Date: Wed, 14 Jul 2010 21:18:21 +0200
From: Henrik /KaarPoSoft <henrik@kaarposoft.dk>
To: Jeremy Chadwick <freebsd@jdc.parodius.com>, freebsd-stable@freebsd.org
Cc: mamalos@eng.auth.gr
Subject: Re: openldap client GSSAPI authentication segfaults in fbsd8stable i386
Message-ID: <4C3E0D7D.5020305@kaarposoft.dk>
In-Reply-To: <20100713210729.GA11943@icarus.home.lan>
References: <4C3CC831.7040005@kaarposoft.dk> <20100713210729.GA11943@icarus.home.lan>
On Tue, Jul 13, 2010 at 10:10:25PM +0200, Henrik /KaarPoSoft wrote:
>> I have a problem: ldapsearch results in "Segmentation fault" under
>> openldap-2.4.23 with cyrus-sasl-2.1.23.
>> [...]

Jeremy Chadwick wrote:
> If I was to build a test box from scratch, can you tell me how to set up
> all the necessary software/etc. to mimic your environment so that I
> could try to reproduce this? Reviewing the source isn't enough, I'd
> have to actually build a debug version of libgssapi to track it down.

Jeremy, I would really appreciate your going through this!
Thank you very much in advance.

Here is what I did:

FreeBSD 8.0 vanilla install
hostname: srv02.example.lan

freebsd-update fetch
freebsd-update install

Create self-signed "CA" cert, and create SSL cert for LDAP signed by this.
References:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html
http://forums.freebsd.org/showthread.php?t=6490
http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

pkg_add -r heimdal

cat >> /etc/rc.conf
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"

cat > /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.LAN

kstash
kadmin -l
kadmin> init EXAMPLE.LAN
kadmin> add TestOne
kadmin> list "*"

/etc/rc.d/kerberos start
/etc/rc.d/kadmind start

Add to nameserver:
kerberos.example.lan CNAME srv02.example.lan
ldap.example.lan CNAME srv02.example.lan
_kerberos IN TXT kerberos.example.lan
_kerberos._udp.example.lan. IN SRV 0 0 88 kerberos.example.lan.
_kerberos._tcp.example.lan. IN SRV 0 0 88 kerberos.example.lan.
_kerberos-adm._tcp.example.lan. IN SRV 0 0 749 kerberos.example.lan.
_kpasswd._udp.example.lan. IN SRV 0 0 464 kerberos.example.lan.
cd /usr/ports
portsnap fetch
portsnap extract
(and subsequently portsnap fetch update)

cd /usr/ports/security/cyrus-sasl2
make config
[X] Berkeley DB
[X] /dev/urandom
make
make install

cd /usr/ports/net/openldap24-sasl-client
make
make install

cd /usr/ports/net/openldap24-server
make config
[x] SASL
make

cat >> /etc/rc.conf
slapd_enable="YES"
slapd_flags="-h ldaps:///"

touch /var/db/openldap-data/DB_CONFIG

srv02# diff /usr/local/etc/openldap/slapd.conf.ORIG /usr/local/etc/openldap/slapd.conf
48a50,80
> 
> #######################################################################
> # EXAMPLE
> #######################################################################
> 
> #=# Shemas we need
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> 
> #=# Logging
> loglevel stats stats2 shell parse ACL config filter BER conns
> 
> 
> #=# GSSAPI mapping
> #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> #=# http://www.openldap.org/doc/admin24/sasl.html#Mapping Authentication Identities
> 
> authz-regexp
> uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth
> uid=$1,ou=Users,dc=example,dc=lan
> 
> 
> #=# LDAP over TSL (SSL)
> #=# http://www.openldap.org/doc/admin24/tls.html
> 
> security ssf=128
> TLSCertificateFile /etc/exampleCA/certs/ldap.pem
> TLSCertificateKeyFile /etc/exampleCA/private/ldap.pem
> TLSCACertificateFile /etc/exampleCA/certs/example.pem
> 
54,55c86,93
< suffix "dc=my-domain,dc=com"
< rootdn "cn=Manager,dc=my-domain,dc=com"
---
> 
> #=# The example Network
> suffix "dc=example,dc=lan"
> 
> #=# The rootdn user, authenticated by Kerberos
> #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> rootdn "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"
> 
59c97,99
< rootpw secret
---
> 
> #=# Since rootdn is authenticated by Kerberos, we do not need rootpw
> #rootpw secret
65a106

Add domain and a few users with slapadd

cat >> /usr/local/etc/openldap/ldap.conf
base dc=example,dc=lan
uri ldaps://ldap.example.lan/
tls_cacert /etc/exampleCA/cacert.pem
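Review bot: in hunk 48a50,80 the loglevel line (stats stats2 shell parse ACL config filter BER conns) is packet-level debugging: BER and conns record every PDU and connection event, so the log grows quickly and contains request contents. That is reasonable while chasing the segfault, but it should drop back to plain `loglevel stats` once the reproduction is done. In the same hunk, `security ssf=128` applies to every operation on the server; it only works as intended here because slapd_flags limits slapd to the ldaps:/// listener, so an ldap:/// listener added later would refuse operations until TLS or a SASL security layer is negotiated.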
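Review bot: in hunk 54,55c86,93 the rootdn `uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth` has exactly the shape that the `authz-regexp` from the first hunk rewrites (any `uid=...,cn=example.lan,cn=gssapi,cn=auth`). If slapd rewrites the bind identity before the rootdn comparison, a GSSAPI bind as LDAProot becomes `uid=LDAProot,ou=Users,dc=example,dc=lan` and never matches rootdn. Worth checking in the logs (the loglevel above will show the mapped DN); if it is rewritten, either set rootdn to the mapped DN or narrow the regexp so it does not match LDAProot.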
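Review bot: in hunk 59c97,99 commenting out rootpw is consistent with a Kerberos-authenticated rootdn, but the comment should also say that this makes the LDAProot principal the only administrative credential for the directory. The kadmin steps earlier in the message only show `add TestOne`, so either LDAProot is created somewhere not shown or the posted recipe cannot bind as rootdn at all.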
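Review bot: the last hunk `65a106` has no content line after it in the message; the added line 106 (presumably a blank line) was lost somewhere between the terminal and the mail, so the diff as posted will not apply cleanly. Re-sending it as `diff -u` output, or noting the missing blank line, would let someone reproduce the config exactly.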
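Not part of the message: an added Python model of what the slapd.conf hunks above configure, namely how the single `authz-regexp` directive rewrites a SASL/GSSAPI authentication identity and how that interacts with the rootdn as posted. The DN forms and the principal names are taken from the diff and the kadmin steps; everything else is assumption: DN comparison is treated as fully case-insensitive, the regexp is matched unanchored as slapd's authz-regexp does, and the rewrite is assumed to happen before slapd decides whether a bind is the rootdn. Check that last point against a running slapd (the loglevel in the diff prints the mapped DN) before relying on it.

```python
import re

# Constructed from the slapd.conf diff in the message: the one authz-regexp
# directive (slapd back-reference syntax $1..$9) and the rootdn as posted.
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth",
     r"uid=$1,ou=Users,dc=example,dc=lan"),
]
ROOTDN_AS_POSTED = "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"


def gssapi_authc_dn(principal: str, realm: str) -> str:
    """SASL authentication identity slapd derives from a Kerberos principal
    (the uid=<principal>,cn=<realm>,cn=gssapi,cn=auth form referenced in the diff)."""
    return f"uid={principal},cn={realm},cn=gssapi,cn=auth"


def normalize_dn(dn: str) -> str:
    """Assumption / simplification: compare whole DNs case-insensitively, as
    slapd does for these caseIgnore attributes when it normalizes a DN."""
    return dn.lower()


def apply_authz_regexp(authc_dn: str, rules=AUTHZ_REGEXP) -> str:
    """Rewrite an authcDN with the first matching authz-regexp rule.

    Matching is unanchored (re.search), mirroring slapd's regexec use; an
    identity no rule matches is returned unchanged (normalized)."""
    norm = normalize_dn(authc_dn)
    for pattern, replacement in rules:
        m = re.search(pattern, norm, flags=re.IGNORECASE)
        if m is None:
            continue
        # slapd writes back-references as $1..$9; Match.expand() wants \1..\9
        py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
        return normalize_dn(m.expand(py_repl))
    return norm


def binds_as_rootdn(authc_dn: str, rootdn: str, rules=AUTHZ_REGEXP) -> bool:
    """Model of the rootdn check. Assumption: slapd compares rootdn with the
    identity *after* authz-regexp rewriting, so a rewritten rootdn no longer
    matches and the bind becomes an ordinary user bind."""
    return apply_authz_regexp(authc_dn, rules) == normalize_dn(rootdn)


def check_config(rootdn: str, rules=AUTHZ_REGEXP) -> list:
    """Lint for the collision: report every rule whose pattern also matches
    the rootdn itself, since that rule would rewrite administrative binds."""
    findings = []
    for i, (pattern, _) in enumerate(rules):
        if re.search(pattern, normalize_dn(rootdn), flags=re.IGNORECASE):
            findings.append(
                f"authz-regexp #{i} ({pattern}) also rewrites rootdn {rootdn}; "
                "set rootdn to the mapped DN or exclude it from the pattern")
    return findings


if __name__ == "__main__":
    # Principals from the message: TestOne (added with kadmin) and LDAProot (rootdn)
    for principal in ("TestOne", "LDAProot"):
        dn = gssapi_authc_dn(principal, "EXAMPLE.LAN")
        print(f"{dn} -> {apply_authz_regexp(dn)}  "
              f"root={binds_as_rootdn(dn, ROOTDN_AS_POSTED)}")
    for finding in check_config(ROOTDN_AS_POSTED):
        print("WARNING:", finding)
```

Running it shows TestOne mapped to its ou=Users entry as intended, and LDAProot mapped the same way rather than recognised as rootdn; with the rootdn set to the mapped DN `uid=LDAProot,ou=Users,dc=example,dc=lan`, or with the regexp narrowed so it does not match LDAProot, the lint returns nothing.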