Ubuntu
openldap package

Upgrade from Ubuntu 11.10 to 12.04 breaks slapd

Bug #995495 reported by Thomas Schweikle
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
Confirmed
Medium
Unassigned

Bug Description

After upgrading from Ubuntu 11.10 to 12.04 gssapiauth doesn't work any more with slapd (OpenLDAP):

# ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()

While on some other 11.10 system:
# ldapsearch >/dev/null
SASL/GSSAPI authentication started
SASL username: xxxxx@XXXXXX
SASL SSF: 56
SASL data security layer installed.

Konfiguration files where kept and edited manually afterwards. No really big changes: mostly additional comments and local configuration missing.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: slapd 2.4.28-1.1ubuntu4
ProcVersionSignature: Ubuntu 3.2.0-24.37-virtual 3.2.14
Uname: Linux 3.2.0-24-virtual x86_64
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Sun May 6 16:16:14 2012
InstallationMedia: Ubuntu-Server 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 TERM=screen-bce
 PATH=(custom, user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: openldap
UpgradeStatus: Upgraded to precise on 2012-05-06 (0 days ago)
mtime.conffile..etc.default.slapd: 2012-05-06T14:43:48.436029
mtime.conffile..etc.init.d.slapd: 2012-05-06T14:54:46.076029

Revision history for this message
Thomas Schweikle (tps) wrote :
Revision history for this message
James Page (james-page) wrote :

Hi Thomas

Thanks for taking the time to report this bug in Ubuntu.

I think that this bug might be related to bug 990742 which is currently going through SRU (however it needs a poke to get the openldap rebuild done - I'll do that).

Once the new version of openldap is accepted into precise-proposed would you be able to test it with your deployment?

Thanks

James Page (james-page)
Changed in openldap (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openldap (Ubuntu):
status: New → Confirmed
Revision history for this message
Dorian Taylor (dorian-taylor-lists) wrote :

I'm not sure if bug 990742 dealt with this:

[dorian$deuce:~] ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()

—which is exactly what I'm getting after upgrading as well. And then in the syslog, I see:

Oct 16 11:35:10 deuce ldapwhoami: canonuserfunc error -7
Oct 16 11:35:10 deuce ldapwhoami: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Oct 16 11:35:10 deuce ldapwhoami: DIGEST-MD5 common mech free

It's the empty minor code that has me puzzled.

Revision history for this message
Dorian Taylor (dorian-taylor-lists) wrote :

Oh, I forgot, the is i386 and:

root@deuce:~# dpkg -l | grep slapd
ii slapd 2.4.28-1.1ubuntu4.1 OpenLDAP server (slapd)
root@deuce:~# dpkg -l | grep libsasl
ii libsasl2-2 2.1.25.dfsg1-3ubuntu0.1 Cyrus SASL - authentication abstraction library
ii libsasl2-dev 2.1.25.dfsg1-3ubuntu0.1 Cyrus SASL - development files for authentication abstraction library
ii libsasl2-modules 2.1.25.dfsg1-3ubuntu0.1 Cyrus SASL - pluggable authentication modules
ii libsasl2-modules-gssapi-mit 2.1.25.dfsg1-3ubuntu0.1 Cyrus SASL - pluggable authentication modules (GSSAPI)
ii libsasl2-modules-ldap 2.1.25.dfsg1-3ubuntu0.1 Cyrus SASL - pluggable authentication modules (LDAP)

…and naturally it was working before the dist-upgrade.

Revision history for this message
Dorian Taylor (dorian-taylor-lists) wrote :

False alarm, was missing a principal for the value of olcSaslHost. The data from /var/log/auth.log is apparently a red herring.

Strange, though, as it still doesn't explain the empty minor error code.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.