[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4180) slapd (back-sql) hangs/segfaults on SASL bind



On 17 Nov 2005 at 19:05, Pierangelo Masarati wrote:

> On Thu, 2005-11-17 at 16:38 +0000, nels@maei.ca wrote:
> > Full_Name: Nels Lindquist
> > Version: 2.3.11
> > OS: Linux (CentOS 3.6)
> > URL: 
> > Submission from: (NULL) (66.225.146.217)
> 
> I cannot reproduce this issue, using SASL bind with DIGEST-MD5; can you
> provide further details on the offending operation and on the sasl/authz
> related configuration of slapd?  Do you store credentials in the
> database?

Yes, the credentials are stored in the database.  The problem seems 
to occur with any SASL2 method; I've tried PLAIN, DIGEST-MD5, CRAM-
MD5 and NTLM.  If I switch pwcheck_method to saslauthd then PLAIN and 
LOGIN work fine.  The error occurs whether the SASL store is 
PostgreSQL or MySQL.  However, when back-sql uses our old MySQL setup 
everything works fine.  Strange!

> > CentOS 3.6 (RHEL rebuild)
> > OpenLDAP 2.3.11 (built from source)
> > Cyrus SASL 2.1.20
> > PostgreSQL 8.1.0
> > unixODBC 2.2.8
> > 
> > Using back-sql with PostgreSQL, slapd hangs indefinitely (when running in the
> > background) or segfaults (when run with -d 1) whenever a SASLv2 bind is
> > attempted.  Simple bind works fine.
> > 
> > Here are the last few lines from the slapd debug output:
> > 
> > <==backsql_search()
> > <==slap_sasl2dn: Converted SASL name to cn=nels lindquist,o=maei,c=ca
> > slap_sasl_getdn: dn:id converted to cn=nels lindquist,o=maei,c=ca
> > SASL Canonicalize [conn=7]: slapAuthcDN="cn=nels lindquist,o=maei,c=ca"
> > SASL Canonicalize [conn=7]: authzid="nels"
> > SASL proxy authorize [conn=7]: authcid="nels" authzid="nels"
> > 
> > I also managed to get a backtrace from gdb:
> > 
> > [Switching to Thread -1228420176 (LWP 17259)]
> > 0x0018977b in strlen () from /lib/tls/libc.so.6
> > (gdb) bt
> > #0  0x0018977b in strlen () from /lib/tls/libc.so.6
> > #1  0x00157611 in vfprintf () from /lib/tls/libc.so.6
> > #2  0x00178d14 in vsnprintf () from /lib/tls/libc.so.6
> > #3  0x080f4e58 in lutil_debug (debug=7, level=1191210597, 
> > fmt=0x810ce5c "==>slap_sasl_authorized: can %s become %s?\n") at     
> > debug.c:83  
> 
> Can you print the values of authcDN=0xb6c7c678, authzDN=0xb6c7c670
> below?

I'm not all that familiar with the operation of gdb... how would I go 
about doing that?  I'll check the man pages and see what I can find.

> > #4  0x0808fb77 in slap_sasl_authorized (op=0x9777138,     
> > authcDN=0xb6c7c678, authzDN=0xb6c7c670) at saslauthz.c:2074  
> > #5  0x08093889 in slap_sasl_authorize (sconn=0x9776370,     
> > context=0xb7580a18, requested_user=0x9776c80 "nels", rlen=4, 
> > auth_identity=0x9776d81 "nels", alen=4, def_realm=0x0, urlen=0, 
> > props=0x97775f8) at sasl.c:697  
> > #6  0x00b7283e in sasl_server_new () from /usr/lib/libsasl2.so.2
> > #7  0x00b72e3f in sasl_server_step () from /usr/lib/libsasl2.so.2
> > #8  0x0809450b in slap_sasl_bind (op=0x0, rs=0x9776370) at 
> > sasl.c:1380
> > #9  0x08072718 in fe_op_bind (op=0x9777138, rs=0xb6c7c870) at 
> > bind.c:276
> > #10 0x08071d99 in do_bind (op=0x9777138, rs=0xb6c7c870) at bind.c:200
> > #11 0x0805bd4c in connection_operation (ctx=0xb6c7c8f0, 
> > arg_v=0x9777138) at connection.c:1061  
> > #12 0x080d71a2 in ldap_int_thread_pool_wrapper (xpool=0x97246b0) at 
> > tpool.c:485
> > #13 0x00960dd8 in start_thread () from /lib/tls/libpthread.so.0
> > #14 0x001edd2a in clone () from /lib/tls/libc.so.6

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.