ldapdb auxprop configuration

Torsten Schlabach tschlabach at gmx.net
Sun Jan 4 13:26:03 EST 2009


Hi Lars!

 > @ Torsten Schlabach:
 >> One comment suggested that the problem might be one of the Debian
 >> specific patches! Did you try to build a package without them?

 > Not yet, but I'm determined to get that issue resolved. One of the
 > larger problems could be that Debian uses GnuTLS instead of OpenSSL. I
 > had some severe issues with that kind of porting some years back with
 > OpenLDAP.

It would be nice if you could give it a try. Actually, I would need 1-2 
days to get myself a fresh server to replicate the setup and join the 
effort.

What I do remember is:

I had built the respective parts from source tarballs once and it did 
*not* segfault. But it's too long ago to tell if I had been using GnuTLS 
or OpenSSL.

 > @ Dan White:
 > I produced debugging versions of cyrus-imap , cyrus-sasl, and openldap

If you have all the infrastructure set up to create your own version of 
the packages, it should be a five minute exercise to empty the 
debian/patches directory, re-build, re-install and see if the issue goes 
away.

In case it does, we're on the wrong mailing list and should continue the 
discussion in a Debian developer forum IMO.

Regards,
Torsten


Lars Hanke schrieb:
> Hi all!
> 
> Sorry for cross-posting, but since this appears to be SASL related, I 
> switch to the SASL list and leave this message in the cyrus-imap list 
> for others to follow. So when answering to this, please check that 
> you're not crossposting the answer.
> 
> Summary for the SASL list subscribers, who have missed the start of this 
> thread:
> 
> I'm running cyrus-imap to authenticate users using the ldapdb auxprop 
> against a remote ldaps: host. During the DIGEST-MD5 or CRAM-MD5 
> authentication of the user using imtest imapd SEGFAULTs. The ltrace 
> suggests that it happens somewhere in the SASL layer. The setup is 
> Debian Lenny kept current daily on an Intel Core2-Quad, i.e. amd64 build.
> 
> @ Torsten Schlabach:
>> One comment suggested that the problem might be one of the Debian 
>> specific patches! Did you try to build a package without them?
> Not yet, but I'm determined to get that issue resolved. One of the 
> larger problems could be that Debian uses GnuTLS instead of OpenSSL. I 
> had some severe issues with that kind of porting some years back with 
> OpenLDAP.
> 
> @ Dan White:
> I produced debugging versions of cyrus-imap , cyrus-sasl, and openldap 
> and created a backtrace of the crash. See the end of this message.
> 
> @ cyrus-imap list
> For some reason the method using the "debug_command" in /etc/imapd.conf 
> and the "-D" option for imapd in "/etc/cyrus.conf" as described in 
> https://langhorst.com/cgi-bin/dwww//usr/share/doc/cyrus21-common/README.Debian.debug.gz 
> does not work, i.e. it does not produce any logs in /tmp. Am I missing 
> something?
> 
> So what I did was to use CYRUS_VERBOSE=100 in /etc/default/cyrus2.2 and 
> used the 15 second delay to attach a gdb. The following happened and 
> produced the backtrace of the SEGFAULT:
> 
> hermod:/# imtest -u cyrus -a cyrus -v -p imap -m DIGEST-MD5 hermod.mgr
> S: * OK hermod.mgr Cyrus IMAP4 v2.2.13-Debian-2.2.13-14 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID 
> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS 
> AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
> S: C01 OK Completed
> C: A01 AUTHENTICATE DIGEST-MD5
> S: + 
> bm9uY2U9IjNFZzIrY2xsci84dmREdXprTkd3a1VmL25XYTRBVnRXQmMxSGpndFBiVEk9IixyZWFsbT0iaGVybW9kLm1nciIscW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVyPSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M= 
> 
> Please enter your password:
> C: 
> dXNlcm5hbWU9ImN5cnVzIixyZWFsbT0iaGVybW9kLm1nciIsbm9uY2U9IjNFZzIrY2xsci84dmREdXprTkd3a1VmL25XYTRBVnRXQmMxSGpndFBiVEk9Iixjbm9uY2U9IjluczF0dmwwMUhWU095dzlNZXRXK0ltRnVyWHRINDd4TFhyUjEvcXpNZHM9IixuYz0wMDAwMDAwMSxxb3A9YXV0aC1jb25mLGNpcGhlcj1yYzQsbWF4YnVmPTEwMjQsZGlnZXN0LXVyaT0iaW1hcC9oZXJtb2QubWdyIixyZXNwb25zZT1lZmYxZjk2MjUyNzlmY2UyMDY3MmIxOTg1NjIzZmIwYw== 
> 
> failure: prot layer failure
> 
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7fa6ca1e3700 (LWP 5409)]
> 0x00007fa6c72ed4aa in pthread_mutex_lock () from /lib/libpthread.so.0
> (gdb) bt
> #0 0x00007fa6c72ed4aa in pthread_mutex_lock () from /lib/libpthread.so.0
> #1 0x00007fa6c32b75a9 in ldap_pvt_thread_mutex_lock (mutex=0x1)
> at 
> /home/admin/packages/openldap/openldap-2.4.11/libraries/libldap_r/thr_posix.c:296 
> 
> #2 0x00007fa6c32c112b in ldap_pvt_sasl_mutex_lock (mutex=0x1) at 
> cyrus.c:1294
> #3 0x00007fa6c4b69828 in digestmd5_client_mech_step 
> (conn_context=0x2094440, params=0x20960b0,
> serverin=0x0, serverinlen=0, prompt_need=0x7fffd21e8760, 
> clientout=0x7fffd21e8748,
> clientoutlen=0x7fffd21e875c, oparams=0x209a510) at digestmd5.c:3955
> #4 0x00007fa6c9dc25e6 in sasl_client_step (conn=0x2099ca0, serverin=0x0, 
> serverinlen=0,
> prompt_need=0x7fffd21e8760, clientout=0x7fffd21e8748, 
> clientoutlen=0x7fffd21e875c) at client.c:658
> #5 0x00007fa6c9dc2445 in sasl_client_start (conn=0x2099ca0, 
> mechlist=0x2041d40 "DIGEST-MD5",
> prompt_need=0x7fffd21e8760, clientout=0x7fffd21e8748, 
> clientoutlen=0x7fffd21e875c,
> mech=0x7fffd21e8778) at client.c:606
> #6 0x00007fa6c32bfc79 in ldap_int_sasl_bind (ld=0x2053880, dn=0x0, 
> mechs=0x2041d40 "DIGEST-MD5",
> sctrls=0x0, cctrls=0x0, flags=2, interact=0x7fa6c34fd704 
> <ldapdb_interact>, defaults=0x204dce0)
> at cyrus.c:689
> #7 0x00007fa6c32c3b7f in ldap_sasl_interactive_bind_s (ld=0x2053880, 
> dn=0x0,
> mechs=0x2041d40 "DIGEST-MD5", serverControls=0x0, clientControls=0x0, 
> flags=2,
> interact=0x7fa6c34fd704 <ldapdb_interact>, defaults=0x204dce0) at 
> sasl.c:464
> #8 0x00007fa6c34fd96c in ldapdb_connect (ctx=0x204dce0, 
> sparams=0x20516c0, user=0x2052f71 "cyrus",
> ulen=5, cp=0x7fffd21e8910) at ldapdb.c:106
> #9 0x00007fa6c34fdd45 in ldapdb_auxprop_lookup (glob_context=0x204dce0, 
> sparams=0x20516c0, flags=0,
> user=0x2052f71 "cyrus", ulen=5) at ldapdb.c:178
> #10 0x00007fa6c9dbe881 in _sasl_auxprop_lookup (sparams=0x20516c0, 
> flags=0, user=0x2052f71 "cyrus",
> ulen=5) at auxprop.c:898
> #11 0x00007fa6c9dbf309 in _sasl_canon_user (conn=0x20521d0, 
> user=0x2052f71 "cyrus", ulen=5, flags=1,
> oparams=0x2052a40) at canonusr.c:190
> #12 0x00007fa6c4b6556b in digestmd5_server_mech_step2 (stext=0x2054080, 
> sparams=0x20516c0,
> clientin=0x7fffd21e8e10 
> "username=\"cyrus\",realm=\"hermod.mgr\",nonce=\"3Eg2+cllr/8vdDuzkNGwkUf/nWa4AVtWBc1HjgtPbTI=\",cnonce=\"9ns1tvl01HVSOyw9MetW+ImFurXtH47xLXrR1/qzMds=\",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=1024,digest-u"..., 
> clientinlen=262, serverout=0x7fffd21e8e00,
> serveroutlen=0x7fffd21e8dfc, oparams=0x2052a40) at digestmd5.c:2301
> #13 0x00007fa6c4b666cc in digestmd5_server_mech_step 
> (conn_context=0x2054080, sparams=0x20516c0,
> clientin=0x7fffd21e8e10 
> "username=\"cyrus\",realm=\"hermod.mgr\",nonce=\"3Eg2+cllr/8vdDuzkNGwkUf/nWa4AVtWBc1HjgtPbTI=\",cnonce=\"9ns1tvl01HVSOyw9MetW+ImFurXtH47xLXrR1/qzMds=\",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=1024,digest-u"..., 
> clientinlen=262, serverout=0x7fffd21e8e00,
> serveroutlen=0x7fffd21e8dfc, oparams=0x2052a40) at digestmd5.c:2689
> #14 0x00007fa6c9dcd696 in sasl_server_step (conn=0x20521d0,
> clientin=0x7fffd21e8e10 
> "username=\"cyrus\",realm=\"hermod.mgr\",nonce=\"3Eg2+cllr/8vdDuzkNGwkUf/nWa4AVtWBc1HjgtPbTI=\",cnonce=\"9ns1tvl01HVSOyw9MetW+ImFurXtH47xLXrR1/qzMds=\",nc=00000001,qop=auth-conf,cipher=rc4,maxbuf=1024,digest-u"..., 
> clientinlen=262, serverout=0x7fffd21e8e00, serveroutlen=0x7fffd21e8dfc)
> at server.c:1433
> #15 0x000000000044ae85 in saslserver (conn=0x20521d0, mech=0x2054010 
> "DIGEST-MD5", init_resp=0x0,
> resp_prefix=0x473e03 "", continuation=0x473e27 "+ ", empty_chal=0x473e03 
> "", pin=0x2045a20,
> pout=0x2045ad0, sasl_result=0x7fffd21ee614, success_data=0x0) at 
> saslserver.c:134
> #16 0x000000000040e617 in cmd_authenticate (tag=0x2053eb0 "A01", 
> authtype=0x2054010 "DIGEST-MD5",
> resp=0x0) at imapd.c:1888
> #17 0x000000000040ae83 in cmdloop () at imapd.c:921
> #18 0x000000000040a59e in service_main (argc=1, argv=0x2041010, 
> envp=0x7fffd21f0f48) at imapd.c:691
> #19 0x00000000004083a1 in main (argc=3, argv=0x7fffd21f0f28, 
> envp=0x7fffd21f0f48) at service.c:533
> 
> Versions:
> hermod:~/imap# dpkg -l '*cyrus*' | grep '^ii'
> ii cyrus-admin-2.2 2.2.13-14 Cyrus mail system (administration tools)
> ii cyrus-clients-2.2 2.2.13-14+b3 Cyrus mail system (test clients)
> ii cyrus-common-2.2 2.2.13-14 Cyrus mail system (common files)
> ii cyrus-imapd-2.2 2.2.13-14 Cyrus mail system (IMAP support)
> ii libcyrus-imap-perl22 2.2.13-14+b3 Interface to Cyrus imap client 
> imclient libr
> hermod:~/imap# dpkg -l '*sasl*' | grep '^ii'
> ii libsasl2-2 2.1.22.dfsg1-23 Cyrus SASL - authentication abstraction libr
> ii libsasl2-modules 2.1.22.dfsg1-23 Cyrus SASL - pluggable 
> authentication module
> ii libsasl2-modules-gssapi-mit 2.1.22.dfsg1-23 Cyrus SASL - pluggable 
> authentication module
> ii libsasl2-modules-ldap 2.1.22.dfsg1-23 Cyrus SASL - pluggable 
> authentication module
> ii sasl2-bin 2.1.22.dfsg1-23 Cyrus SASL - administration programs for SAS
> hermod:~# dpkg -l '*ldap*' | grep '^ii'
> ii ldap-utils 2.4.11-1 OpenLDAP utilities
> ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
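
The DIGEST-MD5 challenge and response from the imtest session quoted above, decoded and cross-checked. This is an added example, not part of the original thread or of Cyrus SASL; the function names and the WEAK_CIPHERS review policy are assumptions made for illustration.

```python
import base64
import re

# Both messages are copied verbatim from the imtest session quoted above.
CHALLENGE_B64 = "bm9uY2U9IjNFZzIrY2xsci84dmREdXprTkd3a1VmL25XYTRBVnRXQmMxSGpndFBiVEk9IixyZWFsbT0iaGVybW9kLm1nciIscW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVyPSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M="
RESPONSE_B64 = "dXNlcm5hbWU9ImN5cnVzIixyZWFsbT0iaGVybW9kLm1nciIsbm9uY2U9IjNFZzIrY2xsci84dmREdXprTkd3a1VmL25XYTRBVnRXQmMxSGpndFBiVEk9Iixjbm9uY2U9IjluczF0dmwwMUhWU095dzlNZXRXK0ltRnVyWHRINDd4TFhyUjEvcXpNZHM9IixuYz0wMDAwMDAwMSxxb3A9YXV0aC1jb25mLGNpcGhlcj1yYzQsbWF4YnVmPTEwMjQsZGlnZXN0LXVyaT0iaW1hcC9oZXJtb2QubWdyIixyZXNwb25zZT1lZmYxZjk2MjUyNzlmY2UyMDY3MmIxOTg1NjIzZmIwYw=="

# Assumed review policy for this example; the thread itself does not state one.
WEAK_CIPHERS = {"rc4-40", "rc4-56", "rc4", "des"}

# key=value pairs separated by commas; a value may be a quoted string with commas inside.
_DIRECTIVE = re.compile(r'\s*([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|[^,]*)\s*(?:,|$)')


def parse_directives(b64_text):
    """Base64-decode one SASL message and split it into DIGEST-MD5 directives."""
    text = base64.b64decode(b64_text, validate=True).decode("utf-8")
    fields, pos = {}, 0
    while pos < len(text):
        m = _DIRECTIVE.match(text, pos)
        if m is None:
            raise ValueError(f"malformed directive at offset {pos}")
        key, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            # Strip the surrounding quotes and undo backslash escapes.
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        fields[key] = value
        pos = m.end()
    return fields


def review_exchange(challenge_b64, response_b64):
    """Check that the client response is consistent with the server challenge."""
    chal = parse_directives(challenge_b64)
    resp = parse_directives(response_b64)
    offered_qop = chal.get("qop", "auth").split(",")
    offered_ciphers = chal.get("cipher", "").split(",")
    return {
        "nonce_echoed": resp.get("nonce") == chal.get("nonce"),
        "qop_offered": resp.get("qop", "auth") in offered_qop,
        "cipher_offered": resp.get("cipher") in offered_ciphers,
        "weak_offered": [c for c in offered_ciphers if c in WEAK_CIPHERS],
        "chosen": (resp.get("qop"), resp.get("cipher")),
    }


if __name__ == "__main__":
    for name, value in review_exchange(CHALLENGE_B64, RESPONSE_B64).items():
        print(f"{name}: {value}")
```

The decoded response matches the `clientin` string visible in frames #12 to #14 of the backtrace.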

