
openldap-2.1.25 - SASL - DIGEST-MD5 slapd crash.



Hi,

I have a problem with cyrus-SASL-1.5.28 digest-md5 and openldap-2.1.25
(compiled from source).

I am running all this on redhat ES3 kernel 2.4.21-9.EL

I can use gq to view ldap entries that I have added and use TLS.  When
I do:

 ldapsearch -h doc1.cpc.net.au -s base -D "uid=dennis,ou=people,dc=cpc"
"objectClass=*" -Y DIGEST-MD5 -ZZ -d 1

the slapd crashes without error. The log details are below.

The interesting things are that no matter what "uid" I use in the
search, it still picks up the "uid=dennis...".  I don't have dennis in
the sasldb (my understanding is that I shouldn't need to, but I could be
wrong), but I have an admin user in the sasldb (which I can connect with
using the sasl-client-server test).

Are there any ideas?

Regards,

dennis

slapd.conf is:
***************************************************************
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/autofs.schema
#include        /etc/openldap/schema/redhat/kerberosobject.schema
include         /etc/openldap/schema/authldap.schema

TLSCertificateFile /usr/share/ssl/certs/slapd-cacert.pem
TLSCertificateKeyFile /usr/share/ssl/private/privkey.pem
TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt

access to dn="" by * read
access to *     by self write
                by users read
                by anonymous auth
access to dn="" by dn="uid=dennis,ou=people,dc=cpc" write
access to dn="" by dn="uid=Manager,dc=cpc" write
access to dn=".*,ou=people,dc=cpc"
                attrs=userPassword
                by self write
                by * auth
                by dn="uid=dennis,ou=people,dc=cpc" write
#sasl-secprops noplain,noanonymous,minssf=128
sasl-regexp uid=(.*),cn=digest-md5,cn=auth uid=$1,ou=people,dc=cpc

database        bdb
suffix          "dc=cpc"
#suffix         "o=My Organization Name,c=US"
rootdn          "cn=Manager,dc=cpc"
#rootdn         "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg
rootpw                  {SSHA}bjhb5TQ9PLGLdHiCWM9FnD/KIkTDgwkY
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /data1/ldap/cpc
# Indices to maintain
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial
***********************************************************


slapd log (-d -1)
*******************************************************
Mar  3 14:57:43 doc1 slapd[27278]: daemon: activity on 1 descriptors
Mar  3 14:57:43 doc1 slapd[27278]: daemon: new connection on 11
Mar  3 14:57:43 doc1 slapd[27278]: str2filter "(objectclass=*)"
Mar  3 14:57:43 doc1 slapd[27278]: begin get_filter
Mar  3 14:57:43 doc1 slapd[27278]: PRESENT
Mar  3 14:57:43 doc1 slapd[27278]: end get_filter 0
Mar  3 14:57:43 doc1 slapd[27278]: conn=0 fd=11 ACCEPT from
IP=192.168.0.30:38753 (IP=0.0.0.0:389)
Mar  3 14:57:45 doc1 slapd[27278]: connection_get(11)
Mar  3 14:57:45 doc1 slapd[27278]: connection_get(11): got connid=0
Mar  3 14:57:45 doc1 slapd[27278]: connection_read(11): checking for
input on id=0
Mar  3 14:57:45 doc1 slapd[27278]: ber_get_next on fd 11 failed errno=11
(Resource temporarily unavailable)
Mar  3 14:57:45 doc1 slapd[27278]: do_bind
Mar  3 14:57:45 doc1 slapd[27278]: >>> dnPrettyNormal:
<uid=dennis,ou=people,dc=cpc>
Mar  3 14:57:45 doc1 slapd[27278]: <<< dnPrettyNormal:
<uid=dennis,ou=people,dc=cpc>, <uid=dennis,ou=people,dc=cpc>
Mar  3 14:57:45 doc1 slapd[27278]: do_sasl_bind: dn
(uid=dennis,ou=people,dc=cpc) mech DIGEST-MD5
Mar  3 14:57:45 doc1 slapd[27278]: daemon: select: listen=6
active_threads=1 tvp=NULL
Mar  3 14:57:45 doc1 slapd[27278]: daemon: select: listen=7
active_threads=1 tvp=NULL
Mar  3 14:57:45 doc1 slapd[27278]: conn=0 op=1 BIND
dn="uid=dennis,ou=people,dc=cpc" method=163
Mar  3 14:57:45 doc1 slapd[27278]: ==> sasl_bind:
dn="uid=dennis,ou=people,dc=cpc" mech=DIGEST-MD5 datalen=0
Mar  3 14:57:45 doc1 slapd[27278]: SASL [conn=0] Debug: DIGEST-MD5
server step 1
Mar  3 14:57:45 doc1 slapd[27278]: send_ldap_sasl: err=14 len=188
Mar  3 14:57:45 doc1 slapd[27278]: send_ldap_response: msgid=2 tag=97
err=14
Mar  3 14:57:45 doc1 slapd[27278]: <== slap_sasl_bind: rc=14
Mar  3 14:57:51 doc1 slapd[27278]: daemon: activity on 1 descriptors
Mar  3 14:57:51 doc1 slapd[27278]: daemon: activity on:
Mar  3 14:57:51 doc1 slapd[27278]:  11r
Mar  3 14:57:51 doc1 slapd[27278]:
Mar  3 14:57:51 doc1 slapd[27278]: daemon: read activity on 11
Mar  3 14:57:51 doc1 slapd[27278]: connection_get(11)
Mar  3 14:57:51 doc1 slapd[27278]: connection_get(11): got connid=0
Mar  3 14:57:51 doc1 slapd[27278]: connection_read(11): checking for
input on id=0
Mar  3 14:57:51 doc1 slapd[27278]: ber_get_next on fd 11 failed errno=11
(Resource temporarily unavailable)
Mar  3 14:57:51 doc1 slapd[27278]: do_bind
Mar  3 14:57:51 doc1 slapd[27278]: >>> dnPrettyNormal:
<uid=dennis,ou=people,dc=cpc>
Mar  3 14:57:51 doc1 slapd[27278]: <<< dnPrettyNormal:
<uid=dennis,ou=people,dc=cpc>, <uid=dennis,ou=people,dc=cpc>
Mar  3 14:57:51 doc1 slapd[27278]: do_sasl_bind: dn
(uid=dennis,ou=people,dc=cpc) mech DIGEST-MD5
Mar  3 14:57:51 doc1 slapd[27278]: conn=0 op=2 BIND
dn="uid=dennis,ou=people,dc=cpc" method=163
Mar  3 14:57:51 doc1 slapd[27278]: ==> sasl_bind:
dn="uid=dennis,ou=people,dc=cpc" mech=<continuing> datalen=288
Mar  3 14:57:51 doc1 slapd[27278]: SASL [conn=0] Debug: DIGEST-MD5
server step 2
Mar  3 14:57:51 doc1 slapd[27278]: SASL Canonicalize [conn=0]:
authcid="dennis"
Mar  3 14:57:51 doc1 slapd[27278]: slap_sasl_getdn: id=dennis [len=6]
Mar  3 14:57:51 doc1 slapd[27278]: getdn: u:id converted to
uid=dennis,cn=DIGEST-MD5,cn=auth
Mar  3 14:57:51 doc1 slapd[27278]: >>> dnNormalize:
<uid=dennis,cn=DIGEST-MD5,cn=auth>
Mar  3 14:57:51 doc1 slapd[27278]: <<< dnNormalize:
<uid=dennis,cn=digest-md5,cn=auth>
Mar  3 14:57:51 doc1 slapd[27278]: ==>slap_sasl2dn: converting SASL name
uid=dennis,cn=digest-md5,cn=auth to a DN
Mar  3 14:57:51 doc1 slapd[27278]: slap_sasl_regexp: converting SASL
name uid=dennis,cn=digest-md5,cn=auth
Mar  3 14:57:51 doc1 slapd[27278]: slap_sasl_regexp: converted SASL name
to uid=dennis,ou=people,dc=cpc
Mar  3 14:57:51 doc1 slapd[27278]: slap_parseURI: parsing
uid=dennis,ou=people,dc=cpc
Mar  3 14:57:51 doc1 slapd[27278]: >>> dnNormalize:
<uid=dennis,ou=people,dc=cpc>
Mar  3 14:57:51 doc1 slapd[27278]: <<< dnNormalize:
<uid=dennis,ou=people,dc=cpc>
Mar  3 14:57:51 doc1 slapd[27278]: <==slap_sasl2dn: Converted SASL name
to uid=dennis,ou=people,dc=cpc
Mar  3 14:57:51 doc1 slapd[27278]: getdn: dn:id converted to
uid=dennis,ou=people,dc=cpc
Mar  3 14:57:51 doc1 slapd[27278]: SASL Canonicalize [conn=0]:
authcDN="uid=dennis,ou=people,dc=cpc"
************************************************************

ldapsearch log.

************************************************************
[dennis@blackops dennis]$ ldapsearch -h doc1.cpc.net.au -s base -D
"uid=dennis,ou=people,dc=cpc" "objectClass=*" -Y DIGEST-MD5 -ZZ -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: doc1.cpc.net.au
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.4:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=doc1.cpc.net.au
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: doc1.cpc.net.au  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar  3 15:08:15 2004
 
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, subject:
/C=AU/ST=Victoria/L=Melbourne/O=Utiba Pty
Ltd/OU=Sysadmin/CN=doc1.cpc.net.au/emailAddress=sysadmin@utiba.com,
issuer: /C=AU/ST=Victoria/L=Melbourne/O=Utiba Pty
Ltd/OU=Sysadmin/CN=doc1.cpc.net.au/emailAddress=sysadmin@utiba.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_interactive_sasl_bind_s: user selected: DIGEST-MD5
ldap_int_sasl_bind: DIGEST-MD5
SASL/DIGEST-MD5 authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 53 bytes to sd 3
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: doc1.cpc.net.au  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar  3 15:08:15 2004
 
** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 2, all 1
ber_get_next
ber_get_next: tag 0x30 len 204 contents:
ldap_read: message type bind msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
sasl_client_step: 2
Please enter your password:
sasl_client_step: 1
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 351 bytes to sd 3
ldap_result msgid 3
ldap_chkResponseList for msgid=3, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 3
wait4msg continue, msgid 3, all 1
** Connections:
* host: doc1.cpc.net.au  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar  3 15:08:18 2004
 
** Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=3, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 3, all 1
ber_get_next
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server
****************************************************

ldapsearch 
************************************
Please enter your password:
sasl_client_step: 1
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 324 bytes to sd 3
tls_write: want=394, written=394
ldap_write: want=324, written=324
ldap_result msgid 3
ldap_chkResponseList for msgid=3, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 3
wait4msg continue, msgid 3, all 1
** Connections:
* host: doc1.cpc.net.au  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar  3 16:08:45 2004
 
** Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=3, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 3, all 1
ber_get_next
tls_read: want=5, got=0
 
ldap_read: want=1, got=0
 
ber_get_next failed.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server
*************************************************

Error log for:
ldapsearch -h doc1.cpc.net.au -s base -b "uid=admin,ou=people,dc=cpc"
"objectClass=*" -Y DIGEST-MD5 -ZZ -d 9

*************************************************************

Mar  3 16:13:34 doc1 slapd[27566]: daemon: read activity on 11
Mar  3 16:13:34 doc1 slapd[27566]: connection_get(11)
Mar  3 16:13:34 doc1 slapd[27566]: connection_get(11): got connid=0
Mar  3 16:13:34 doc1 slapd[27566]: connection_read(11): checking for
input on id=0
Mar  3 16:13:34 doc1 slapd[27566]: ber_get_next on fd 11 failed errno=11
(Resource temporarily unavailable)
Mar  3 16:13:34 doc1 slapd[27566]: do_bind
Mar  3 16:13:34 doc1 slapd[27566]: >>> dnPrettyNormal: <>
Mar  3 16:13:34 doc1 slapd[27566]: <<< dnPrettyNormal: <>, <>
Mar  3 16:13:34 doc1 slapd[27566]: do_sasl_bind: dn () mech DIGEST-MD5
Mar  3 16:13:34 doc1 slapd[27566]: daemon: select: listen=6
active_threads=1 tvp=NULL
Mar  3 16:13:34 doc1 slapd[27566]: daemon: select: listen=7
active_threads=1 tvp=NULL
Mar  3 16:13:34 doc1 slapd[27566]: daemon: activity on 1 descriptors
Mar  3 16:13:34 doc1 slapd[27566]: daemon: select: listen=6
active_threads=1 tvp=NULL
Mar  3 16:13:34 doc1 slapd[27566]: daemon: select: listen=7
active_threads=1 tvp=NULL
Mar  3 16:13:34 doc1 slapd[27566]: conn=0 op=1 BIND dn="" method=163
Mar  3 16:13:34 doc1 slapd[27566]: ==> sasl_bind: dn="" mech=DIGEST-MD5
datalen=0
Mar  3 16:13:34 doc1 slapd[27566]: SASL [conn=0] Debug: DIGEST-MD5
server step 1
Mar  3 16:13:34 doc1 slapd[27566]: send_ldap_sasl: err=14 len=188
Mar  3 16:13:34 doc1 slapd[27566]: send_ldap_response: msgid=2 tag=97
err=14
Mar  3 16:13:34 doc1 slapd[27566]: <== slap_sasl_bind: rc=14
Mar  3 16:13:39 doc1 slapd[27566]: daemon: activity on 1 descriptors
Mar  3 16:13:39 doc1 slapd[27566]: daemon: activity on:
Mar  3 16:13:39 doc1 slapd[27566]:  11r
Mar  3 16:13:39 doc1 slapd[27566]:
Mar  3 16:13:39 doc1 slapd[27566]: daemon: read activity on 11
Mar  3 16:13:39 doc1 slapd[27566]: connection_get(11)
Mar  3 16:13:39 doc1 slapd[27566]: connection_get(11): got connid=0
Mar  3 16:13:39 doc1 slapd[27566]: connection_read(11): checking for
input on id=0
Mar  3 16:13:39 doc1 slapd[27566]: ber_get_next on fd 11 failed errno=11
(Resource temporarily unavailable)
Mar  3 16:13:39 doc1 slapd[27566]: do_bind
Mar  3 16:13:39 doc1 slapd[27566]: >>> dnPrettyNormal: <>
Mar  3 16:13:39 doc1 slapd[27566]: <<< dnPrettyNormal: <>, <>
Mar  3 16:13:39 doc1 slapd[27566]: do_sasl_bind: dn () mech DIGEST-MD5
Mar  3 16:13:39 doc1 slapd[27566]: conn=0 op=2 BIND dn="" method=163
Mar  3 16:13:39 doc1 slapd[27566]: ==> sasl_bind: dn=""
mech=<continuing> datalen=288
Mar  3 16:13:39 doc1 slapd[27566]: SASL [conn=0] Debug: DIGEST-MD5
server step 2
Mar  3 16:13:39 doc1 slapd[27566]: SASL Canonicalize [conn=0]:
authcid="dennis"
Mar  3 16:13:39 doc1 slapd[27566]: slap_sasl_getdn: id=dennis [len=6]
Mar  3 16:13:39 doc1 slapd[27566]: getdn: u:id converted to
uid=dennis,cn=DIGEST-MD5,cn=auth
Mar  3 16:13:39 doc1 slapd[27566]: >>> dnNormalize:
<uid=dennis,cn=DIGEST-MD5,cn=auth>
Mar  3 16:13:39 doc1 slapd[27566]: <<< dnNormalize:
<uid=dennis,cn=digest-md5,cn=auth>
Mar  3 16:13:39 doc1 slapd[27566]: ==>slap_sasl2dn: converting SASL name
uid=dennis,cn=digest-md5,cn=auth to a DN
Mar  3 16:13:39 doc1 slapd[27566]: slap_sasl_regexp: converting SASL
name uid=dennis,cn=digest-md5,cn=auth
Mar  3 16:13:39 doc1 slapd[27566]: slap_sasl_regexp: converted SASL name
to uid=dennis,ou=people,dc=cpc
Mar  3 16:13:39 doc1 slapd[27566]: slap_parseURI: parsing
uid=dennis,ou=people,dc=cpc
Mar  3 16:13:39 doc1 slapd[27566]: >>> dnNormalize:
<uid=dennis,ou=people,dc=cpc>
Mar  3 16:13:39 doc1 slapd[27566]: <<< dnNormalize:
<uid=dennis,ou=people,dc=cpc>
Mar  3 16:13:39 doc1 slapd[27566]: <==slap_sasl2dn: Converted SASL name
to uid=dennis,ou=people,dc=cpc
Mar  3 16:13:39 doc1 slapd[27566]: getdn: dn:id converted to
uid=dennis,ou=people,dc=cpc
Mar  3 16:13:39 doc1 slapd[27566]: SASL Canonicalize [conn=0]:
authcDN="uid=dennis,ou=people,dc=cpc"

**********************************************************
-- 
dennis <dennis@utiba.com>
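The posted slapd log ends at `SASL Canonicalize ... authcDN=...` with no bind response after it, and the sasl-regexp line in slapd.conf is what turned the authcid `dennis` into `uid=dennis,ou=people,dc=cpc`. The script below is an added example, not code from the original post or from OpenLDAP: it walks a `-d -1` log through the stages of a DIGEST-MD5 bind and reports the last stage reached, and it reproduces the sasl-regexp identity mapping. The stage markers are taken from the posted log; the sample log lines are constructed from it (condensed to one line each, as syslog writes them). Python `re` standing in for slapd's POSIX regex and lower-casing the whole SASL name standing in for dnNormalize are simplifications.

```python
"""Trace a slapd -d -1 DIGEST-MD5 bind and replay the sasl-regexp mapping.

Added example, not OpenLDAP code.  Stage markers come from the posted log;
the regex and normalization behaviour are approximations of slapd's.
"""
import re

# Stages of a DIGEST-MD5 bind in the order slapd logs them at -d -1, each
# with the message fragment that marks it (fragments taken from the posted log).
# err=14 on a tag=97 (BindResponse) is LDAP's "SASL bind in progress".
STAGES = [
    ("bind_request",          re.compile(r"do_sasl_bind: dn \((.*?)\) mech (\S+)")),
    ("challenge_sent",        re.compile(r"send_ldap_response: msgid=\d+ tag=97 err=14\b")),
    ("response_received",     re.compile(r"mech=<continuing> datalen=(\d+)")),
    ("authcid_canonicalized", re.compile(r'SASL Canonicalize \[conn=\d+\]: authcid="([^"]*)"')),
    ("regexp_mapped",         re.compile(r"slap_sasl_regexp: converted SASL name to (\S+)")),
    ("authcdn_canonicalized", re.compile(r'SASL Canonicalize \[conn=\d+\]: authcDN="([^"]*)"')),
    ("bind_result",           re.compile(r"send_ldap_response: msgid=\d+ tag=97 err=(?!14\b)(\d+)")),
]


def trace_sasl_bind(log_lines):
    """Walk log lines in order and return (stages_reached, verdict).

    stages_reached is a list of (stage, detail) in the order seen; the verdict
    says whether a final BindResponse (tag=97 with err other than 14) was ever
    logged after the SASL exchange started.
    """
    reached = []
    for line in log_lines:
        for stage, pattern in STAGES:
            m = pattern.search(line)
            if m:
                reached.append((stage, " ".join(m.groups())))
                break
    if not reached:
        return reached, "no SASL bind seen"
    last_stage, last_detail = reached[-1]
    if last_stage == "bind_result":
        return reached, f"bind completed with err={last_detail}"
    return reached, f"bind stopped after {last_stage}: no response was logged"


# The sasl-regexp from the posted slapd.conf: left side is matched against the
# normalized SASL identity uid=<authcid>,cn=<mech>,cn=auth, $1 is the captured uid.
SASL_REGEXPS = [
    (r"uid=(.*),cn=digest-md5,cn=auth", "uid=$1,ou=people,dc=cpc"),
]


def sasl_authcid_to_dn(authcid, mech, regexps=SASL_REGEXPS):
    """Map a SASL authcid to a directory DN the way the log shows slapd doing it.

    Simplifications (assumptions, not slapd's exact code): dnNormalize is
    approximated by lower-casing the whole name, and the pattern must match
    the whole normalized name.  Returns None when no regexp matches.
    """
    sasl_name = f"uid={authcid},cn={mech},cn=auth"
    normalized = sasl_name.lower()
    for pattern, replacement in regexps:
        m = re.fullmatch(pattern, normalized)
        if m:
            # Expand $1, $2, ... from the captured groups.
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return None


# Constructed sample: the posted slapd log condensed to one syslog line per event.
SAMPLE_LOG = """\
Mar  3 14:57:45 doc1 slapd[27278]: do_sasl_bind: dn (uid=dennis,ou=people,dc=cpc) mech DIGEST-MD5
Mar  3 14:57:45 doc1 slapd[27278]: SASL [conn=0] Debug: DIGEST-MD5 server step 1
Mar  3 14:57:45 doc1 slapd[27278]: send_ldap_response: msgid=2 tag=97 err=14
Mar  3 14:57:51 doc1 slapd[27278]: ==> sasl_bind: dn="uid=dennis,ou=people,dc=cpc" mech=<continuing> datalen=288
Mar  3 14:57:51 doc1 slapd[27278]: SASL [conn=0] Debug: DIGEST-MD5 server step 2
Mar  3 14:57:51 doc1 slapd[27278]: SASL Canonicalize [conn=0]: authcid="dennis"
Mar  3 14:57:51 doc1 slapd[27278]: slap_sasl_regexp: converted SASL name to uid=dennis,ou=people,dc=cpc
Mar  3 14:57:51 doc1 slapd[27278]: SASL Canonicalize [conn=0]: authcDN="uid=dennis,ou=people,dc=cpc"
""".splitlines()


if __name__ == "__main__":
    stages, verdict = trace_sasl_bind(SAMPLE_LOG)
    for stage, detail in stages:
        print(f"{stage:24s} {detail}")
    print(verdict)
    print("mapping:", sasl_authcid_to_dn("dennis", "DIGEST-MD5"))
```

Run against the posted log the trace stops at `authcdn_canonicalized`, which is the same observation the post makes: the identity mapping completed and nothing was sent back before the client saw the connection drop. Feeding the script a log that contains a final `send_ldap_response: ... tag=97 err=0` line yields a "bind completed" verdict instead, so the same check separates a crash from an ordinary failed or successful bind.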