
Re: seg fault with TLS syncrepl ?



On 08/12/2011 07:17 AM, Olivier wrote:
My N-WAY replication works properly with a
"bindmethod=simple".

However, I don't like keeping a password in clear text in
a configuration file, so I tried this:

On server "ldap-master1.example.fr" :

TLSVerifyClient allow

syncrepl rid=101
     provider=ldap://ldap-master2.example.fr:389
     searchbase="dc=example,dc=fr"
     schemachecking=on
     type=refreshOnly
     interval=00:00:01:00
     retry="10 +"
     bindmethod=sasl
     saslmech=EXTERNAL
     starttls=critical
     tls_cert=/etc/openldap/cacerts/master1/server.crt
     tls_key=/etc/openldap/cacerts/master1/server.key
     tls_cacert=/etc/openldap/cacerts/CA.crt
     tls_reqcert=demand

On server "ldap-master2.example.fr" :

TLSVerifyClient allow

syncrepl rid=201
     provider=ldap://ldap-master1.example.fr:389
     searchbase="dc=example,dc=fr"
     schemachecking=on
     type=refreshOnly
     interval=00:00:01:00
     retry="10 +"
     bindmethod=sasl
     saslmech=EXTERNAL
     starttls=critical
     tls_cert=/etc/openldap/cacerts/master2/server.crt
     tls_key=/etc/openldap/cacerts/master2/server.key
     tls_cacert=/etc/openldap/cacerts/CA.crt

I get a segmentation fault:

ldap-master1 #$ /usr/sbin/slapd -h  ldap:/// -u ldap -d256

@(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
	mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
<= bdb_inequality_candidates: (entryCSN) not indexed
slapd starting
slap_client_connect: URI=ldap://ldap-master2.example.fr:389 Error,
ldap_start_tls failed (-1)
do_syncrepl: rid=101 rc -1 retrying
conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="" method=163
conn=1000 op=1 BIND
authcid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
authzid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
conn=1000 op=1 BIND
dn="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
mech=EXTERNAL sasl_ssf=0 ssf=256
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1000 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0
filter="(objectClass=*)"
conn=1000 op=2 SRCH attr=* +
conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1000 op=3 UNBIND
conn=1000 fd=12 closed
Segmentation fault

The segfault happened when the second server tried to sync with the first one:

[root@ldap-master2 cacerts]# /usr/sbin/slapd -h  ldap:/// -u ldap -d256
@(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
	mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapd starting
conn=1000 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
TLS: error: accept - force handshake failure: errno 2 - moznss error -5938
TLS: can't accept: TLS error -5938:Encountered end of file.
conn=1000 fd=12 closed (TLS negotiation failure)
^C
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd stopped.

Any idea?

Can you get a core file and a stack trace from the server that gets the seg fault? I'm assuming from the build that you are running on Fedora 14 or later, or RHEL6.1. You should make sure the openldap-debuginfo package is installed (e.g. debuginfo-install openldap) and install abrt. This will collect the core files in /var/spool/abrt.

NOTE: if I start the daemon on ldap-master2, it is ldap-master2 that
produces the seg fault.

---
Olivier
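One check worth running before chasing the core file, added here as an example and not code from the thread or from OpenLDAP: the two stanzas posted are not mirror images (rid=201 has no tls_reqcert), and a consumer that binds with SASL EXTERNAL over StartTLS depends on a handful of settings agreeing on both sides. The script below parses slapd.conf continuation lines, extracts each syncrepl stanza and reports what such a setup needs. The requirement list and the messages are my own; the sample configurations are reconstructed from the post with unrelated options dropped; `file_exists` is a hook so the check can run on a host that does not hold the certificate files. It only reads configuration and says nothing about why slapd crashed.

```python
"""Pre-flight check for slapd.conf syncrepl stanzas that bind with SASL
EXTERNAL over StartTLS.  Added example for this thread, not OpenLDAP code;
it reads configuration only and says nothing about why slapd crashed."""
import os
import re

# key=value or key="value with spaces" (e.g. retry="10 +")
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Our own checklist (assumption), drawn from the stanzas in the thread.
_REQUIRED = ("rid", "provider", "searchbase", "bindmethod", "saslmech",
             "starttls", "tls_cert", "tls_key", "tls_cacert")


def logical_lines(text):
    """Join slapd.conf continuation lines: a line that starts with
    whitespace belongs to the preceding directive; '#' lines are skipped."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_conf(text):
    """Return (global directives, syncrepl stanzas) with lower-cased keys."""
    globals_, stanzas = {}, []
    for line in logical_lines(text):
        directive, _, args = line.partition(" ")
        if directive.lower() == "syncrepl":
            stanzas.append({m.group(1).lower(): m.group(3) if m.group(2) is None else m.group(2)
                            for m in _KV.finditer(args)})
        else:
            globals_[directive.lower()] = args.strip()
    return globals_, stanzas


def check_stanza(s, file_exists=os.path.exists):
    """Problems for one consumer stanza; an empty list means it passes."""
    rid = s.get("rid", "?")
    problems = [f"rid={rid}: missing {k}" for k in _REQUIRED if k not in s]
    external = (s.get("bindmethod", "").lower() == "sasl"
                and s.get("saslmech", "").upper() == "EXTERNAL")
    if external:
        # The consumer authenticates with its certificate, so it must verify the
        # provider's too; anything weaker than demand lets a spoofed provider
        # feed it directory content.
        if s.get("tls_reqcert", "").lower() != "demand":
            problems.append(f"rid={rid}: tls_reqcert must be demand (got {s.get('tls_reqcert', 'unset')})")
        # On a plain ldap:// URI the bind must never happen without TLS;
        # 'critical' aborts the session if StartTLS fails.
        if s.get("provider", "").startswith("ldap://") and s.get("starttls", "").lower() != "critical":
            problems.append(f"rid={rid}: starttls must be critical for ldap:// with EXTERNAL (got {s.get('starttls', 'unset')})")
    for key in ("tls_cert", "tls_key", "tls_cacert"):
        if key in s and not file_exists(s[key]):
            problems.append(f"rid={rid}: {key} not found: {s[key]}")
    return problems


def check_provider_side(globals_):
    """A peer binding with EXTERNAL needs this server to ask for a client
    certificate; TLSVerifyClient defaults to never, which yields no identity."""
    if globals_.get("tlsverifyclient", "never").lower() == "never":
        return ["TLSVerifyClient is never (or unset): SASL EXTERNAL peers get no identity"]
    return []


def lint(text, file_exists=os.path.exists):
    """All problems found in one slapd.conf, provider side first."""
    globals_, stanzas = parse_conf(text)
    problems = check_provider_side(globals_)
    for s in stanzas:
        problems += check_stanza(s, file_exists)
    return problems


# Constructed from the thread's two stanzas, unrelated options dropped.
MASTER1 = """\
TLSVerifyClient allow

syncrepl rid=101
    provider=ldap://ldap-master2.example.fr:389
    searchbase="dc=example,dc=fr"
    retry="10 +"
    bindmethod=sasl
    saslmech=EXTERNAL
    starttls=critical
    tls_cert=/etc/openldap/cacerts/master1/server.crt
    tls_key=/etc/openldap/cacerts/master1/server.key
    tls_cacert=/etc/openldap/cacerts/CA.crt
    tls_reqcert=demand
"""
# master2 as posted: mirror image of master1, but without tls_reqcert.
MASTER2 = "\n".join(l for l in MASTER1.replace("ldap-master2.", "ldap-master1.")
                    .replace("master1/", "master2/").replace("rid=101", "rid=201")
                    .splitlines() if "tls_reqcert" not in l)

if __name__ == "__main__":
    # Certificate paths are the thread's, not this host's: skip the file check here.
    for name, conf in (("ldap-master1", MASTER1), ("ldap-master2", MASTER2)):
        found = lint(conf, file_exists=lambda p: True)
        print(name + ":", "OK" if not found else "\n  " + "\n  ".join(found))
```

Run it against a real slapd.conf with `lint(open(path).read())` and the default `file_exists`, so that unreadable or misplaced certificate files are reported as well; `tls_reqcert` and `starttls=critical` are checked only when the stanza actually uses SASL EXTERNAL, since a simple bind over ldaps:// has different needs.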