Red Hat Bugzilla – Bug 213834
slapd (FDS 1.0.3) crashes with plugin running fine under FDS 1.0.2
Last modified: 2007-04-18 13:52:23 EDT
Description of problem:
I wrote a password storage scheme plugin, that contacts a Kerberos server to
verify, if the password provided by the user is valid, i.e. the LDAP server
stores the user's principal name, not the user's password. This plugin worked
fine for over a year up to FDS 1.0.2. Under FDS 1.0.3 slapd crashes when
krb5_init_context() is called in the function registered as
SLAPI_PLUGIN_PWD_STORAGE_SCHEME_CMP_FN, which is called to compare the password
provided by the user against the one stored in the LDAP server (the users'
principal name in my case). What changed in slapd concerning plugins?
Version-Release number of selected component (if applicable):
FDS 1.0.3 on FC 5 (worked with FDS 1.0.2 and FC 5)
Steps to Reproduce:
1. compile and configure plugin
2. start slapd (succeeds, plugin loads ok)
3. do an ldapsearch with simple bind as a user with my krb5 password scheme
(slapd (FDS 1.0.3) crashes)
slapd (FDS 1.0.3) crashes
ldapsearch operation completes with output or error message (as on FDS 1.0.2 and
The comparison function can be reduced to
int krb5_pw_cmp(char *userpwd, char *dbpwd)
pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
I tried it on a test system, where I'm the only user.
Do you have any more information about the crash? Do you have a stack trace or
something like that? The only thing I can think of is that we changed the way
slapd links with cyrus-sasl/gssapi/kerberos - we use whatever version of
cyrus-sasl is install on the OS, and we don't link ns-slapd with -lgssapi_krb5.
It could be a binary incompatibility issue. Several internal structures changed
sizes. But if you just compile with the slapi-plugin.h header, and no other
headers, you should have been isolated from this. The other thing that changed
sizes are the LDAP API structures. slapi-plugin.h includes ldap.h, but if you
are not using any LDAP API functions, you should not be affected.
Can you post the Makefile you used to build your plugin, the header files
included by your plugin .c and .h files, and a list of the slapi and ldap
functions you are using? That would be very useful to determine if this is an
Or, if you could just recompile your plugin with FDS 1.0.3, we could see if that
fixes the problem.
Created attachment 140443 [details]
Kerberos 5 password schema plugin
Attached in krb5pwd.tar.gz you find krb5pwd.c, the Makefile and the dse.ldif
section I used. In krb5pwd.c "#ifdef XXXXXXXXXXX" uncomments the real code, the
corresponding "#else" section contains the few statements that cause slapd to
crash. My first idea was to recompile my plugin but that didn't help.
When I do an ldapsearch (openldap client) for a user who uses my kerberos
ldapsearch -H ldaps://<hostname> -x -b
Enter LDAP Password: xxxxxxx
ldap_result: Can't contact LDAP server (-1)
and the slapd process is gone.
slapd-<host>/logs/errors reports at the same time:
[06/Nov/2006:10:25:09 +0100] - slapd started. Listening on 126.96.36.199 port
389 for LDAP requests
[06/Nov/2006:10:25:09 +0100] - Listening on 188.8.131.52 port 636 for LDAPS
[06/Nov/2006:10:25:45 +0100] krb5PwdStoragePlugin - -0-
and that's it; i.e. I don't pass "krb5_init_context(&context);"
What else could I test? strace stopped when the slapd process was detached.
(At the moment I think I'll have to switch to your pam_passthru plugin, but I
worry about other plugins.)
Looks like the problem is what I mentioned above. slapd doesn't link against
-lkrb5 anymore with fds 1.0.3. When you build your plugin, you have to
explicitly link against -lkrb5. When I ran your original plugin against fds
1.0.3 using start-slapd -d 1, the output said that krb5_init_context() could not
be found, because neither slapd nor the plugin was linked with -lkrb5. FDS
1.0.3 is linked against -lsasl2 only. This will pull in -lkrb5 only when a
SASL/GSSAPI BIND attempt is made.
So the solution is to link your plugin with -lkrb5.
Thanks a lot, I'd like to confirm that my problem is solved.