From owner-freebsd-stable@FreeBSD.ORG Wed Jul 14 19:18:24 2010
Message-ID: <4C3E0D7D.5020305@kaarposoft.dk>
Date: Wed, 14 Jul 2010 21:18:21 +0200
From: Henrik /KaarPoSoft
To: Jeremy Chadwick, freebsd-stable@freebsd.org
Cc: mamalos@eng.auth.gr
References: <4C3CC831.7040005@kaarposoft.dk> <20100713210729.GA11943@icarus.home.lan>
In-Reply-To: <20100713210729.GA11943@icarus.home.lan>
Subject: Re: openldap client GSSAPI authentication segfaults in fbsd8stable i386

Jeremy Chadwick wrote:
> On Tue, Jul 13, 2010 at 10:10:25PM +0200, Henrik /KaarPoSoft wrote:
>> I have a problem: ldapsearch results in "Segmentation fault" under
>> openldap-2.4.23 with cyrus-sasl-2.1.23.
>> [...]
> If I was to build a test box from scratch, can you tell me how to set up
> all the necessary software/etc. to mimic your environment so that I
> could try to reproduce this?
> Reviewing the source isn't enough, I'd
> have to actually build a debug version of libgssapi to track it down.

Jeremy,

I would really appreciate your going through this!
Thank you very much in advance.

Here is what I did:

FreeBSD 8.0 vanilla install
hostname: srv02.example.lan

freebsd-update fetch
freebsd-update install

Create self-signed "CA" cert, and create SSL cert for LDAP signed by this.
References:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html
http://forums.freebsd.org/showthread.php?t=6490
http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

pkg_add -r heimdal

cat >> /etc/rc.conf
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"

cat > /etc/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.LAN

kstash
kadmin -l
kadmin> init EXAMPLE.LAN
kadmin> add TestOne
kadmin> list "*"

/etc/rc.d/kerberos start
/etc/rc.d/kadmind start

Add to nameserver:
kerberos.example.lan            CNAME   srv02.example.lan
ldap.example.lan                CNAME   srv02.example.lan
_kerberos                       IN TXT  kerberos.example.lan
_kerberos._udp.example.lan.     IN SRV  0 0 88  kerberos.example.lan.
_kerberos._tcp.example.lan.     IN SRV  0 0 88  kerberos.example.lan.
_kerberos-adm._tcp.example.lan. IN SRV  0 0 749 kerberos.example.lan.
_kpasswd._udp.example.lan.      IN SRV  0 0 464 kerberos.example.lan.
cd /usr/ports
portsnap fetch
portsnap extract
(and subsequently portsnap fetch update)

cd /usr/ports/security/cyrus-sasl2
make config
[X] Berkeley DB
[X] /dev/urandom
make
make install

cd /usr/ports/net/openldap24-sasl-client
make
make install

cd /usr/ports/net/openldap24-server
make config
[x] SASL
make

cat >> /etc/rc.conf
slapd_enable="YES"
slapd_flags="-h ldaps:///"

touch /var/db/openldap-data/DB_CONFIG

srv02# diff /usr/local/etc/openldap/slapd.conf.ORIG /usr/local/etc/openldap/slapd.conf
48a50,80
>
> #######################################################################
> # EXAMPLE
> #######################################################################
>
> #=# Shemas we need
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
>
> #=# Logging
> loglevel stats stats2 shell parse ACL config filter BER conns
>
>
> #=# GSSAPI mapping
> #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> #=# http://www.openldap.org/doc/admin24/sasl.html#Mapping Authentication Identities
>
> authz-regexp
>   uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth
>   uid=$1,ou=Users,dc=example,dc=lan
>
>
> #=# LDAP over TSL (SSL)
> #=# http://www.openldap.org/doc/admin24/tls.html
>
> security ssf=128
> TLSCertificateFile /etc/exampleCA/certs/ldap.pem
> TLSCertificateKeyFile /etc/exampleCA/private/ldap.pem
> TLSCACertificateFile /etc/exampleCA/certs/example.pem
>
54,55c86,93
< suffix "dc=my-domain,dc=com"
< rootdn "cn=Manager,dc=my-domain,dc=com"
---
>
> #=# The example Network
> suffix "dc=example,dc=lan"
>
> #=# The rootdn user, authenticated by Kerberos
> #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> rootdn "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"
>
59c97,99
< rootpw secret
---
>
> #=# Since rootdn is authenticated by Kerberos, we do not need rootpw
> #rootpw secret
65a106

Add domain and a few users with slapadd

cat >> /usr/local/etc/openldap/ldap.conf
base            dc=example,dc=lan
uri             ldaps://ldap.example.lan/
tls_cacert      /etc/exampleCA/cacert.pem
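Review bot: in the 54,55c86,93 hunk the rootdn "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth" is the unmapped SASL DN, but the authz-regexp added in the 48a50,80 hunk matches every uid under cn=example.lan,cn=gssapi,cn=auth and rewrites it to uid=$1,ou=Users,dc=example,dc=lan, so a GSSAPI bind as LDAProot@EXAMPLE.LAN is authorised as uid=LDAProot,ou=Users,dc=example,dc=lan and never compares equal to rootdn. Either set rootdn to the mapped DN or narrow the regexp so the LDAProot identity is not rewritten; the "Since rootdn is authenticated by Kerberos, we do not need rootpw" comment in the 59c97,99 hunk only holds once that match works.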
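A small model of the identity mapping that the slapd.conf diff above sets up, added here as an example and not code from the mail or from OpenLDAP: it derives the SASL DN for a Kerberos principal, applies the authz-regexp, and compares the result with rootdn, so the LDAProot case can be checked before anyone binds. It assumes, following the admin-guide pages the mail cites, that slapd lowercases the realm and runs the first matching authz-regexp over every SASL identity, the one named in rootdn included.

```python
import re

# Constructed from the slapd.conf lines quoted in the mail above: the single
# authz-regexp and the rootdn are exactly the ones shown there.
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=example\.lan,cn=gssapi,cn=auth",
     "uid=$1,ou=Users,dc=example,dc=lan"),
]
ROOTDN = "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"


def sasl_authc_dn(principal, mech="gssapi"):
    """DN slapd derives from a SASL identity before any mapping:
    uid=<user>,cn=<realm>,cn=<mech>,cn=auth, realm lowercased
    (assumption modelled on the OpenLDAP admin guide's GSSAPI example)."""
    user, _, realm = principal.partition("@")
    return "uid=%s,cn=%s,cn=%s,cn=auth" % (user, realm.lower(), mech)


def apply_authz_regexp(authc_dn, rules=AUTHZ_REGEXP):
    """First matching rule wins; $1..$9 in the replacement are filled from
    the match groups. A DN that matches no rule is used unchanged."""
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)",
                          lambda g: m.group(int(g.group(1))), replacement)
    return authc_dn


def bind_dn(principal, rules=AUTHZ_REGEXP):
    """The identity slapd ends up authorising for a GSSAPI bind."""
    return apply_authz_regexp(sasl_authc_dn(principal), rules)


def is_rootdn(principal, rootdn=ROOTDN, rules=AUTHZ_REGEXP):
    """True only if the mapped identity equals rootdn (case-insensitive)."""
    return bind_dn(principal, rules).lower() == rootdn.lower()


if __name__ == "__main__":
    for p in ("TestOne@EXAMPLE.LAN", "LDAProot@EXAMPLE.LAN"):
        print(p, "->", bind_dn(p), "rootdn match:", is_rootdn(p))
    # Pointing rootdn at the mapped DN instead restores the intended match.
    print(is_rootdn("LDAProot@EXAMPLE.LAN",
                    rootdn="uid=LDAProot,ou=Users,dc=example,dc=lan"))
```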