
slapd -u user -g group segfault



Hi,

I use a slapd server, openldap-2.2.17, on suse8.2.
OpenLDAP is built with these options:
--with-tls --enable-debug --enable-bdb --with-cyrus-sasl --enable-spasswd
--enable-crypt
LDFLAGS="-L/usr/local/kerberos/lib -L/usr/local/ssl/lib
-L/usr/local/berkeleydb/lib -Wl,-rpath,/usr/local/kerberos/lib
-Wl,-rpath,/usr/local/berkeleydb/lib -L/usr/local/cyrus-sasl/lib
-Wl,-rpath,/usr/local/cyrus-sasl/lib"
CFLAGS="-D_REENTRANT -g -I/usr/local/berkeleydb/include
-I/usr/local/ssl/include -I/usr/local/cyrus-sasl/include"
CXXFLAGS="-D_REENTRANT -g -I/usr/local/berkeleydb/include
-I/usr/local/ssl/include -I/usr/local/cyrus-sasl/include"

Versions of other used software:
cyrus-sasl-2.1.19 (I've also tested it with cyrus-sasl-2.1.17)
db-4.2.52
krb5-1.3.4

I start the slapd with the options "-u ldap" and "-g ldap". "ldap" is a user in
/etc/passwd and group in /etc/groups. This works fine as long as no ldap is
used for nss:
------------
/etc/nsswitch.conf:
passwd: files
shadow: files
group: files

But if I configure the host to use ldap for nss
passwd: files ldap
shadow: files ldap
group: files ldap

the slapd starts and I can do one ldapsearch, and then the slapd crashes with a
segfault.
Unfortunately I cannot send you a stack backtrace or strace output because the
Linux kernel does not permit tracing after a user switch.

If I omit the -u -g options and slapd is running as root, all works fine. Giving -u and -g as numerical uid/gid does not solve the problem.

For testing I also compiled a slapd 2.2.17 without SASL support. This daemon is working fine.

Thanks in advance.

Theo

Here is the output of slapd started in debugging mode:

/usr/local/openldap/libexec/slapd -h 'ldap:/// ldaps:///' -f
/usr/local/etc/openldap/slapd.conf -u ldap -g ldap -d 1

@(#) $OpenLDAP: slapd 2.2.17 (Sep 27 2004 11:51:10) $

sn@os-suse82:/net/os-suse82/fs1/scr/os-suse82/sn/openldap-2.2.17/ARENA/servers/slapd
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: initialized ldap:///
ldap_url_parse_ext(ldaps:///)
daemon: initialized ldaps:///
daemon_init: 4 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_initialize: initialize BDB backend
bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
dnNormalize: <cn=Subschema>
=> ldap_bv2dn(cn=Subschema,0)
ldap_err2string
<= ldap_bv2dn(cn=Subschema)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=subschema)=0 Success
<<< dnNormalize: <cn=subschema>
dnNormalize: <cn=manager,dc=science-computing,dc=de>
=> ldap_bv2dn(cn=manager,dc=science-computing,dc=de,0)
ldap_err2string
<= ldap_bv2dn(cn=manager,dc=science-computing,dc=de)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=manager,dc=science-computing,dc=de)=0 Success
<<< dnNormalize: <cn=manager,dc=science-computing,dc=de>
dnNormalize: <cn=manager,dc=science-computing,dc=de>
=> ldap_bv2dn(cn=manager,dc=science-computing,dc=de,0)
ldap_err2string
<= ldap_bv2dn(cn=manager,dc=science-computing,dc=de)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=manager,dc=science-computing,dc=de)=0 Success
<<< dnNormalize: <cn=manager,dc=science-computing,dc=de>
dnNormalize: <cn=manager,dc=science-computing,dc=de>
=> ldap_bv2dn(cn=manager,dc=science-computing,dc=de,0)
ldap_err2string
<= ldap_bv2dn(cn=manager,dc=science-computing,dc=de)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=manager,dc=science-computing,dc=de)=0 Success
<<< dnNormalize: <cn=manager,dc=science-computing,dc=de>
bdb_db_init: Initializing bdb database
dnPrettyNormal: <dc=science-computing,dc=de>
=> ldap_bv2dn(dc=science-computing,dc=de,0)
ldap_err2string
<= ldap_bv2dn(dc=science-computing,dc=de)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=science-computing,dc=de)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=science-computing,dc=de)=0 Success
<<< dnPrettyNormal: <dc=science-computing,dc=de>, <dc=science-computing,dc=de>
dnPrettyNormal: <cn=manager,dc=science-computing,dc=de>
=> ldap_bv2dn(cn=manager,dc=science-computing,dc=de,0)
ldap_err2string
<= ldap_bv2dn(cn=manager,dc=science-computing,dc=de)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=manager,dc=science-computing,dc=de)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=manager,dc=science-computing,dc=de)=0 Success
<<< dnPrettyNormal: <cn=manager,dc=science-computing,dc=de>,
<cn=manager,dc=science-computing,dc=de>
matching_rule_use_init
    1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: (
1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( oncRpcNumber $
ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $
shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $
uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
    1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: (
1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( oncRpcNumber $
ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $
shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $
uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
    1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( nisMapEntry $
bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $
memberNisNetgroup $ memberUid $ loginShell $ homeDirectory $ gecos $
janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $
aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) )
    1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( nisMapEntry $
bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $
memberNisNetgroup $ memberUid $ loginShell $ homeDirectory $ gecos $
janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $
aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) )
    2.5.13.35 (certificateMatch): matchingRuleUse: ( 2.5.13.35 NAME
'certificateMatch' APPLIES ( cACertificate $ userCertificate ) )
    2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME
'certificateExactMatch' APPLIES ( cACertificate $ userCertificate ) )
    2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: (
2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES (
supportedApplicationContext $ ldapSyntaxes $ supportedFeatures $
supportedExtension $ supportedControl ) )
    2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME
'integerFirstComponentMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $
ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $
shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $
mailPreferenceOption $ supportedLDAPVersion ) )
    2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME
'generalizedTimeMatch' APPLIES ( modifyTimestamp $ createTimestamp ) )
    2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME
'protocolInformationMatch' APPLIES protocolInformation )
    2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME
'uniqueMemberMatch' APPLIES uniqueMember )
    2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME
'presentationAddressMatch' APPLIES presentationAddress )
    2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME
'telephoneNumberMatch' APPLIES ( pager $ mobile $ homePhone $ telephoneNumber ) )
    2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME
'octetStringMatch' APPLIES userPassword )
    2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME
'bitStringMatch' APPLIES x500UniqueIdentifier )
    2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch'
APPLIES ( oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $
shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $
shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $
supportedLDAPVersion ) )
    2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch'
APPLIES hasSubordinates )
    2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME
'caseIgnoreListMatch' APPLIES ( homePostalAddress $ registeredAddress $
postalAddress ) )
    2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME
'numericStringMatch' APPLIES ( internationaliSDNNumber $ x121Address ) )
    2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME
'caseExactSubstringsMatch' APPLIES ( dnQualifier $ destinationIndicator $
serialNumber ) )
    2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME
'caseExactOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $
serialNumber ) )
    2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME
'caseExactMatch' APPLIES ( nisMapName $ ipServiceProtocol $ preferredLanguage $
employeeType $ employeeNumber $ displayName $ departmentNumber $ carLicense $
documentPublisher $ buildingName $ organizationalStatus $ uniqueIdentifier $ co
$ personalTitle $ documentLocation $ documentVersion $ documentTitle $
documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $
textEncodedORAddress $ uid $ dmdName $ houseIdentifier $ dnQualifier $
generationQualifier $ initials $ givenName $ destinationIndicator $
physicalDeliveryOfficeName $ postOfficeBox $ postalCode $ businessCategory $
description $ title $ ou $ o $ street $ st $ l $ c $ serialNumber $ sn $
knowledgeInformation $ labeledURI $ cn $ name $ ref $ vendorVersion $
vendorName $ supportedSASLMechanisms ) )
    2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME
'caseIgnoreSubstringsMatch' APPLIES ( dnQualifier $ destinationIndicator $
serialNumber ) )
    2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME
'caseIgnoreOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $
serialNumber ) )
    2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME
'caseIgnoreMatch' APPLIES ( nisMapName $ ipServiceProtocol $ preferredLanguage
$ employeeType $ employeeNumber $ displayName $ departmentNumber $ carLicense $
documentPublisher $ buildingName $ organizationalStatus $ uniqueIdentifier $ co
$ personalTitle $ documentLocation $ documentVersion $ documentTitle $
documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $
textEncodedORAddress $ uid $ dmdName $ houseIdentifier $ dnQualifier $
generationQualifier $ initials $ givenName $ destinationIndicator $
physicalDeliveryOfficeName $ postOfficeBox $ postalCode $ businessCategory $
description $ title $ ou $ o $ street $ st $ l $ c $ serialNumber $ sn $
knowledgeInformation $ labeledURI $ cn $ name $ ref $ vendorVersion $
vendorName $ supportedSASLMechanisms ) )
    2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME
'distinguishedNameMatch' APPLIES ( dITRedirect $ associatedName $ secretary $
documentAuthor $ manager $ seeAlso $ roleOccupant $ owner $ member $
distinguishedName $ aliasedObjectName $ namingContexts $ subschemaSubentry $
modifiersName $ creatorsName ) )
    2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME
'objectIdentifierMatch' APPLIES ( supportedApplicationContext $
supportedFeatures $ supportedExtension $ supportedControl ) )
slapd startup: initiated.
backend_startup: starting "dc=science-computing,dc=de"
bdb_db_open: dbenv_open(/var/lib/scVenusldap/db)
slapd starting
ldap_pvt_gethostbyname_a: host=pangaea-vm-2, r=0
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 7
do_bind: v3 anonymous bind
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 63 contents:
ber_get_next
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <dc=science-computing,dc=de>
=> ldap_bv2dn(dc=science-computing,dc=de,0)
ldap_err2string
<= ldap_bv2dn(dc=science-computing,dc=de)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=science-computing,dc=de)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=science-computing,dc=de)=0 Success
<<< dnPrettyNormal: <dc=science-computing,dc=de>, <dc=science-computing,dc=de>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=0 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("dc=science-computing,dc=de")
=> bdb_dn2id( "dc=science-computing,dc=de" )
<= bdb_dn2id: got id=0x00000001
entry_decode: "dc=science-computing,dc=de"
<= entry_decode(dc=science-computing,dc=de)
search_candidates: base="dc=science-computing,dc=de" (0x00000001) scope=2
=> bdb_dn2idl( "dc=science-computing,dc=de" )
=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=1 first=1 last=1
=> send_search_entry: dn="dc=science-computing,dc=de"
ber_flush: 94 bytes to sd 7
<= send_search_entry
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 7
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
do_unbind
connection_closing: readying conn=0 sd=7 for close
connection_resched: attempting closing conn=0 sd=7
connection_close: conn=0 sd=7
Segmentation fault
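
A check for the two NSS configurations compared in the post, added here as an illustration and not part of the original message: it reads an nsswitch.conf plus the flat passwd and group files and reports whether lookups for the slapd service account can reach the ldap source. The function names and verdict strings are made up for this example, and it draws no conclusion about the cause of the crash.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and verdict
# strings are hypothetical; file paths are passed in so it runs on copies.

# nss_sources FILE DB: print the sources listed for DB, one per line.
# Comments and [STATUS=action] items are stripped first.
nss_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$1" |
    awk -F: -v db="$2" '
        { gsub(/[ \t]/, "", $1) }
        $1 == db {
            n = split($2, s, /[ \t]+/)
            for (i = 1; i <= n; i++) if (s[i] != "") print s[i]
        }'
}

# uses_ldap FILE DB: succeed if DB consults the ldap source.
uses_ldap() { nss_sources "$1" "$2" | grep -qx ldap; }

# in_flat_file FILE NAME: succeed if NAME is the first field of a line.
in_flat_file() {
    awk -F: -v n="$2" '$1 == n { f = 1 } END { exit !f }' "$1"
}

# check_slapd_account NSSWITCH PASSWD GROUP USER GRP: print one verdict.
#   files-only    : neither passwd nor group lists ldap
#   ldap-listed   : ldap is listed, account and group also exist locally
#   ldap-required : ldap is listed and account or group is missing locally
check_slapd_account() {
    if ! uses_ldap "$1" passwd && ! uses_ldap "$1" group; then
        echo files-only
    elif in_flat_file "$2" "$4" && in_flat_file "$3" "$5"; then
        echo ldap-listed
    else
        echo ldap-required
    fi
}

# Run against the live files when called with a user and a group, e.g.
#   sh check.sh ldap ldap
if [ "$#" -eq 2 ]; then
    check_slapd_account /etc/nsswitch.conf /etc/passwd /etc/group "$1" "$2"
fi
```

With the post's first nsswitch.conf this reports `files-only`; with the second, and the `ldap` user and group present in the local files, it reports `ldap-listed`.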