Full_Name: Alex Deiter
Version: 2.4.25
OS: FreeBSD
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (217.66.145.56)

FreeBSD x86 and amd64, OpenLDAP 2.4.25, configure options:
$ ./configure --with-threads=posix --with-tls=openssl --disable-dependency-tracking --enable-dynamic --with-cyrus-sasl --enable-modules --localstatedir=/var/db --enable-crypt --enable-lmpasswd --enable-ldap=mod --enable-meta=mod --enable-rewrite --enable-null=mod --enable-monitor=mod --enable-accesslog --enable-auditlog --enable-collect --enable-constraint --enable-dds --enable-deref --enable-dyngroup --enable-dynlist --enable-memberof --enable-ppolicy --enable-proxycache --enable-refint --enable-retcode --enable-rwm --enable-seqmod --enable-sssvlv --enable-syncprov --enable-translucent --enable-unique --enable-valsort --enable-bdb=mod --enable-hdb=mod --enable-spasswd --enable-slapi --enable-wrappers --prefix=/usr/local --mandir=/usr/local/man --infodir=/usr/local/info/ --build=i386-portbld-freebsd9.0
slapindex segfaults when the option TLSCRLCheck all is used in slapd.conf:
TLSCACertificatePath /etc/ssl
TLSCACertificateFile /etc/ssl/ca.crt
TLSCertificateKeyFile /etc/ssl/server.key
TLSCertificateFile /etc/ssl/server.crt
TLSVerifyClient allow
TLSCRLCheck all
# slapindex -v
Segmentation fault (core dumped)
# gdb /usr/local/libexec/slapd /var/tmp/slapd-49225.core
...
(gdb) bt
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
#1  0x28c9b0b4 in ldap_int_destroy_global_options () at init.c:485
#2  0x28c7efc0 in __do_global_dtors_aux () from /usr/local/lib/libldap-2.4.so.8
#3  0x28cabf1c in _fini () from /usr/local/lib/libldap-2.4.so.8
#4  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#5  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#6  0xbfbfea38 in ?? ()
#7  0x281a9100 in dlinfo () from /libexec/ld-elf.so.1
#8  0x281a9260 in dlclose () from /libexec/ld-elf.so.1
#9  0x283a81b1 in _sasl_done_with_plugins () from /usr/local/lib/libsasl2.so.2
#10 0x283a18f0 in sasl_done () from /usr/local/lib/libsasl2.so.2
#11 0x080c7a3b in slap_sasl_destroy ()
#12 0x080a4d3d in slap_destroy ()
#13 0x080e4553 in slap_tool_destroy ()
#14 0x080e6147 in slapindex ()
#15 0x0805b665 in main ()
(gdb) f 0
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
1515            next = ludp->lud_next;
slapd also segfaults when the slapd service is stopped:
(gdb) bt
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
#1  0x28c9b0b4 in ldap_int_destroy_global_options () at init.c:485
#2  0x28c7efc0 in __do_global_dtors_aux () from /usr/local/lib/libldap-2.4.so.8
#3  0x28cabf1c in _fini () from /usr/local/lib/libldap-2.4.so.8
#4  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#5  0x281d4538 in ?? () from /libexec/ld-elf.so.1
#6  0xbfbfe9f8 in ?? ()
#7  0x281a9100 in dlinfo () from /libexec/ld-elf.so.1
#8  0x281a9260 in dlclose () from /libexec/ld-elf.so.1
#9  0x283a81b1 in _sasl_done_with_plugins () from /usr/local/lib/libsasl2.so.2
#10 0x283a18f0 in sasl_done () from /usr/local/lib/libsasl2.so.2
#11 0x080c7a3b in slap_sasl_destroy ()
#12 0x080a4d3d in slap_destroy ()
#13 0x0805bc92 in main ()
(gdb) f 0
#0  ldap_free_urllist (ludlist=0x2) at url.c:1515
1515            next = ludp->lud_next;
Without the TLSCRLCheck all option in slapd.conf/ldap.conf, slapd works fine, but without the CRL we can't authenticate clients by their certificates ;-(
ldap.conf:

TLS_CACERT /etc/ssl/ca.crt
TLS_CACERTDIR /etc/ssl
TLS_REQCERT demand
TLS_CRLCHECK all
URI ldaps://server.domain.ru
BASE dc=domain,dc=ru
RESTART yes
VERSION 3
SIZELIMIT 0
TIMELIMIT 0
TIMEOUT 30
NETWORK_TIMEOUT 30
slapd.conf:

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/dhcp.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/sendmail.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCACertificatePath /etc/ssl
TLSCACertificateFile /etc/ssl/ca.crt
TLSCertificateKeyFile /etc/ssl/server.key
TLSCertificateFile /etc/ssl/server.crt
TLSVerifyClient allow
TLSCRLCheck all

allow bind_v2
sizelimit -1
timelimit -1

modulepath /usr/local/libexec/openldap
moduleload back_hdb

database hdb
cachesize 1024
directory /var/db/openldap-data
dbconfig set_cachesize 0 67108864 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
suffix "dc=domain,dc=ru"
rootdn "cn=manager,dc=domain,dc=ru"
rootpw "passwd"
index objectClass eq
access to * by * read
sasl-authz-policy to
sasl-regexp gidNumber=(.*)\+uidNumber=0,cn=peercred,cn=external,cn=auth "cn=manager,dc=domain,dc=ru"
sasl-regexp gidNumber=60\+uidNumber=60,cn=peercred,cn=external,cn=auth "cn=manager,dc=domain,dc=ru"
sasl-regexp gidNumber=(.*)\+uidNumber=(.*),cn=peercred,cn=external,cn=auth ldap:///dc=domain,dc=ru??sub?(&(gidNumber=$1)(uidNumber=$2))
sasl-regexp uid=(.*),cn=(.*),cn=auth ldap:///dc=domain,dc=ru??sub?(uid=$1)