Bug 213834 - slapd (FDS 1.0.3) crashes with plugin running fine under FDS 1.0.2
Product: 389
Classification: Community
Component: Server - Plugins
i386 Linux
medium Severity medium
Assigned To: Rich Megginson
Orla Hegarty
Blocks: fds104tracking
Reported: 2006-11-03 06:05 EST by Dirk Husung
Modified: 2007-04-18 13:52 EDT (History)
Doc Type: Bug Fix
Last Closed: 2006-11-06 15:37:20 EST

Attachments
Kerberos 5 password schema plugin (4.84 KB, application/octet-stream)
2006-11-06 04:40 EST, Dirk Husung

Description Dirk Husung 2006-11-03 06:05:05 EST
Description of problem:

I wrote a password storage scheme plugin that contacts a Kerberos server to
verify if the password provided by the user is valid, i.e. the LDAP server
stores the user's principal name, not the user's password. This plugin worked
fine for over a year up to FDS 1.0.2. Under FDS 1.0.3 slapd crashes when
krb5_init_context() is called in the function registered as
SLAPI_PLUGIN_PWD_STORAGE_SCHEME_CMP_FN, which is called to compare the password
provided by the user against the one stored in the LDAP server (the user's
principal name in my case). What changed in slapd concerning plugins?

Version-Release number of selected component (if applicable):
FDS 1.0.3 on FC 5 (worked with FDS 1.0.2 and FC 5)

How reproducible:

Steps to Reproduce:
1. compile and configure plugin
2. start slapd (succeeds, plugin loads ok)
3. do an ldapsearch with simple bind as a user with my krb5 password scheme
   (slapd (FDS 1.0.3) crashes)

Actual results:
slapd (FDS 1.0.3) crashes

Expected results:
ldapsearch operation completes with output or error message (as on FDS 1.0.2 and

Additional info:
The comparison function can be reduced to

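#include <pthread.h>
#include <krb5.h>

int krb5_pw_cmp(char *userpwd, char *dbpwd)
{
  krb5_context context;
  pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;

  krb5_init_context(&context);  /* slapd crashes at this call */
  return 1;
}

I tried it on a test system, where I'm the only user.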
Comment 1 Rich Megginson 2006-11-03 17:20:49 EST
Do you have any more information about the crash?  Do you have a stack trace or
something like that?  The only thing I can think of is that we changed the way
slapd links with cyrus-sasl/gssapi/kerberos - we use whatever version of
cyrus-sasl is installed on the OS, and we don't link ns-slapd with -lgssapi_krb5.
Comment 2 Rich Megginson 2006-11-04 12:44:45 EST
It could be a binary incompatibility issue.  Several internal structures changed
sizes.  But if you just compile with the slapi-plugin.h header, and no other
headers, you should have been isolated from this.  The other thing that changed
sizes are the LDAP API structures.  slapi-plugin.h includes ldap.h, but if you
are not using any LDAP API functions, you should not be affected.

Can you post the Makefile you used to build your plugin, the header files
included by your plugin .c and .h files, and a list of the slapi and ldap
functions you are using?  That would be very useful to determine if this is an
ABI problem.

Or, if you could just recompile your plugin with FDS 1.0.3, we could see if that
fixes the problem.
Comment 3 Dirk Husung 2006-11-06 04:40:57 EST
Created attachment 140443 [details]
Kerberos 5 password schema plugin

Attached in krb5pwd.tar.gz you find krb5pwd.c, the Makefile and the dse.ldif
section I used. In krb5pwd.c "#ifdef XXXXXXXXXXX" uncomments the real code, the
corresponding "#else" section contains the few statements that cause slapd to
crash. My first idea was to recompile my plugin but that didn't help.

When I do an ldapsearch (openldap client) for a user who uses my kerberos
password scheme:

ldapsearch -H ldaps://<hostname> -x -b "uid=<user>,ou=People,dc=tu-harburg,dc=de" -D "uid=<user>,ou=People,dc=tu-harburg,dc=de" -W
Enter LDAP Password: xxxxxxx

I receive

ldap_result: Can't contact LDAP server (-1)

and the slapd process is gone.

slapd-<host>/logs/errors reports at the same time:
[06/Nov/2006:10:25:09 +0100] - slapd started.  Listening on port 389 for LDAP requests
[06/Nov/2006:10:25:09 +0100] - Listening on port 636 for LDAPS
[06/Nov/2006:10:25:45 +0100] krb5PwdStoragePlugin - -0-

and that's it; i.e. I don't pass "krb5_init_context(&context);"
What else could I test? strace stopped when the slapd process was detached.

(At the moment I think I'll have to switch to your pam_passthru plugin, but I
worry about other plugins.)
Comment 4 Rich Megginson 2006-11-06 15:37:20 EST
Looks like the problem is what I mentioned above.  slapd doesn't link against
-lkrb5 anymore with fds 1.0.3.  When you build your plugin, you have to
explicitly link against -lkrb5.  When I ran your original plugin against fds
1.0.3 using start-slapd -d 1, the output said that krb5_init_context() could not
be found, because neither slapd nor the plugin was linked with -lkrb5.  FDS
1.0.3 is linked against -lsasl2 only.  This will pull in -lkrb5 only when a
SASL/GSSAPI BIND attempt is made.

So the solution is to link your plugin with -lkrb5.
Comment 5 Dirk Husung 2006-11-07 02:55:54 EST
Thanks a lot, I'd like to confirm that my problem is solved.
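
The missing -lkrb5 diagnosed in Comment 4 can be caught at build time instead of at the first bind. The following is an added example, not part of the bug report or of the project's code: it filters `ldd -r` output for undefined symbols that the host process will not supply. The `slapi_` host-symbol prefix, the function names and the sample `ldd -r` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: post-link check for a server plugin (.so).
# Assumption: symbols starting with slapi_ are provided by the host process
# at load time; anything else left undefined must come from a library the
# plugin itself links against (e.g. -lkrb5).
HOST_PREFIX='^slapi_'

# Read `ldd -r` output on stdin; print undefined symbols the host will not provide.
unresolved_non_host() {
    sed -n 's/^undefined symbol: \([^[:space:]]*\).*/\1/p' |
        sort -u | grep -v -e "$HOST_PREFIX" || true
}

# Check a real plugin file: 0 = link line complete, 1 = symbols missing,
# 2 = file not readable.
# Use only on plugins you built yourself: ldd may run code from the inspected file.
check_plugin() {
    [ -r "$1" ] || { printf 'cannot read %s\n' "$1" >&2; return 2; }
    missing=$(ldd -r "$1" 2>&1 | unresolved_non_host)
    [ -z "$missing" ] && return 0
    printf 'unresolved in %s:\n%s\n' "$1" "$missing" >&2
    return 1
}

# Constructed sample of `ldd -r` output for a plugin linked without -lkrb5.
sample_ldd_output() {
    cat <<'EOF'
	libc.so.6 => /lib/libc.so.6 (0x00a5c000)
undefined symbol: slapi_log_error	(./krb5pwd.so)
undefined symbol: krb5_init_context	(./krb5pwd.so)
undefined symbol: slapi_pblock_set	(./krb5pwd.so)
EOF
}

sample_ldd_output | unresolved_non_host   # prints: krb5_init_context
```

Running `check_plugin` as the last step of the plugin's build makes a missing library fail the build rather than take down the server when the symbol is first called.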
