openldap client GSSAPI authentication segfaults in fbsd8stable i386

Jeremy Chadwick freebsd at jdc.parodius.com
Thu Jul 15 12:36:34 UTC 2010


On Wed, Jul 14, 2010 at 09:18:21PM +0200, Henrik /KaarPoSoft wrote:
> On Tue, Jul 13, 2010 at 10:10:25PM +0200, Henrik /KaarPoSoft wrote:
> >>I have a problem: ldapsearch results in "Segmentation fault" under
> >>openldap-2.4.23 with cyrus-sasl-2.1.23.
> >>[...]
> 
> Jeremy Chadwick wrote:
> >If I was to build a test box from scratch, can you tell me how to set up
> >all the necessary software/etc. to mimic your environment so that I
> >could try to reproduce this?  Reviewing the source isn't enough, I'd
> >have to actually build a debug version of libgssapi to track it down.
> Jeremy, I would really appreciate your going through this!
> Thank you very much in advance.
> 
> Here is what I did:
> 
> 
> FreeBSD 8.0 vanilla install
> hostname: srv02.example.lan
> 
> freebsd-update fetch
> freebsd-update install
> 
> Create self-signed "CA" cert, and create SSL cert for LDAP signed by this.
> References:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html
> http://forums.freebsd.org/showthread.php?t=6490
> http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php
> 
> pkg_add -r heimdal
> 
> cat >> /etc/rc.conf
> kerberos5_server_enable="YES"
> kadmind5_server_enable="YES"
> 
> cat > /etc/krb5.conf
> [libdefaults]
> default_realm = EXAMPLE.LAN
> 
> kstash
> 
> kadmin -l
> kadmin> init EXAMPLE.LAN
> kadmin> add TestOne
> kadmin> list "*"
> 
> /etc/rc.d/kerberos start
> /etc/rc.d/kadmind start
> 
> Add to nameserver:
> 
> kerberos.example.lan CNAME srv02.example.lan
> ldap.example.lan CNAME srv02.example.lan
> _kerberos IN TXT kerberos.example.lan
> _kerberos._udp.example.lan. IN SRV 0 0 88 kerberos.example.lan.
> _kerberos._tcp.example.lan. IN SRV 0 0 88 kerberos.example.lan.
> _kerberos-adm._tcp.example.lan. IN SRV 0 0 749 kerberos.example.lan.
> _kpasswd._udp.example.lan. IN SRV 0 0 464 kerberos.example.lan.
> 
> cd /usr/ports
> portsnap fetch
> portsnap extract
> 
> (and subsequently portsnap fetch update)
> 
> cd /usr/ports/security/cyrus-sasl2
> make config
> [X] Berkeley DB
> [X] /dev/urandom
> make
> make install
> 
> cd /usr/ports/net/openldap24-sasl-client
> make
> make install
> 
> cd /usr/ports/net/openldap24-server
> make config
> [x] SASL
> make
> 
> cat >> /etc/rc.conf
> slapd_enable="YES"
> slapd_flags="-h ldaps:///"
> 
> touch /var/db/openldap-data/DB_CONFIG
> 
> srv02# diff /usr/local/etc/openldap/slapd.conf.ORIG /usr/local/etc/openldap/slapd.conf
> 48a50,80
> >
> > #######################################################################
> > # EXAMPLE
> > #######################################################################
> >
> > #=# Shemas we need
> > include /usr/local/etc/openldap/schema/cosine.schema
> > include /usr/local/etc/openldap/schema/nis.schema
> > include /usr/local/etc/openldap/schema/inetorgperson.schema
> >
> > #=# Logging
> > loglevel stats stats2 shell parse ACL config filter BER conns
> >
> >
> > #=# GSSAPI mapping
> > #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> > #=# http://www.openldap.org/doc/admin24/sasl.html#Mapping
> Authentication Identities
> >
> > authz-regexp
> > uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth
> > uid=$1,ou=Users,dc=example,dc=lan
> >
> >
> > #=# LDAP over TSL (SSL)
> > #=# http://www.openldap.org/doc/admin24/tls.html
> >
> > security ssf=128
> > TLSCertificateFile /etc/exampleCA/certs/ldap.pem
> > TLSCertificateKeyFile /etc/exampleCA/private/ldap.pem
> > TLSCACertificateFile /etc/exampleCA/certs/example.pem
> >
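Review bot: the loglevel line in this hunk ("loglevel stats stats2 shell parse ACL config filter BER conns") is far more verbose than a server should run with; it is useful while chasing this segfault, but worth trimming back to "stats" once the problem is found, since "BER" and "conns" write a great deal per connection. Two spelling slips in the comments: "Shemas" should be "Schemas" and "TSL" should be "TLS". The "security ssf=128" line is satisfied by the TLS session on the ldaps:/// listener configured in rc.conf, so plain ldap:/// binds (if one is ever added) would be refused until they negotiate TLS or a SASL layer; that is the intended effect but worth stating in the comment.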
> 54,55c86,93
> < suffix "dc=my-domain,dc=com"
> < rootdn "cn=Manager,dc=my-domain,dc=com"
> ---
> >
> > #=# The example Network
> > suffix "dc=example,dc=lan"
> >
> > #=# The rootdn user, authenticated by Kerberos
> > #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> > rootdn "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"
> >
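Review bot: the rootdn in this hunk ("uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth") also matches the authz-regexp pattern added in the first hunk ("uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth"), which would rewrite it to uid=LDAProot,ou=Users,dc=example,dc=lan. Check for your slapd version whether rootdn is compared against the mapped identity (the slapd.conf(5) text on rootdn and authz-regexp covers this); if it is, a Kerberos bind as LDAProot lands on an ordinary Users entry and never receives rootdn privileges. Either narrow the regexp so LDAProot is excluded, or set rootdn to the DN the mapping produces.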
> 59c97,99
> < rootpw secret
> ---
> >
> > #=# Since rootdn is authenticated by Kerberos, we do not need rootpw
> > #rootpw secret
> 65a106
> 
> Add domain and a few users with slapadd
> 
> cat >> /usr/local/etc/openldap/ldap.conf
> base dc=example,dc=lan
> uri ldaps://ldap.example.lan/
> tls_cacert /etc/exampleCA/cacert.pem

Thank you for this.  I'm in the process of building the machine with
debugging symbols on libraries/binaries now (DEBUG_FLAGS=-g3 -ggdb in
src.conf).

-- 
| Jeremy Chadwick                                   jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
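The authz-regexp and rootdn lines in the quoted slapd.conf diff interact, and the following Python (added here as an illustration, not code from this thread or from OpenLDAP) models how slapd derives a GSSAPI authentication DN from a Kerberos principal and then applies the mapping. It assumes the DN form the quoted config uses (uid=<primary>,cn=<realm>,cn=gssapi,cn=auth) and that rootdn is compared against the mapped identity; the principal names are constructed for the example.

```python
import re

# The single authz-regexp rule from the quoted slapd.conf diff: (pattern, replacement)
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth",
     "uid=$1,ou=Users,dc=example,dc=lan"),
]
# The rootdn from the same diff
ROOTDN = "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"


def gssapi_authc_dn(principal: str) -> str:
    """Build the SASL authentication DN slapd derives from a Kerberos principal.

    Form follows the quoted config: uid=<primary>,cn=<realm>,cn=gssapi,cn=auth
    (realm written in lower case, as the config does for EXAMPLE.LAN).
    """
    user, _, realm = principal.partition("@")
    return f"uid={user},cn={realm.lower()},cn=gssapi,cn=auth"


def apply_authz_regexp(authc_dn: str, rules=AUTHZ_REGEXP) -> str:
    """Apply the first matching authz-regexp rule; $1..$9 expand to regex groups.

    Matching is case-insensitive (simplified model of slapd's REG_ICASE compile).
    An identity no rule matches is returned unchanged.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authc_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return authc_dn


def is_rootdn(principal: str, rootdn: str = ROOTDN, rules=AUTHZ_REGEXP) -> bool:
    """True when the mapped identity equals rootdn (case-insensitive DN compare,
    simplified: no full DN normalisation)."""
    mapped = apply_authz_regexp(gssapi_authc_dn(principal), rules)
    return mapped.lower() == rootdn.lower()


if __name__ == "__main__":
    for p in ("TestOne@EXAMPLE.LAN", "LDAProot@EXAMPLE.LAN"):
        print(p, "->", apply_authz_regexp(gssapi_authc_dn(p)), "rootdn:", is_rootdn(p))
```

With the rule in place, LDAProot@EXAMPLE.LAN is rewritten to an ou=Users entry and no longer equals the configured rootdn; with no mapping rule it matches.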
