ldap_set_option/ldap_bind_s segfaults
by Johan Ström
Hi list
I'm trying to run pure-ftpd 1.0.21 on a FreeBSD 7.0-amd64 (still beta
yes) host, with LDAP (openldap-2.3.39) as auth backend. However the
authing doesn't seem to work at all, as soon as password is sent the
client gets disconnected. I've posted this similar message (although
more debugging info now) to their list without a single response.
Tracing the problem got me to the following code (pureftpd's
log_ldap.c, with a lot of logfile statements inserted by me):

    static LDAP *pw_ldap_connect(void)
    {
        LDAP *ld;
    # ifdef LDAP_OPT_PROTOCOL_VERSION
        int version = ldap_version;
    # endif

        if (ldap_host == NULL || port < 0) {
            logfile(LOG_DEBUG, "bad host");
            return NULL;
        }
        logfile(LOG_DEBUG, "initing to host %s port %d", ldap_host, port);
        if ((ld = ldap_init(ldap_host, port)) == NULL) {
            logfile(LOG_DEBUG, "init failed");
            return NULL;
        }
        logfile(LOG_DEBUG, "init ok ld is %p", ld);
    # ifdef LDAP_OPT_PROTOCOL_VERSION
        logfile(LOG_DEBUG, "setting version %d", version);
        if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) !=
            LDAP_SUCCESS) {
            logfile(LOG_DEBUG, "failed versionset");
            return NULL;
        }
        logfile(LOG_DEBUG, "versionset ok");
    # endif
        logfile(LOG_DEBUG, "binding");
        if (ldap_bind_s(ld, root, pwd, LDAP_AUTH_SIMPLE) != LDAP_SUCCESS) {
            logfile(LOG_DEBUG, "bind failed");
            return NULL;
        }
        logfile(LOG_DEBUG, "bound ok");

        return ld;
    }

When running, I get this debug output:

    Dec 29 09:31:10 back-1 pure-ftpd: (?@172.28.1.11) [DEBUG] ldap entered
    Dec 29 09:31:10 back-1 pure-ftpd: (?@172.28.1.11) [DEBUG] connecting
    Dec 29 09:31:10 back-1 pure-ftpd: (?@172.28.1.11) [DEBUG] initing to host localhost port 389
    Dec 29 09:31:10 back-1 pure-ftpd: (?@172.28.1.11) [DEBUG] init ok ld is 0x1297180
    Dec 29 09:31:10 back-1 pure-ftpd: (?@172.28.1.11) [DEBUG] setting version 3
    Dec 29 09:31:10 back-1 kernel: pid 97603 (pure-ftpd), uid 0: exited on signal 11

After that, nothing.. And the forked process dies. As it's a forked
one, I haven't been able to run gdb on it, so I've done the above log
entries instead.. But it seems pretty clear that it crashes when doing
ldap_set_option. If I skip the set option and do bind directly, that
crashes too. slapd doesn't even see the connection so I guess it's
something in the client part.

    pure-ftpd:
        libssl.so.5 => /usr/lib/libssl.so.5 (0x800650000)
        libcrypto.so.5 => /lib/libcrypto.so.5 (0x80079a000)
        libldap-2.3.so.2 => /usr/local/lib/libldap-2.3.so.2 (0x800a2a000)
        liblber-2.3.so.2 => /usr/local/lib/liblber-2.3.so.2 (0x800b64000)
        libcrypt.so.4 => /lib/libcrypt.so.4 (0x800c72000)
        libpam.so.4 => /usr/lib/libpam.so.4 (0x800d8b000)
        libc.so.7 => /lib/libc.so.7 (0x800e93000)
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x8010b0000)

Only have one version of the client lib installed so there shouldn't be any
problems there..

    openldap-sasl-client-2.3.39 Open source LDAP client implementation with SASL2 support
    openldap-server-2.3.39 Open source LDAP server implementation

I do have the same setup but with openldap-2.3.38 running fine on a
FreeBSD 6.2-i386 box. Haven't seen any problems with the regular
ldap* tools on this box, but haven't tested any other software yet.
So.. Anyone got any ideas? Hope this is the correct list, if not,
sorry.
Thanks!
--
Johan Ström
Stromnet
johan(a)stromnet.se
http://www.stromnet.se/
15 years, 8 months
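
Added example, not part of the original post and not pure-ftpd or OpenLDAP code: one failure mode that fits the symptoms reported above (fine on i386, signal 11 on amd64, a logged handle that fits in 32 bits) is a pointer-returning function called with no prototype in scope, so the compiler assumes an int return. That this is the cause here is an assumption; OpenLDAP 2.3's ldap.h declares ldap_init and ldap_bind_s only when LDAP_DEPRECATED is defined, and the address 0x801297180 below is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Models an LP64 (amd64) caller that sees no prototype for a function
 * returning a pointer: C89 rules assume "int", so only the low 32 bits of
 * the returned address are kept and then sign-extended into the 64-bit
 * pointer variable. The narrowing cast wraps on gcc and clang. */
static uint64_t through_implicit_int(uint64_t real_ptr)
{
    int32_t as_int = (int32_t)(uint32_t)real_ptr;  /* upper half discarded */
    return (uint64_t)(int64_t)as_int;              /* widened back to 64 bits */
}

/* Same call on ILP32 (i386): int and pointers are both 32 bits wide, so the
 * missing prototype is harmless there. */
static uint32_t through_implicit_int_ilp32(uint32_t real_ptr)
{
    return (uint32_t)(int32_t)real_ptr;
}

/* 1 if the handle is still usable after the round trip, 0 if it now points
 * somewhere else and the next dereference can fault. */
static int handle_survives(uint64_t real_ptr)
{
    return through_implicit_int(real_ptr) == real_ptr;
}

int main(void)
{
    /* Constructed address: a plausible amd64 heap pointer whose low 32 bits
     * equal the "ld is 0x1297180" value in the log above. */
    uint64_t real = 0x801297180ULL;

    printf("returned by library : 0x%llx\n", (unsigned long long)real);
    printf("seen by LP64 caller : 0x%llx (%s)\n",
           (unsigned long long)through_implicit_int(real),
           handle_survives(real) ? "intact" : "truncated");
    printf("seen by ILP32 caller: 0x%lx (intact)\n",
           (unsigned long)through_implicit_int_ilp32(0x08297180UL));
    return 0;
}
```

If this is what is happening, building log_ldap.c with -Wall reports an implicit declaration of ldap_init, and defining LDAP_DEPRECATED before including ldap.h restores the prototypes.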
OpenLDAP and optional kerberos ?
by Nicolas GRENECHE
Hi all,
I need to replace an old NIS with a topnotch OpenLDAP server.
I would like to add SSO support on my brand new architecture.
2 scenarios may occur:
1) Using pam_kerberos to authenticate against the KDC and retrieving
information from the LDAP server with SASL.
The drawback is that anyone (or anything) that needs to authenticate MUST be
Kerberos aware.
2) Having LDAP and Kerberos passwords synced.
Asset: You can authenticate through LDAP or Kerberos (pam_ldap required and
pam_kerberos optional), i.e. you must authenticate against LDAP and if Kerberos
authentication succeeds you get a TGT!
Drawback: Two password databases to protect / lot of work on client side /
passwords must be synced (Do you know of materials to do it?).
I add that security is not a major concern for us and we have many OSes on the
client side, that's why the 1st solution may not fit our needs.
Has someone ever experienced the second solution?
Have you some hints and feedback?
Thx,
Nico
15 years, 8 months
slapcat Segmentation fault
by John Sherling
Running OpenLDAP 2.2.19 on Darwin kernel v. 8.11.1, and when I issue:

    /usr/sbin/slapcat -d 5 -v -l /Users/localadmin/Desktop/bkup.ldif

I get the following output:

    <snip>...
    # id=00000070
    entry_decode: "cn=raidgroup,cn=groups,dc=fileserver,dc=mydomain,dc=private"
    <= entry_decode(cn=raidgroup,cn=groups,dc=fileserver,dc=mydomain,dc=private)
    # id=00000071
    slapcat shutdown: initiated
    Segmentation fault
    ...</snip>

Anyone know how I can track down what's causing this segmentation fault?
15 years, 8 months