net/openldap24 GSSAPI binds broken with SASL 2.1.25

John Marshall john.marshall at riverwillow.com.au
Wed Sep 28 09:59:35 UTC 2011 

Since upgrading cyrus/sasl2 2.1.25 and rebuilding net/openldap24 2.4.26
on 8.2-RELEASE/i386, any attempt to query using a SASL GSSAPI bind
causes ldap to come to an abrupt halt.  The problem is remedied by
reverting to cyrus-sasl2 2.1.23_3 and rebuilding net/openldap24 2.4.26.

 Scenario 1
 ----------
 - OpenLDAP 2.4.26 client linked with the old SASL 2.1.23
 - OpenLDAP 2.4.26 server linked with the new SASL 2.1.25
 - Client attempts query with GSSAPI bind

 Client shows:

   SASL/GSSAPI authentication started
   SASL username: john at EXAMPLE.COM
   SASL SSF: 56
   SASL data security layer installed.
   # extended LDIF
   #
   # LDAPv3
   # base <ou=Users,dc=example,dc=com> with scope subtree
   # filter: cn=fred
   # requesting: ALL
   #

   ldap_result: Can't contact LDAP server (-1)

 Server shows:

   fd=17 ACCEPT from IP=192.0.2.200:40978 (IP=192.0.2.18:389)
   op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
   op=0 SRCH attr=supportedSASLMechanisms
   op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
   op=1 BIND dn="" method=163
   op=1 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required
   op=2 BIND dn="" method=163
   op=2 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required
   op=3 BIND dn="" method=163
   op=3 BIND authcid="john" authzid="john"
   op=3 BIND dn="uid=john,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56
   op=3 RESULT tag=97 err=0 text=
   op=4 SRCH base="ou=Users,dc=example,dc=com" scope=2 deref=0 filter="(cn=fred)"

 ...and that's all.  The server is dead at this point.

 Scenario 2
 ----------
 - OpenLDAP 2.4.26 client linked with the new SASL 2.1.25
 - OpenLDAP 2.4.26 server linked with the new SASL 2.1.25
 - Client attempts query with GSSAPI bind

 Client shows:

   SASL/GSSAPI authentication started
   Segmentation fault (core dumped)

 Server shows:

   fd=17 ACCEPT from IP=192.0.2.16:19191 (IP=192.0.2.18:389)
   op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
   op=0 SRCH attr=supportedSASLMechanisms
   op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
   fd=17 closed (connection lost)

The backtrace from the client in Scenario 2 looks like this:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...(no debugging symbols found)...
Core was generated by `ldapsearch'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/libldap-2.4.so.8...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libldap-2.4.so.8
Reading symbols from /usr/local/lib/liblber-2.4.so.8...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/liblber-2.4.so.8
Reading symbols from /usr/local/lib/libsasl2.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libsasl2.so.2
Reading symbols from /usr/lib/libssl.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libssl.so.6
Reading symbols from /lib/libcrypto.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypto.so.6
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /usr/local/lib/sasl2/libsasldb.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/sasl2/libsasldb.so.2
Reading symbols from /usr/local/lib/sasl2/libcrammd5.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/sasl2/libcrammd5.so.2
Reading symbols from /usr/local/lib/sasl2/libdigestmd5.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/sasl2/libdigestmd5.so.2
Reading symbols from /usr/local/lib/sasl2/libscram.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/sasl2/libscram.so.2
Reading symbols from /usr/local/lib/sasl2/libotp.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/sasl2/libotp.so.2
Reading symbols from /usr/lib/libopie.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libopie.so.6
Reading symbols from /lib/libmd.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libmd.so.5
Reading symbols from /usr/local/lib/sasl2/libgssapiv2.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/sasl2/libgssapiv2.so.2
Reading symbols from /usr/lib/libgssapi.so.10...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgssapi.so.10
Reading symbols from /usr/lib/libheimntlm.so.10...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libheimntlm.so.10
Reading symbols from /usr/lib/libkrb5.so.10...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libkrb5.so.10
Reading symbols from /usr/lib/libhx509.so.10...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libhx509.so.10
Reading symbols from /usr/lib/libcom_err.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libcom_err.so.5
Reading symbols from /usr/lib/libasn1.so.10...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libasn1.so.10
Reading symbols from /usr/lib/libroken.so.10...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libroken.so.10
Reading symbols from /lib/libcrypt.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.5
Reading symbols from /usr/local/lib/sasl2/libplain.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/sasl2/libplain.so.2
Reading symbols from /usr/local/lib/sasl2/libanonymous.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/sasl2/libanonymous.so.2
Reading symbols from /usr/local/lib/sasl2/liblogin.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/sasl2/liblogin.so.2
Reading symbols from /usr/local/lib/sasl2/libntlm.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/sasl2/libntlm.so.2
Reading symbols from /usr/lib/libgssapi_krb5.so.10...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgssapi_krb5.so.10
Reading symbols from /usr/lib/libgssapi_spnego.so.10...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgssapi_spnego.so.10
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x28303820 in free () from /lib/libc.so.7
(gdb) bt
#0  0x28303820 in free () from /lib/libc.so.7
#1  0x283f9b5a in gss_release_buffer () from /usr/lib/libgssapi.so.10
#2  0x283f957a in gss_release_name () from /usr/lib/libgssapi.so.10
#3  0x283f5dc7 in gss_init_sec_context () from /usr/lib/libgssapi.so.10
#4  0x283edc7e in gssapi_client_mech_step () from /usr/local/lib/sasl2/libgssapiv2.so.2
#5  0x280ec93a in sasl_client_step () from /usr/local/lib/libsasl2.so.2
#6  0x280ecfc1 in sasl_client_start () from /usr/local/lib/libsasl2.so.2
#7  0x280acb7a in ldap_int_sasl_bind () from /usr/local/lib/libldap-2.4.so.8
#8  0x280af4fb in ldap_sasl_interactive_bind () from /usr/local/lib/libldap-2.4.so.8
#9  0x280af597 in ldap_sasl_interactive_bind_s () from /usr/local/lib/libldap-2.4.so.8
#10 0x080504fd in ?? ()
#11 0x28401060 in ?? ()
#12 0x00000000 in ?? ()
#13 0x00000000 in ?? ()
#14 0x00000000 in ?? ()
#15 0x00000000 in ?? ()
#16 0x00000000 in ?? ()
#17 0x08053040 in ?? ()
#18 0x284010c0 in ?? ()
#19 0x00000007 in ?? ()
#20 0x00000002 in ?? ()
#21 0x280882f8 in ?? () from /libexec/ld-elf.so.1
#22 0x00000000 in ?? ()
#23 0x28095200 in ?? ()
#24 0xbfbfe244 in ?? ()
#25 0x2805d238 in dladdr () from /libexec/ld-elf.so.1
#26 0x0804d8e8 in ?? ()
#27 0x28401060 in ?? ()
#28 0x0804adb3 in ?? ()
#29 0x08056052 in ?? ()
#30 0x00000000 in ?? ()
#31 0x00000000 in ?? ()
#32 0x00000000 in ?? ()
#33 0x00000000 in ?? ()
#34 0x00000000 in ?? ()
#35 0x00000000 in ?? ()
#36 0x00000000 in ?? ()
#37 0xbfbfec40 in ?? ()
#38 0xbfbfedf7 in ?? ()
#39 0x00000000 in ?? ()
#40 0x00000000 in ?? ()
#41 0x00000000 in ?? ()
#42 0x28401060 in ?? ()
#43 0x00000000 in ?? ()
#44 0x00000000 in ?? ()
#45 0x00000000 in ?? ()
#46 0x280882f8 in ?? () from /libexec/ld-elf.so.1
#47 0x00000104 in ?? ()
#48 0x000f8000 in ?? ()
#49 0xbfbfe3f8 in ?? ()
#50 0x2806131e in _rtld_thread_init () from /libexec/ld-elf.so.1
#51 0x0804a824 in ?? ()
#52 0x00000000 in ?? ()
#53 0x00000000 in ?? ()
#54 0xbfbfec18 in ?? ()
#55 0x0804a824 in ?? ()
#56 0x00000006 in ?? ()
#57 0xbfbfec40 in ?? ()
#58 0xbfbfec5c in ?? ()
#59 0xbfbfec20 in ?? ()
#60 0xbfbfec3c in ?? ()
#61 0x00000000 in ?? ()
#62 0xbfbfec38 in ?? ()
#63 0x0804a798 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(gdb) 

Is there some gssapi routine in the sasl port clashing with gssapi in the base system?

-- 
John Marshall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20110928/f72cb7b3/attachment.pgp

More information about the freebsd-ports mailing list