Re: [nssldap] Segmentation Faults for Ldap Accounts

[Jim Summers <jsummers [at] bachman.cs.ou.edu>]

Andrew Morgan wrote:
> On Fri, 11 Apr 2008, Jim Summers wrote:
>
> > > What about turning off SSL in nss-ldap temporarily?  That could 
> > > narrow the problem down.  Also, you could run strace on pjm and see 
> > > which system call actually segfaults it.
> >
> > I turned off ssl and the pjm program worked.  Turned it back on and 
> > the pjm segfaults.
> >
> > Here is my ldap.conf, which is also the same as the one on the FC5 and 
> > FC6 clients:
> >
> > uri ldaps://server1 ldaps://server2
> > base dc=ou,dc=edu
> > binddn cn=bind0,ou=profile,dc=ou,dc=edu
> > bindpw ++++++++
> > port 636
> > #port 389
> > #idle_timelimit 3600
> > ssl on
> > tls_checkpeer no
> > pam_password crypt
> > pam_lookup_policy yes
> > #debug 1
> >
> > I am not sure what to look for in my ssl/tls setup.  The whole thing 
> > is running off of self-signed certificates.
>
> Can you run your pjm program under strace?  Something like:
>
>   strace -ff -o /tmp/trace pjm <args>
>
> I can help look at the trace files, if you don't know what to look for.

Here is a snip from an strace of the fedora 8 machine where pjm fails:
===
fcntl64(4, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(4, F_SETFL, O_RDWR)             = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=2528, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x111000
read(5, "# Locale name alias data base.\n#"..., 4096) = 2528
read(5, "", 4096)                       = 0
close(5)                                = 0
munmap(0x111000, 4096)                  = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 
ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT 
(No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No 
such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT 
(No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT 
(No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No 
such file or directory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
===

and then from the FC6 where pjm works:
===
fcntl64(4, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(4, F_SETFL, O_RDWR)             = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=2528, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x251000
read(5, "# Locale name alias data base.\n#"..., 4096) = 2528
read(5, "", 4096)                       = 0
close(5)                                = 0
munmap(0x251000, 4096)                  = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 
ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT 
(No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No 
such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT 
(No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT 
(No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No 
such file or directory)
brk(0x9cd2000)                          = 0x9cd2000
time(NULL)                              = 1207971400
write(2, "TLS trace: SSL_connect:before/co"..., 53) = 53
time(NULL)                              = 1207971400
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 5
fstat64(5, {st_mode=S_IFCHR|0444, st_rdev=makedev(1, 9), ...}) = 0
===

I agree with you it still is appearing to be something with TLS/ssl.  It is 
just confusing me that the operating system itself authenticates and can 
resolve uidNumbers and group info fine.

Let me know if you need the whole trace file and I can send that also.

Ideas / Suggestions?

Thanks again

>     Andy

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------