Date: Wed, 28 Sep 2011 19:59:29 +1000
From: John Marshall <john.marshall@riverwillow.com.au>
To: freebsd-ports@freebsd.org
Subject: net/openldap24 GSSAPI binds broken with SASL 2.1.25
Message-ID: <20110928095929.GD12314@rwpc13.mby.riverwillow.net.au>

Since upgrading cyrus/sasl2 2.1.25 and rebuilding net/openldap24 2.4.26
on 8.2-RELEASE/i386, any attempt to query using a SASL GSSAPI bind
causes ldap to come to an abrupt halt. The problem is remedied by
reverting to cyrus-sasl2 2.1.23_3 and rebuilding net/openldap24 2.4.26.

Scenario 1
----------

- OpenLDAP 2.4.26 client linked with the old SASL 2.1.23
- OpenLDAP 2.4.26 server linked with the new SASL 2.1.25
- Client attempts query with GSSAPI bind

Client shows:

    SASL/GSSAPI authentication started
    SASL username: john@EXAMPLE.COM
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <ou=Users,dc=example,dc=com> with scope subtree
    # filter: cn=fred
    # requesting: ALL
    #
    ldap_result: Can't contact LDAP server (-1)

Server shows:

    fd=17 ACCEPT from IP=192.0.2.200:40978 (IP=192.0.2.18:389)
    op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    op=0 SRCH attr=supportedSASLMechanisms
    op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
    op=1 BIND dn="" method=163
    op=1 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required
    op=2 BIND dn="" method=163
    op=2 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required
    op=3 BIND dn="" method=163
    op=3 BIND authcid="john" authzid="john"
    op=3 BIND dn="uid=john,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56
    op=3 RESULT tag=97 err=0 text=
    op=4 SRCH base="ou=Users,dc=example,dc=com" scope=2 deref=0 filter="(cn=fred)"

...and that's all. The server is dead at this point.

Scenario 2
----------

- OpenLDAP 2.4.26 client linked with the new SASL 2.1.25
- OpenLDAP 2.4.26 server linked with the new SASL 2.1.25
- Client attempts query with GSSAPI bind

Client shows:

    SASL/GSSAPI authentication started
    Segmentation fault (core dumped)

Server shows:

    fd=17 ACCEPT from IP=192.0.2.16:19191 (IP=192.0.2.18:389)
    op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    op=0 SRCH attr=supportedSASLMechanisms
    op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
    fd=17 closed (connection lost)

The backtrace from the client in Scenario 2 looks like this:

    GNU gdb 6.1.1 [FreeBSD]
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i386-marcel-freebsd"...(no debugging symbols found)...
    Core was generated by `ldapsearch'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /usr/local/lib/libldap-2.4.so.8...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/libldap-2.4.so.8
    Reading symbols from /usr/local/lib/liblber-2.4.so.8...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/liblber-2.4.so.8
    Reading symbols from /usr/local/lib/libsasl2.so.2...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/libsasl2.so.2
    Reading symbols from /usr/lib/libssl.so.6...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libssl.so.6
    Reading symbols from /lib/libcrypto.so.6...(no debugging symbols found)...done.
    Loaded symbols for /lib/libcrypto.so.6
    Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
    Loaded symbols for /lib/libc.so.7
    Reading symbols from /usr/local/lib/sasl2/libsasldb.so.2...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/sasl2/libsasldb.so.2
    Reading symbols from /usr/local/lib/sasl2/libcrammd5.so.2...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/sasl2/libcrammd5.so.2
    Reading symbols from /usr/local/lib/sasl2/libdigestmd5.so.2...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/sasl2/libdigestmd5.so.2
    Reading symbols from /usr/local/lib/sasl2/libscram.so.2...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/sasl2/libscram.so.2
    Reading symbols from /usr/local/lib/sasl2/libotp.so.2...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/sasl2/libotp.so.2
    Reading symbols from /usr/lib/libopie.so.6...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libopie.so.6
    Reading symbols from /lib/libmd.so.5...(no debugging symbols found)...done.
    Loaded symbols for /lib/libmd.so.5
    Reading symbols from /usr/local/lib/sasl2/libgssapiv2.so.2...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/sasl2/libgssapiv2.so.2
    Reading symbols from /usr/lib/libgssapi.so.10...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libgssapi.so.10
    Reading symbols from /usr/lib/libheimntlm.so.10...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libheimntlm.so.10
    Reading symbols from /usr/lib/libkrb5.so.10...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libkrb5.so.10
    Reading symbols from /usr/lib/libhx509.so.10...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libhx509.so.10
    Reading symbols from /usr/lib/libcom_err.so.5...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libcom_err.so.5
    Reading symbols from /usr/lib/libasn1.so.10...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libasn1.so.10
    Reading symbols from /usr/lib/libroken.so.10...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libroken.so.10
    Reading symbols from /lib/libcrypt.so.5...(no debugging symbols found)...done.
    Loaded symbols for /lib/libcrypt.so.5
    Reading symbols from /usr/local/lib/sasl2/libplain.so.2...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/sasl2/libplain.so.2
    Reading symbols from /usr/local/lib/sasl2/libanonymous.so.2...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/sasl2/libanonymous.so.2
    Reading symbols from /usr/local/lib/sasl2/liblogin.so.2...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/sasl2/liblogin.so.2
    Reading symbols from /usr/local/lib/sasl2/libntlm.so.2...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/sasl2/libntlm.so.2
    Reading symbols from /usr/lib/libgssapi_krb5.so.10...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libgssapi_krb5.so.10
    Reading symbols from /usr/lib/libgssapi_spnego.so.10...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libgssapi_spnego.so.10
    Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
    Loaded symbols for /libexec/ld-elf.so.1
    #0  0x28303820 in free () from /lib/libc.so.7
    (gdb) bt
    #0  0x28303820 in free () from /lib/libc.so.7
    #1  0x283f9b5a in gss_release_buffer () from /usr/lib/libgssapi.so.10
    #2  0x283f957a in gss_release_name () from /usr/lib/libgssapi.so.10
    #3  0x283f5dc7 in gss_init_sec_context () from /usr/lib/libgssapi.so.10
    #4  0x283edc7e in gssapi_client_mech_step () from /usr/local/lib/sasl2/libgssapiv2.so.2
    #5  0x280ec93a in sasl_client_step () from /usr/local/lib/libsasl2.so.2
    #6  0x280ecfc1 in sasl_client_start () from /usr/local/lib/libsasl2.so.2
    #7  0x280acb7a in ldap_int_sasl_bind () from /usr/local/lib/libldap-2.4.so.8
    #8  0x280af4fb in ldap_sasl_interactive_bind () from /usr/local/lib/libldap-2.4.so.8
    #9  0x280af597 in ldap_sasl_interactive_bind_s () from /usr/local/lib/libldap-2.4.so.8
    #10 0x080504fd in ?? ()
    #11 0x28401060 in ?? ()
    #12 0x00000000 in ?? ()
    #13 0x00000000 in ?? ()
    #14 0x00000000 in ?? ()
    #15 0x00000000 in ?? ()
    #16 0x00000000 in ?? ()
    #17 0x08053040 in ?? ()
    #18 0x284010c0 in ?? ()
    #19 0x00000007 in ?? ()
    #20 0x00000002 in ?? ()
    #21 0x280882f8 in ?? () from /libexec/ld-elf.so.1
    #22 0x00000000 in ?? ()
    #23 0x28095200 in ?? ()
    #24 0xbfbfe244 in ?? ()
    #25 0x2805d238 in dladdr () from /libexec/ld-elf.so.1
    #26 0x0804d8e8 in ?? ()
    #27 0x28401060 in ?? ()
    #28 0x0804adb3 in ?? ()
    #29 0x08056052 in ?? ()
    #30 0x00000000 in ?? ()
    #31 0x00000000 in ?? ()
    #32 0x00000000 in ?? ()
    #33 0x00000000 in ?? ()
    #34 0x00000000 in ?? ()
    #35 0x00000000 in ?? ()
    #36 0x00000000 in ?? ()
    #37 0xbfbfec40 in ?? ()
    #38 0xbfbfedf7 in ?? ()
    #39 0x00000000 in ?? ()
    #40 0x00000000 in ?? ()
    #41 0x00000000 in ?? ()
    #42 0x28401060 in ?? ()
    #43 0x00000000 in ?? ()
    #44 0x00000000 in ?? ()
    #45 0x00000000 in ?? ()
    #46 0x280882f8 in ?? () from /libexec/ld-elf.so.1
    #47 0x00000104 in ?? ()
    #48 0x000f8000 in ?? ()
    #49 0xbfbfe3f8 in ?? ()
    #50 0x2806131e in _rtld_thread_init () from /libexec/ld-elf.so.1
    #51 0x0804a824 in ?? ()
    #52 0x00000000 in ?? ()
    #53 0x00000000 in ?? ()
    #54 0xbfbfec18 in ?? ()
    #55 0x0804a824 in ?? ()
    #56 0x00000006 in ?? ()
    #57 0xbfbfec40 in ?? ()
    #58 0xbfbfec5c in ?? ()
    #59 0xbfbfec20 in ?? ()
    #60 0xbfbfec3c in ?? ()
    #61 0x00000000 in ?? ()
    #62 0xbfbfec38 in ?? ()
    #63 0x0804a798 in ?? ()
    Previous frame inner to this frame (corrupt stack?)
    (gdb)

Is there some gssapi routine in the sasl port clashing with gssapi in the
base system?

--
John Marshall