Date:      Wed, 14 Jul 2010 21:18:21 +0200
From:      Henrik /KaarPoSoft <henrik@kaarposoft.dk>
To:        Jeremy Chadwick <freebsd@jdc.parodius.com>,  freebsd-stable@freebsd.org
Cc:        mamalos@eng.auth.gr
Subject:   Re: openldap client GSSAPI authentication segfaults in fbsd8stable i386
Message-ID:  <4C3E0D7D.5020305@kaarposoft.dk>
In-Reply-To: <20100713210729.GA11943@icarus.home.lan>
References:  <4C3CC831.7040005@kaarposoft.dk> <20100713210729.GA11943@icarus.home.lan>

On Tue, Jul 13, 2010 at 10:10:25PM +0200, Henrik /KaarPoSoft wrote:
>> I have a problem: ldapsearch results in "Segmentation fault" under
>> openldap-2.4.23 with cyrus-sasl-2.1.23.
>> [...]
>>

Jeremy Chadwick wrote:
> If I was to build a test box from scratch, can you tell me how to set up
> all the necessary software/etc. to mimic your environment so that I
> could try to reproduce this?  Reviewing the source isn't enough, I'd
> have to actually build a debug version of libgssapi to track it down.
>
Jeremy, I would really appreciate your going through this!
Thank you very much in advance.

Here is what I did:


FreeBSD 8.0 vanilla install
hostname: srv02.example.lan

freebsd-update fetch
freebsd-update install

Create self-signed "CA" cert, and create SSL cert for LDAP signed by this.
References:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html
http://forums.freebsd.org/showthread.php?t=6490
http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

pkg_add -r heimdal

cat >> /etc/rc.conf
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"

cat > /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.LAN

kstash

kadmin -l
kadmin> init EXAMPLE.LAN
kadmin> add TestOne
kadmin> list "*"

/etc/rc.d/kerberos start
/etc/rc.d/kadmind start

Add to nameserver:

kerberos.example.lan CNAME srv02.example.lan
ldap.example.lan CNAME srv02.example.lan
_kerberos IN TXT kerberos.example.lan
_kerberos._udp.example.lan. IN SRV 0 0 88 kerberos.example.lan.
_kerberos._tcp.example.lan. IN SRV 0 0 88 kerberos.example.lan.
_kerberos-adm._tcp.example.lan. IN SRV 0 0 749 kerberos.example.lan.
_kpasswd._udp.example.lan. IN SRV 0 0 464 kerberos.example.lan.

cd /usr/ports
portsnap fetch
portsnap extract

(and subsequently portsnap fetch update)

cd /usr/ports/security/cyrus-sasl2
make config
[X] Berkeley DB
[X] /dev/urandom
make
make install

cd /usr/ports/net/openldap24-sasl-client
make
make install

cd /usr/ports/net/openldap24-server
make config
[x] SASL
make

cat >> /etc/rc.conf
slapd_enable="YES"
slapd_flags="-h ldaps:///"

touch /var/db/openldap-data/DB_CONFIG

srv02# diff /usr/local/etc/openldap/slapd.conf.ORIG /usr/local/etc/openldap/slapd.conf
48a50,80
 >
 > #######################################################################
 > # EXAMPLE
 > #######################################################################
 >
 > #=# Shemas we need
 > include /usr/local/etc/openldap/schema/cosine.schema
 > include /usr/local/etc/openldap/schema/nis.schema
 > include /usr/local/etc/openldap/schema/inetorgperson.schema
 >
 > #=# Logging
 > loglevel stats stats2 shell parse ACL config filter BER conns
 >
 >
 > #=# GSSAPI mapping
 > #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
 > #=# http://www.openldap.org/doc/admin24/sasl.html#Mapping 
Authentication Identities
 >
 > authz-regexp
 > uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth
 > uid=$1,ou=Users,dc=example,dc=lan
 >
 >
 > #=# LDAP over TSL (SSL)
 > #=# http://www.openldap.org/doc/admin24/tls.html
 >
 > security ssf=128
 > TLSCertificateFile /etc/exampleCA/certs/ldap.pem
 > TLSCertificateKeyFile /etc/exampleCA/private/ldap.pem
 > TLSCACertificateFile /etc/exampleCA/certs/example.pem
 >
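Review bot: the `authz-regexp` directive in this hunk is shown as three separate lines (`authz-regexp`, then the pattern, then the replacement); slapd only joins a following line into the same directive when that line begins with whitespace, so make sure the two argument lines are indented in the real slapd.conf, otherwise the file does not parse. Two smaller points in the same hunk: `TLSCACertificateFile` points at /etc/exampleCA/certs/example.pem while the client ldap.conf later in the mail uses /etc/exampleCA/cacert.pem, so confirm both name the same CA certificate; and the `loglevel` line turns on BER and conns tracing, which is far more output than you want once this debugging session is over.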
54,55c86,93
< suffix "dc=my-domain,dc=com"
< rootdn "cn=Manager,dc=my-domain,dc=com"
---
 >
 > #=# The example Network
 > suffix "dc=example,dc=lan"
 >
 > #=# The rootdn user, authenticated by Kerberos
 > #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
 > rootdn "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"
 >
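Review bot: the new `rootdn "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"` is the raw SASL authentication DN, but the `authz-regexp` added in the previous hunk matches every `uid=...,cn=example.lan,cn=gssapi,cn=auth` identity and rewrites it to `uid=$1,ou=Users,dc=example,dc=lan`; slapd compares the rewritten DN against rootdn, so a GSSAPI bind as LDAProot ends up as `uid=LDAProot,ou=Users,dc=example,dc=lan` and does not get rootdn privileges. Either set `rootdn "uid=LDAProot,ou=Users,dc=example,dc=lan"` (the mapped form) or narrow the regexp so it does not match LDAProot.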
59c97,99
< rootpw secret
---
 >
 > #=# Since rootdn is authenticated by Kerberos, we do not need rootpw
 > #rootpw secret
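Review bot: with `rootpw` commented out, the only way to bind as rootdn is the Kerberos path, so slapd itself must be able to accept GSSAPI: it needs a keytab holding an ldap/ service principal for the name it is reached as (ldap.example.lan is a CNAME to srv02.example.lan in the DNS additions above), and the steps earlier in the mail only add the TestOne principal and show no keytab export. If that is missing, every GSSAPI bind fails regardless of the client, which is worth ruling out before chasing the client-side segfault. slapadd is unaffected since it writes the database directly.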
65a106

Add domain and a few users with slapadd

cat >> /usr/local/etc/openldap/ldap.conf
base dc=example,dc=lan
uri ldaps://ldap.example.lan/
tls_cacert /etc/exampleCA/cacert.pem
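The authz-regexp mapping configured above (from the OpenLDAP SASL documentation the message links) decides which DN a GSSAPI identity binds as, including whether it still matches rootdn. As an added example, not code from the message, the Python below reproduces that mapping for the message's own directive; the indented continuation-line layout and the case-insensitive, unanchored matching are my assumptions about how slapd reads the file.

```python
import re

# Constructed excerpt of the slapd.conf directives from the message. The two
# authz-regexp arguments sit on indented continuation lines (assumed layout;
# slapd joins a line to the previous directive when it starts with whitespace).
SLAPD_CONF = """\
authz-regexp
    uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth
    uid=$1,ou=Users,dc=example,dc=lan
rootdn "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"
"""

def parse_slapd_conf(text):
    """Join continuation lines, skip comments, return (directive, args)."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    pairs = []
    for entry in logical:
        parts = entry.split(None, 1)
        pairs.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return pairs

def authz_rules(conf):
    """authz-regexp (pattern, replacement) pairs, in file order."""
    return [tuple(args.split()) for d, args in conf if d == "authz-regexp"]

def map_sasl_identity(sasl_dn, rules):
    """Rewrite a SASL authentication DN with the first matching rule (assumed
    slapd semantics: unanchored, case-insensitive; $N is capture group N)."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return sasl_dn  # no rule matched: the identity is used as-is

def binds_as_rootdn(sasl_dn, conf):
    """Does this GSSAPI identity get rootdn rights? (case-insensitive compare)"""
    rootdn = next(a for d, a in conf if d == "rootdn").strip('"')
    return map_sasl_identity(sasl_dn, authz_rules(conf)).lower() == rootdn.lower()

CONF = parse_slapd_conf(SLAPD_CONF)
```

Running `binds_as_rootdn("uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth", CONF)` shows the effect of the regexp on the configured rootdn; swapping in the mapped DN for the rootdn line flips the result.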

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C3E0D7D.5020305>