Bug 213834
| Summary: | slapd (FDS 1.0.3) crashes with plugin running fine under FDS 1.0.2 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Dirk Husung <husung> | ||||
| Component: | Server - Plugins | Assignee: | Rich Megginson <rmeggins> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | Orla Hegarty <ohegarty> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 1.0.2 | CC: | k.georgiou, ohegarty | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | i386 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2006-11-06 20:37:20 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 213957 | ||||||
| Attachments: |
|
||||||
Do you have any more information about the crash? Do you have a stack trace or something like that? The only thing I can think of is that we changed the way slapd links with cyrus-sasl/gssapi/kerberos - we use whatever version of cyrus-sasl is install on the OS, and we don't link ns-slapd with -lgssapi_krb5. It could be a binary incompatibility issue. Several internal structures changed sizes. But if you just compile with the slapi-plugin.h header, and no other headers, you should have been isolated from this. The other thing that changed sizes are the LDAP API structures. slapi-plugin.h includes ldap.h, but if you are not using any LDAP API functions, you should not be affected. Can you post the Makefile you used to build your plugin, the header files included by your plugin .c and .h files, and a list of the slapi and ldap functions you are using? That would be very useful to determine if this is an ABI problem. Or, if you could just recompile your plugin with FDS 1.0.3, we could see if that fixes the problem. Created attachment 140443 [details]
Kerberos 5 password schema plugin
Attached in krb5pwd.tar.gz you find krb5pwd.c, the Makefile and the dse.ldif
section I used. In krb5pwd.c "#ifdef XXXXXXXXXXX" uncomments the real code, the
corresponding "#else" section contains the few statements that cause slapd to
crash. My first idea was to recompile my plugin but that didn't help.
When I do an ldapsearch (openldap client) for a user who uses my kerberos
password scheme:
ldapsearch -H ldaps://<hostname> -x -b
"uid=<user>,ou=People,dc=tu-harburg,dc=de" -D
"uid=<user>,ou=People,dc=tu-harburg,dc=de" -W
Enter LDAP Password: xxxxxxx
I receive
ldap_result: Can't contact LDAP server (-1)
and the slapd process is gone.
slapd-<host>/logs/errors reports at the same time:
[06/Nov/2006:10:25:09 +0100] - slapd started. Listening on 134.28.201.19 port
389 for LDAP requests
[06/Nov/2006:10:25:09 +0100] - Listening on 134.28.201.19 port 636 for LDAPS
requests
[06/Nov/2006:10:25:45 +0100] krb5PwdStoragePlugin - -0-
and that's it; i.e. I don't pass "krb5_init_context(&context);"
What else could I test? strace stopped when the slapd process was detached.
(At the moment I think I'll have to switch to your pam_passthru plugin, but I
worry about other plugins.)
Looks like the problem is what I mentioned above. slapd doesn't link against -lkrb5 anymore with fds 1.0.3. When you build your plugin, you have to explicitly link against -lkrb5. When I ran your original plugin against fds 1.0.3 using start-slapd -d 1, the output said that krb5_init_context() could not be found, because neither slapd nor the plugin was linked with -lkrb5. FDS 1.0.3 is linked against -lsasl2 only. This will pull in -lkrb5 only when a SASL/GSSAPI BIND attempt is made. So the solution is to link your plugin with -lkrb5. Thanks a lot, I'd like to confirm that my problem is solved. |
Description of problem: I wrote a password storage scheme plugin, that contacts a Kerberos server to verify, if the password provided by the user is valid, i.e. the LDAP server stores the user's principal name, not the user's password. This plugin worked fine for over a year up to FDS 1.0.2. Under FDS 1.0.3 slapd crashes when krb5_init_context() is called in the function registered as SLAPI_PLUGIN_PWD_STORAGE_SCHEME_CMP_FN, which is called to compare the password provided by the user against the one stored in the LDAP server (the users' principal name in my case). What changed in slapd concerning plugins? Version-Release number of selected component (if applicable): FDS 1.0.3 on FC 5 (worked with FDS 1.0.2 and FC 5) How reproducible: 100% Steps to Reproduce: 1. compile and configure plugin 2. start slapd (succeeds, plugin loads ok) 3. do an ldapsearch with simple bind as a user with my krb5 password scheme (slapd (FDS 1.0.3) crashes) Actual results: slapd (FDS 1.0.3) crashes Expected results: ldapsearch operation completes with output or error message (as on FDS 1.0.2 and older) Additional info: The comparison function can be reduced to int krb5_pw_cmp(char *userpwd, char *dbpwd) { krb5_context context; /* pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; pthread_mutex_lock(&mutex); */ krb5_init_context(&context); krb5_free_context(context); /* pthread_mutex_unlock(&mutex); */ return 1; } I tried it on a test system, where I'm the only user.