BUG ALERT! - RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

Igor Brezac igor at ipass.net
Fri Sep 27 22:46:04 EDT 2002


Yes, to my knowledge.  This may be related just to Lee's environment, I am
still researching the issue.

-Igor

On Fri, 27 Sep 2002, C. Wegrzyn wrote:

> Is this a RedHat 7.3 problem only?
>
> Chuck Wegrzyn
>
> ----- Original Message -----
> From: "Mohan Khurana" <mkhurana at andrew.cmu.edu>
> To: "Igor Brezac" <igor at ipass.net>
> Cc: "Lee Hoffman" <lee_hoffman at brown.edu>; <info-cyrus at lists.andrew.cmu.edu>
> Sent: Friday, September 27, 2002 9:22 PM
> Subject: Re: BUG ALERT! - RE: Serious Bug in Cyrus/SASL: Intermittent Ldap
> AUTHFAIL
>
>
> > You're right Igor, I did create a memory leak, when I uncomment that line
> > though, saslauthd breaks, so I wasn't exactly sure what to do.  I agree,
> > persistence would be nice to limit the load on the LDAP servers, from what
> > I've seen, what is happening is that authentications will work fine using
> > the persistence cache for a while, then after a few minutes, it will stop
> > working.  I tracked it down and I printed the reply from the LDAP server,
> > and it is in fact "NO", a signal that access has been denied (I tested
> > this by making AUTHFAIL messages in saslauthd print the reply fully).
> > From that point on, it's downhill from there, and saslauthd gets "NO" in
> > its char *reply every time.  I can give you more specifics if you need
> > it.
> >
> > cheers,
> > mohan
> >
> > On Thu, 26 Sep 2002, Igor Brezac wrote:
> >
> > >
> > > Mohan/Lee,
> > >
> > > Thanks for the patch.  Unfortunately, this still does not fix the problem
> > > completely.  I think that you may have created a memory leak, so you might
> > > want to monitor the saslauthd process.  I really want to keep the
> > > persistence in place, otherwise busy sites may create an unnecessary load
> > > on the ldap server.
> > >
> > > In the meantime I'll try to locate an RH box and I'll try to duplicate
> > > the problem.  A few questions: have you used ldap_cache_* params in
> > > saslauthd.conf?  After you installed different versions of openldap, have
> > > you recompiled saslauthd each time?
> > >
> > > Note, this code works fine on Solaris 8 and 9.  At least this is the
> > > case in my environments.
> > >
> > > -Igor
> > >
> > > On Thu, 26 Sep 2002, Lee Hoffman wrote:
> > >
> > > > Guys,
> > > > This patch solved the problem I described below. I installed the patch 3
> > > > days ago, and haven't had the problem since.
> > > >
> > > > To reiterate for the loyal cyrus bug hunters:
> > > >
> > > > My system is using cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box (I've tried
> > > > this config against 4 different versions of openldap, on two completely
> > > > different servers) and I compiled with:
> > > >
> > > > SASL:
> > > > ./configure --enable-plain --disable-krb4
> > > > --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib
> > > >
> > > > IMAP:
> > > > ./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix
> > > > --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no
> > > >
> > > >
> > > > Sincerely,
> > > > Lee
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Mohan Khurana [mailto:mkhurana at andrew.cmu.edu]
> > > > Sent: Thursday, September 26, 2002 7:56 PM
> > > > To: Lee Hoffman
> > > > Cc: info-cyrus at lists.andrew.cmu.edu; Igor Brezac
> > > > Subject: Re: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL
> > > >
> > > > Lee,
> > > >
> > > > Below, I've included a patch, it basically removes persistence from
> > > > saslauthd.  This has fixed the problem for me.  I'm not exactly familiar
> > > > with all the code, so I was unable to free the lak config structure, but
> > > > this does let you at least get saslauthd working.  I think there's a
> > > > problem with persistence, I'm not exactly sure what it is though.  Any
> > > > thoughts?
> > > >
> > > > mohan
> > > >
> > > > *** ../../orig/cyrus-sasl-2.1.7/saslauthd/lak.c Thu Aug  1 15:58:24
> 2002
> > > > --- lak.c       Thu Sep 26 19:42:11 2002
> > > > ***************
> > > > *** 816,821 ****
> > > > --- 816,832 ----
> > > >                 rc = lak_auth_custom(lak, user, realm, password);
> > > >         }
> > > >
> > > > +       /* free the lak */
> > > > +     if (lak->ld) {
> > > > +         if (lak->conf->cache_ttl)
> > > > +             ldap_destroy_cache(lak->ld);
> > > > +         ldap_unbind_s(lak->ld);
> > > > +         lak->ld = NULL;
> > > > +     }
> > > > +     //lak_free_config(&(lak->conf));
> > > > +       free(lak);
> > > > +       persistent_lak = NULL;
> > > > +
> > > >         return rc;
> > > >   }
> > > >
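Review bot: `//lak_free_config(&(lak->conf));` is commented out immediately before `free(lak);`, so the config structure that lak->conf points to becomes unreachable and is leaked on every pass through this path; the second hunk does call lak_free_config(&lak->conf), so the two teardown blocks are also inconsistent. Rather than disabling the call, find out why freeing the config here breaks saslauthd (for example, whether the config is referenced from somewhere that outlives this lak) and either free it or document who owns it. The `//` comment is also out of place next to the `/* */` comment two lines above it, and `lak->conf->cache_ttl` is dereferenced without checking lak->conf.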
> > > > ***************
> > > > *** 846,851 ****
> > > > --- 857,874 ----
> > > >         attrs[1] = NULL;
> > > >
> > > >         rc = lak_retrieve(lak, user, realm, (const char **)attrs,
> > > > &lres);
> > > > +
> > > > +       /* free the lak */
> > > > +       if (lak->ld) {
> > > > +         if (lak->conf->cache_ttl)
> > > > +             ldap_destroy_cache(lak->ld);
> > > > +         ldap_unbind_s(lak->ld);
> > > > +         lak->ld = NULL;
> > > > +     }
> > > > +     lak_free_config(&lak->conf);
> > > > +     free(lak);
> > > > +     persistent_lak = NULL;
> > > > +
> > > >         if (rc != LAK_OK) {
> > > >                 return rc;
> > > >         }
> > > >
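Review bot: the teardown sits directly after the lak_retrieve() call and before the `if (rc != LAK_OK)` check, so `free(lak);` runs while the function still has work to do on the success path; confirm that nothing below the check reads lak or lak->conf, otherwise this is a use-after-free, and move the cleanup to the function's exit points if it does. This block is a copy of the one in the first hunk apart from the lak_free_config() call, so a single helper (destroy the cache, unbind, free the config, free lak, clear persistent_lak) called from both places would keep the two paths from drifting. Tearing the handle down on every call also means a fresh LDAP connection per request, which deserves a comment here since it trades the intermittent failure for extra load on the directory server.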
> > > >
> > > >
> > > >
> > > >
> > >
> > > --
> > > Igor
> > >
> > >
> > >
> > >
> > >
> >
> >
>
>
>

-- 
Igor




