Re: Re[2]: Cyrus-IMAPD and LDAP

[Julio Sanchez Fernandez <j_sanchez@stl.es>]

"Kevin J. Menard, Jr." <kmenard@wpi.edu> writes:

> Pretty much.  But Cyrus Imapd 2.0.x and pam_ldap and OpenLDAP 2.0.x
> do not mix well together at all.

There is a conflict in the memory allocation policy for cyrus-sasl.
Well, cyrus-imapd uses cyrus-sasl.  The latter uses PAM, that uses
libldap.  But libldap in 2.0 uses cyrus-sasl as well and, moreover, it
redefines the memory allocation routines so that all memory needed by
the sasl library comes from the BER allocators.  The problem is that
the cyrus-sasl API does not provide a clean way for libldap to restore
the prior allocators properly.  As a consequence, when libldap returns
to PAM, the allocators in libsasl are left dangling, i.e. pointing at
the no longer existing liblber routines.

When cyrus-imapd keeps on using libsasl, it crashes.

There is no clean solution for that.  Depending on the OS (seems to
work on RedHat Linux, probably all unixen work as well), you can look
in cyrus.c in libldap and disable the call to sasl_set_alloc or
somesuch.

Apparently, the new test versions of cyrus-sasl change the allocation
policy so that the thing can work cleanly.  But the API is
incompatible and I have not looked into this.

More irritating is that if you are using nss_ldap on the machine as
well, every login will require a full trip for all posixgroup's in the
directory.  This happens to all applications that require to simulate
a call to initgroups without doing it.

Julio