "ldap://dir.ayni.com/o=ayni ag,c=ch"
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
#
# TLS specs
#
TLSCertificateFile /usr/local/openldap/cert/ldap.cert.pem
TLSCertificateKeyFile /usr/local/openldap/cert/ldap.cert.key
TLSVerifyClient never
#
#
# Backend Definition
#
# Load dynamic backend modules:
# modulepath /usr/lib/openldap/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!
#access to attr=mobile,telephonenumber,facsimiletelephonenumber,l,postaladdress,streetaddress,pager,postalcode,description,homephone,homepostaladdress,businesscategory
# by self write
# by users read
# by * none
#
#access to dn="ou=addresses,dc=ayni,dc=com"
# by dn="uid=pmeier,ou=people,dc=ayni,dc=com" write
# by dn="uid=Suomi Hasler,ou=people,dc=ayni,dc=com" write
# by users none
# by anonymous none
#
#access to dn="ou=nabor.net,dc=ayni,dc=com"
# by dn="uid=pgilli,ou=nabor.net,dc=ayni,dc=com" write
# by dn="uid=Suomi Hasler,ou=people,dc=ayni,dc=com" write
# by self write
# by anonymous read
#
#access to dn="ou=ldif-test,dc=ayni,dc=com"
# by dn="uid=Suomi Hasler,ou=people,dc=ayni,dc=com" write
# by users none
# by anonymous none
#
access to dn="ou=pam-ldap,dc=ayni,dc=com"
        by dn="uid=cellino,ou=pam-ldap,dc=ayni,dc=com" write
        by self write
        by users read
        by anonymous read
access to attr=userPassword
        by dn="cn=manager,dc=ayni,dc=com" write
        by self write
        by anonymous auth
access to *
        by self write
        by * read
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=ayni,dc=com"
rootdn "cn=Manager,dc=ayni,dc=com"
rootpw violina.
#rootpw {SASL}LDAPAdmin
directory /var/ldap
index cn,sn,uid pres,eq,sub
index objectClass eq
password-hash {SHA}
#password-hash {CLEARTEXT}
sasl-realm rosetta
sasl-host localhost
sasl-secprops none
sasl-regexp uid=(.*),cn=.*,cn=.*,cn=auth
        uid=$1,ou=pam-ldap,dc=ayni,dc=com