
(ITS#6958) slapd segmentation fault with TLSCRLCheck all



Full_Name: Alex Deiter
Version: 2.4.25
OS: FreeBSD
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (217.66.145.56)


FreeBSD x86 and amd64, OpenLDAP 2.4.25, configure options:

$ ./configure --with-threads=posix --with-tls=openssl
--disable-dependency-tracking --enable-dynamic --with-cyrus-sasl
--enable-modules --localstatedir=/var/db --enable-crypt --enable-lmpasswd
--enable-ldap=mod --enable-meta=mod --enable-rewrite --enable-null=mod
--enable-monitor=mod --enable-accesslog --enable-auditlog --enable-collect
--enable-constraint --enable-dds --enable-deref --enable-dyngroup
--enable-dynlist --enable-memberof --enable-ppolicy --enable-proxycache
--enable-refint --enable-retcode --enable-rwm --enable-seqmod --enable-sssvlv
--enable-syncprov --enable-translucent --enable-unique --enable-valsort
--enable-bdb=mod --enable-hdb=mod --enable-spasswd --enable-slapi
--enable-wrappers --prefix=/usr/local --mandir=/usr/local/man
--infodir=/usr/local/info/ --build=i386-portbld-freebsd9.0

slapindex crashes with a segmentation fault when the option TLSCRLCheck all is used in slapd.conf:

TLSCACertificatePath    /etc/ssl
TLSCACertificateFile    /etc/ssl/ca.crt
TLSCertificateKeyFile   /etc/ssl/server.key
TLSCertificateFile      /etc/ssl/server.crt
TLSVerifyClient         allow
TLSCRLCheck             all

# slapindex -v
Segmentation fault (core dumped)
# gdb /usr/local/libexec/slapd /var/tmp/slapd-49225.core 
...
(gdb) bt
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
#1  0x28c9b0b4 in ldap_int_destroy_global_options () at init.c:485
#2  0x28c7efc0 in __do_global_dtors_aux () from /usr/local/lib/libldap-2.4.so.8
#3  0x28cabf1c in _fini () from /usr/local/lib/libldap-2.4.so.8
#4  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#5  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#6  0xbfbfea38 in ?? ()
#7  0x281a9100 in dlinfo () from /libexec/ld-elf.so.1
#8  0x281a9260 in dlclose () from /libexec/ld-elf.so.1
#9  0x283a81b1 in _sasl_done_with_plugins () from /usr/local/lib/libsasl2.so.2
#10 0x283a18f0 in sasl_done () from /usr/local/lib/libsasl2.so.2
#11 0x080c7a3b in slap_sasl_destroy ()
#12 0x080a4d3d in slap_destroy ()
#13 0x080e4553 in slap_tool_destroy ()
#14 0x080e6147 in slapindex ()
#15 0x0805b665 in main ()
(gdb) f 0
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
1515                    next = ludp->lud_next;

slapd also crashes with a segmentation fault when the slapd service is stopped:

(gdb) bt
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
#1  0x28c9b0b4 in ldap_int_destroy_global_options () at init.c:485
#2  0x28c7efc0 in __do_global_dtors_aux () from /usr/local/lib/libldap-2.4.so.8
#3  0x28cabf1c in _fini () from /usr/local/lib/libldap-2.4.so.8
#4  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#5  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#6  0xbfbfe9f8 in ?? ()
#7  0x281a9100 in dlinfo () from /libexec/ld-elf.so.1
#8  0x281a9260 in dlclose () from /libexec/ld-elf.so.1
#9  0x283a81b1 in _sasl_done_with_plugins () from /usr/local/lib/libsasl2.so.2
#10 0x283a18f0 in sasl_done () from /usr/local/lib/libsasl2.so.2
#11 0x080c7a3b in slap_sasl_destroy ()
#12 0x080a4d3d in slap_destroy ()
#13 0x0805bc92 in main ()
(gdb) f 0
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
1515                    next = ludp->lud_next;

Without the TLSCRLCheck all option in slapd.conf/ldap.conf slapd works fine, but
without the CRL check we can't authenticate clients by their certificates ;-(

ldap.conf:
TLS_CACERT      /etc/ssl/ca.crt
TLS_CACERTDIR   /etc/ssl
TLS_REQCERT     demand
TLS_CRLCHECK    all
URI             ldaps://server.domain.ru
BASE            dc=domain,dc=ru
RESTART         yes
VERSION         3
SIZELIMIT       0
TIMELIMIT       0
TIMEOUT         30
NETWORK_TIMEOUT 30

slapd.conf:
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/dhcp.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/sendmail.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSCACertificatePath    /etc/ssl
TLSCACertificateFile    /etc/ssl/ca.crt
TLSCertificateKeyFile   /etc/ssl/server.key
TLSCertificateFile      /etc/ssl/server.crt
TLSVerifyClient         allow
TLSCRLCheck             all

allow           bind_v2
sizelimit       -1
timelimit       -1

modulepath      /usr/local/libexec/openldap
moduleload      back_hdb

database        hdb
cachesize       1024
directory       /var/db/openldap-data
dbconfig        set_cachesize 0 67108864 1
dbconfig        set_lg_regionmax 262144
dbconfig        set_lg_bsize 2097152
suffix          "dc=domain,dc=ru"
rootdn          "cn=manager,dc=domain,dc=ru"
rootpw          "passwd"

index   objectClass                     eq

access to * by * read

sasl-authz-policy to

sasl-regexp gidNumber=(.*)\\+uidNumber=0,cn=peercred,cn=external,cn=auth
        "cn=manager,dc=domain,dc=ru"

sasl-regexp gidNumber=60\\+uidNumber=60,cn=peercred,cn=external,cn=auth
        "cn=manager,dc=domain,dc=ru"

sasl-regexp gidNumber=(.*)\\+uidNumber=(.*),cn=peercred,cn=external,cn=auth
        ldap:///dc=domain,dc=ru??sub?(&(gidNumber=$1)(uidNumber=$2))

sasl-regexp uid=(.*),cn=(.*),cn=auth
        ldap:///dc=domain,dc=ru??sub?(uid=$1)