SASL/GSSAPI problem in OpenLDAP

Bug #328436 reported by Kim Botherway
Affects: openldap (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Declined for Jaunty by Mathias Gug

Bug Description

Bug Description: OpenLDAP and Kerberos5 are installed, but when trying to use, e.g., ldapwhoami, OpenLDAP reports: ldap_sasl_interactive_bind_s: Can't contact LDAP Server

I have built two virtual machines, one running Intrepid amd64 and one with Jaunty amd64.
Description: Ubuntu jaunty (development branch)
Release: 9.04

Description: Ubuntu 8.10
Release: 8.10

Both have the same packages installed, obviously with the latest version for each distribution.
On both I can log in to the LDAP database using SIMPLE, but when I use GSSAPI on Jaunty it does not work; it works fine on Intrepid. I am not sure which package is causing the problem in Jaunty, so I have put the bug under slapd.

Debug logs and package versions attached

Kim Botherway (dj-dvant) wrote :

Jaunty Packages shows which version of debs are installed.

Testing Log shows the tests that I performed on each Ubuntu version

Debug Log is just that

Kim Botherway (dj-dvant) wrote :

And the ldap and krb5 config files are the same, except for host names.

Kim Botherway (dj-dvant) wrote :

I have downgraded these packages to the Intrepid version:
slapd (2.4.11-0ubuntu6.1), libldap (2.4.11-0ubuntu6.1), libsasl2-2 (2.1.22.dfsg1-21ubuntu2), libsasl2-modules (2.1.22.dfsg1-21ubuntu2)

And now I can log in using Kerberos and LDAP.

Kim Botherway (dj-dvant) wrote :

I also have a third virtual machine, running Jaunty and using it as an LDAP/Kerberos client with the latest version of SASL and GSSAPI modules without any problem.

Kim Botherway (dj-dvant) wrote :

I have also taken a working Intrepid virtual machine and dist-upgraded to Jaunty. Once upgraded, OpenLDAP crashes when trying to use the GSSAPI method to access the DB.

Kim Botherway (dj-dvant) wrote :

I have created a new Jaunty virtual machine with:
 slapd (2.4.14-0ubuntu1) packages slapd, ldap-utils, libldap
 sasl2 (2.1.22-dfsg1-23ubuntu2) packages libsasl2-2, libsasl2-modules, libsasl2-modules-gssapi-mit
 kerberos 5 (1.6-dfsg.4~beta1-5ubuntu1) packages krb5-kdc, krb5-admin-server, krb5-config + dependent packages

I still get the following error when using GSSAPI to access the LDAP Database (slapd is looking for the sasldb, which I do not use):

Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: do_bind: dn () SASL mech GSSAPI
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: slap_sasl_getdn: u:id converted to uid=root,cn=DJDVANT.COM,cn=GSSAPI,cn=auth
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: >>> dnNormalize: <uid=root,cn=DJDVANT.COM,cn=GSSAPI,cn=auth>
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: <<< dnNormalize: <uid=root,cn=djdvant.com,cn=gssapi,cn=auth>
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: ==>slap_sasl2dn: converting SASL name uid=root,cn=djdvant.com,cn=gssapi,cn=auth to a DN
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: slap_parseURI: parsing uid=root,ou=people,dc=djdvant,dc=com
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: >>> dnNormalize: <uid=root,ou=people,dc=djdvant,dc=com>
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: <<< dnNormalize: <uid=root,ou=people,dc=djdvant,dc=com>
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: <==slap_sasl2dn: Converted SASL name to uid=root,ou=people,dc=djdvant,dc=com
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: slap_sasl_getdn: dn:id converted to uid=root,ou=people,dc=djdvant,dc=com
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: SASL [conn=0] Failure: error fetching from sasldb: Invalid argument

Kim Botherway (dj-dvant) wrote :

Once slapd logs this error, it then crashes and you have to restart slapd.

Cyberax (alex-besogonov) wrote :

Also affects my install.

I get this in syslog if I try to use slapd as a backend for Heimdal KDC:
===========
Feb 28 23:20:05 devsrv slapd[27683]: SASL [conn=0] Failure: error fetching from sasldb: Invalid argument
Feb 28 23:20:05 devsrv kernel: [66316.640929] slapd[27686]: segfault at 7f9267392dc0 ip 00007f9267392dc0 sp 00007f925e465770 error 15
===========
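
A log-triage check for the failure signature quoted in this report, as an added example that is not part of the original thread or of OpenLDAP: it pairs each slapd "error fetching from sasldb" line with a kernel segfault line for slapd on the same host within a short window. The sample log is constructed from the excerpts above; the function names, the year (syslog omits it) and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog excerpts quoted in this report.
SAMPLE = """\
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: do_bind: dn () SASL mech GSSAPI
Feb 27 07:14:49 virt-kim-jaunty slapd[4702]: SASL [conn=0] Failure: error fetching from sasldb: Invalid argument
Feb 28 23:20:05 devsrv slapd[27683]: SASL [conn=0] Failure: error fetching from sasldb: Invalid argument
Feb 28 23:20:05 devsrv kernel: [66316.640929] slapd[27686]: segfault at 7f9267392dc0 ip 00007f9267392dc0 sp 00007f925e465770 error 15
Mar  1 10:00:00 otherhost kernel: [100.000001] cupsd[311]: segfault at 0 ip 0000000000000000 sp 00007ffc00000000 error 14
"""

# Classic syslog line: "Mon DD HH:MM:SS host tag[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
SASLDB = re.compile(r"SASL \[conn=\d+\] Failure: error fetching from sasldb")
SEGV = re.compile(r"\bslapd\[\d+\]: segfault at ")

def parse(line, year):
    """Split one syslog line into (timestamp, host, tag, message), or None."""
    m = LINE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse the padding in "Mar  1"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def find_sasldb_crashes(text, year=2009, window=timedelta(seconds=5)):
    """List every slapd sasldb failure and whether a slapd segfault followed it."""
    failures, segfaults = [], []
    for raw in text.splitlines():
        rec = parse(raw, year)  # year is assumed; syslog does not record it
        if rec is None:
            continue
        ts, host, tag, msg = rec
        if tag == "slapd" and SASLDB.search(msg):
            failures.append((ts, host))
        elif tag == "kernel" and SEGV.search(msg):
            segfaults.append((ts, host))
    report = []
    for ts, host in failures:
        crashed = any(h == host and timedelta(0) <= s - ts <= window
                      for s, h in segfaults)
        report.append({"host": host, "time": ts.isoformat(sep=" "), "crashed": crashed})
    return report

if __name__ == "__main__":
    for row in find_sasldb_crashes(SAMPLE):
        print(row)
```

A host reported with `crashed` false only means no kernel segfault line was present in the log that was scanned, as with the first host in the sample.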

Kim Botherway (dj-dvant) wrote :

Phew, someone else is experiencing the same problem. I thought that I was going mad!

Kim Botherway (dj-dvant)
Changed in openldap:
status: New → Confirmed
Mathias Gug (mathiaz) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

I haven't been able to reproduce your issue.

Do you see any message in dmesg related to slapd apparmor profile?

Could you detail your sasl configuration, your kerberos configuration and ldap+sasl integration?

Changed in openldap:
status: Confirmed → Incomplete
Kim Botherway (dj-dvant) wrote :

I have just upgraded to:
 slapd and libldap-2.4.2 to version 2.4.15-1ubuntu1
 libsasl2-2, libsasl2-2-modules and libsasl2-2-modules-gssapi-mit to version 2.1.22.dfsg1-23ubuntu3

And slapd is no longer crashing. There has been no change in config, just the upgrade.

Changed in openldap:
status: Incomplete → Fix Released
Cyberax (alex-besogonov) wrote :

Yes, it now works for me too.
