Bug 479313 - Server to Server SASL - DIGEST/MD5 - Can not Stop server
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Security - SASL
Version: 8.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 249650 FDS1.2.0
Reported: 2009-01-08 19:42 UTC by Jenny Severance
Modified: 2015-01-04 23:35 UTC (History)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-04-29 23:09:16 UTC
Target Upstream Version:

Attachments
diffs (1.93 KB, patch), 2009-01-13 21:24 UTC, Rich Megginson
cvs commit log (163 bytes, text/plain), 2009-01-13 22:24 UTC, Rich Megginson

System ID Priority Status Summary Last Updated
Mozilla Foundation 473438 None None None Never

Description Jenny Severance 2009-01-08 19:42:40 UTC
Description of problem:

After successfully configuring Server to Server Connection via SASL/DIGEST-MD5 (SSL or TLS), the first server fails to stop, with the following error:

Server still running!! Failed to stop the ns-slapd process: 18341. Please check the errors log for problems.

Errors log:
[08/Jan/2009:13:19:44 -0500] - slapd shutting down - signaling operation threads
[08/Jan/2009:13:19:44 -0500] - slapd shutting down - waiting for 29 threads to terminate
[08/Jan/2009:13:19:44 -0500] - slapd shutting down - closing down internal subsystems and plugins
[08/Jan/2009:13:22:12 -0500] - repl5_tot_waitfor_async_results timed out waiting for responses: 0 164
[08/Jan/2009:13:22:13 -0500] - repl5_tot_waitfor_async_results timed out waiting for responses: 0 176

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install two servers
2. Configure replication to bind with SASL/GSSAPI over TLS or SSL
3. View errors log
4. Try to stop server 1.

Actual results:
See above - server 1 subsequently becomes unreachable but service appears to be still running

Expected results:
Server one to stop and restart.

Additional info:

Configuration Tested:

Server 1 and Server 2 MMR Server 3 Read Only Consumer of Server 1

    * Create Instances
    * SSL secure the instances
    * Add required SASL maps
    * Change password scheme to CLEAR
    * Add replication manager under cn=config
    * Add changelogs
    * Enable replication 
    * Add replication agreements
    * Initialize consumers

Server 2 and Server 3 (consumer) stop and start successfully

Comment 1 Rich Megginson 2009-01-13 21:24:24 UTC
Created attachment 328916 [details]

Comment 2 Rich Megginson 2009-01-13 22:24:46 UTC
Created attachment 328926 [details]
cvs commit log

Reviewed by: nhosoi (Thanks!)
Fix Description: Using ldap_set_option with LDAP_OPT_X_SASL_SECPROPS is not thread safe.  ldap_set_option acquires the OPTION lock, but using LDAP_OPT_X_SASL_SECPROPS just calls return rather than calling break to exit the switch and unlock the lock.  A mozilla bug has been filed https://bugzilla.mozilla.org/show_bug.cgi?id=473438.  The fix is to use LDAP_OPT_X_SASL_SSF_MAX.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
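
Added example, not part of the attached patch or of the Mozilla LDAP C SDK: a minimal C model of the lock leak the fix description names, where one switch case returns while the option lock is held and the next caller can never acquire it. The names demo_opt, option_lock, set_option_buggy, set_option_fixed and lock_leaked are hypothetical, and a non-blocking C11 atomic_flag stands in for the SDK's blocking lock so the leak can be observed instead of hanging.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical stand-ins, not the Mozilla LDAP C SDK's own definitions. */
enum demo_opt { DEMO_SASL_SECPROPS, DEMO_SASL_SSF_MAX };
static atomic_flag option_lock = ATOMIC_FLAG_INIT;
unsigned long ssf_max;

/* Non-blocking acquire, so a leaked lock is reported instead of hanging. */
static bool option_trylock(void) { return !atomic_flag_test_and_set(&option_lock); }
static void option_unlock(void) { atomic_flag_clear(&option_lock); }

/* Defect shape from the fix description: one case returns with the lock held. */
int set_option_buggy(enum demo_opt opt, unsigned long val)
{
    if (!option_trylock()) return -2;   /* a blocking lock would wait forever */
    switch (opt) {
    case DEMO_SASL_SECPROPS:
        ssf_max = val;
        return 0;                       /* BUG: skips option_unlock() below */
    case DEMO_SASL_SSF_MAX:
        ssf_max = val;
        break;
    }
    option_unlock();
    return 0;
}

/* Corrected shape: every case leaves through break and the single unlock. */
int set_option_fixed(enum demo_opt opt, unsigned long val)
{
    if (!option_trylock()) return -2;
    switch (opt) {
    case DEMO_SASL_SECPROPS:
    case DEMO_SASL_SSF_MAX:
        ssf_max = val;
        break;
    }
    option_unlock();
    return 0;
}

/* True when the option lock is still held after a call has returned. */
bool lock_leaked(void)
{
    bool held = !option_trylock();
    if (!held) option_unlock();
    return held;
}
```

With a blocking lock in place of the try-lock, the second caller waits indefinitely, which matches a server that signals its threads to stop and then never finishes shutting down.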

Comment 3 Jenny Severance 2009-03-16 16:25:36 UTC
Can no longer add an agreement configured with GSSAPI over TLS.  fix verified - RHEL 5 DS 8.1.

Comment 4 Chandrasekar Kannan 2009-04-29 23:09:16 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

