
Re: seg fault with TLS syncrepl ?



Thanks Rich,

> You should make sure the openldap-debuginfo

On track: I rolled back to the simple bindmethod at this
stage and have created a dedicated proxy user for
replication.

Once I can get this package (internal procedures...),
I'll check and come back on that issue.

Thanks,

---
Olivier


On Fri, Aug 12, 2011 at 4:14 PM, Rich Megginson
<rich.megginson@gmail.com> wrote:
> On 08/12/2011 07:17 AM, Olivier wrote:
>>
>> My N-WAY replication works properly with a
>> "bindmethod=simple".
>>
>> However, I don't like keeping a password in the clear in
>> a configuration file, so I tried this:
>>
>> On server "ldap-master1.example.fr" :
>>
>> TLSVerifyClient allow
>>
>> syncrepl rid=101
>>     provider=ldap://ldap-master2.example.fr:389
>>     searchbase="dc=example,dc=fr"
>>     schemachecking=on
>>     type=refreshOnly
>>     interval=00:00:01:00
>>     retry="10 +"
>>     bindmethod=sasl
>>     saslmech=EXTERNAL
>>     starttls=critical
>>     tls_cert=/etc/openldap/cacerts/master1/server.crt
>>     tls_key=/etc/openldap/cacerts/master1/server.key
>>     tls_cacert=/etc/openldap/cacerts/CA.crt
>>     tls_reqcert=demand
>>
>> On server "ldap-master2.example.fr" :
>>
>> TLSVerifyClient allow
>>
>> syncrepl rid=201
>>     provider=ldap://ldap-master1.example.fr:389
>>     searchbase="dc=example,dc=fr"
>>     schemachecking=on
>>     type=refreshOnly
>>     interval=00:00:01:00
>>     retry="10 +"
>>     bindmethod=sasl
>>     saslmech=EXTERNAL
>>     starttls=critical
>>     tls_cert=/etc/openldap/cacerts/master2/server.crt
>>     tls_key=/etc/openldap/cacerts/master2/server.key
>>     tls_cacert=/etc/openldap/cacerts/CA.crt
>>
>> I get a segmentation fault:
>>
>> ldap-master1 #$ /usr/sbin/slapd -h  ldap:/// -u ldap -d256
>>
>> @(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
>>
>>  mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
>> bdb_monitor_db_open: monitoring disabled; configure monitor database to
>> enable
>> <= bdb_inequality_candidates: (entryCSN) not indexed
>> slapd starting
>> slap_client_connect: URI=ldap://ldap-master2.example.fr:389 Error,
>> ldap_start_tls failed (-1)
>> do_syncrepl: rid=101 rc -1 retrying
>> conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389)
>> conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>> conn=1000 op=0 STARTTLS
>> conn=1000 op=0 RESULT oid= err=0 text=
>> conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
>> conn=1000 op=1 BIND dn="" method=163
>> conn=1000 op=1 BIND
>>
>> authcid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
>>
>> authzid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
>> conn=1000 op=1 BIND
>>
>> dn="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
>> mech=EXTERNAL sasl_ssf=0 ssf=256
>> conn=1000 op=1 RESULT tag=97 err=0 text=
>> conn=1000 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0
>> filter="(objectClass=*)"
>> conn=1000 op=2 SRCH attr=* +
>> conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
>> conn=1000 op=3 UNBIND
>> conn=1000 fd=12 closed
>> Segmentation fault
>>
>> The segfault happened when the second server tried to sync with the first
>> one:
>>
>> [root@ldap-master2 cacerts]# /usr/sbin/slapd -h  ldap:/// -u ldap -d256
>> @(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
>>
>>  mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
>> bdb_monitor_db_open: monitoring disabled; configure monitor database to
>> enable
>> slapd starting
>> conn=1000 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389)
>> conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>> conn=1000 op=0 STARTTLS
>> conn=1000 op=0 RESULT oid= err=0 text=
>> TLS: error: accept - force handshake failure: errno 2 - moznss error -5938
>> TLS: can't accept: TLS error -5938:Encountered end of file.
>> conn=1000 fd=12 closed (TLS negotiation failure)
>> ^C
>> daemon: shutdown requested and initiated.
>> slapd shutdown: waiting for 0 operations/tasks to finish
>> slapd stopped.
>>
>> Any idea?
>
> Can you get a core file and a stack trace from the server that gets the seg
> fault?
> I'm assuming from the build that you are running on Fedora 14 or later, or
> RHEL6.1.  You should make sure the openldap-debuginfo package is installed
> (e.g. debuginfo-install openldap) and install abrt.  This will collect the
> core files in /var/spool/abrt
>>
>> NOTE: if I start the daemon on ldap-master2, it's ldap-master2 that
>> produces the seg fault.
>>
>> ---
>> Olivier
>>
>
>
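
Added example, not part of the thread and not OpenLDAP project code: a provider-side slapd.conf fragment showing the two pieces the quoted configuration relies on when it replaces the cleartext replication password with SASL EXTERNAL over TLS. With EXTERNAL, the bind identity is the client certificate's subject DN, exactly as the master1 log shows; this fragment verifies the peer certificate against the CA, maps that subject DN onto a dedicated replication entry with authz-regexp, and grants that entry read access. The CA/cert paths are taken from the thread; the ou=replicators subtree, the regexp and the ACL are assumptions chosen to match the subject DN in the log.

```conf
# Added example (assumed names): provider-side slapd.conf fragment for
# certificate-authenticated syncrepl consumers using saslmech=EXTERNAL.

# Server identity and the CA that issued the consumer certificates.
TLSCACertificateFile  /etc/openldap/cacerts/CA.crt
TLSCertificateFile    /etc/openldap/cacerts/master1/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/master1/server.key

# "try": request a client certificate; a client without one may still
# connect (and bind some other way), but a certificate that does not
# chain to CA.crt terminates the session. Use "demand" if every client
# of this server must present a certificate.
TLSVerifyClient try

# With EXTERNAL the authentication DN is the certificate subject DN as
# slapd normalizes it, e.g.
#   email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr
# Map it onto one entry per consumer under an assumed ou=replicators,
# so ACLs refer to a stable identity rather than each full subject DN.
# The cn component (the consumer's host name) is captured as $1.
authz-regexp
  "^email=[^,]+,cn=([^,]+),ou=ldap,o=example,l=somewhere,st=france,c=fr$"
  "cn=$1,ou=replicators,dc=example,dc=fr"

# Replication identities need to read the whole replicated tree,
# including operational attributes (the consumer searches "attr=* +").
# "break" hands non-replicator clients on to the later access rules.
access to *
  by dn.children="ou=replicators,dc=example,dc=fr" read
  by * break
```

To check the mapping from a consumer host before enabling syncrepl, bind with the same certificate and key the syncrepl stanza uses (the client library reads them from the LDAPTLS_CERT and LDAPTLS_KEY environment variables, or TLS_CERT/TLS_KEY in ldap.conf) and ask slapd who you are: `ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap-master1.example.fr`. When the regexp matches, the answer is the mapped DN (here `dn:cn=ldap-master2.example.fr,ou=replicators,dc=example,dc=fr`); when it does not, you get the raw certificate subject, which is the case the log above shows, and a search by that unmapped identity returns only what the ACLs allow an arbitrary authenticated DN to see.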