[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL Authentication Segfaults slapd: DoS

Note that the current release of 2.2 is 2.2.8; I sugest you upgrade and
see if the problem still occurs.  If it does, please provide details about
where it happens (e.g. logs and stack backtrace from gdb, as described in


> Hello everyone,
> I don't know what I've done wrong. If I use ldapsearch to query my
> OpenLDAP 2.2.5 server and I don't force simple authentication instead of
> SASL (-x), slapd crashes with a segmentation fault. I've obviously got
> security concerns over this because any schmoe with a shell account can
> crash my server just by using ldapsearch and omitting -x.
> OpenLDAP 2.2.5 (bdb) was compiled against a binary distribution of
> cyrus-sasl 2.1.15. Later on cyrus-sasl was upgraded (from source) to
> 2.1.18. I'm not sure if this problem existed prior to the upgrade of
> 2.1.18, but I wouldn't expect such a minor revision to cause slapd to
> die so violently as a result. Maybe that's a false assumption?
> bdb: ../dist/configure --with-pic --disable-shared
> --prefix=/usr/local/bdb --libdir=/usr/local/bdb/lib
> openldap: ./configure --with-slapd --with-slurpd --with-threads=posix
> --with-tls --with-cyrus-sasl --with-kerberos=k5only \
> 		--enable-static --enable-dynamic --disable-shared
> --enable-rlookups --enable-wrappers --enable-cleartext \
> 		--enable-crypt --enable-spasswd --enable-kpasswd
> --enable-modules --enable-bdb --bindir=/usr/bin \
> 		--sbindir=/usr/sbin --libexecdir=/usr/sbin --sysconfdir=/etc
> --datadir=/usr/share --localstatedir=/var/run \
> 		--libdir=/usr/lib --includedir=/usr/include
> --mandir=/usr/share/man --infodir=/usr/share/info
> cyrus-sasl: ./configure --with-sasl-authd=/var/run/saslauthd --with-ldap
> --bindir=/usr/bin --sbindir=/usr/sbin \
> 		--libexecdir=/usr/sbin --datadir=/usr/share
> --sysconfdir=/etc --localstatedir=/var --libdir=/usr/lib \
> 		--includedir=/usr/include --infodir=/usr/share/info
> --mandir=/usr/share/man
> slapd is invoked as: /usr/sbin/slapd -u ldap -h 'ldap://
> ldaps://' -l daemon -4
> If anybody has seen this or has any ideas please let me know. Thanks in
> advance!!!

Pierangelo Masarati