(ITS#4847) slapd segfaults on startup
Full_Name: Michael Heep
Version: 2.3.34
OS: RHES21
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.113.101.1)
Since version 2.3.34 slapd simply segfaults during startup on a Red Hat
Enterprise 2.1 system. I've been building a customized OpenLDAP RPM for our
purposes (installs to /opt/openldap) for over a year now and never encountered
any problems like this before.
+ CPPFLAGS= -I/usr/src/redhat/BUILD/openldap-2.3.34/db-instroot/include
-I/usr/include/sasl2
+ LDFLAGS= -L/usr/src/redhat/BUILD/openldap-2.3.34/db-instroot/lib
+ CFLAGS= -O2 -march=i386 -mcpu=i686 -D_REENTRANT -fPIC
-I/usr/src/redhat/BUILD/openldap-2.3.34/db-instroot/include -I/usr/include/sasl2
-g -O2
+ ./configure --prefix=/opt/openldap --exec_prefix=/opt/openldap
--bindir=/opt/openldap/bin --sbindir=/opt/openldap/sbin
--sysconfdir=/opt/openldap/etc --datadir=/opt/openldap/share
--includedir=/opt/openldap/include --libdir=/opt/openldap/lib
--libexecdir=/opt/openldap/sbin --localstatedir=/var/run
--sharedstatedir=/usr/com --mandir=/opt/openldap/man
--infodir=/opt/openldap/info --enable-debug --enable-bdb --enable-hdb
--enable-ldap --enable-monitor --disable-ldbm --enable-slapd --disable-slurpd
--enable-syncprov --enable-accesslog --enable-ppolicy --enable-unique
--enable-proxycache --enable-dynlist --enable-valsort --enable-refint
--with-threads --enable-shared --enable-static --enable-local --disable-rlookups
--with-tls --with-cyrus-sasl --disable-wrappers --disable-ipv6 --enable-passwd
--enable-crypt --enable-cleartext --enable-spasswd --enable-syslog
--enable-modules --disable-sql --disable-shell
Here is the stacktrace when run under gdb:
(gdb) file ./slapd
Load new symbol table from "./slapd"? (y or n) y
Reading symbols from ./slapd...done.
(gdb) run -u ldap -f /opt/openldap/etc/slapd.conf -h "ldap:/// ldaps:///
ldaps://192.168.128.204:80/"
Starting program: /usr/src/redhat/BUILD/openldap-2.3.34/servers/slapd/slapd -u
ldap -f /opt/openldap/etc/slapd.conf -h "ldap:/// ldaps:///
ldaps://192.168.128.204:80/"
[Thread debugging using libthread_db enabled]
[New Thread 8192 (LWP 30130)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 8192 (LWP 30130)]
0x08092364 in LDAPDN_rewrite (dn=0x833f618, flags=0, ctx=0x0) at dn.c:519
519 validf =
ad->ad_type->sat_syntax->ssyn_validate;
(gdb) bt full
#0 0x08092364 in LDAPDN_rewrite (dn=0x833f618, flags=0, ctx=0x0) at dn.c:519
validf = (slap_syntax_validate_func *) 0
transf = (slap_syntax_transform_func *) 0
bv = {bv_len = 0, bv_val = 0x0}
ava = (LDAPAVA *) 0x833e3a8
ad = (AttributeDescription *) 0x833e418
normf = (slap_mr_normalize_func *) 0
mr = (MatchingRule *) 0x0
do_sort = 1
iAVA = 0
iRDN = 0
rc = 2
#1 0x08092615 in dnNormalize (use=0, syntax=0x0, mr=0x0, val=0xbffeac18,
out=0x833e804, ctx=0x0) at dn.c:619
val = (struct berval *) 0xbffeac18
dn = 0x833f618
rc = 137623037
#2 0x08140898 in unique_config (be=0x833f810, fname=0x82a8230
"/opt/openldap/etc/slapd.conf", lineno=168, argc=2, argv=0x833cef8)
at unique.c:151
bv = {bv_len = 17, bv_val = 0x833f5fd "dc=o2online,dc=de"}
be = (BackendDB *) 0x7530
on = (slap_overinst *) 0x2
ud = (unique_data *) 0x833e7f8
up = (unique_attrs *) 0xbffeac18
text = 0x101b <Address 0x101b out of bounds>
ad = (AttributeDescription *) 0xbffead9c
i = 137003568
#3 0x080d5c95 in over_db_config (be=0x833f810, fname=0x82a8230
"/opt/openldap/etc/slapd.conf", lineno=168, argc=2, argv=0x833cef8)
at backover.c:157
oi = (slap_overinfo *) 0x833e210
on = (slap_overinst *) 0x8355c98
be_cf_ocs = (struct ConfigOCs *) 0x827f2b4
ca = {argc = 2, argv = 0x833cef8, argv_size = 0, line = 0x0, tline =
0x0,
fname = 0x82a8230 "/opt/openldap/etc/slapd.conf", lineno = 168,
log = "/opt/openldap/etc/slapd.conf: line 168", '\0' <repeats 4084 times>, msg
= '\0' <repeats 255 times>, depth = 0, valx = 0,
values = {v_int = 0, v_long = 0, v_ber_t = 0, v_string = 0x0, v_bv = {bv_len =
0, bv_val = 0x0}, v_dn = {vdn_dn = {bv_len = 0,
bv_val = 0x0}, vdn_ndn = {bv_len = 0, bv_val = 0x0}}}, rvalue_vals =
0x0, rvalue_nvals = 0x0, op = 0, type = 0,
be = 0x833f810, bi = 0x0, ca_entry = 0x0, private = 0x0, cleanup = 0}
rc = -1026
#4 0x08078bbf in read_config_file (fname=0x82a8230
"/opt/openldap/etc/slapd.conf", depth=0, cf=0x0, cft=0x827a5f4) at config.c:807
fp = (FILE *) 0x833d700
ct = (ConfigTable *) 0x2
c = (ConfigArgs *) 0x833bd80
rc = -1026
s = {st_dev = 26632, __pad1 = 0, st_ino = 229391, st_mode = 33184,
st_nlink = 1, st_uid = 0, st_gid = 55, st_rdev = 0,
__pad2 = 0, st_size = 6040, st_blksize = 4096, st_blocks = 16, st_atime =
1172155110, __unused1 = 0, st_mtime = 1170837817,
__unused2 = 0, st_ctime = 1171879479, __unused3 = 0, __unused4 = 0, __unused5
= 0}
#5 0x080731fd in read_config (fname=0x82a8230 "/opt/openldap/etc/slapd.conf",
dir=0x0) at bconfig.c:3077
dir = 0x82a8230 "/opt/openldap/etc/slapd.conf"
be = (BackendDB *) 0x833bac8
cfb = (CfBackInfo *) 0x833bbd0
cfdir = 0x7530 <Address 0x7530 out of bounds>
cfname = 0x82a8230 "/opt/openldap/etc/slapd.conf"
rc = 137607880
#6 0x0806c33d in main (argc=7, argv=0xbffec1a4) at main.c:667
i = 137003568
no_detach = 0
rc = 0
urls = 0x82a8258 "ldap:/// ldaps:/// ldaps://192.168.128.204:80/"
username = 0x82a8220 "HÏ,@Àò.@\020"
groupname = 0x0
sandbox = 0x0
syslogUser = 160
configfile = 0x82a8230 "/opt/openldap/etc/slapd.conf"
configdir = 0x0
serverName = 0xbffedbd0 "slapd"
scp = (struct sync_cookie *) 0x0
scp_entry = (struct sync_cookie *) 0x2
debug_unknowns = (char **) 0x0
syslog_unknowns = (char **) 0x0
serverNamePrefix = 0x2 <Address 0x2 out of bounds>
slapd_pid_file_unlink = 0
slapd_args_file_unlink = 0
(gdb)
(gdb) thread apply all bt
Thread 1 (Thread 8192 (LWP 30130)):
#0 0x08092364 in LDAPDN_rewrite (dn=0x833f618, flags=0, ctx=0x0) at dn.c:519
#1 0x08092615 in dnNormalize (use=0, syntax=0x0, mr=0x0, val=0xbffeac18,
out=0x833e804, ctx=0x0) at dn.c:619
#2 0x08140898 in unique_config (be=0x833f810, fname=0x82a8230
"/opt/openldap/etc/slapd.conf", lineno=168, argc=2, argv=0x833cef8)
at unique.c:151
#3 0x080d5c95 in over_db_config (be=0x833f810, fname=0x82a8230
"/opt/openldap/etc/slapd.conf", lineno=168, argc=2, argv=0x833cef8)
at backover.c:157
#4 0x08078bbf in read_config_file (fname=0x82a8230
"/opt/openldap/etc/slapd.conf", depth=0, cf=0x0, cft=0x827a5f4) at config.c:807
#5 0x080731fd in read_config (fname=0x82a8230 "/opt/openldap/etc/slapd.conf",
dir=0x0) at bconfig.c:3077
#6 0x0806c33d in main (argc=7, argv=0xbffec1a4) at main.c:667
(gdb)
I hope this helps, since I'm not that experienced in gdb/strace usage and thus
cannot make much of the output ;)
OpenLDAP 2.3.33 (or lower) worked flawlessly.
This is the slapd.conf we use, which hasn't changed since 2.3.32. I kept all
comments, etc. to provide accurate data. Just censored the passwords:
#
# Global section of the reporter's slapd.conf.
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable (it carries the rootpw values of the
# database sections).
#
# NOTE(review): in this listing, continuation lines ("by ..." clauses and the
# tails of long lines) appear at column 0. slapd.conf only treats lines that
# begin with whitespace as continuations, so the original file presumably
# indented them and the mail archive dropped the indentation - confirm
# against the real file.
#
include /opt/openldap/etc/schema/core.schema
include /opt/openldap/etc/schema/cosine.schema
include /opt/openldap/etc/schema/sudo.schema
include /opt/openldap/etc/schema/nis.schema
include /opt/openldap/etc/schema/openssh-lpk.schema
include /opt/openldap/etc/schema/dyngroup.schema
include /opt/openldap/etc/schema/ppolicy.schema
# Put those into the 'ldap' user's homedir (/var/lib/ldap) because
# user 'ldap' has no write permissions in /var/run
pidfile /var/lib/ldap/slapd.pid
argsfile /var/lib/ldap/slapd.args
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 112-bit encryption for simple bind
#security ssf=1 update_ssf=112 simple_bind=112
# Active policy is stricter than the sample above: the overall, update and
# simple-bind security strength factors must each be at least 128.
security ssf=128 update_ssf=128 simple_bind=128
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
# Evaluation order matters: slapd uses the first "access to" clause whose
# target matches and, inside it, the first matching "by"; a clause without a
# matching "by" ends in an implicit "by * none".
# Access log: readable only by entries below ou=CNO-LDC.
access to dn.subtree="cn=accesslog"
by dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" read
# This clause matches every entry and attribute, so the CNO-LDC entries get
# write and cn=syncreader gets read on everything, userPassword included,
# before the attribute-specific clauses are consulted. "by * break" sends all
# other identities on to the next matching clause.
access to *
by dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" write
by dn.exact="cn=syncreader,dc=o2online,dc=de" read
by * break
# Everyone else: userPassword is usable for binding and writable by its
# owner, but not readable.
access to attrs=userPassword
by self write
by anonymous auth
access to attrs=shadowLastChange
by self write
by * read
# Fallback: all remaining data is world readable, anonymous binds included.
access to *
by * read
# Logging
# 256 = "stats" (connections, operations, results)
loglevel 256
# Remove idle connections after 5 minutes
idletimeout 300
# SSL/TLS Stuff
TLSCACertificateFile /opt/openldap/etc/ssl-certs/cno-ldc_ca.cert
TLSCertificateFile /opt/openldap/etc/ssl-certs/sgmldaptest02.cert
# slapd needs this key unencrypted on disk, so the file should be readable
# by the slapd user only.
TLSCertificateKeyFile /opt/openldap/etc/ssl-keys/sgmldaptest02.key
# OpenSSL-style cipher keyword selecting the high-strength suites.
TLSCipherSuite HIGH
# "try": a client certificate is requested; a session without one proceeds,
# a session presenting a bad one is terminated.
TLSVerifyClient try
# NOTE(review): the unprefixed lines "updateref entries!)", "wont't work!" and
# "saslmech=external mode=self" below are the wrapped tails of the "#" lines
# before them (mail line-wrapping); as printed they are not comments.
## Chaining overlay for automatic referral chasing (global so it affects
updateref entries!)
## chain-uri must be EXACTLY the same as updateref (ip/host, port), otherwise it
wont't work!
#overlay chain
#chain-uri "ldap://192.168.128.205"
#chain-idassert-bind bindmethod=sasl binddn="cn=syncreader,dc=o2online,dc=de"
saslmech=external mode=self
#chain-tls start
#######################################################################
# BDB database definitions
#######################################################################
# Database for access logging (target of the accesslog overlay's "logdb"
# setting in the main database section)
database bdb
suffix cn=accesslog
rootdn "cn=root,cn=accesslog"
# "FORBIDDEN" stands in for the real hash; the reporter states that the
# passwords were censored before posting.
rootpw {SSHA}FORBIDDEN
directory /var/lib/ldap/openldap-accesslog
# Indices to maintain
index objectClass eq
index reqStart eq
# Checkpointing & caching
# checkpoint <kbyte> <min>: checkpoint after 256 KB written or 5 minutes
checkpoint 256 5
cachesize 1000
idlcachesize 3000
# Main database definitions
#
# NOTE(review): in this listing, the tails of long lines appear at column 0
# without their "#" or leading whitespace (mail line-wrapping); the affected
# lines are pointed out where they occur.
database bdb
suffix "dc=o2online,dc=de"
rootdn "cn=root,dc=o2online,dc=de"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The hash after the scheme tag was removed by the reporter before posting.
rootpw {SSHA}
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/openldap-data
# Accesslog overlay - Keep logs for 30 days and purge old entries once a day
# Only write operations are logged; "logold" also records the previous
# contents of matching entries, so the log database can hold sensitive
# attribute values and needs the same protection as the main database.
overlay accesslog
logdb cn=accesslog
logops writes
logold (objectclass=*)
logpurge 30+00:00 01+00:00
# Indices to maintain
# WARNING: If you add indices stop slapd, run slapindex, then start slapd!
# Otherwise you'll experience problems like searches returning improper
# (the line "results." below is the wrapped tail of this comment)
results.
index objectClass eq
index entryCSN eq
index entryUUID eq
index sudoUser pres,eq,sub
index uid,cn pres,eq,sub
index uidNumber eq
index gidNumber eq
index memberUid eq
index uniqueMember eq
index host eq
# Syncrepl provider settings
# syncprov-checkpoint <ops> <minutes>; syncprov-sessionlog <ops>
overlay syncprov
syncprov-checkpoint 50 5
syncprov-sessionlog 1000
## Syncrepl consumer settings
## Set attrs="*,+" or don't configure it at all to also replicate all
## (the line "operational attributes" below is the wrapped tail of this comment)
operational attributes
## (createTimestamp, creatorsName, modifiersName, modifyTimestamp, etc.)
#syncrepl rid=100
# provider=ldap://sgmldaptest01
# type=refreshAndPersist
# interval=00:00:00:10
# retry="60 10 300 +"
# searchbase="dc=o2online,dc=de"
# filter="(objectclass=*)"
# scope=sub
# attrs="*,+"
# schemachecking=on
# starttls=critical
# bindmethod=sasl
# saslmech="external"
#
## URL to return to clients which submit update requests
#updateref ldap://192.168.128.205
# No limits for the "syncreader" account
# The global ACLs also give this account read access to everything, so its
# credentials deserve the same care as the rootdn's.
# NOTE(review): "time=unlimited" below is presumably the wrapped tail of the
# limits directive, not a directive of its own.
limits dn.exact="cn=syncreader,dc=o2online,dc=de" size=unlimited
time=unlimited
# Caches & Checkpointing (see slapd-bdb(5) manual)
cachesize 10000
idlcachesize 30000
checkpoint 1024 5
# Attribute uniqueness overlay for POSIX accounts
# NOTE(review): the backtrace in this report shows unique_config (argc=2)
# passing "dc=o2online,dc=de" to dnNormalize when slapd crashed, which matches
# the shape of the unique_base line; the report does not establish the cause.
overlay unique
unique_base "dc=o2online,dc=de"
unique_attributes uid uidNumber
# Two identical overlays do not work. So what to do about gidNumber?
#overlay unique
#unique_base "ou=Groups,dc=o2online,dc=de"
#unique_attributes gidNumber
# Dynlist overlay to dynamically add members to groups through memberURLs
overlay dynlist
dynlist-attrset extensibleObject memberURL uniqueMember
# Valsort overlay
overlay valsort
valsort-attr uniqueMember dc=o2online,dc=de alpha-ascend
valsort-attr host dc=o2online,dc=de alpha-ascend
# Password policy configuration
# With ppolicy_default commented out, a policy is enforced only for entries
# that name one themselves (pwdPolicySubentry); see slapo-ppolicy(5).
# ppolicy_use_lockout makes the policy response carry the AccountLocked
# code, which tells a client that the account exists and is locked.
overlay ppolicy
#ppolicy_default "cn=Standard,ou=Password_Policies,dc=o2online,dc=de"
#ppolicy_hash_cleartext
ppolicy_use_lockout
# Allow Proxy Authorization
# "to": the rules are read from the authzTo attribute of the authenticating
# entry, so write access to authzTo has to stay restricted.
authz-policy to
# SASL rewrite rules
# Maps identities matching the certificate-style DN pattern for
# sgmldaptest<N> to cn=syncreader - presumably for SASL EXTERNAL binds between
# the servers; confirm. The directive spans the next four lines (pattern, then
# replacement). "[we want no spam]" looks like address redaction, not part of
# the real pattern.
authz-regexp
email=[we want no spam],cn=sgmldaptest([0-9]*),ou=cno-ldc,o=o2\
germany,l=frankfurt,st=hessen,c=de
cn=syncreader,dc=o2online,dc=de
With kind regards
Michael Heep