Re: RedHat 9's ldapsearch segfaults with SubjectAltName certificates
Frank Swasey wrote:
Maybe I'm just stupid, but with the impending upgrade of my production
servers from 2.0.27 to 2.1.22, I have bitten the bullet and generated
SSL certificates for them that utilize the SubjectAltName construct.
This is required because the master uses a private network to send the
update traffic to the slave(s) so they have to be known by different
names.
However, another member of my team is building a cluster that is using
stock RedHat 9's openldap (2.0.27-8), nss_ldap (202-5), and nscd
(2.3.2-27.9) and through the process of elimination we have discovered
that the ldapsearch binary will segfault if the LDAP server's SSL
certificate contains the SubjectAltName parameters.
I attempted to upgrade one of the systems to OpenLDAP 2.1.22, but then
nscd refused to run and I had to reimage the system because there was no
way in..... Ouch!
Far be it from me to lecture one so illustrious as you ... but just the
following notes and suggestions:
Seg faults and RH 9 seem to abound - for various reasons. SuSE gives its
own problems which neither you nor I want.. I've staked my reputation on
RH9 and have yet to find out I'm wrong by the system actually dying on me.
What I've done: Production RH9 server that has to run as an Openldap
server with Postfix 2.0.14 and Courier 2.0.0 IMAPD with LDAP support.
LDAP support has to authenticate another (production, primary) RH9 LTSP
server. All compiles from source. All installs into Linux (more or less)
standard directories (so /usr/local is not used for any of this.) All
installations with checkinstall 1.53 to generate rpms which replace the
RH9 rpms and satisfy all dependencies (checkinstall rips out the old RH
rpm and installs the new with what I've compiled.) checkinstall is a
breeze for generating one's own rpms without any hassle.
Components: Openssl 0.9.7b (first,) Cyrus SASL 2.1.13 with LDAP-modified
auxprop libraries for Postfix SASL support (o.k. there are newer, but
they have bugs - all installs to /usr/lib/sasl2,) Berkeley BDB 4.1.25,
Openldap 2.1.22. Everything is SSL/TLS apart from Postfix LDAP support
(I haven't tried SubjectAltName, but nscd runs without problems and
nothing's crashed yet.) Standard RH9 pam, libnss; PADL's nss_ldap-203
and pam_ldap-164 (self-compiled, checkinstall.)
The most important point about all the above is that the RH9 Openssl
libs and "other peoples' rpms" which have used their own libraries and
dependencies lead to 'orrible segfaults under other conditions, too.
YMMV.
Tony
--
Tony Earnshaw
http://www.billy.demon.nl
Mail: tonni@billy.demon.nl
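As an added example, not code from either message in this thread: a small shell script that issues a self-signed server certificate whose subjectAltName lists both the public name and the private replication-network name (the setup Frank describes), then verifies that the SAN really is in the certificate before it is handed to slapd or tested with a TLS client such as ldapsearch. The hostnames, working directory and file names are assumed placeholders.

```shell
#!/bin/sh
# Added example: build an OpenLDAP server certificate carrying two DNS names
# in subjectAltName and check the result. Hostnames are constructed placeholders.
set -e

PUBLIC_NAME="ldap.example.org"              # name clients use
PRIVATE_NAME="ldap-repl.priv.example.org"   # name the master uses over the private net
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# OpenSSL request config with a v3 extension section holding the SANs.
write_san_config() {
    cat > "$WORKDIR/san.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_san

[ dn ]
CN = $PUBLIC_NAME

[ v3_san ]
subjectAltName = DNS:$PUBLIC_NAME,DNS:$PRIVATE_NAME
extendedKeyUsage = serverAuth
EOF
}

# Generate a key and self-signed certificate in PEM, the format slapd's
# TLSCertificateFile / TLSCertificateKeyFile directives expect.
make_cert() {
    write_san_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/ldap-key.pem" -out "$WORKDIR/ldap-cert.pem" \
        -config "$WORKDIR/san.cnf" >/dev/null 2>&1
}

# Return 0 if the certificate's SAN lists the given DNS name, 1 otherwise.
# Check this before deploying: a name missing here means TLS hostname
# verification fails for peers that connect under that name.
cert_has_san() {
    openssl x509 -in "$WORKDIR/ldap-cert.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$1"
}
```

Once the certificate passes the check, a client-side test against the running server is `ldapsearch -ZZ -H ldap://$PRIVATE_NAME ...`; with the RedHat 9 ldapsearch build from the thread, that is also the point where the reported segfault would show up.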