Comment 0 for bug 2009259

AZ (m-dev) wrote :

Using apache2 authnz_ldap against Active Directory with ldap-group crashes apache2 when serving any request with:

[Thu Mar 02 16:43:21.251455 2023] [mpm_prefork:notice] [pid 3809200] AH00163: Apache/2.4.52 (Ubuntu) mod_auth_kerb/5.4 OpenSSL/3.0.2 configured -- resuming normal operations
[Thu Mar 02 16:43:21.251503 2023] [core:notice] [pid 3809200] AH00094: Command line: '/usr/sbin/apache2'
apache2: ../../../../libraries/libldap/request.c:970: ldap_do_free_request: Assertion `lr->lr_refcnt == 1' failed.

This only happens with search base = AD root dsn and seems related to the following extra search response items to the user lookup query (traced with tshark), which are only returned when search base = AD root dsn.

Lightweight Directory Access Protocol
    LDAPMessage searchResRef(2)
        messageID: 2
        protocolOp: searchResRef (19)
            searchResRef: 1 item
                LDAPURL: ldap://,DC=example,DC=org
        [Response To: 8]
        [Time: 0.043273000 seconds]

Likely a bug related to OpenLDAP, so these are the LDAP libs installed:
ii libldap-2.5-0:amd64 2.5.13+dfsg-0ubuntu0.22.04.1 amd64 OpenLDAP libraries
ii libldap-common 2.5.13+dfsg-0ubuntu0.22.04.1 all OpenLDAP common files for libraries

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: apache2 2.4.52-1ubuntu4.3
ProcVersionSignature: Ubuntu 5.19.0-32.33~22.04.1-generic 5.19.17
Uname: Linux 5.19.0-32-generic x86_64
Apache2ConfdDirListing: False
 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using Set the 'ServerName' directive globally to suppress this message
 httpd (pid 4107) already running
ApportVersion: 2.20.11-0ubuntu82.3
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: LXQt
Date: Sat Mar 4 12:57:47 2023
SourcePackage: apache2
UpgradeStatus: Upgraded to jammy on 2022-07-09 (238 days ago)
error.log: Error: [Errno 13] Keine Berechtigung: '/var/log/apache2/error.log'