Bugzilla – Full Text Bug Listing
| Summary: | DNS problem with LDAP server | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE 11.4 | Reporter: | yasser Khisha <qwatli> |
| Component: | YaST2 | Assignee: | Lukas Ocilka <locilka> |
| Status: | RESOLVED DUPLICATE | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | forgotten_mObCmCSq6Q, jsuchome, locilka, ralf |
| Version: | Final | ||
| Target Milestone: | Factory | ||
| Hardware: | x86-64 | ||
| OS: | openSUSE 11.4 | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | |||
| Bug Blocks: | 715240 | ||
| Attachments: | yast log; Thank you for kind interest ^_^; patch for testing | ||
Description
yasser Khisha
2011-08-04 16:19:11 UTC
Reassigned to maintainer of yast2-ldap

Please attach y2logs: http://en.opensuse.org/openSUSE:Bugreport_YaST#I_reported_a_YaST2_bug.2C_and_now_I_am_asked_to_.22attach_y2logs.22._What_does_that_mean.2C_and_how_do_I_do_that.3F

Created attachment 444702 [details]
yast log

It seems that it was dns-server which crashed, and the logs contain some error lines invoking /usr/lib/perl5/vendor_perl/5.12.3/Net/LDAP.pm starting with 2011-08-06 21:54:48. Seems like these are called from dns-server module, but maybe by some other service? Is it caused by LdapServerAccess.pm?

(In reply to comment #4)
> Seems like these are called from dns-server module, but maybe by some other
> service?

I suspect it's the ldapdump Perl helper that is called by named init script. AFAIK yast2-dns doesn't use perl-ldap.

> Is it caused by LdapServerAccess.pm?

Most likely not. Could you please attach /etc/ldap.conf, /etc/openldap/ldap.conf, /etc/sysconfig/ldap and /etc/sysconfig/named.

Created attachment 448411 [details]
Thank you for kind interest ^_^
Created attachment 448432 [details]
patch for testing
Ok, could you please test if the attached patch for /usr/share/bind/ldapdump resolves your problem?
To apply it, it should be enough to call:
patch -p0 < ldapdump-use-uri.patch
on the command line, from inside the directory where you saved that patch. You might need to install the "patch" rpm for it to work (if you don't already have it installed).

yes Mr Ralf ..... the line which you mention below :
if ( /^uri\s+([^\s]*)\s*/i ) { $data = $1; last }
does not exist at all in the file ldapdump , I found :
sub getLDAPConfigServer {
    my $data;
    open( FILE, "< /etc/openldap/ldap.conf" ) or die "unable to open /etc/openldap/ldap.conf. $!";
    while(<FILE>) {
        if ( /^host\s+([^\s]*)\s*/i ) { $data = $1; last }
    }
    close(FILE);
    return $data;
}
hope it will help

(In reply to comment #9)
> yes Mr Ralf ..... the line which you mention below :
>
> if ( /^uri\s+([^\s]*)\s*/i ) { $data = $1; last }
>
> does not exist at all in the file ldapdump , I found :

Yes, and I think that is at least part of the problem that's causing you trouble. The patch I attached is supposed to fix that. Were you able to apply the patch?

I just submitted the ldapdump patch to Factory. While that fix is needed it is however unlikely that it is really the cause of yast2 crashing. Looking at /var/log/YaST/signal it seems to crash somewhere in /usr/lib64/libldapcpp.so.1 (when called from the ldap-agent). One crash occurred e.g. on 2011-08-05 05:04:42; the corresponding y2logs can be found in y2log-1.gz:
2011-08-05 05:04:25 <1> Creations(32256) [Perl] modules/LdapServerAccess.pm(LdapServerAccess::AddLdapSchemas):90 Schemabase: dnszone
2011-08-05 05:04:25 <1> Creations(32256) [Perl] modules/LdapServerAccess.pm(LdapServerAccess::AddLdapSchemas):101 Schema /etc/openldap/schema/dnszone.schema is already included
2011-08-05 05:04:25 <3> Creations(32256) [agent-ldap] LdapAgent.cc(debug_exception):485 ldap error while starting TLS (-11): Connect error
2011-08-05 05:04:25 <3> Creations(32256) [agent-ldap] LdapAgent.cc(debug_exception):487 additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
2011-08-05 05:04:25 <1> Creations(32256) [ui] YPushButton.cc(setFunctionKey):204 Guessing button role YOKButton for YPushButton "OK" at 0x25d2208 from function key F10
2011-08-05 05:04:42 <1> Creations(32256) [Perl] modules/DnsServer.pm(DnsServer::GetConfigurationStat):905 Stat of the file '/etc/named.conf' is 'rights: 644, blocks: 16, size: 4108, owner: 0:44 changed: 1312484041, modifyied: 1312484041'
2011-08-05 05:04:42 <1> Creations(32256) [Perl] modules/DnsServer.pm(DnsServer::SaveGlobals):385 Deleting zones
So the hint for LdapServerAccess.pm was not that far off.

It seems that DnsServer::SaveGlobals() calls DnsZone::ZonesDeleteLdap() which uses the ldap-agent. The ldap-agent however was unable to open a connection (because of TLS problems) and somehow ends up using a stale LDAPConnection Object. This might be even a bug in libldapcpp. Still investigating.

Hm, attaching with a debugger gives this:
----------------------
(gdb) bt
#0 0x00007fb917a31860 in LDAPAsynConnection::getSessionHandle() const () from /usr/lib64/libldapcpp.so.1
#1 0x00007fb917a474d6 in LDAPSearchRequest::sendRequest() () from /usr/lib64/libldapcpp.so.1
#2 0x00007fb917a3205c in LDAPAsynConnection::search(std::string const&, int, std::string const&, StringList const&, bool, LDAPConstraints const*)
() from /usr/lib64/libldapcpp.so.1
#3 0x00007fb917a3913b in LDAPConnection::search(std::string const&, int, std::string const&, StringList const&, bool, LDAPConstraints const*) ()
from /usr/lib64/libldapcpp.so.1
#4 0x00007fb917cb3ea3 in LdapAgent::Read (this=0x1f4fa60, path=..., arg=..., opt=...) at LdapAgent.cc:608
[..]
(gdb) frame 4
#4 0x00007fb917cb3ea3 in LdapAgent::Read (this=0x1f4fa60, path=..., arg=..., opt=...) at LdapAgent.cc:608
608 base_dn, scope, filter, attrs, attrsOnly, cons);
(gdb) list
603 base_dn.c_str(), filter.c_str(), scope);
604 // do the search call
605 LDAPSearchResults* entries = NULL;
606 try {
607 entries = ldap->search (
608 base_dn, scope, filter, attrs, attrsOnly, cons);
609 }
610 catch (LDAPException e) {
611 if (not_found_ok && e.getResultCode() == 32)
612 {
(gdb) print ldap
$1 = (LDAPConnection *) 0x0
(gdb) print ldap_initialized
$2 = true
-----------------------
So it seems the ldap-agent is trying to use an uninitialized LDAPConnection object. I guess it deleted that object when the start_tls() call failed (see LdapAgent::Execute()).
So I think the ldap-agent has a bug here.
This patch for yast2-ldap seems to prevent the crashing:
Index: src/LdapAgent.cc
===================================================================
--- src/LdapAgent.cc (revision 65464)
+++ src/LdapAgent.cc (working copy)
@@ -1250,6 +1250,8 @@
*/
if (path->length() == 0) {
+ ldap_initialized = false;
+
hostname = getValue (argmap, "hostname");
if (hostname =="") {
y2error ("Missing hostname of LDAPHost, aborting");
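Review bot: resetting ldap_initialized at the top of the path->length() == 0 branch clears the stale flag, but the hunk does not show where the flag is set back to true; please confirm that happens only after the connection and the start_tls() call have both succeeded, so the early "Missing hostname" abort and a TLS failure both leave it false. The backtrace above shows ldap == 0x0 being dereferenced in LdapAgent::Read at LdapAgent.cc:608, so I would also test the ldap pointer itself before the ldap->search(...) call rather than rely on the flag alone, since the flag and the pointer are separate pieces of state and can drift apart on another path.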

Thanks, Ralf, for investigation. I've submitted fixed yast2-ldap package. However, according to Ralf, the problem in y2-dns-server is not solved, because it does not check return values from ldap agent. (And it is SP2 problem as well)

This is an autogenerated message for OBS integration: This bug (710430) was mentioned in https://build.opensuse.org/request/show/80402 Factory / yast2-ldap

*** Bug 715240 has been marked as a duplicate of this bug. ***

yast2-dns-server will be fixed in both openSUSE and SLE 11 SP2.

This is an autogenerated message for OBS integration: This bug (710430) was mentioned in https://build.opensuse.org/request/show/80484 Factory / bind

*** Bug 722512 has been marked as a duplicate of this bug. ***

Not 100% a duplicate, but the solution is actually the same. See bug #690237 comment #7 (and below)

Created an attachment (id=475894)

*** This bug has been marked as a duplicate of bug 690237 ***

openSUSE-SU-2013:0666-1: An update that solves four vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 710430,715881,716745,718441,738156,743758,772946,792926,811876
CVE References: CVE-2011-1907,CVE-2012-3868,CVE-2012-5688,CVE-2013-2266
Sources used:
openSUSE 11.4 (src): bind-9.9.2P2-45.1
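
The failure mode discussed in this thread (an agent whose "initialized" flag survives a failed TLS start, and a caller that does not check return values) can be modelled in a few lines. This is an added example, not code from yast2-ldap or yast2-dns-server: Conn, Agent, delete_zones and the base DN are hypothetical stand-ins for LDAPConnection, LdapAgent and the DNS module's zone cleanup.

```cpp
// Added illustration, not yast2-ldap code: Conn and Agent are hypothetical
// stand-ins for LDAPConnection and LdapAgent; the base DN is constructed.
#include <iostream>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>

struct Conn {
    bool cert_trusted;
    void start_tls() const {
        if (!cert_trusted) throw std::runtime_error("certificate verify failed");
    }
    std::string search(const std::string& base) const { return "entries under " + base; }
};

class Agent {
    std::unique_ptr<Conn> ldap;
    bool initialized = false;
public:
    // (Re)initialise: forget the old state first, and mark the agent usable
    // only after the TLS handshake succeeded.
    bool init(bool cert_trusted) {
        initialized = false;
        ldap.reset();
        std::unique_ptr<Conn> c(new Conn{cert_trusted});
        try { c->start_tls(); }
        catch (const std::runtime_error&) { return false; }  // fail closed
        ldap = std::move(c);
        initialized = true;
        return true;
    }
    // Refuse to search without a live connection instead of dereferencing it.
    bool read(const std::string& base, std::string& out) const {
        if (!initialized || !ldap) return false;
        out = ldap->search(base);
        return true;
    }
};

// Caller side: check each return value before acting on directory data.
std::string delete_zones(Agent& agent, bool cert_trusted) {
    std::string zones;
    if (!agent.init(cert_trusted)) return "init failed, nothing deleted";
    if (!agent.read("ou=dns,dc=example,dc=com", zones)) return "read failed, nothing deleted";
    return "would delete " + zones;
}

int main() {
    Agent agent;
    std::cout << delete_zones(agent, true) << "\n" << delete_zones(agent, false) << "\n";
}
```

The second call in main() re-initialises the same agent against an untrusted certificate, which is the sequence that left the real agent with a true flag and a null connection.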