Full_Name: Alex Deiter
Version: 2.4.25
OS: FreeBSD
URL:
ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (217.66.145.56)
FreeBSD x86 and amd64, OpenLDAP 2.4.25 configure options:
$ ./configure --with-threads=posix --with-tls=openssl
--disable-dependency-tracking --enable-dynamic --with-cyrus-sasl
--enable-modules --localstatedir=/var/db --enable-crypt --enable-lmpasswd
--enable-ldap=mod --enable-meta=mod --enable-rewrite --enable-null=mod
--enable-monitor=mod --enable-accesslog --enable-auditlog --enable-collect
--enable-constraint --enable-dds --enable-deref --enable-dyngroup
--enable-dynlist --enable-memberof --enable-ppolicy --enable-proxycache
--enable-refint --enable-retcode --enable-rwm --enable-seqmod --enable-sssvlv
--enable-syncprov --enable-translucent --enable-unique --enable-valsort
--enable-bdb=mod --enable-hdb=mod --enable-spasswd --enable-slapi
--enable-wrappers --prefix=/usr/local --mandir=/usr/local/man
--infodir=/usr/local/info/ --build=i386-portbld-freebsd9.0
slapindex crashes with a segmentation fault when the option `TLSCRLCheck all` is used in slapd.conf:
TLSCACertificatePath /etc/ssl
TLSCACertificateFile /etc/ssl/ca.crt
TLSCertificateKeyFile /etc/ssl/server.key
TLSCertificateFile /etc/ssl/server.crt
TLSVerifyClient allow
TLSCRLCheck all
# slapindex -v
Segmentation fault (core dumped)
# gdb /usr/local/libexec/slapd /var/tmp/slapd-49225.core
...
(gdb) bt
#0 ldap_free_urllist (ludlist=0x2) at url.c:1515
#1 0x28c9b0b4 in ldap_int_destroy_global_options () at init.c:485
#2 0x28c7efc0 in __do_global_dtors_aux () from /usr/local/lib/libldap-2.4.so.8
#3 0x28cabf1c in _fini () from /usr/local/lib/libldap-2.4.so.8
#4 0x281d4538 in ?? () from /libexec/ld-elf.so.1
#5 0x281d4538 in ?? () from /libexec/ld-elf.so.1
#6 0xbfbfea38 in ?? ()
#7 0x281a9100 in dlinfo () from /libexec/ld-elf.so.1
#8 0x281a9260 in dlclose () from /libexec/ld-elf.so.1
#9 0x283a81b1 in _sasl_done_with_plugins () from /usr/local/lib/libsasl2.so.2
#10 0x283a18f0 in sasl_done () from /usr/local/lib/libsasl2.so.2
#11 0x080c7a3b in slap_sasl_destroy ()
#12 0x080a4d3d in slap_destroy ()
#13 0x080e4553 in slap_tool_destroy ()
#14 0x080e6147 in slapindex ()
#15 0x0805b665 in main ()
(gdb) f 0
#0 ldap_free_urllist (ludlist=0x2) at url.c:1515
1515 next = ludp->lud_next;
slapd also crashes with a segmentation fault when the slapd service is stopped:
(gdb) bt
#0 ldap_free_urllist (ludlist=0x2) at url.c:1515
#1 0x28c9b0b4 in ldap_int_destroy_global_options () at init.c:485
#2 0x28c7efc0 in __do_global_dtors_aux () from /usr/local/lib/libldap-2.4.so.8
#3 0x28cabf1c in _fini () from /usr/local/lib/libldap-2.4.so.8
#4 0x281d4538 in ?? () from /libexec/ld-elf.so.1
#5 0x281d4538 in ?? () from /libexec/ld-elf.so.1
#6 0xbfbfe9f8 in ?? ()
#7 0x281a9100 in dlinfo () from /libexec/ld-elf.so.1
#8 0x281a9260 in dlclose () from /libexec/ld-elf.so.1
#9 0x283a81b1 in _sasl_done_with_plugins () from /usr/local/lib/libsasl2.so.2
#10 0x283a18f0 in sasl_done () from /usr/local/lib/libsasl2.so.2
#11 0x080c7a3b in slap_sasl_destroy ()
#12 0x080a4d3d in slap_destroy ()
#13 0x0805bc92 in main ()
(gdb) f 0
#0 ldap_free_urllist (ludlist=0x2) at url.c:1515
1515 next = ludp->lud_next;
Without the `TLSCRLCheck all` option in slapd.conf/ldap.conf, slapd works fine, but
without CRL checking we can't authenticate clients by their certificates (revoked client certificates would no longer be rejected) ;-(
ldap.conf:
TLS_CACERT /etc/ssl/ca.crt
TLS_CACERTDIR /etc/ssl
TLS_REQCERT demand
TLS_CRLCHECK all
URI ldaps://server.domain.ru
BASE dc=domain,dc=ru
RESTART yes
VERSION 3
SIZELIMIT 0
TIMELIMIT 0
TIMEOUT 30
NETWORK_TIMEOUT 30
slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/dhcp.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/sendmail.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/ssl
TLSCACertificateFile /etc/ssl/ca.crt
TLSCertificateKeyFile /etc/ssl/server.key
TLSCertificateFile /etc/ssl/server.crt
TLSVerifyClient allow
TLSCRLCheck all
allow bind_v2
sizelimit -1
timelimit -1
modulepath /usr/local/libexec/openldap
moduleload back_hdb
database hdb
cachesize 1024
directory /var/db/openldap-data
dbconfig set_cachesize 0 67108864 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
suffix "dc=domain,dc=ru"
rootdn "cn=manager,dc=domain,dc=ru"
rootpw "passwd"
index objectClass eq
access to * by * read
sasl-authz-policy to
sasl-regexp gidNumber=(.*)\\+uidNumber=0,cn=peercred,cn=external,cn=auth
"cn=manager,dc=domain,dc=ru"
sasl-regexp gidNumber=60\\+uidNumber=60,cn=peercred,cn=external,cn=auth
"cn=manager,dc=domain,dc=ru"
sasl-regexp gidNumber=(.*)\\+uidNumber=(.*),cn=peercred,cn=external,cn=auth
ldap:///dc=domain,dc=ru??sub?(&(gidNumber=$1)(uidNumber=$2))
sasl-regexp uid=(.*),cn=(.*),cn=auth
ldap:///dc=domain,dc=ru??sub?(uid=$1)