
(ITS#7118) [PATCH] Improve SASL plugin handling



Full_Name: Thomas Koeller
Version: 2.4.28
OS: Linux x86_64
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.171.14.55)


I had a problem with slapd always segfaulting. A little debugging revealed that
slapd allocated the thread-safe version of 'struct ldapoptions', since it is
linked with libldap_r.so. However, the destructor function
ldap_int_destroy_global_options() invoked during cleanup seemed to be the
non-threadsafe version which assumes a different layout of 'struct ldapoptions'
(the ldo_mutex field is missing). I noticed that SASL loaded all its
plugins, including the 'ldapdb' module which is present in my SASL installation,
and that ldapdb.so was linked against the non-threadsafe libldap.so. I still do
not quite understand the exact reason why this confusion arose, because AFAIK
theoretically both libraries should be able to co-exist. However, I did not
investigate that problem any further, because I think that loading all sasl
plugins is just wrong, because slapd only uses its own internal auxprop module
and does not need any of them. I tried the proposed method of excluding ldapdb
by having a slapd.conf file containing 'pwcheck_method: auxprop' and
'auxprop_plugin: slapd', but that did not improve anything. I therefore changed
slapd to no longer load any sasl plugins whatsoever. With this change,
everything works fine.

Btw., my SASL installation is cyrus-sasl-2.1.25.

Here is the patch I created, along with the required legalese:

The inlined patch below is derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the following patch(es) were
developed by Thomas Koeller <thomas@koeller.dyndns.org>. I have not assigned
rights and/or interest in this work to any party.

I, Thomas Koeller, hereby place the following modifications to OpenLDAP Software
(and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.

diff -brpu openldap-2.4.28-orig/servers/slapd/sasl.c
openldap-2.4.28/servers/slapd/sasl.c
--- openldap-2.4.28-orig/servers/slapd/sasl.c	2011-11-25 19:52:29.000000000
+0100
+++ openldap-2.4.28/servers/slapd/sasl.c	2011-12-26 15:40:14.000000000 +0100
@@ -67,6 +67,16 @@ char *slap_sasl_auxprops;

 #ifdef HAVE_CYRUS_SASL

+/* Do not load any plugin modules, only use internal auxprop */
+static int
+slap_sasl_verifyfile(
+	void *context,
+	const char *file,
+	sasl_verify_type_t type)
+{
+	return type == SASL_VRFY_PLUGIN ? SASL_CONTINUE : SASL_OK;
+}
+
 /* Just use our internal auxprop by default */
 static int
 slap_sasl_getopt(
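Review bot: slap_sasl_verifyfile() decides on `type` alone and never looks at `file` or `context`, so the SASL_VRFY_PLUGIN branch returns SASL_CONTINUE for every plugin file, which is much wider than the single ldapdb module the report traces the crash to. Any SASL mechanism or auxprop module that an installation delivers as a loadable plugin would be skipped as well. If skipping everything is intended, the comment should say that mechanisms are affected too and that `context` and `file` are deliberately unused; otherwise the check should match on `file` so that only the offending module is excluded.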
@@ -1111,6 +1121,7 @@ int slap_sasl_init( void )
 	static sasl_callback_t server_callbacks[] = {
 		{ SASL_CB_LOG, &slap_sasl_log, NULL },
 		{ SASL_CB_GETOPT, &slap_sasl_getopt, NULL },
+		{ SASL_CB_VERIFYFILE, &slap_sasl_verifyfile, NULL },
 		{ SASL_CB_LIST_END, NULL, NULL }
 	};
 #endif
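Review bot: the SASL_CB_VERIFYFILE entry goes into the static server_callbacks table unconditionally and with a NULL context, so a deployment that depends on externally loaded SASL plugins has no way to switch the filter off. Consider registering the callback only when a slapd configuration option asks for it, or passing the option through the context pointer so slap_sasl_verifyfile() can consult it. The table also sits just before an `#endif`, so it is worth confirming that the build variant on the other side of that conditional either gets the same callback or does not need it.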