From: Jeremy Chadwick
To: Henrik /KaarPoSoft
Cc: mamalos@eng.auth.gr, freebsd-stable@freebsd.org
Date: Thu, 15 Jul 2010 05:36:31 -0700
Subject: Re: openldap client GSSAPI authentication segfaults in fbsd8stable i386
Message-ID: <20100715123631.GA69253@icarus.home.lan>
In-Reply-To: <4C3E0D7D.5020305@kaarposoft.dk>
References: <4C3CC831.7040005@kaarposoft.dk> <20100713210729.GA11943@icarus.home.lan> <4C3E0D7D.5020305@kaarposoft.dk>
List-Id: Production branch of FreeBSD source code

On Wed, Jul 14, 2010 at 09:18:21PM +0200, Henrik /KaarPoSoft wrote:
> On Tue, Jul 13, 2010 at 10:10:25PM +0200, Henrik /KaarPoSoft wrote:
> >>I have a problem: ldapsearch results in "Segmentation fault" under
> >>openldap-2.4.23 with cyrus-sasl-2.1.23.
> >>[...]
> > Jeremy Chadwick wrote:
> >If I was to build a test box from scratch, can you tell me how to set up
> >all the necessary software/etc. to mimic your environment so that I
> >could try to reproduce this? Reviewing the source isn't enough, I'd
> >have to actually build a debug version of libgssapi to track it down.
> Jeremy, I would really appreciate your going through this!
> Thank you very much in advance.
>
> Here is what I did:
>
>
> FreeBSD 8.0 vanilla install
> hostname: srv02.example.lan
>
> freebsd-update fetch
> freebsd-update install
>
> Create self-signed "CA" cert, and create SSL cert for LDAP signed by this.
> References:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html
> http://forums.freebsd.org/showthread.php?t=6490
> http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php
>
> pkg_add -r heimdal
>
> cat >> /etc/rc.conf
> kerberos5_server_enable="YES"
> kadmind5_server_enable="YES"
>
> cat > /etc/krb5.conf
> [libdefaults]
> default_realm = EXAMPLE.LAN
>
> kstash
>
> kadmin -l
> kadmin> init EXAMPLE.LAN
> kadmin> add TestOne
> kadmin> list "*"
>
> /etc/rc.d/kerberos start
> /etc/rc.d/kadmind start
>
> Add to nameserver:
>
> kerberos.example.lan CNAME srv02.example.lan
> ldap.example.lan CNAME srv02.example.lan
> _kerberos IN TXT kerberos.example.lan
> _kerberos._udp.example.lan. IN SRV 0 0 88 kerberos.example.lan.
> _kerberos._tcp.example.lan. IN SRV 0 0 88 kerberos.example.lan.
> _kerberos-adm._tcp.example.lan. IN SRV 0 0 749 kerberos.example.lan.
> _kpasswd._udp.example.lan. IN SRV 0 0 464 kerberos.example.lan.
>
> cd /usr/ports
> portsnap fetch
> portsnap extract
>
> (and subsequently portsnap fetch update)
>
> cd /usr/ports/security/cyrus-sasl2
> make config
> [X] Berkeley DB
> [X] /dev/urandom
> make
> make install
>
> cd /usr/ports/net/openldap24-sasl-client
> make
> make install
>
> cd /usr/ports/net/openldap24-server
> make config
> [x] SASL
> make
>
> cat >> /etc/rc.conf
> slapd_enable="YES"
> slapd_flags="-h ldaps:///"
>
> touch /var/db/openldap-data/DB_CONFIG
>
> srv02# diff /usr/local/etc/openldap/slapd.conf.ORIG /usr/local/etc/openldap/slapd.conf
> 48a50,80
> >
> > #######################################################################
> > # EXAMPLE
> > #######################################################################
> >
> > #=# Shemas we need
> > include /usr/local/etc/openldap/schema/cosine.schema
> > include /usr/local/etc/openldap/schema/nis.schema
> > include /usr/local/etc/openldap/schema/inetorgperson.schema
> >
> > #=# Logging
> > loglevel stats stats2 shell parse ACL config filter BER conns
> >
> >
> > #=# GSSAPI mapping
> > #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> > #=# http://www.openldap.org/doc/admin24/sasl.html#Mapping
> Authentication Identities
> >
> > authz-regexp
> > uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth
> > uid=$1,ou=Users,dc=example,dc=lan
> >
> >
> > #=# LDAP over TSL (SSL)
> > #=# http://www.openldap.org/doc/admin24/tls.html
> >
> > security ssf=128
> > TLSCertificateFile /etc/exampleCA/certs/ldap.pem
> > TLSCertificateKeyFile /etc/exampleCA/private/ldap.pem
> > TLSCACertificateFile /etc/exampleCA/certs/example.pem
> >
> 54,55c86,93
> < suffix "dc=my-domain,dc=com"
> < rootdn "cn=Manager,dc=my-domain,dc=com"
> ---
> >
> > #=# The example Network
> > suffix "dc=example,dc=lan"
> >
> > #=# The rootdn user, authenticated by Kerberos
> > #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> > rootdn "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"
> >
> 59c97,99
> < rootpw secret
> ---
> >
> > #=# Since rootdn is authenticated by Kerberos, we do not need rootpw
> > #rootpw secret
> 65a106
> >
>
> Add domain and a few users with slapadd
>
> cat >> /usr/local/etc/openldap/ldap.conf
> base dc=example,dc=lan
> uri ldaps://ldap.example.lan/
> tls_cacert /etc/exampleCA/cacert.pem

Thank you for this. I'm in the process of building the machine with
debugging symbols on libraries/binaries now (DEBUG_FLAGS=-g3 -ggdb in
src.conf).

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
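Review bot: in the 48a50,80 hunk, `loglevel stats stats2 shell parse ACL config filter BER conns` switches on nearly every slapd debug category at once; that is reasonable while the segfault is being reproduced, but `parse`, `filter` and `BER` log protocol detail such as search filters and decoded requests, so the line should be cut back to `loglevel stats` once the trace has been captured, and the syslog destination should not be world-readable while it is in force. In the same hunk, `TLSCACertificateFile /etc/exampleCA/certs/example.pem` names a different file from the client's `tls_cacert /etc/exampleCA/cacert.pem` further down the message; if those are not copies of the same CA certificate the ldaps:// handshake fails before GSSAPI is ever attempted, which is worth ruling out first.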
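Review bot: in the 54,55c86,93 hunk, `rootdn "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"` makes whoever can obtain a ticket for the LDAProot principal the unrestricted directory identity, with no `rootpw` left as a second factor (59c97,99 removes it); a comment stating that the LDAProot key must be protected like the old `rootpw`, and that the principal should never be issued to a host keytab, would document that dependency. Since the `authz-regexp` pattern added in 48a50,80 (`uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth`) also matches this SASL DN, confirm in the slapd log which DN the LDAProot bind is actually evaluated as rather than assuming the rootdn comparison happens before mapping.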
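The `authz-regexp` directive in the quoted slapd.conf is what turns an authenticated Kerberos identity into a DN that ACLs and the rootdn comparison can use. The following Python is an added example, not code from the message, from OpenLDAP or from the reporter's setup: it re-implements that one mapping rule over constructed identities (first matching rule wins, `$n` substituted from capture groups, case-insensitive match), and adds a hypothetical stricter rule set to show what the page's unanchored pattern with its unescaped dot also matches. It assumes that slapd presents the EXAMPLE.LAN realm as `cn=example.lan` in the synthetic SASL DN, as the quoted pattern implies.

```python
import re
from typing import Dict, List, Tuple

# Rule table constructed from the single authz-regexp directive quoted in the
# message: (extended-regex pattern, replacement template). slapd tries rules
# in order and uses the first that matches; $1..$9 refer to capture groups.
PAGE_RULES: List[Tuple[str, str]] = [
    (r"uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth",
     r"uid=$1,ou=Users,dc=example,dc=lan"),
]

# Hypothetical tighter variant (not from the message): anchored, with the dot
# escaped, and with '/' excluded so primary/instance principals such as
# host/x or svc/x are not mapped to an entry under ou=Users.
STRICT_RULES: List[Tuple[str, str]] = [
    (r"^uid=([^,/]*),cn=example\.lan,cn=gssapi,cn=auth$",
     r"uid=$1,ou=Users,dc=example,dc=lan"),
]


def sasl_dn_for_principal(principal: str, mech: str = "gssapi") -> str:
    """Synthetic DN slapd derives from an authenticated SASL identity.

    TestOne@EXAMPLE.LAN -> uid=TestOne,cn=example.lan,cn=gssapi,cn=auth
    The realm is lower-cased here because the quoted pattern spells the
    EXAMPLE.LAN realm as cn=example.lan (assumption of this example).
    """
    user, sep, realm = principal.partition("@")
    if not sep or not user or not realm:
        raise ValueError(f"expected user@REALM, got {principal!r}")
    return f"uid={user},cn={realm.lower()},cn={mech},cn=auth"


def map_authz_regexp(sasl_dn: str, rules: List[Tuple[str, str]]) -> Tuple[str, bool]:
    """Return (DN after mapping, whether any rule matched).

    Matching is case-insensitive. An identity no rule matches keeps its
    cn=auth DN, which names no entry in the directory, so ACLs granted to
    entries under ou=Users never apply to it.
    """
    for pattern, template in rules:
        m = re.search(pattern, sasl_dn, flags=re.IGNORECASE)
        if m is None:
            continue

        def expand(ref: re.Match) -> str:
            n = int(ref.group(1))
            return (m.group(n) or "") if n <= len(m.groups()) else ""

        return re.sub(r"\$(\d)", expand, template), True
    return sasl_dn, False


# Constructed sample identities; only the first two are named in the message.
SAMPLE_PRINCIPALS = [
    "TestOne@EXAMPLE.LAN",   # user added with kadmin in the quoted steps
    "LDAProot@EXAMPLE.LAN",  # principal named in the quoted rootdn
    "svc/ldap@EXAMPLE.LAN",  # constructed primary/instance principal
    "bob@OTHER.LAN",         # constructed identity from a different realm
]


def mapping_table(rules: List[Tuple[str, str]]) -> Dict[str, str]:
    """Principal -> effective bind DN for every sample identity."""
    return {p: map_authz_regexp(sasl_dn_for_principal(p), rules)[0]
            for p in SAMPLE_PRINCIPALS}


if __name__ == "__main__":
    for label, rules in (("page rules", PAGE_RULES), ("strict rules", STRICT_RULES)):
        print(f"== {label}")
        for principal, dn in mapping_table(rules).items():
            print(f"{principal:24} -> {dn}")
```

Two rows are worth a second look. The cross-realm identity `bob@OTHER.LAN` stays on its `cn=auth` DN under both rule sets, which is the behaviour you want: only the local realm is trusted to populate `ou=Users`. The `svc/ldap` row shows that the page's `[^,]*` also maps instance principals under `ou=Users`, and the unescaped dot means `cn=exampleXlan` would match too; the stricter rule set closes both. The `LDAProot` row shows that the page's pattern also matches the SASL DN the quoted `rootdn` names, so whether that bind is compared to the rootdn before or after mapping should be confirmed in the slapd log rather than assumed.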