
Re: libldap DSA-227-1 and proftpd-ldap problems?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 18 Jan 2003, Guenther Starnberger wrote:

> the last openldap upgrade (DSA-227-1) seems to break proftpd when using
> LDAP authentication with proftpd-ldap (at least on my i386 system).
>
> proftpd logs:
> Jan 18 11:51:07 osprey proftpd[349]: foo (bla[xx.xx.xx.xx]) - FTP session opened.
> Jan 18 11:51:11 osprey proftpd[349]: foo (bla[xx.xx.xx.xx]) - ProFTPD terminating (signal 11)
>
> my slapd logs:
> Jan 18 11:47:52 bar slapd[31310]: daemon: conn=0 fd=9 connection from IP=yy.yy.yy.yy:34063 (IP=0.0.0.0:389) accepted.
> Jan 18 11:47:52 bar slapd[31310]: conn=-1 fd=9 closed
>
> the LDAP parts of my proftpd.conf are:
> LDAPServer            aa.bb.cc
> LDAPDoAuth            on ou=something,ou=services,o=zz,c=at
> LDAPUseTLS off
> LDAPHomedirOnDemand on 0700
>
> i am using the grsecurity and trustees patches in my kernel, but i am
> currently only using some of the "filesystem protection" features of
> grsecurity without PaX, so i don't think it's the fault of the patches.

I can confirm this problem. I had a proftp running from before the library
upgrade and it was working correctly. When I restarted proftp it gives the
same problem:

client:  % ftp server
         Connected to server
         220 Welcome to My ftp server
         Name (server:arthur):
server:  proftpd[3421]: server.my.domain (client.my.domain[192.168.12.2]) - FTP session opened.
client:  Name (server:arthur): arthur
         331 Password required for arthur.
         Password:
server:  slapd[21243]: daemon: conn=5506 fd=16 connection from IP=192.168.12.1:3003 (IP=0.0.0.0:34049) accepted.
         slapd[21255]: conn=5506 op=0 BIND dn="" method=128
         slapd[21255]: conn=5506 op=0 RESULT tag=97 err=0 text=
         slapd[5921]: conn=5506 op=1 SRCH base="dc=my,dc=domain" scope=2 filter="(&(objectClass=posixGroup))"
         slapd[5921]: conn=5506 op=1 SEARCH RESULT tag=101 err=0 text=
client:  Password: ****
         421 Service not available, remote server has closed connection
         Login failed.
         No control connection for command: Permission denied
server:  slapd[6254]: conn=5506 op=2 SRCH base="dc=my,dc=domain" scope=2 filter="(&(objectClass=posixGroup))"
         slapd[6254]: conn=5506 op=2 SEARCH RESULT tag=101 err=0 text=
         slapd[21243]: daemon: conn=5507 fd=20 connection from IP=192.168.12.1:3004 (IP=0.0.0.0:34049) accepted.
         slapd[15260]: conn=5507 op=0 BIND dn="" method=128
         slapd[15260]: conn=5507 op=0 RESULT tag=97 err=0 text=
         proftpd[3421]: server.my.domain (client.my.domain[192.168.12.2]) - ProFTPD terminating (signal 11)
         slapd[21243]: conn=-1 fd=16 closed
         slapd[21243]: conn=-1 fd=20 closed

(names changed) (slapd running on ftp server)
And a successful connection reconstructed from before the restart:

client:  % ftp server
         Connected to server
         220 Welcome to My ftp server
         Name (server:arthur):
server:  proftpd[2294]: server.my.domain (client.my.domain[192.168.12.2]) - FTP session opened.
client:  Name (server:arthur): arthur
         331 Password required for arthur.
         Password:
server:  slapd[21243]: daemon: conn=5457 fd=20 connection from IP=192.168.12.1:2810 (IP=0.0.0.0:34049) accepted.
         slapd[14583]: conn=5457 op=0 BIND dn="" method=128
         slapd[14583]: conn=5457 op=0 RESULT tag=97 err=0 text=
         slapd[19472]: conn=5457 op=1 SRCH base="dc=my,dc=domain" scope=2 filter="(&(objectClass=posixGroup))"
         slapd[19472]: conn=5457 op=1 SEARCH RESULT tag=101 err=0 text=
client:  Password: ****
         230 User arthur logged in.
         Remote system type is UNIX.
         Using binary mode to transfer files.
server:  slapd[15259]: conn=5457 op=2 SRCH base="dc=my,dc=domain" scope=2 filter="(&(objectClass=posixGroup))"
         slapd[15259]: conn=5457 op=2 SEARCH RESULT tag=101 err=0 text=
         slapd[21243]: daemon: conn=5458 fd=27 connection from IP=192.168.12.1:2811 (IP=0.0.0.0:34049) accepted.
         slapd[15836]: conn=5458 op=0 BIND dn="" method=128
         slapd[15836]: conn=5458 op=0 RESULT tag=97 err=0 text=
         slapd[21256]: conn=5458 op=1 SRCH base="dc=my,dc=domain" scope=2 filter="(&(uid=arthur)(objectClass=posixAccount))"
         slapd[21256]: conn=5458 op=1 SEARCH RESULT tag=101 err=0 text=
         slapd[21243]: daemon: conn=5459 fd=29 connection from IP=192.168.12.1:2812 (IP=0.0.0.0:34049) accepted.
         slapd[14047]: conn=5459 op=0 BIND dn="UID=ARTHUR,OU=PEOPLE,DC=MY,DC=DOMAIN" method=128
         slapd[14047]: conn=5459 op=0 RESULT tag=97 err=0 text=
         slapd[9265]: conn=5459 op=1 UNBIND
         slapd[9265]: conn=-1 fd=29 closed
         slapd[16055]: conn=5457 op=3 SRCH base="dc=my,dc=domain" scope=2 filter="(&(objectClass=posixGroup))"
         slapd[16055]: conn=5457 op=3 SEARCH RESULT tag=101 err=0 text=

The communication looks the same up to the point that proftpd crashes.
Restarting slapd doesn't seem to help. Rebuilding proftpd-common and
proftpd-ldap also doesn't help.

I'm using the vanilla 2.2.19 kernel with nothing fancy added.

- -- arthur - arthur@tiefighter.et.tudelft.nl - http://tiefighter.et.tudelft.nl/~arthur --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)

iD8DBQE+KWu8VYan35+NCKcRAqZEAKDlNZzeBAnwTPxwA9icrOTKFBkPNwCePKI5
YDHsELL7/AhqbpZl1xMxjfs=
=Ppar
-----END PGP SIGNATURE-----
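
The comparison of the two sessions described in the message above, as an added example that is not part of the original post: it normalizes the slapd lines of both sessions (dropping PIDs, fds and ephemeral ports, renumbering connections) and reports the first event where they differ. The function names `normalize` and `first_divergence` are hypothetical; the log lines are copied from the message, slapd lines only.

```python
import re

# slapd lines from the two sessions in the message above, up to and including
# the first line where they differ (leading column labels trimmed).
FAILED = '''
slapd[21243]: daemon: conn=5506 fd=16 connection from IP=192.168.12.1:3003 (IP=0.0.0.0:34049) accepted.
slapd[21255]: conn=5506 op=0 BIND dn="" method=128
slapd[21255]: conn=5506 op=0 RESULT tag=97 err=0 text=
slapd[5921]: conn=5506 op=1 SRCH base="dc=my,dc=domain" scope=2 filter="(&(objectClass=posixGroup))"
slapd[5921]: conn=5506 op=1 SEARCH RESULT tag=101 err=0 text=
slapd[6254]: conn=5506 op=2 SRCH base="dc=my,dc=domain" scope=2 filter="(&(objectClass=posixGroup))"
slapd[6254]: conn=5506 op=2 SEARCH RESULT tag=101 err=0 text=
slapd[21243]: daemon: conn=5507 fd=20 connection from IP=192.168.12.1:3004 (IP=0.0.0.0:34049) accepted.
slapd[15260]: conn=5507 op=0 BIND dn="" method=128
slapd[15260]: conn=5507 op=0 RESULT tag=97 err=0 text=
slapd[21243]: conn=-1 fd=16 closed
'''
OK = '''
slapd[21243]: daemon: conn=5457 fd=20 connection from IP=192.168.12.1:2810 (IP=0.0.0.0:34049) accepted.
slapd[14583]: conn=5457 op=0 BIND dn="" method=128
slapd[14583]: conn=5457 op=0 RESULT tag=97 err=0 text=
slapd[19472]: conn=5457 op=1 SRCH base="dc=my,dc=domain" scope=2 filter="(&(objectClass=posixGroup))"
slapd[19472]: conn=5457 op=1 SEARCH RESULT tag=101 err=0 text=
slapd[15259]: conn=5457 op=2 SRCH base="dc=my,dc=domain" scope=2 filter="(&(objectClass=posixGroup))"
slapd[15259]: conn=5457 op=2 SEARCH RESULT tag=101 err=0 text=
slapd[21243]: daemon: conn=5458 fd=27 connection from IP=192.168.12.1:2811 (IP=0.0.0.0:34049) accepted.
slapd[15836]: conn=5458 op=0 BIND dn="" method=128
slapd[15836]: conn=5458 op=0 RESULT tag=97 err=0 text=
slapd[21256]: conn=5458 op=1 SRCH base="dc=my,dc=domain" scope=2 filter="(&(uid=arthur)(objectClass=posixAccount))"
'''

def normalize(log):
    """Reduce slapd lines to comparable events: drop PIDs, ports, fds; renumber conns."""
    conns, events = {}, []
    for line in log.strip().splitlines():
        body = re.sub(r"^slapd\[\d+\]: (daemon: )?", "", line.strip())
        body = re.sub(r"IP=([\d.]+):\d+", r"IP=\1", body)  # ephemeral ports differ per run
        body = re.sub(r" fd=\d+", "", body)
        body = re.sub(r"conn=(\d+)", lambda m: f"conn=#{conns.setdefault(m[1], len(conns))}", body)
        events.append(body)
    return events

def first_divergence(a, b):
    """Return (index, last common event, event in a, event in b), or None if no difference."""
    ea, eb = normalize(a), normalize(b)
    for i, (x, y) in enumerate(zip(ea, eb)):
        if x != y:
            return i, (ea[i - 1] if i else None), x, y
    return None
```

On these lines the last event common to both sessions is the anonymous BIND result on the second connection; the successful session continues with the `uid=arthur` search, while the failed one shows only the connection close.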


