Bug 479313 - Server to Server SASL - DIGEST/MD5 - Can not Stop server
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Security - SASL
Version: 8.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 249650 FDS1.2.0
Reported: 2009-01-08 19:42 UTC by Jenny Severance
Modified: 2015-01-04 23:35 UTC (History)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 23:09:16 UTC


Attachments
diffs (1.93 KB, patch)
2009-01-13 21:24 UTC, Rich Megginson
cvs commit log (163 bytes, text/plain)
2009-01-13 22:24 UTC, Rich Megginson


Links
System ID Priority Status Summary Last Updated
Mozilla Foundation 473438 None None None Never

Description Jenny Severance 2009-01-08 19:42:40 UTC
Description of problem:

After successfully configuring Server to Server Connection via SASL/DIGEST-MD5 (SSL or TLS), the first server fails to stop, with the following error:

Server still running!! Failed to stop the ns-slapd process: 18341. Please check the errors log for problems.


Errors log:
[08/Jan/2009:13:19:44 -0500] - slapd shutting down - signaling operation threads
[08/Jan/2009:13:19:44 -0500] - slapd shutting down - waiting for 29 threads to terminate
[08/Jan/2009:13:19:44 -0500] - slapd shutting down - closing down internal subsystems and plugins
[08/Jan/2009:13:22:12 -0500] - repl5_tot_waitfor_async_results timed out waiting for responses: 0 164
[08/Jan/2009:13:22:13 -0500] - repl5_tot_waitfor_async_results timed out waiting for responses: 0 176

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install two servers
2. Configure replication to bind with SASL/GSSAPI over TLS or SSL
3. View errors log
4. Try to stop server 1.

  
Actual results:
See above - server 1 subsequently becomes unreachable but service appears to be still running

Expected results:
Server one to stop and restart.

Additional info:

Configuration Tested:

Server 1 and Server 2 MMR; Server 3 Read Only Consumer of Server 1

    * Create Instances
    * SSL secure the instances
    * Add required SASL maps
    * Change password scheme to CLEAR
    * Add replication manager under cn=config
    * Add changelogs
    * Enable replication 
    * Add replication agreements
    * Initialize consumers

Server 2 and Server 3 (consumer) stop and start successfully

Comment 1 Rich Megginson 2009-01-13 21:24:24 UTC
Created attachment 328916
diffs

Comment 2 Rich Megginson 2009-01-13 22:24:46 UTC
Created attachment 328926
cvs commit log

Reviewed by: nhosoi (Thanks!)
Fix Description: Using ldap_set_option with LDAP_OPT_X_SASL_SECPROPS is not thread safe.  ldap_set_option acquires the OPTION lock, but using LDAP_OPT_X_SASL_SECPROPS just calls return rather than calling break to exit the switch and unlock the lock.  A mozilla bug has been filed https://bugzilla.mozilla.org/show_bug.cgi?id=473438.  The fix is to use LDAP_OPT_X_SASL_SSF_MAX.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
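
The lock leak named in the fix description above, as an added C illustration that is not code from the Mozilla LDAP C SDK or Directory Server: a setter takes a lock, and one switch case returns instead of breaking, so the unlock after the switch never runs. The option ids, function names and the `lock_leaked` probe are hypothetical.

```c
/* Added illustration with hypothetical names; not the Mozilla LDAP C SDK source. */
#include <pthread.h>
#include <stdio.h>

enum { OPT_SECPROPS = 1, OPT_SSF_MAX = 2 };       /* hypothetical option ids */
static pthread_mutex_t option_lock = PTHREAD_MUTEX_INITIALIZER;
static int max_ssf;

/* Buggy shape: one case returns from inside the locked switch. */
int set_option_buggy(int opt, int value) {
    int rc = 0;
    pthread_mutex_lock(&option_lock);
    switch (opt) {
    case OPT_SECPROPS: max_ssf = value; return 0;  /* option_lock stays held */
    case OPT_SSF_MAX:  max_ssf = value; break;
    default:           rc = -1;         break;
    }
    pthread_mutex_unlock(&option_lock);
    return rc;
}

/* Corrected shape: every case leaves through the single unlock. */
int set_option_fixed(int opt, int value) {
    int rc = 0;
    pthread_mutex_lock(&option_lock);
    switch (opt) {
    case OPT_SECPROPS: max_ssf = value; break;
    case OPT_SSF_MAX:  max_ssf = value; break;
    default:           rc = -1;         break;
    }
    pthread_mutex_unlock(&option_lock);
    return rc;
}

/* Call fn once, then report whether option_lock was left held (1) or not (0). */
int lock_leaked(int (*fn)(int, int), int opt) {
    fn(opt, 128);
    int leaked = pthread_mutex_trylock(&option_lock) != 0;  /* EBUSY if held */
    pthread_mutex_unlock(&option_lock);  /* drop our trylock, or the leaked lock */
    return leaked;
}

int main(void) {
    printf("buggy SECPROPS leaked: %d\n", lock_leaked(set_option_buggy, OPT_SECPROPS));
    printf("buggy SSF_MAX  leaked: %d\n", lock_leaked(set_option_buggy, OPT_SSF_MAX));
    printf("fixed SECPROPS leaked: %d\n", lock_leaked(set_option_fixed, OPT_SECPROPS));
    return 0;
}
```

With the lock left held, the next caller that needs it blocks indefinitely, which matches the shutdown hang in the errors log.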

Comment 3 Jenny Severance 2009-03-16 16:25:36 UTC
Can no longer add an agreement configured with GSSAPI over TLS.  fix verified - RHEL 5 DS 8.1.

Comment 4 Chandrasekar Kannan 2009-04-29 23:09:16 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html

