openldap-technical December 2007

openldap-technical@openldap.org

6 participants
5 discussions

ldap_set_option/ldap_bind_s segfaults
by Johan Ström 31 Dec '07

31 Dec '07

Hi list Im trying to run pure-ftpd 1.0.21 on a FreeBSD 7.0-amd64 (still beta yes) host, with LDAP (openldap-2.3.39) as auth backend. However the authing doesnt seem to work at all, as soon as password is sent the client gets disconnected. I've posted this similar message (altough more debugging info now) to their list without a single response. Tracing the problem got me to the following code (pureftpd's log_ldap.c, with a lot of logfile statements inserted by me): 110 static LDAP *pw_ldap_connect(void) 111 { 112 LDAP *ld; 113 # ifdef LDAP_OPT_PROTOCOL_VERSION 114 int version = ldap_version; 115 # endif 116 117 if (ldap_host == NULL || port < 0) { 118 logfile(LOG_DEBUG, "bad host"); 119 return NULL; 120 } 121 logfile(LOG_DEBUG, "initing to host %s port %d", ldap_host, port); 122 if ((ld = ldap_init(ldap_host, port)) == NULL) { 123 logfile(LOG_DEBUG, "init failed"); 124 return NULL; 125 } 126 logfile(LOG_DEBUG, "init ok ld is %p", ld); 127 # ifdef LDAP_OPT_PROTOCOL_VERSION 128 logfile(LOG_DEBUG, "setting version %d", version); 129 if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) != 130 LDAP_SUCCESS) { 131 logfile(LOG_DEBUG, "failed versionset"); 132 return NULL; 133 } 134 logfile(LOG_DEBUG, "versionset ok"); 135 # endif 136 logfile(LOG_DEBUG, "binding"); 137 if (ldap_bind_s(ld, root, pwd, LDAP_AUTH_SIMPLE) != LDAP_SUCCESS) { 138 logfile(LOG_DEBUG, "bind failed"); 139 return NULL; 140 } 141 logfile(LOG_DEBUG, "bound ok"); 142 143 return ld; 144 } When running, I get this debug output Dec 29 09:31:10 back-1 pure-ftpd: (?(a)172.28.1.11) [DEBUG] ldap entered Dec 29 09:31:10 back-1 pure-ftpd: (?(a)172.28.1.11) [DEBUG] connecting Dec 29 09:31:10 back-1 pure-ftpd: (?(a)172.28.1.11) [DEBUG] initing to host localhost port 389 Dec 29 09:31:10 back-1 pure-ftpd: (?(a)172.28.1.11) [DEBUG] init ok ld is 0x1297180 Dec 29 09:31:10 back-1 pure-ftpd: (?(a)172.28.1.11) [DEBUG] setting version 3 Dec 29 09:31:10 back-1 kernel: pid 97603 (pure-ftpd), uid 0: exited on signal 11 After that, nothing.. And the forked process dies. As its a forked one, I havent been able to run gdb on it, so I've done the above log entrys instead.. But it seems pretty clear that it crashes when doign ldap_set_option. If i skip the set option and do bind directly, that crashes too. slapd doesnt even see the connection so I guess its something in the client part pure-ftpd: libssl.so.5 => /usr/lib/libssl.so.5 (0x800650000) libcrypto.so.5 => /lib/libcrypto.so.5 (0x80079a000) libldap-2.3.so.2 => /usr/local/lib/libldap-2.3.so.2 (0x800a2a000) liblber-2.3.so.2 => /usr/local/lib/liblber-2.3.so.2 (0x800b64000) libcrypt.so.4 => /lib/libcrypt.so.4 (0x800c72000) libpam.so.4 => /usr/lib/libpam.so.4 (0x800d8b000) libc.so.7 => /lib/libc.so.7 (0x800e93000) libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x8010b0000) Only have one version of the client lib installed so shouldnt be any problems there.. openldap-sasl-client-2.3.39 Open source LDAP client implementation with SASL2 support openldap-server-2.3.39 Open source LDAP server implementation I do have the same setup but with openldap-2.3.38 running fine on a FreeBSD 6.2-i386 box. Haven't seen any problems with the regular ldap* tools on this box, but havent tested any other software yet. Soo.. Anyone got any ideas? Hope this is the correct list, if not, sorry. Thanks! -- Johan Ström Stromnet johan(a)stromnet.se http://www.stromnet.se/

2 5

OpenLDAP and optional kerberos ?
by Nicolas GRENECHE 29 Dec '07

29 Dec '07

Hi all, I need tu replace an old NIS with a topnotch OpenLDAP server. I would like to add SSO support on my brand new architecture. 2 scenarii may occur : 1) Using pam_kerberos to authentaicate against KDC and retreiving information from LDAP server with SASL. The backward is that anyone (or anything) that need to authenticate MUST be kerberos aware. 2) Having LDAP and Kerberos passwords synced. Asset : You can authenticate through LDAP or kerberos (pam_ldap required an pam_kerberos optional) ie you must authenticate against LDAP and if Kerberos autentication success you get a TGT ! Backward : Two password databases to protect / lot of work on client side / passwords must be synced (Do you now materials to do it ?). I add that security is not a major concern for us and we got many OS on client side that's why the 1st solution may not fit our needs. Has someone ever experienced the second solution ? Have you some hints and feedbacks ? Thx, Nico

2 1

slapcat Segmentation fault
by John Sherling 29 Dec '07

29 Dec '07

Running OpenLDAP 2.2.19 on Darwin kernel v. 8.11.1, and when I issue: /usr/sbin/slapcat -d 5 -v -l /Users/localadmin/Desktop/bkup.ldif I get the following output: <snip>... # id=00000070 entry_decode: "cn=raidgroup,cn=groups,dc=fileserver,dc=mydomain,dc=private" <= entry_decode(cn=raidgroup,cn=groups,dc=fileserver,dc=mydomain,dc=private) # id=00000071 slapcat shutdown: initiated Segmentation fault ...</snip> Anyone know how I can track down what's causing this segmentation fault?

2 1

archive test
by Kurt Zeilenga 28 Dec '07

28 Dec '07

Test the archives....

1 0

test message
by Kurt Zeilenga 28 Dec '07

28 Dec '07

test

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2007