Bug 124688 - rlm_ldap Segmentation fault when attempting to bind to LDAP server
rlm_ldap Segmentation fault when attempting to bind to LDAP server
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: openldap (Show other bugs)
2
i686 Linux
medium Severity high
: ---
: ---
Assigned To: Jay Fenlason
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-05-28 11:02 EDT by Jason Montleon
Modified: 2014-08-31 19:26 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-28 13:16:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jason Montleon 2004-05-28 11:02:53 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a1)
Gecko/20040520

Description of problem:
The rlm_ldap module dies with a segmentation fault when used as part
of FreeRADIUS when it attempts to bind to the server.

When running 'radiusd -xxx -s' with openldap version openldap-2.1.22-8
(from FC1) on FC2 I receive the following:
Fri May 28 09:51:52 2004 : Debug: rlm_ldap: attempting LDAP reconnection
Fri May 28 09:51:52 2004 : Debug: rlm_ldap: (re)connect to
rice.cake.com:636, authentication 0
Fri May 28 09:51:52 2004 : Debug: rlm_ldap: setting TLS mode to 1
Fri May 28 09:51:52 2004 : Debug: rlm_ldap: bind as
cn=strongbad,o=sammich/password to rice.cake.com:636
Fri May 28 09:51:53 2004 : Debug: rlm_ldap: waiting for bind result ...
Fri May 28 09:51:53 2004 : Debug: rlm_ldap: performing search in
ou=ham,o=sammich, with filter cn=homestar
Fri May 28 09:51:53 2004 : Debug: ldap_release_conn: Release Id: 0
Fri May 28 09:51:53 2004 : Debug: rlm_ldap: user DN:
cn=homestar,ou=ham,o=sammich
Fri May 28 09:51:53 2004 : Debug: rlm_ldap: (re)connect to
rice.cake.com:636, authentication 1
Fri May 28 09:51:53 2004 : Debug: rlm_ldap: setting TLS mode to 1
Fri May 28 09:51:53 2004 : Debug: rlm_ldap: bind as
cn=homestar,ou=ham,o=sammich/password to rice.cake.com:636
Fri May 28 09:51:53 2004 : Debug: rlm_ldap: waiting for bind result ...
Fri May 28 09:51:53 2004 : Debug: rlm_ldap: user homestar
authenticated succesfully

When running 'radiusd -xxx -s' with openldap version openldap-2.1.29-1
(from FC2) on FC2 I receive the following:
Fri May 28 10:00:00 2004 : Debug: rlm_ldap: attempting LDAP reconnection
Fri May 28 10:00:00 2004 : Debug: rlm_ldap: (re)connect to
rice.cake.com:636, authentication 0
Fri May 28 10:00:00 2004 : Debug: rlm_ldap: setting TLS mode to 1
Fri May 28 10:00:00 2004 : Debug: rlm_ldap: bind as
cn=strongbad,o=sammich/password to rice.cake.com:636
Segmentation fault

There is only one line of configuration in /etc/openldap/ldap.conf; it
reads as follows:
TLS_CACERT /etc/openldap/riceca




Version-Release number of selected component (if applicable):
openldap-2.1.29-1

How reproducible:
Always

Steps to Reproduce:
1. Install FC2 with freeradius and openldap
2. configure freeradius to use ldap authentication to either port 636
or 389 (i.e. this problem occurs with or without ssl
3. attempt to authenticate a user.

Actual Results:  segmentation fault

Expected Results:  user should have been properly authenticated

Additional info:

This problem occurs with or without using SSL; as far as I know there
is absolutely no configuration for rlm_ldap when not using SSL and
only the one line above for configuring the CA cert for a self signed
cert.

removing the version of openldap that ships with FC2 and installing
the latest version for FC1 corrects the problem.
Comment 1 Bruce A. Locke 2004-06-21 23:22:01 EDT
The rlm_ldap module in FreeRadius seems to needlessly link against
libsasl provided by cyrus-sasl.  The version of sasl that rlm_ldap
links against is different from the version that OpenLDAP links
against.  The result is a segfault whenever certain sasl functions are
used due to API differences between the two sasl library versions.

As a result FreeRadius's LDAP support in Fedora Core 2 is completely
broken.

The upstream bug:

http://bugs.freeradius.org/show_bug.cgi?id=73

The workaround that worked for me is to remove:

AC_SMART_CHECK_LIB(sasl, sasl_encode)

from the configure.in file for the rlm_ldap module directory and
regenerate the configure script with autoconf213.

This seems like an easy workaround fix to me until upstream wakes up
and fixes it.

Comment 2 Jason Montleon 2004-06-24 15:17:57 EDT
Thanks I did as outlined above in Bruce Lockes comment; 

intsalled the freeradius-0.9.3-4.src.rpm 
unpacked in /usr/src/redhat/SOURCES/freeradius-.0.9.3.tar.gz
entered /usr/src/redhat/SOURCES/freeradius-0.9.3/src/modules/rlm_ldap
edited configure.in as outlined above 
ran gmake -f Makefile.in reconfig

this failed as it tried to use the -l option for autoconf-2.13 so I 
had to install the autoconf213 package and move autoconf temporarily 
and link autoconf to autoconf-2.13, then reran; removed link to 
autoconf-2.13 and moved the original back; there is probably a better 
way to do this but I don't know what it is...

cd /usr/src/redhat/SOURCES/
tar cvf - freeradius-0.9.3 | gzip > freeradius-0.9.3.tar.gz
cd /usr/src/redhat/SPECS
rpmbuild -ba freeradius.spec
cd /usr/src/redhat/RPMS/i386
rpm -ivh --force freeradius-0.9.3-4.i386.rpm 
also installed openldap-2.1.29-1
restarted radiusd
all appears to be working well

Prior to building I had to install the following packages to meet 
dependencies:
net-snmp-utils
mysql-devel
postgresql-devel
net-snmp-devel
unixODBC-devel
postgresql-libs
unixODBC
perl-DBD-MySQL
perl-DBI mysql
Comment 3 Matthew Miller 2005-04-26 11:52:44 EDT
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
Comment 4 John Thacker 2006-10-28 13:16:46 EDT
Note that FC1 and FC2 are no longer supported even by Fedora Legacy.  Many
changes have occurred since these older releases.  Please install a supported
version of Fedora Core and retest.  If this still occurs on FC3 or FC4, please
assign to that version and Fedora Legacy.  If it still occurs on FC5 or FC6,
please reopen and assign to the correct version.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.