Postfix, SASL/SASL2 and LDAP

Thomas Luzat thomas at luzat.com
Sun Sep 28 17:21:12 EDT 2003


On Sun, 2003-09-28 at 18:53, Phil Brutsche wrote:
> Diego Rivera wrote:
> > My question is: am I totally screwed?  Will I be forced to go to
> > OpenLDAP 2.1.X and recompile EVERYTHING that touches LDAP (especially
> > hoping that 2.1.X is backward-compatible with 2.0.X)?
> 
> You're not the only person to get bitten by this (nss_ldap uses OpenLDAP
> 2.0 which uses SASL 1.x, which causes segfaults in anything using SASL 2.1).
> 
> Note this comment from README.Debian.gz, from the Cyrus IMAP 2.1.x 
> Debian packages:
>   o "The Debian libldap2 and cyrus-imapd packages are both compiled using
>     the SASL library.  If you use cyrus-imapd together with libnss-ldap,
>     or saslauthd together with libpam-ldap, the resulting double calls to
>     SASL library functions can trigger a double-free bug which may cause
>     the calling process to crash.  To avoid such a crash, you must
>     recompile the libldap2 package --without-cyrus-sasl."  --
>     http://bugs.debian.org/145766 [!@#$%!!! I didn't expect SASL 2.1 to
>     still have this annoying problem]
> 
> My understanding of the situation is that you have 2 options:
> 1) Upgrade to OpenLDAP 2.1 which uses SASL 2.1

How do you figure that would solve the bug? Do you mean to upgrade
nss_ldap to use OpenLDAP 2.1?

According to the above site the bug is fixed in the latest cyrus21-imapd
(of Debian) - why imapd and why not SASL? I'm really confused.

Anyway, I checked on my Debian sid, on which I'm configuring OpenLDAP
currently, and it does use SASL 2.1 for libldap2 which is used by
nss_ldap. I guess I'm fine with sid then?

> 2) Re-compile OpenLDAP 2.0 to not link against SASL
> 
> Either way you'll need to maintain custom binaries.  Option 1 definitely 
> works, but is a non-trivial change.  Option 2 may be the easier of the two 
> for you.

On Debian sid it doesn't seem that you need to compile anything anymore
from what I understand - but I'm confused: The bug is closed,
cyrus21-imapd still does have the warning in its README, though...

Hopefully someone can clarify the situation :-)

Thanks!

Cheers,
Thomas

--
Thomas Luzat <thomas at luzat.com>
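
Added example, not part of the original message or of any project's code: a check for the situation discussed in this thread, where one process ends up with both SASL 1.x and SASL 2.x loaded because a dlopen()ed module such as nss_ldap links a different SASL than the daemon itself. It parses `ldd` listings for each object and reports a mix. Assumptions: the sonames libsasl.so.7 (SASL 1.x) and libsasl2.so.2 (SASL 2.1), and the object paths and ldd listings below, which are constructed samples.

```python
import re

# Assumed sonames: SASL 1.x is libsasl.so.N, SASL 2.x is libsasl2.so.N.
SASL_RE = re.compile(r"^\s*libsasl(2?)\.so\.\d+\s+=>")

def sasl_versions(ldd_output):
    """Return the set of SASL major versions (1 or 2) named in one ldd listing."""
    found = set()
    for line in ldd_output.splitlines():
        m = SASL_RE.match(line)
        if m:
            found.add(2 if m.group(1) else 1)
    return found

def mixed_sasl(listings):
    """listings maps object path -> ldd output for every object that ends up in
    one process: the daemon plus modules it dlopen()s (ldd on the daemon alone
    does not show NSS or PAM modules). Returns {version: [objects]} when both
    SASL 1.x and 2.x are pulled in, otherwise an empty dict."""
    by_version = {}
    for obj, out in listings.items():
        for version in sasl_versions(out):
            by_version.setdefault(version, []).append(obj)
    return by_version if len(by_version) > 1 else {}

# Constructed sample listings (not captured from a real system).
SMTPD = """\
\tlibsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x40020000)
\tlibc.so.6 => /lib/libc.so.6 (0x40100000)
"""
NSS_LDAP_OLD = """\
\tlibldap.so.2 => /usr/lib/libldap.so.2 (0x40010000)
\tlibsasl.so.7 => /usr/lib/libsasl.so.7 (0x40050000)
"""
NSS_LDAP_NEW = """\
\tlibldap.so.2 => /usr/lib/libldap.so.2 (0x40010000)
\tlibsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x40050000)
"""

if __name__ == "__main__":
    for label, nss in (("old libldap", NSS_LDAP_OLD), ("new libldap", NSS_LDAP_NEW)):
        clash = mixed_sasl({"/usr/lib/postfix/smtpd": SMTPD,
                            "/lib/libnss_ldap.so.2": nss})
        print(label, "->", clash or "single SASL version")
```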