
Re: Crash during SASL canonicalization



Digant C Kasundra wrote:

I'm running RHEL AS 3.0 with cyrus-sasl-2.1.18, db-4.2.52, heimdal-0.6, openldap-2.2.17, openssl-0.9.7c. When I try to bind
using SASL, slapd crashes. Here is the log with loglevel -1.


Nov 12 13:10:22 husky slapd[23177]: SASL Canonicalize [conn=0]:
authcid="digant"
Nov 12 13:10:22 husky slapd[23177]: slap_sasl_getdn: id=digant [len=6]
Nov 12 13:10:22 husky slapd[23177]: slap_sasl_getdn: u:id converted to
uid=digant,cn=CEDAR.UTA.EDU,cn=GSSAPI,cn=auth
Nov 12 13:10:22 husky slapd[23177]: >>> dnNormalize:
<uid=digant,cn=CEDAR.UTA.EDU,cn=GSSAPI,cn=auth>
Nov 12 13:10:22 husky slapd[23177]: <<< dnNormalize:
<uid=digant,cn=cedar.uta.edu,cn=gssapi,cn=auth>
Nov 12 13:10:22 husky slapd[23177]: ==>slap_sasl2dn: converting SASL
name uid=digant,cn=cedar.uta.edu,cn=gssapi,cn=auth to a DN
Nov 12 13:10:22 husky slapd[23177]: slap_sasl_regexp: converting SASL
name uid=digant,cn=cedar.uta.edu,cn=gssapi,cn=auth
Nov 12 13:10:23 husky slapd[23177]: slap_sasl_regexp: converted SASL
name to ldaps:///uid=digant,cn=accounts,dc=uta,dc=edu
Nov 12 13:10:23 husky slapd[23177]: slap_parseURI: parsing
ldaps:///uid=digant,cn=accounts,dc=uta,dc=edu
Nov 12 13:10:23 husky slapd[23177]: >>> dnNormalize:
<uid=digant,cn=accounts,dc=uta,dc=edu>
Nov 12 13:10:23 husky slapd[23177]: <<< dnNormalize:
<uid=digant,cn=accounts,dc=uta,dc=edu>
Nov 12 13:10:23 husky slapd[23177]: slap_sasl2dn: performing internal
search (base=uid=digant,cn=accounts,dc=uta,dc=edu, scope=0)
Nov 12 13:10:23 husky slapd[23177]: => bdb_search
Nov 12 13:10:23 husky slapd[23177]:
bdb_dn2entry("uid=digant,cn=accounts,dc=uta,dc=edu")
Nov 12 13:10:23 husky slapd[23177]: => bdb_dn2id( "dc=uta,dc=edu" )
Nov 12 13:10:23 husky slapd[23177]: <= bdb_dn2id: got id=0x00000001
Nov 12 13:10:23 husky slapd[23177]: => bdb_dn2id(
"cn=accounts,dc=uta,dc=edu" )
Nov 12 13:10:23 husky slapd[23177]: <= bdb_dn2id: got id=0x00000003
Nov 12 13:10:23 husky slapd[23177]: => bdb_dn2id(
"uid=digant,cn=accounts,dc=uta,dc=edu" )
Nov 12 13:10:23 husky slapd[23177]: <= bdb_dn2id: got id=0x00018212
Nov 12 13:10:23 husky slapd[23177]: entry_decode:
"uid=digant,cn=accounts,dc=uta,dc=edu"
Nov 12 13:10:23 husky slapd[23177]: <=
entry_decode(uid=digant,cn=accounts,dc=uta,dc=edu)
Nov 12 13:10:23 husky slapd[23177]: base_candidates: base:
"uid=digant,cn=accounts,dc=uta,dc=edu" (0x00018212)
Nov 12 13:10:23 husky slapd[23177]: => test_filter

Here is the sasl part of my config file:

sasl-secprops none
sasl-realm "CEDAR.UTA.EDU"
sasl-host husky.cedar.uta.edu
sasl-regexp uid=service/nss/(.*),cn=CEDAR.UTA.EDU,cn=gssapi,cn=auth ldaps:///cn=$1,cn=nss,cn=services,dc=uta,dc=edu
sasl-regexp uid=service/(.*),cn=CEDAR.UTA.EDU,cn=gssapi,cn=auth ldaps:///cn=$1,cn=services,dc=uta,dc=edu
sasl-regexp uid=(.*),cn=CEDAR.UTA.EDU,cn=gssapi,cn=auth ldaps:///uid=$1,cn=accounts,dc=uta,dc=edu



This may be unrelated to your problem, but the first field of the sasl-regexp directive must be a regex(7), so you need to escape the dots ('.') in the realm; otherwise you risk false positives. The third field can be a URL for its capability to express searches, but it has to be "ldap:///", since the protocol and the host/port portions are not honored, and strict checks might be enforced at some point.


For your problem, I suggest you file an ITS, following instructions at http://www.openldap.org/faq/data/cache/59.html

p.



SysNet - via Dossi, 8 27100 Pavia Tel: +390382573859 Fax: +390382476497
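As an added illustration of the two points in the reply above (not code from OpenLDAP or from either poster): a small Python model of how one sasl-regexp line is applied to the normalized SASL name, plus a static check for unescaped dots and for a replacement that is not an ldap:/// URL. It assumes matching is case-insensitive (the log shows the upper-case realm in the config matching the lower-cased name) and anchored to the whole name.

```python
import re

# Constructed from the poster's third sasl-regexp line (dots unescaped, ldaps:///)
# and a version corrected along the lines of the reply (dots escaped, ldap:///).
POSTER_RULE = (r"uid=(.*),cn=CEDAR.UTA.EDU,cn=gssapi,cn=auth",
               "ldaps:///uid=$1,cn=accounts,dc=uta,dc=edu")
FIXED_RULE = (r"uid=(.*),cn=CEDAR\.UTA\.EDU,cn=gssapi,cn=auth",
              "ldap:///uid=$1,cn=accounts,dc=uta,dc=edu")

# Normalized SASL name taken from the log, and a constructed look-alike whose
# realm differs from cedar.uta.edu exactly where an unescaped '.' would match.
REAL_NAME = "uid=digant,cn=cedar.uta.edu,cn=gssapi,cn=auth"
LOOKALIKE = "uid=digant,cn=cedarxutaxedu,cn=gssapi,cn=auth"


def check_rule(pattern, replacement):
    """Static lint of one sasl-regexp directive; returns a list of findings."""
    problems = []
    # A '.' that is neither escaped nor followed by a quantifier is almost
    # certainly meant literally (e.g. in a realm) but matches any character.
    if re.search(r"(?<!\\)\.(?![*+?])", pattern):
        problems.append("unescaped '.' in regex matches any character")
    # Scheme and host of the replacement URL are ignored; only ldap:/// is valid.
    if not replacement.startswith("ldap:///"):
        problems.append("replacement must be an ldap:/// URL")
    return problems


def map_sasl_name(name, rules):
    """First rule whose regex matches the whole name wins; $N expands group N.
    Assumption: matching is case-insensitive and anchored to the full name."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, name, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)",
                          lambda g: m.group(int(g.group(1))), replacement)
    return None
```

Running the poster's rule over REAL_NAME reproduces the URL seen in the log, and running it over LOOKALIKE shows the false positive the reply warns about, which the escaped rule rejects.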